#!/bin/bash
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
# Freedom in the Cloud
#
# SKS Keyserver
#
# License
# =======
#
# Copyright (C) 2017-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
VARIANTS='full full-vim'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1
# Third-party web front end for the keyserver. install_keyserver checks out
# the exact commit below (not a branch), so the code deployed under
# /var/www/<domain>/htdocs is a known revision rather than the remote's
# current HEAD. Bump the commit deliberately when updating.
KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"
KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'
# Clearnet HKP port. NOTE: install_keyserver hard-codes 11371/11372/11370
# in the nginx and firewall configuration rather than reading this value.
KEYSERVER_PORT=11371
# Loopback port nginx listens on for the keyserver onion service
KEYSERVER_ONION_PORT=8122
KEYSERVER_DOMAIN_NAME=
KEYSERVER_CODE=
# Config parameters this app reads/writes through the project's
# read_config_param / write_config_param helpers.
keyserver_variables=(ONION_ONLY
MY_USERNAME
DEFAULT_DOMAIN_NAME
KEYSERVER_DOMAIN_NAME
KEYSERVER_CODE)
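function check_keyserver_directory_size {
    # Prints "1" when the SKS database directory is over the size limit,
    # otherwise "0". The backup functions use this to refuse to copy a
    # database that has been flooded: an oversized DB is the visible
    # symptom of a key-spamming attack against this keyserver.
    #
    # Arguments (both optional; defaults preserve the original behaviour):
    #   $1 - directory to measure   (default /var/lib/sks/DB)
    #   $2 - limit in KiB           (default 500000, roughly 500M)
    #
    # du is invoked with -sk so the output is a single total in KiB
    # regardless of BLOCKSIZE/POSIXLY_CORRECT in the environment and
    # regardless of subdirectories (plain `du DIR` prints one line per
    # subdirectory, which would break the integer comparison below).
    local db_dir=${1:-/var/lib/sks/DB}
    local limit_kb=${2:-500000}
    local dirsize

    if [ ! -d "$db_dir" ]; then
        # Nothing to measure; a missing database is not "too large".
        echo "0"
        return
    fi
    dirsize=$(du -sk -- "$db_dir" 2>/dev/null | awk '{print $1}')
    if [ -n "$dirsize" ] && [ "$dirsize" -gt "$limit_kb" ]; then
        echo "1"
        return
    fi
    echo "0"
}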
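function keyserver_watchdog {
    # Installs /etc/cron.hourly/keyserver-watchdog: a script that mails the
    # admin once the SKS database grows past ~450M and, past ~500M, disables
    # the nginx site and the sks unit. SKS has no submission rate limit of
    # its own, so this is the only brake on a key-flooding attack filling
    # the disk or making backups infeasible.
    #
    # Globals read: COMPLETION_FILE, HOSTNAME, PROJECT_NAME and
    #               KEYSERVER_DOMAIN_NAME (loaded via read_config_param).
    # Note: the generated script calls nginx_dissite, so that must exist as
    # an executable on cron's PATH (cron does not source this file).
    ADMIN_USERNAME=$(grep "Admin user" "$COMPLETION_FILE" | awk -F ':' '{print $2}')
    ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
    keyserver_size_warning=$"The SKS keyserver database is getting large. Check that you aren't being spammed"
    keyserver_disabled_warning=$"The SKS keyserver has been disabled because it is getting too large. This is to prevent flooding attacks from crashing the server. You may need to restore the keyserver from backup."
    keyserver_mail_subject_line=$"${PROJECT_NAME} keyserver warning"
    keyserver_mail_subject_line_disabled=$"${PROJECT_NAME} keyserver disabled"
    read_config_param KEYSERVER_DOMAIN_NAME

    # Build the script in a private mktemp file rather than the fixed,
    # predictable /tmp/keyserver-watchdog path. This runs as root and the
    # result is copied into cron.hourly, so a file or symlink pre-created
    # at a guessable name by a local user could influence what root runs
    # every hour (write-then-copy is a TOCTOU window on a shared path).
    local keyserver_watchdog_script
    keyserver_watchdog_script=$(mktemp) || return 1
    { echo '#!/bin/bash';
      # du -sk: one total in KiB, independent of the environment block size
      echo "dirsize=\$(du -sk /var/lib/sks/DB 2>/dev/null | awk '{print \$1}')";
      echo "if [ -n \"\$dirsize\" ] && [ \"\$dirsize\" -gt 450000 ]; then";
      echo "    echo \"$keyserver_size_warning\" | mail -s \"$keyserver_mail_subject_line\" \"$ADMIN_EMAIL_ADDRESS\"";
      echo "    if [ \"\$dirsize\" -gt 500000 ]; then";
      echo "        nginx_dissite \"$KEYSERVER_DOMAIN_NAME\"";
      echo '        systemctl stop sks';
      echo '        systemctl disable sks';
      echo "        echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" \"$ADMIN_EMAIL_ADDRESS\"";
      echo '    fi';
      echo 'fi'; } > "$keyserver_watchdog_script"

    # Only rewrite the cron entry when its content changed (cmp also fails,
    # and so triggers the install, when the cron file does not exist yet).
    # install(1) sets root:root 0755 explicitly; mktemp creates 0600 files
    # and a plain cp would carry that mode across.
    if ! cmp -s "$keyserver_watchdog_script" /etc/cron.hourly/keyserver-watchdog; then
        install -o root -g root -m 0755 "$keyserver_watchdog_script" /etc/cron.hourly/keyserver-watchdog
    fi
    rm -f "$keyserver_watchdog_script"
}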
function configure_firewall_for_keyserver {
    # Opens the SKS ports on the clearnet firewall: 11370 (recon/gossip
    # with peers, served by sks itself), 11371 (HKP via nginx) and 11372
    # (HKP over TLS via nginx). Onion-only systems open nothing; the
    # service is reached through the tor hidden service instead.
    # NOTE(review): 11370 is opened to everyone, so peering is gated only
    # by the /etc/sks/membership list - confirm sks rejects unlisted peers.
    if [[ "$ONION_ONLY" != "no" ]]; then
        return
    fi
    local port
    for port in 11370 11371 11372; do
        firewall_add keyserver "$port" tcp
    done
    mark_completed "${FUNCNAME[0]}"
}
function keyserver_reset_database {
    # Discards the current key database, rebuilds an empty one with
    # `sks build`, hands /var/lib/sks back to the service user and restarts
    # the daemon. Destructive: every stored key is lost.
    local db_dir=/var/lib/sks/DB
    if [ -d "$db_dir" ]; then
        rm -rf "$db_dir"
    fi
    sks build
    chown -Rc debian-sks: /var/lib/sks
    systemctl restart sks
}
function logging_on_keyserver {
    # No-op hook: the keyserver app has no logging toggle (install_keyserver
    # sends the nginx access/error logs for the site to /dev/null).
    :
}
function logging_off_keyserver {
    # No-op hook; see logging_on_keyserver.
    :
}
function reconfigure_keyserver {
    # No-op hook: there is nothing to reconfigure after install; peers are
    # managed from the control panel (configure_interactive_keyserver).
    :
}
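function upgrade_keyserver {
    # Upgrade hook. Always refreshes the cron watchdog; then, only when the
    # pinned web front-end commit has changed, moves the htdocs checkout to
    # the new commit and re-applies the admin's GPG id and address to the
    # page templates.
    #
    # Globals: COMPLETION_FILE, KEYSERVER_WEB_COMMIT, KEYSERVER_WEB_REPO,
    #          HOSTNAME, MY_USERNAME (loaded via read_config_param)
    keyserver_watchdog

    CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
    if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
        return
    fi
    if grep -q "keyserver domain" "$COMPLETION_FILE"; then
        KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")
    fi
    # update to the next commit
    function_check set_repo_commit
    set_repo_commit "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs" "keyserver web commit" "$KEYSERVER_WEB_COMMIT" "$KEYSERVER_WEB_REPO"

    read_config_param MY_USERNAME
    USER_EMAIL_ADDRESS="$MY_USERNAME@$HOSTNAME"
    # Line 2 of `gpg --list-keys` output is assumed to be the fingerprint
    # (gpg 2.1+ layout) - TODO confirm against the installed gpg version.
    GPG_ID=$(su -m root -c "gpg --list-keys \"$USER_EMAIL_ADDRESS\" | sed -n '2p' | sed 's/^[ \\t]*//'" - "$MY_USERNAME")
    if [ ! "$GPG_ID" ]; then
        echo $'No GPG ID for admin user'
        # Exit statuses wrap modulo 256: the previous `exit 846336`
        # (= 3306*256) was reported to the caller as status 0, i.e. success.
        exit 72
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
        echo $'GPG ID not retrieved for admin user'
        exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
        echo $'GPG ID not retrieved for admin user due to error'
        exit 74825
    fi

    # Fill the template placeholders. '|' is the sed delimiter: GPG_ID is
    # hex and the address is admin-chosen, so neither should contain it.
    local htdocs="/var/www/$KEYSERVER_DOMAIN_NAME/htdocs"
    local page
    for page in 404.html index.html; do
        sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" "$htdocs/$page"
        sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" "$htdocs/$page"
    done
    chown -R www-data:www-data "$htdocs"
}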
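function backup_local_keyserver {
    # Backs up the SKS configuration (/etc/sks) and, unless it is over the
    # size limit, the key database (/var/lib/sks/DB) to the USB drive. sks
    # is stopped around each copy so the Berkeley DB files are consistent.
    # Oversized databases are skipped on purpose: a flooded keyserver would
    # otherwise turn every backup into a multi-gigabyte copy
    # (see check_keyserver_directory_size / keyserver_watchdog).
    if [ ! -d /var/lib/sks/DB ]; then
        exit 2468245
    fi
    # Remove Berkeley DB log files the environment no longer needs. Run in
    # a subshell so the caller's working directory is left unchanged; this
    # hook runs inside a larger backup pass over every installed app.
    # NOTE(review): this runs against the live DB environment before sks is
    # stopped - confirm db_archive -d is safe while the daemon is running.
    (cd /var/lib/sks/DB && db_archive -d)

    source_directory=/etc/sks
    if [ -d "$source_directory" ]; then
        systemctl stop sks
        dest_directory=keyserverconfig
        function_check backup_directory_to_usb
        backup_directory_to_usb "$source_directory" "$dest_directory"
        systemctl start sks
    fi
    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
        echo $'WARNING: Keyserver database size is too large to backup'
        return
    fi
    source_directory=/var/lib/sks/DB
    if [ -d "$source_directory" ]; then
        systemctl stop sks
        dest_directory=keyserver
        function_check backup_directory_to_usb
        backup_directory_to_usb "$source_directory" "$dest_directory"
        systemctl start sks
    fi
}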
function restore_local_keyserver {
    # Restores /etc/sks and then the key database from the USB backup.
    # The live database is moved aside to DB_prev first; if the copy fails
    # it is moved back, the drive is unmounted and the script exits.
    # Does nothing when no SKS database directory exists (app not installed).
    if [ ! -d /var/lib/sks/DB ]; then
        return
    fi
    echo $"Restoring SKS Keyserver"
    systemctl stop sks

    # --- configuration ---
    temp_restore_dir=/root/tempkeyserverconfig
    function_check restore_directory_from_usb
    restore_directory_from_usb "$temp_restore_dir" keyserverconfig
    if [ -d "$temp_restore_dir/etc/sks" ]; then
        cp -r "$temp_restore_dir"/etc/sks/* /etc/sks/
    else
        cp -r "$temp_restore_dir"/* /etc/sks/
    fi
    rm -rf "$temp_restore_dir"
    chown -Rc debian-sks: /etc/sks/sksconf
    chown -Rc debian-sks: /etc/sks/mailsync

    # --- database ---
    temp_restore_dir=/root/tempkeyserver
    function_check restore_directory_from_usb
    restore_directory_from_usb "$temp_restore_dir" keyserver
    mv /var/lib/sks/DB /var/lib/sks/DB_prev
    local copy_ok=1
    if [ -d "$temp_restore_dir/var/lib/sks/DB" ]; then
        cp -r "$temp_restore_dir/var/lib/sks/DB" /var/lib/sks/DB || copy_ok=0
    else
        if [ ! -d /var/lib/sks/DB ]; then
            mkdir /var/lib/sks/DB
        fi
        cp -r "$temp_restore_dir"/* /var/lib/sks/DB || copy_ok=0
    fi
    if [ "$copy_ok" = "0" ]; then
        # copy failed: put the previous database back and abort the restore
        rm -rf /var/lib/sks/DB
        mv /var/lib/sks/DB_prev /var/lib/sks/DB
        rm -rf "$temp_restore_dir"
        function_check set_user_permissions
        set_user_permissions
        function_check backup_unmount_drive
        backup_unmount_drive
        exit 5627294
    fi
    rm -rf "$temp_restore_dir"
    chown -Rc debian-sks: /var/lib/sks
    # the restored copy is in place, the old database can go
    rm -rf /var/lib/sks/DB_prev
    systemctl enable sks
    systemctl start sks
    nginx_ensite "$KEYSERVER_DOMAIN_NAME"
}
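function backup_remote_keyserver {
    # Backs up the SKS configuration (/etc/sks) and, unless it is over the
    # size limit, the key database (/var/lib/sks/DB) to a friend's server.
    # Same structure as backup_local_keyserver with the remote copy helper.
    if [ ! -d /var/lib/sks/DB ]; then
        exit 734624
    fi
    # Remove Berkeley DB log files the environment no longer needs. Run in
    # a subshell so the caller's working directory is left unchanged; this
    # hook runs inside a larger backup pass over every installed app.
    # NOTE(review): this runs against the live DB environment before sks is
    # stopped - confirm db_archive -d is safe while the daemon is running.
    (cd /var/lib/sks/DB && db_archive -d)

    source_directory=/etc/sks
    if [ -d "$source_directory" ]; then
        systemctl stop sks
        dest_directory=keyserverconfig
        function_check backup_directory_to_friend
        backup_directory_to_friend "$source_directory" "$dest_directory"
        systemctl start sks
    fi
    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
        echo $'WARNING: Keyserver database size is too large to backup'
        return
    fi
    source_directory=/var/lib/sks/DB
    if [ -d "$source_directory" ]; then
        systemctl stop sks
        dest_directory=keyserver
        function_check backup_directory_to_friend
        backup_directory_to_friend "$source_directory" "$dest_directory"
        systemctl start sks
    fi
}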
function restore_remote_keyserver {
    # Restores /etc/sks and then the key database from a friend's server.
    # The live database is moved aside to DB_prev first; if the copy fails
    # it is moved back and the function returns (unlike the USB variant it
    # does not exit the script).
    if [ ! -d /var/lib/sks/DB ]; then
        return
    fi
    echo $"Restoring SKS Keyserver"
    systemctl stop sks

    # --- configuration ---
    temp_restore_dir=/root/tempkeyserverconfig
    function_check restore_directory_from_friend
    restore_directory_from_friend "$temp_restore_dir" keyserverconfig
    if [ -d "$temp_restore_dir/etc/sks" ]; then
        cp -r "$temp_restore_dir"/etc/sks/* /etc/sks/
    else
        cp -r "$temp_restore_dir"/* /etc/sks/
    fi
    rm -rf "$temp_restore_dir"
    chown -Rc debian-sks: /etc/sks/sksconf
    chown -Rc debian-sks: /etc/sks/mailsync

    # --- database ---
    temp_restore_dir=/root/tempkeyserver
    function_check restore_directory_from_friend
    restore_directory_from_friend "$temp_restore_dir" keyserver
    mv /var/lib/sks/DB /var/lib/sks/DB_prev
    local copy_ok=1
    if [ -d "$temp_restore_dir/var/lib/sks/DB" ]; then
        cp -r "$temp_restore_dir/var/lib/sks/DB" /var/lib/sks/DB || copy_ok=0
    else
        if [ ! -d /var/lib/sks/DB ]; then
            mkdir /var/lib/sks/DB
        fi
        cp -r "$temp_restore_dir"/* /var/lib/sks/DB || copy_ok=0
    fi
    if [ "$copy_ok" = "0" ]; then
        # copy failed: put the previous database back and give up
        rm -rf /var/lib/sks/DB
        mv /var/lib/sks/DB_prev /var/lib/sks/DB
        rm -rf "$temp_restore_dir"
        function_check set_user_permissions
        set_user_permissions
        return
    fi
    rm -rf "$temp_restore_dir"
    chown -Rc debian-sks: /var/lib/sks
    # the restored copy is in place, the old database can go
    rm -rf /var/lib/sks/DB_prev
    systemctl enable sks
    systemctl start sks
    nginx_ensite "$KEYSERVER_DOMAIN_NAME"
}
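function remove_keyserver {
    # Uninstalls the keyserver: stops sks, drops the cron watchdog, removes
    # the packages, nginx site, certificates, web root, DDNS/onion entries,
    # firewall rules and config/completion params, then deletes
    # /var/lib/sks including the key database.
    systemctl stop sks
    if [ -f /etc/cron.hourly/keyserver-watchdog ]; then
        rm /etc/cron.hourly/keyserver-watchdog
    fi
    # NOTE(review): dirmngr is gpg's network helper, not only an sks
    # dependency; removing it may break keyserver lookups for other gpg
    # users on this host - confirm this is intended.
    apt-get -qy remove sks dirmngr
    read_config_param "KEYSERVER_DOMAIN_NAME"
    # Guard every domain-keyed removal: with an empty domain the paths
    # below collapse to /etc/nginx/sites-available/ and /var/www/, and the
    # previous unconditional `rm -rf "/var/www/$KEYSERVER_DOMAIN_NAME"`
    # would have deleted every site on the host.
    if [ "$KEYSERVER_DOMAIN_NAME" ]; then
        nginx_dissite "$KEYSERVER_DOMAIN_NAME"
        remove_certs "${KEYSERVER_DOMAIN_NAME}"
        if [ -f "/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME" ]; then
            rm -f "/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME"
        fi
        if [ -d "/var/www/$KEYSERVER_DOMAIN_NAME" ]; then
            rm -rf "/var/www/$KEYSERVER_DOMAIN_NAME"
        fi
        function_check remove_ddns_domain
        remove_ddns_domain "$KEYSERVER_DOMAIN_NAME"
    else
        echo $'WARNING: KEYSERVER_DOMAIN_NAME is not set, skipping web site removal'
    fi
    remove_config_param KEYSERVER_DOMAIN_NAME
    remove_config_param KEYSERVER_CODE
    function_check remove_onion_service
    remove_onion_service keyserver "${KEYSERVER_ONION_PORT}"
    remove_onion_service sks 11370 11371 11372
    remove_completion_param "install_keyserver"
    firewall_remove 11370 tcp
    firewall_remove 11371 tcp
    firewall_remove 11372 tcp
    # NOTE: these patterns delete any completion line containing the word,
    # so an unrelated entry mentioning "keyserver" would be removed too.
    sed -i '/keyserver/d' "$COMPLETION_FILE"
    sed -i '/sks onion/d' "$COMPLETION_FILE"
    if [ -d /var/lib/sks ]; then
        rm -rf /var/lib/sks
    fi
}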
function install_interactive_keyserver {
    # Interactive setup. Onion-only systems get a fixed local domain name
    # (no clearnet site is created); otherwise the admin is prompted for a
    # domain name and DDNS code. Sets APP_INSTALLED=1 in both cases.
    ONION_ONLY=${ONION_ONLY:-no}
    if [[ "$ONION_ONLY" == "no" ]]; then
        function_check interactive_site_details
        interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"
    else
        KEYSERVER_DOMAIN_NAME='keyserver.local'
        write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"
    fi
    APP_INSTALLED=1
}
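function keyserver_create_mailsync {
    # Creates the mailsync file (addresses that submitted keys are forwarded
    # to) with a header comment if it does not exist yet, then fixes its
    # ownership. Only creates, never truncates: keyserver_sync calls this
    # right before appending an address, and the previous unconditional
    # rewrite discarded every address configured on earlier calls.
    #
    # $1 - optional path (default /etc/sks/mailsync)
    local mailsync=${1:-/etc/sks/mailsync}
    if [ ! -f "$mailsync" ]; then
        { echo $"# List of email addresses which submitted keys will be forwarded to";
          echo ''; } > "$mailsync"
    fi
    chown -Rc debian-sks: "$mailsync"
}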
function keyserver_create_membership {
    # Creates /etc/sks/membership (the peer list sks gossips with) with a
    # warning header when it does not exist yet. sks is stopped while the
    # file is written and started again afterwards. Existing files are
    # left untouched.
    local membership=/etc/sks/membership
    if [ -f "$membership" ]; then
        return
    fi
    systemctl stop sks
    {
        echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with.";
        echo '#';
        echo $"# Don't add major keyservers here, because it will take an";
        echo $'# Infeasible amount of time to sync and backups will become';
        echo $'# absurdly long and probably break your system. You have been warned.';
        echo '';
    } > "$membership"
    chown -Rc debian-sks: "$membership"
    systemctl start sks
}
function keyserver_import_keys {
    # NOTE: this function isn't used, but kept for reference.
    # Downloads a full keyserver dump into /var/lib/sks/dump and rebuilds
    # the database from it. NOTE(review): the dump is trusted on the
    # strength of the TLS connection alone; there is no separate integrity
    # check of the downloaded files before `sks build` consumes them.
    dialog --title $"Import public keys database" \
           --backtitle $"Freedombone Control Panel" \
           --defaultno \
           --yesno $"\\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\\n\\nContinue?" 10 60
    local answer=$?
    # 1 = No, 255 = ESC
    if [ "$answer" = "1" ] || [ "$answer" = "255" ]; then
        return
    fi

    mkdir -p /var/lib/sks/dump
    cd /var/lib/sks/dump || exit 59242684
    echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'
    rm -rf /var/lib/sks/dump/*
    KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"
    wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \
         -A pgp,txt "$KEYSERVER_DUMP_URL"

    cd /var/lib/sks || exit 936572424
    echo $'Building the keyserver database from the downloaded dump'
    keyserver_reset_database
}
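function keyserver_sync {
    # Adds a peer keyserver (domain + recon port, optional mail-sync
    # address) from a dialog form, updating /etc/sks/membership and
    # /etc/sks/mailsync and restarting sks.
    #
    # The values are entered by the admin, but they end up in files parsed
    # by sks, inside grep/sed patterns and as mail recipients, so they are
    # checked against a strict character set instead of just "no spaces".
    data=$(mktemp 2>/dev/null)
    dialog --backtitle $"Freedombone Control Panel" \
           --title $"Sync with other keyserver" \
           --form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \
           $"Domain:" 1 1 "" 1 25 32 64 \
           $"Port:" 2 1 "11370" 2 25 6 6 \
           $"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \
           2> "$data"
    sel=$?
    case $sel in
        1) rm -f "$data"
           return;;
        255) rm -f "$data"
             return;;
    esac
    other_keyserver_domain=$(sed -n 1p < "$data")
    other_keyserver_port=$(sed -n 2p < "$data")
    other_keyserver_email=$(sed -n 3p < "$data")
    rm -f "$data"

    # Domain: hostname characters only, must contain a dot, at least 4 chars
    if [[ ! "$other_keyserver_domain" =~ ^[A-Za-z0-9.-]+$ ]] \
        || [[ "$other_keyserver_domain" != *'.'* ]] \
        || [ ${#other_keyserver_domain} -lt 4 ]; then
        return
    fi
    # Port: 4-5 digits within the TCP range (the form allows 6 characters)
    if [[ ! "$other_keyserver_port" =~ ^[0-9]{4,5}$ ]] \
        || [ "$other_keyserver_port" -gt 65535 ]; then
        return
    fi
    # Refuse the big public pools: syncing with them pulls in a database
    # far beyond what this system (and its backups) can handle.
    if [[ "$other_keyserver_domain" == *"sks-keyservers.net" || "$other_keyserver_domain" == *"gnupg.net" || "$other_keyserver_domain" == *"pgp.com" || "$other_keyserver_domain" == *"pgp.mit.edu" || "$other_keyserver_domain" == *"the.earth.li" || "$other_keyserver_domain" == *"mayfirst.org" || "$other_keyserver_domain" == *"ubuntu.com" ]]; then
        dialog --title $"Sync with other keyserver" \
               --msgbox $"\\nDon't try to sync with the major keyservers. Your system will be overloaded with an infeasible database size." 8 60
        return
    fi

    # Optional mail-sync address. The untouched placeholder means "none";
    # anything containing '@' must be a plausible address or is rejected.
    if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then
        if [[ "$other_keyserver_email" == *"@"* ]]; then
            if [[ "$other_keyserver_email" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z0-9-]+$ ]]; then
                keyserver_create_mailsync
                if ! grep -qxF -- "$other_keyserver_email" /etc/sks/mailsync; then
                    echo "$other_keyserver_email" >> /etc/sks/mailsync
                    chown -Rc debian-sks: /etc/sks/mailsync
                fi
            else
                dialog --title $"Sync with other keyserver" \
                       --msgbox $"Email doesn't look right: $other_keyserver_email" 6 60
                return
            fi
        fi
    fi

    keyserver_create_membership
    # whole-line, fixed-string match: already configured exactly like this
    if grep -qxF -- "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then
        return
    fi
    # Escape dots so the domain is matched literally, and anchor at the
    # start of the line so a suffix match (b.example.org vs example.org)
    # cannot update the wrong peer's entry.
    local domain_re="^${other_keyserver_domain//./\\.} "
    if grep -q -- "$domain_re" /etc/sks/membership; then
        sed -i "s|${domain_re}.*|$other_keyserver_domain $other_keyserver_port|" /etc/sks/membership
    else
        echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership
    fi
    chown -Rc debian-sks: /etc/sks/membership
    systemctl restart sks
    dialog --title $"Sync with other keyserver" \
           --msgbox $"Keyserver added" 6 40
}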
function keyserver_edit {
    # Opens the peer list in the system editor, restores its ownership and
    # restarts sks so the edited membership is loaded. No-op if the file
    # has not been created yet.
    local membership=/etc/sks/membership
    if [ ! -f "$membership" ]; then
        return
    fi
    editor "$membership"
    chown -Rc debian-sks: "$membership"
    systemctl restart sks
}
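function keyserver_remove_key {
    # Prompts for a key id and deletes it from the local SKS database.
    # The id is passed straight to `sks drop`, so it is restricted to a hex
    # key id / fingerprint (optional 0x prefix) before use, and the result
    # of the drop is reported instead of always claiming success.
    data=$(mktemp 2>/dev/null)
    dialog --title $"Remove a key" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $"Enter the ID of the key which you wish to remove:" 12 60 2>"$data"
    sel=$?
    case $sel in
        0)
            remove_key_id=$(<"$data")
            # longer than 8 characters (the original minimum) and hex only
            if [ ${#remove_key_id} -gt 8 ] && [[ "$remove_key_id" =~ ^(0x)?[0-9A-Fa-f]+$ ]]; then
                if sks drop "$remove_key_id"; then
                    dialog --title $"Remove a key" \
                           --msgbox $"The key was removed" 6 40
                else
                    dialog --title $"Remove a key" \
                           --msgbox $"The key could not be removed: $remove_key_id" 6 60
                fi
            else
                dialog --title $"Remove a key" \
                       --msgbox $"Key ID doesn't look right: $remove_key_id" 6 60
            fi
            ;;
    esac
    rm -f "$data"
}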
function configure_interactive_keyserver {
    # Admin control-panel menu for the keyserver. Loops until the admin
    # cancels (empty selection).
    W=(1 $"Remove a key"
       2 $"Sync with other keyserver"
       3 $"Edit sync keyservers")
    local selection
    while true; do
        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"SKS Keyserver" --menu $"Choose an operation, or ESC to exit:" 11 60 3 "${W[@]}" 3>&2 2>&1 1>&3)
        [ "$selection" ] || break
        case "$selection" in
            1) keyserver_remove_key;;
            2) keyserver_sync;;
            3) keyserver_edit;;
        esac
    done
}
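function install_keyserver {
    # Installs SKS with an nginx front end and tor onion services.
    #
    # Network layout (see the sksconf edits and nginx blocks below):
    #  - sks itself serves HKP on 127.0.0.1:11373 only; nginx proxies /pks
    #    to it on 80/11371 (plain) and 443/11372 (TLS) for the clearnet and
    #    on 127.0.0.1:$KEYSERVER_ONION_PORT for the onion site.
    #  - recon (peer gossip) is served by sks directly on 0.0.0.0:11370 and
    #    is reachable by anyone the firewall lets through; peering is then
    #    gated by /etc/sks/membership, which is deleted at the end of the
    #    install so no sync happens until the admin adds a peer.
    #  - nginx access/error logs go to /dev/null: lookups are not recorded
    #    (privacy), at the cost of having no request log for forensics.
    #
    # Globals: KEYSERVER_DOMAIN_NAME, KEYSERVER_WEB_REPO/COMMIT, MY_USERNAME,
    #          HOSTNAME, DEFAULT_DOMAIN_NAME, ONION_ONLY, ONION_SERVICES_FILE,
    #          KEYSERVER_ONION_PORT
    if [ ! "$KEYSERVER_DOMAIN_NAME" ]; then
        # Every path below is built from the domain; with it empty the
        # cleanup step would run `rm -rf /var/www//htdocs`.
        echo $'No keyserver domain name set'
        exit 1
    fi

    apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
    keyserver_reset_database
    sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
    apt-get -qy install dirmngr
    systemctl restart sks

    if [ ! -d "/var/www/$KEYSERVER_DOMAIN_NAME" ]; then
        mkdir "/var/www/$KEYSERVER_DOMAIN_NAME"
    fi
    cd "/var/www/$KEYSERVER_DOMAIN_NAME" || exit 25427642847
    if [ -d "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs" ]; then
        rm -rf "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs"
    fi
    # Copy from a local mirror or clone; either way the checkout is then
    # pinned to KEYSERVER_WEB_COMMIT, so the third-party front end deployed
    # is a known revision rather than whatever the remote's HEAD is today.
    if [ -d /repos/keyserverweb ]; then
        mkdir htdocs
        cp -r -p /repos/keyserverweb/. htdocs
        cd htdocs || exit 379584659
        git pull
    else
        git_clone "$KEYSERVER_WEB_REPO" htdocs
    fi
    if [ ! -d "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs" ]; then
        echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"
        exit 6539230
    fi
    cd "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs" || exit 264824528
    git checkout "$KEYSERVER_WEB_COMMIT" -b "$KEYSERVER_WEB_COMMIT"
    set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"

    USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
    # Line 2 of `gpg --list-keys` output is assumed to be the fingerprint
    # (gpg 2.1+ layout) - TODO confirm against the installed gpg version.
    GPG_ID=$(su -m root -c "gpg --list-keys \"$USER_EMAIL_ADDRESS\" | sed -n '2p' | sed 's/^[ \\t]*//'" - "$MY_USERNAME")
    if [ ! "$GPG_ID" ]; then
        echo $'No GPG ID for admin user'
        # Exit statuses wrap modulo 256: the previous `exit 846336`
        # (= 3306*256) was reported to the caller as status 0, i.e. success.
        exit 72
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
        echo $'GPG ID not retrieved for admin user'
        exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
        echo $'GPG ID not retrieved for admin user due to error'
        exit 74825
    fi
    # Fill the template placeholders ('|' is the sed delimiter; GPG_ID is
    # hex and the address is admin-chosen, so neither should contain it)
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html"
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html"
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html"
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html"

    # sks configuration. Each setting is handled twice so that both the
    # commented-out default and a previously set value are replaced.
    sksconf_file=/etc/sks/sksconf
    sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
    sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
    # HKP only on loopback port 11373; all client traffic goes through nginx
    sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file
    sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file
    # recon is exposed on all interfaces (firewall + membership gate it)
    sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file
    sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file
    sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
    sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
    sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
    sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
    sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
    sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
    sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file

    # mailsync stays enabled (the key is kept commented out)
    if ! grep -q "#disable_mailsync" $sksconf_file; then
        echo '#disable_mailsync:' >> $sksconf_file
    else
        sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file
    fi
    if ! grep -q "membership_reload_interval:" $sksconf_file; then
        echo 'membership_reload_interval: 1' >> $sksconf_file
    else
        sed -i 's|#membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
        sed -i 's|membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
    fi
    if ! grep -q "max_matches:" $sksconf_file; then
        echo 'max_matches: 50' >> $sksconf_file
    else
        sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file
        sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file
    fi
    if ! grep -q "stat_hour:" $sksconf_file; then
        echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file
    else
        sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
        sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
    fi
    if ! grep -q "disable_log_diffs:" $sksconf_file; then
        echo "disable_log_diffs:" >> $sksconf_file
    else
        sed -i "s|#disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
        sed -i "s|disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
    fi
    if ! grep -q "debuglevel:" $sksconf_file; then
        echo "debuglevel: 0" >> $sksconf_file
    else
        sed -i "s|#debuglevel:.*|debuglevel: 0|g" $sksconf_file
        sed -i "s|debuglevel:.*|debuglevel: 0|g" $sksconf_file
    fi
    chown debian-sks: $sksconf_file

    # Onion service for sks itself: recon on 11370, HKP (via the nginx
    # plain-HTTP listener on 11371) exposed as 11373, TLS on 11372.
    if ! grep -q "hidden_service_sks" "$ONION_SERVICES_FILE"; then
        { echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/';
          echo 'HiddenServiceVersion 3';
          echo "HiddenServicePort 11370 127.0.0.1:11370";
          echo "HiddenServicePort 11373 127.0.0.1:11371";
          echo "HiddenServicePort 11372 127.0.0.1:11372"; } >> "$ONION_SERVICES_FILE"
        echo $'Added onion site for sks'
    fi
    onion_update
    wait_for_onion_service 'sks'
    if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then
        echo $'sks onion site hostname not found'
        exit 8352982
    fi
    SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)

    KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 "${KEYSERVER_ONION_PORT}")
    keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
    if [[ $ONION_ONLY == "no" ]]; then
        # NOTE: without http active on port 80 the keyserver doesn't work
        # from the commandline
        { echo 'server {';
          echo '    listen 80;';
          echo '    listen 0.0.0.0:11371;';
          echo '    listen [::]:80;';
          echo "    server_name $KEYSERVER_DOMAIN_NAME;";
          echo '';
          echo '    # Logs';
          echo '    access_log /dev/null;';
          echo '    error_log /dev/null;';
          echo '';
          echo '    # Root';
          echo "    root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;";
          echo '';
          echo '    rewrite ^/stats /pks/lookup?op=stats;';
          echo "    rewrite ^/s/(.*) /pks/lookup?search=\$1;";
          echo "    rewrite ^/search/(.*) /pks/lookup?search=\$1;";
          echo "    rewrite ^/g/(.*) /pks/lookup?op=get&search=\$1;";
          echo "    rewrite ^/get/(.*) /pks/lookup?op=get&search=\$1;";
          echo "    rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=\$1;";
          echo "    rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=\$1;";
          echo '';
          echo '    location / {'; } > "$keyserver_nginx_site"
        function_check nginx_limits
        nginx_limits "$KEYSERVER_DOMAIN_NAME" '128k'
        { echo '    }';
          echo '';
          echo '    location /pks {';
          echo '        proxy_pass http://127.0.0.1:11373;';
          echo '        proxy_pass_header Server;';
          echo "        add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";";
          echo '        proxy_ignore_client_abort on;';
          echo '        client_max_body_size 8m;';
          echo '        client_body_buffer_size 128k;';
          echo '    }';
          echo '}';
          echo '';
          echo 'server {';
          echo '    listen 443 ssl;';
          echo '    listen 0.0.0.0:11372 ssl;';
          echo '    #listen [::]:443 ssl;';
          echo "    server_name $KEYSERVER_DOMAIN_NAME;";
          echo '';
          echo '    error_page 404 /404.html;';
          echo '';
          echo '    location ~ (.git|LICENSE|readme.md) {';
          echo '        deny all;';
          echo '        return 404;';
          echo '    }';
          echo '';
          echo '    # Security'; } >> "$keyserver_nginx_site"
        function_check nginx_ssl
        nginx_ssl "$KEYSERVER_DOMAIN_NAME"
        function_check nginx_security_options
        nginx_security_options "$KEYSERVER_DOMAIN_NAME"
        { echo '    add_header Strict-Transport-Security max-age=15768000;';
          echo '';
          echo '    # Logs';
          echo '    access_log /dev/null;';
          echo '    error_log /dev/null;';
          echo '';
          echo '    # Root';
          echo "    root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;";
          echo '';
          echo '    rewrite ^/stats /pks/lookup?op=stats;';
          echo "    rewrite ^/s/(.*) /pks/lookup?search=\$1;";
          echo "    rewrite ^/search/(.*) /pks/lookup?search=\$1;";
          echo "    rewrite ^/g/(.*) /pks/lookup?op=get&search=\$1;";
          echo "    rewrite ^/get/(.*) /pks/lookup?op=get&search=\$1;";
          echo "    rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=\$1;";
          echo "    rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=\$1;";
          echo '';
          echo '    location / {'; } >> "$keyserver_nginx_site"
        function_check nginx_limits
        nginx_limits "$KEYSERVER_DOMAIN_NAME" '128k'
        { echo '    }';
          echo '';
          echo '    location /pks {';
          echo "        proxy_pass http://127.0.0.1:11373;";
          echo '        proxy_pass_header Server;';
          echo "        add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";";
          echo '        proxy_ignore_client_abort on;';
          echo '        client_max_body_size 8m;';
          echo '        client_body_buffer_size 128k;';
          echo '    }';
          echo '}';
          echo ''; } >> "$keyserver_nginx_site"
    else
        echo -n '' > "$keyserver_nginx_site"
    fi

    # Onion site server block (loopback only; tor forwards to it)
    { echo 'server {';
      echo "    listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;";
      echo "    server_name $KEYSERVER_ONION_HOSTNAME;";
      echo '';
      echo '    error_page 404 /404.html;';
      echo '';
      echo '    location ~ (.git|LICENSE|readme.md) {';
      echo '        deny all;';
      echo '        return 404;';
      echo '    }';
      echo ''; } >> "$keyserver_nginx_site"
    function_check nginx_security_options
    nginx_security_options "$KEYSERVER_DOMAIN_NAME"
    # The document root must be the same htdocs checkout as the clearnet
    # blocks above; the previous value "/var/www/<domain>/mail" is never
    # created by this installer, so index.html and the 404 page were
    # unreachable over the onion address.
    { echo '';
      echo '    # Logs';
      echo '    access_log /dev/null;';
      echo '    error_log /dev/null;';
      echo '';
      echo '    # Root';
      echo "    root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;";
      echo '';
      echo '    rewrite ^/stats /pks/lookup?op=stats;';
      echo "    rewrite ^/s/(.*) /pks/lookup?search=\$1;";
      echo "    rewrite ^/search/(.*) /pks/lookup?search=\$1;";
      echo "    rewrite ^/g/(.*) /pks/lookup?op=get&search=\$1;";
      echo "    rewrite ^/get/(.*) /pks/lookup?op=get&search=\$1;";
      echo "    rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=\$1;";
      echo "    rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=\$1;";
      echo '';
      echo '    location / {'; } >> "$keyserver_nginx_site"
    function_check nginx_limits
    nginx_limits "$KEYSERVER_DOMAIN_NAME" '128k'
    { echo '    }';
      echo '';
      echo '    location /pks {';
      echo "        proxy_pass http://127.0.0.1:11373;";
      echo '        proxy_pass_header Server;';
      echo "        add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";";
      echo '        proxy_ignore_client_abort on;';
      echo '        client_max_body_size 8m;';
      echo '        client_body_buffer_size 128k;';
      echo '    }';
      echo '}'; } >> "$keyserver_nginx_site"

    # TLS certificate for the clearnet site (.crt is renamed to .pem and the
    # nginx config updated to match)
    function_check create_site_certificate
    if [ ! -f "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem" ]; then
        create_site_certificate "$KEYSERVER_DOMAIN_NAME" 'yes'
    fi
    if [ -f "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt" ]; then
        mv "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt" "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem"
    fi
    if [ -f "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem" ]; then
        chown root:root "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem"
        sed -i "s|.crt|.pem|g" "/etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}"
    fi
    if [ -f "/etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key" ]; then
        chown root:root "/etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key"
    fi
    chown -R www-data:www-data "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs"
    function_check nginx_ensite
    nginx_ensite "$KEYSERVER_DOMAIN_NAME"
    configure_firewall_for_keyserver

    # remove membership file - don't try to sync with other keyservers
    # until the admin explicitly adds a peer from the control panel
    if [ -f /etc/sks/membership ]; then
        rm /etc/sks/membership
    fi
    # Incoming key submissions by mail are piped into sks_add_mail
    if ! grep -q "pgp-public-keys" /etc/aliases; then
        echo 'pgp-public-keys: "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases
    fi
    chown -Rc debian-sks: /etc/sks/mailsync

    systemctl enable sks
    systemctl restart sks
    systemctl restart nginx
    set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
    set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"
    set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"
    keyserver_watchdog
    APP_INSTALLED=1
}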
# NOTE: deliberately no exit 0