freedomboneeee/src/freedombone-app-keyserver

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# SKS Keyserver
#
# License
# =======
#
# Copyright (C) 2017 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

VARIANTS='full full-vim'

IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1

KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"
KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'
KEYSERVER_PORT=11371
KEYSERVER_ONION_PORT=8122
KEYSERVER_DOMAIN_NAME=
KEYSERVER_CODE=

keyserver_variables=(ONION_ONLY
                     MY_USERNAME
                     DEFAULT_DOMAIN_NAME
                     KEYSERVER_DOMAIN_NAME
                     KEYSERVER_CODE)

function configure_firewall_for_keyserver {
    if [[ $ONION_ONLY != "no" ]]; then
        return
    fi
    firewall_add keyserver 11370 tcp
    firewall_add keyserver 11371 tcp
    firewall_add keyserver 11372 tcp
    mark_completed $FUNCNAME
}

function logging_on_keyserver {
    echo -n ''
}

function logging_off_keyserver {
    echo -n ''
}

function reconfigure_keyserver {
    echo -n ''
}

function upgrade_keyserver {
    CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
    if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
        return
    fi

    if grep -q "keyserver domain" $COMPLETION_FILE; then
        KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")
    fi

    # update to the next commit
    function_check set_repo_commit
    set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO

    read_config_param MY_USERNAME
    USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
    GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
    if [ ! $GPG_ID ]; then
        echo $'No GPG ID for admin user'
        exit 846336
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
        echo $'GPG ID not retrieved for admin user'
        exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
        echo $'GPG ID not retrieved for admin user due to error'
        exit 74825
    fi
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

    chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
}

function backup_local_keyserver {
    echo -n ''
}

function restore_local_keyserver {
    echo -n ''
}

function backup_remote_keyserver {
    echo -n ''
}

function restore_remote_keyserver {
    echo -n ''
}

function remove_keyserver {
    systemctl stop sks
    apt-get -qy remove sks

    read_config_param "KEYSERVER_DOMAIN_NAME"
    nginx_dissite $KEYSERVER_DOMAIN_NAME
    remove_certs ${KEYSERVER_DOMAIN_NAME}
    if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then
        rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
    fi
    if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
        rm -rf /var/www/$KEYSERVER_DOMAIN_NAME
    fi
    function_check remove_ddns_domain
    remove_ddns_domain $KEYSERVER_DOMAIN_NAME

    remove_config_param KEYSERVER_DOMAIN_NAME
    remove_config_param KEYSERVER_CODE
    function_check remove_onion_service
    remove_onion_service keyserver ${KEYSERVER_ONION_PORT}
    remove_completion_param "install_keyserver"

    firewall_remove 11370 tcp
    firewall_remove 11371 tcp
    firewall_remove 11372 tcp

    sed -i '/keyserver/d' $COMPLETION_FILE
    if [ -d /var/lib/sks ]; then
        rm -rf /var/lib/sks
    fi
}

function install_interactive_keyserver {
    if [ ! $ONION_ONLY ]; then
        ONION_ONLY='no'
    fi

    if [[ $ONION_ONLY != "no" ]]; then
        KEYSERVER_DOMAIN_NAME='keyserver.local'
        write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"
    else
        function_check interactive_site_details
        interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"
    fi
    APP_INSTALLED=1
}

function keyserver_import_keys {
    dialog --title $"Import public keys database" \
           --backtitle $"Freedombone Control Panel" \
           --defaultno \
           --yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60
    sel=$?
    case $sel in
        1) return;;
        255) return;;
    esac
    if [ ! -d /var/lib/sks/dump ]; then
        mkdir -p /var/lib/sks/dump
    fi
    cd /var/lib/sks/dump
    echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'
    rm -rf /var/lib/sks/dump/*
    KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"
    wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \
         -A pgp,txt $KEYSERVER_DUMP_URL

    cd /var/lib/sks
    echo $'Building the keyserver database from the downloaded dump'
    sks build
}

function configure_interactive_keyserver {
    while true
    do
        data=$(tempfile 2>/dev/null)
        trap "rm -f $data" 0 1 2 5 15
        dialog --backtitle $"Freedombone Control Panel" \
               --title $"SKS Keyserver" \
               --radiolist $"Choose an operation:" 10 70 2 \
               1 $"Import public keys database" off \
               2 $"Exit" on 2> $data
        sel=$?
        case $sel in
            1) return;;
            255) return;;
        esac
        case $(cat $data) in
            1) keyserver_import_keys;;
            2) break;;
        esac
    done
}

function install_keyserver {
    apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
    sks build
    chown -Rc debian-sks: /var/lib/sks/DB
    sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
    systemctl restart sks

    if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
        mkdir /var/www/$KEYSERVER_DOMAIN_NAME
    fi

    cd /var/www/$KEYSERVER_DOMAIN_NAME
    if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
        rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
    fi

    if [ -d /repos/keyserverweb ]; then
        mkdir htdocs
        cp -r -p /repos/keyserverweb/. htdocs
        cd htdocs
        git pull
    else
        git_clone $KEYSERVER_WEB_REPO htdocs
    fi
    if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
        echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"
        exit 6539230
    fi

    cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
    git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT
    set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"


    USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
    GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
    if [ ! $GPG_ID ]; then
        echo $'No GPG ID for admin user'
        exit 846336
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
        echo $'GPG ID not retrieved for admin user'
        exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
        echo $'GPG ID not retrieved for admin user due to error'
        exit 74825
    fi
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

    sksconf_file=/var/lib/sks/sksconf
    echo 'debuglevel: 3' > $sksconf_file
    echo '' >> $sksconf_file
    echo "hostname:                       $KEYSERVER_DOMAIN_NAME" >> $sksconf_file
    echo '' >> $sksconf_file
    echo 'hkp_address:                    127.0.0.1' >> $sksconf_file
    echo "hkp_port:                       $KEYSERVER_PORT" >> $sksconf_file
    echo 'recon_port:                     11370' >> $sksconf_file
    echo '' >> $sksconf_file
    echo "server_contact:                 $GPG_ID" >> $sksconf_file
    echo '' >> $sksconf_file
    echo 'initial_stat:' >> $sksconf_file
    echo 'disable_mailsync:' >> $sksconf_file
    echo 'membership_reload_interval:     1' >> $sksconf_file
    echo 'stat_hour:                      12' >> $sksconf_file
    echo '' >> $sksconf_file
    echo 'max_matches:                    500' >> $sksconf_file
    chown debian-sks: $sksconf_file

    KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})

    keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
    if [[ $ONION_ONLY == "no" ]]; then
        function_check nginx_http_redirect
        nginx_http_redirect $KEYSERVER_DOMAIN_NAME
        echo 'server {' >> $keyserver_nginx_site
        echo '  listen 443 ssl;' >> $keyserver_nginx_site
        echo '  listen [::]:443 ssl;' >> $keyserver_nginx_site
        echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Security' >> $keyserver_nginx_site
        function_check nginx_ssl
        nginx_ssl $KEYSERVER_DOMAIN_NAME

        function_check nginx_disable_sniffing
        nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME

        echo '  add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Logs' >> $keyserver_nginx_site
        echo '  access_log /dev/null;' >> $keyserver_nginx_site
        echo '  error_log /dev/null;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Root' >> $keyserver_nginx_site
        echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site

        echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
        echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  location /pks {' >> $keyserver_nginx_site
        echo "    proxy_pass         http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site
        echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
        echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site
        echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
        echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
        echo '  }' >> $keyserver_nginx_site
        echo '}' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
    else
        echo -n '' > $keyserver_nginx_site
    fi
    echo 'server {' >> $keyserver_nginx_site
    echo "    listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site
    echo "    server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    function_check nginx_disable_sniffing
    nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
    echo '' >> $keyserver_nginx_site
    echo '  # Logs' >> $keyserver_nginx_site
    echo '  access_log /dev/null;' >> $keyserver_nginx_site
    echo '  error_log /dev/null;' >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  # Root' >> $keyserver_nginx_site
    echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
    echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  location /pks {' >> $keyserver_nginx_site
    echo "    proxy_pass         http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site
    echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
    echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site
    echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
    echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
    echo '  }' >> $keyserver_nginx_site
    echo '}' >> $keyserver_nginx_site

    function_check create_site_certificate
    if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
        create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'
    fi

    if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then
        mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
    fi
    if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
        chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
        sed -i "s|.crt|.pem|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}
    fi
    if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then
        chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key
    fi

    chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

    function_check nginx_ensite
    nginx_ensite $KEYSERVER_DOMAIN_NAME

    configure_firewall_for_keyserver

    systemctl restart nginx

    set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
    set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"

    APP_INSTALLED=1
}

# NOTE: deliberately no exit 0
sks keyserver app 2017-07-27 22:51:12 +02:00			`#!/bin/bash`
			`#`
			`# .---. . .`
			`# \| \| \|`
			`# \|--- .--. .-. .-. .-.\| .-. .--.--. \|.-. .-. .--. .-.`
			`# \| \| (.-' (.-' ( \| ( )\| \| \| \| )( )\| \| (.-'`
			`# ' ' --' --' -' - -' ' ' -' -' -' ' - --'`
			`#`
			`# Freedom in the Cloud`
			`#`
			`# SKS Keyserver`
			`#`
			`# License`
			`# =======`
			`#`
			`# Copyright (C) 2017 Bob Mottram <bob@freedombone.net>`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Affero General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`VARIANTS='full full-vim'`

			`IN_DEFAULT_INSTALL=0`
			`SHOW_ON_ABOUT=1`

			`KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"`
			`KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'`
			`KEYSERVER_PORT=11371`
			`KEYSERVER_ONION_PORT=8122`
			`KEYSERVER_DOMAIN_NAME=`
			`KEYSERVER_CODE=`

keyserver 2017-07-27 22:54:08 +02:00			`keyserver_variables=(ONION_ONLY`
			`MY_USERNAME`
			`DEFAULT_DOMAIN_NAME`
			`KEYSERVER_DOMAIN_NAME`
			`KEYSERVER_CODE)`
sks keyserver app 2017-07-27 22:51:12 +02:00
Firewall for keyserver 2017-07-28 23:46:36 +02:00			`function configure_firewall_for_keyserver {`
			`if [[ $ONION_ONLY != "no" ]]; then`
			`return`
			`fi`
			`firewall_add keyserver 11370 tcp`
			`firewall_add keyserver 11371 tcp`
			`firewall_add keyserver 11372 tcp`
			`mark_completed $FUNCNAME`
			`}`

sks keyserver app 2017-07-27 22:51:12 +02:00			`function logging_on_keyserver {`
			`echo -n ''`
			`}`

			`function logging_off_keyserver {`
			`echo -n ''`
			`}`

			`function reconfigure_keyserver {`
			`echo -n ''`
			`}`

Simplify keyserver install 2017-07-28 22:06:46 +02:00			`function upgrade_keyserver {`
sks keyserver app 2017-07-27 22:51:12 +02:00			`CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")`
			`if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then`
			`return`
			`fi`

			`if grep -q "keyserver domain" $COMPLETION_FILE; then`
			`KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")`
			`fi`

			`# update to the next commit`
			`function_check set_repo_commit`
			`set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO`

Change name on keyserver 2017-07-28 23:01:35 +02:00			`read_config_param MY_USERNAME`
			`USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME`
			`GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS \| sed -n '2p' \| sed 's/^[ \t]*//'" - $MY_USERNAME)`
			`if [ ! $GPG_ID ]; then`
			`echo $'No GPG ID for admin user'`
			`exit 846336`
			`fi`
			`if [ ${#GPG_ID} -lt 5 ]; then`
			`echo $'GPG ID not retrieved for admin user'`
			`exit 835292`
			`fi`
			`if [[ "$GPG_ID" == "error" ]]; then`
			`echo $'GPG ID not retrieved for admin user due to error'`
			`exit 74825`
			`fi`
			`sed -i "s\|###ENTERPUBLICKEYHERE###\|$GPG_ID\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html`
			`sed -i "s\|###ENTERPUBLICKEYHERE###\|$GPG_ID\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html`
			`sed -i "s\|###ENTERNAMEHERE###\|$USER_EMAIL_ADDRESS\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html`
			`sed -i "s\|###ENTERNAMEHERE###\|$USER_EMAIL_ADDRESS\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html`

sks keyserver app 2017-07-27 22:51:12 +02:00			`chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs`
			`}`

			`function backup_local_keyserver {`
			`echo -n ''`
			`}`

keyserver 2017-07-27 22:54:08 +02:00			`function restore_local_keyserver {`
sks keyserver app 2017-07-27 22:51:12 +02:00			`echo -n ''`
			`}`

			`function backup_remote_keyserver {`
			`echo -n ''`
			`}`

			`function restore_remote_keyserver {`
			`echo -n ''`
			`}`

			`function remove_keyserver {`
Simplify keyserver install 2017-07-28 22:06:46 +02:00			`systemctl stop sks`
			`apt-get -qy remove sks`
sks keyserver app 2017-07-27 22:51:12 +02:00
			`read_config_param "KEYSERVER_DOMAIN_NAME"`
			`nginx_dissite $KEYSERVER_DOMAIN_NAME`
			`remove_certs ${KEYSERVER_DOMAIN_NAME}`
			`if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then`
			`rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME`
			`fi`
			`if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then`
			`rm -rf /var/www/$KEYSERVER_DOMAIN_NAME`
			`fi`
			`function_check remove_ddns_domain`
			`remove_ddns_domain $KEYSERVER_DOMAIN_NAME`

			`remove_config_param KEYSERVER_DOMAIN_NAME`
			`remove_config_param KEYSERVER_CODE`
			`function_check remove_onion_service`
			`remove_onion_service keyserver ${KEYSERVER_ONION_PORT}`
			`remove_completion_param "install_keyserver"`

Firewall for keyserver 2017-07-28 23:46:36 +02:00			`firewall_remove 11370 tcp`
			`firewall_remove 11371 tcp`
			`firewall_remove 11372 tcp`

sks keyserver app 2017-07-27 22:51:12 +02:00			`sed -i '/keyserver/d' $COMPLETION_FILE`
Move database import to interactive 2017-07-28 20:57:21 +02:00			`if [ -d /var/lib/sks ]; then`
			`rm -rf /var/lib/sks`
			`fi`
sks keyserver app 2017-07-27 22:51:12 +02:00			`}`

			`function install_interactive_keyserver {`
			`if [ ! $ONION_ONLY ]; then`
			`ONION_ONLY='no'`
			`fi`

			`if [[ $ONION_ONLY != "no" ]]; then`
			`KEYSERVER_DOMAIN_NAME='keyserver.local'`
			`write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"`
			`else`
			`function_check interactive_site_details`
			`interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"`
			`fi`
			`APP_INSTALLED=1`
			`}`

Move database import to interactive 2017-07-28 20:57:21 +02:00			`function keyserver_import_keys {`
Add dialog asking to continue with download 2017-07-28 21:02:25 +02:00			`dialog --title $"Import public keys database" \`
			`--backtitle $"Freedombone Control Panel" \`
			`--defaultno \`
Download keyserver dump using date Because downloading the full data will likely take longer than a day 2017-07-28 22:39:29 +02:00			`--yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60`
Add dialog asking to continue with download 2017-07-28 21:02:25 +02:00			`sel=$?`
			`case $sel in`
			`1) return;;`
			`255) return;;`
			`esac`
Move database import to interactive 2017-07-28 20:57:21 +02:00			`if [ ! -d /var/lib/sks/dump ]; then`
			`mkdir -p /var/lib/sks/dump`
			`fi`
			`cd /var/lib/sks/dump`
Download keyserver dump using date Because downloading the full data will likely take longer than a day 2017-07-28 22:39:29 +02:00			`echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'`
typo 2017-07-28 23:03:12 +02:00			`rm -rf /var/lib/sks/dump/*`
Download keyserver dump using date Because downloading the full data will likely take longer than a day 2017-07-28 22:39:29 +02:00			`KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"`
Move database import to interactive 2017-07-28 20:57:21 +02:00			`wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \`
			`-A pgp,txt $KEYSERVER_DUMP_URL`

			`cd /var/lib/sks`
			`echo $'Building the keyserver database from the downloaded dump'`
Simplify keyserver install 2017-07-28 22:06:46 +02:00			`sks build`
Move database import to interactive 2017-07-28 20:57:21 +02:00			`}`

			`function configure_interactive_keyserver {`
			`while true`
			`do`
			`data=$(tempfile 2>/dev/null)`
			`trap "rm -f $data" 0 1 2 5 15`
			`dialog --backtitle $"Freedombone Control Panel" \`
			`--title $"SKS Keyserver" \`
			`--radiolist $"Choose an operation:" 10 70 2 \`
Add dialog asking to continue with download 2017-07-28 21:02:25 +02:00			`1 $"Import public keys database" off \`
Move database import to interactive 2017-07-28 20:57:21 +02:00			`2 $"Exit" on 2> $data`
			`sel=$?`
			`case $sel in`
			`1) return;;`
			`255) return;;`
			`esac`
			`case $(cat $data) in`
			`1) keyserver_import_keys;;`
			`2) break;;`
			`esac`
			`done`
			`}`

sks keyserver app 2017-07-27 22:51:12 +02:00			`function install_keyserver {`
Simplify keyserver install 2017-07-28 22:06:46 +02:00			`apt-get -qy install build-essential gcc ocaml libdb-dev wget sks`
			`sks build`
			`chown -Rc debian-sks: /var/lib/sks/DB`
			`sed -i 's\|initstart=.*\|initstart=yes\|g' /etc/default/sks`
			`systemctl restart sks`
sks keyserver app 2017-07-27 22:51:12 +02:00
			`if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then`
			`mkdir /var/www/$KEYSERVER_DOMAIN_NAME`
			`fi`

			`cd /var/www/$KEYSERVER_DOMAIN_NAME`
			`if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then`
			`rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs`
			`fi`

			`if [ -d /repos/keyserverweb ]; then`
			`mkdir htdocs`
			`cp -r -p /repos/keyserverweb/. htdocs`
			`cd htdocs`
			`git pull`
			`else`
			`git_clone $KEYSERVER_WEB_REPO htdocs`
			`fi`
Check directories 2017-07-28 21:16:20 +02:00			`if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then`
			`echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"`
			`exit 6539230`
			`fi`
sks keyserver app 2017-07-27 22:51:12 +02:00
			`cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs`
			`git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT`
			`set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"`


			`USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME`
			`GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS \| sed -n '2p' \| sed 's/^[ \t]*//'" - $MY_USERNAME)`
			`if [ ! $GPG_ID ]; then`
			`echo $'No GPG ID for admin user'`
			`exit 846336`
			`fi`
			`if [ ${#GPG_ID} -lt 5 ]; then`
			`echo $'GPG ID not retrieved for admin user'`
			`exit 835292`
			`fi`
			`if [[ "$GPG_ID" == "error" ]]; then`
			`echo $'GPG ID not retrieved for admin user due to error'`
			`exit 74825`
			`fi`
Change name on keyserver 2017-07-28 23:01:35 +02:00			`sed -i "s\|###ENTERPUBLICKEYHERE###\|$GPG_ID\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html`
			`sed -i "s\|###ENTERPUBLICKEYHERE###\|$GPG_ID\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html`
			`sed -i "s\|###ENTERNAMEHERE###\|$USER_EMAIL_ADDRESS\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html`
			`sed -i "s\|###ENTERNAMEHERE###\|$USER_EMAIL_ADDRESS\|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html`
sks keyserver app 2017-07-27 22:51:12 +02:00
			`sksconf_file=/var/lib/sks/sksconf`
			`echo 'debuglevel: 3' > $sksconf_file`
			`echo '' >> $sksconf_file`
			`echo "hostname: $KEYSERVER_DOMAIN_NAME" >> $sksconf_file`
			`echo '' >> $sksconf_file`
			`echo 'hkp_address: 127.0.0.1' >> $sksconf_file`
			`echo "hkp_port: $KEYSERVER_PORT" >> $sksconf_file`
			`echo 'recon_port: 11370' >> $sksconf_file`
			`echo '' >> $sksconf_file`
			`echo "server_contact: $GPG_ID" >> $sksconf_file`
			`echo '' >> $sksconf_file`
			`echo 'initial_stat:' >> $sksconf_file`
			`echo 'disable_mailsync:' >> $sksconf_file`
			`echo 'membership_reload_interval: 1' >> $sksconf_file`
			`echo 'stat_hour: 12' >> $sksconf_file`
			`echo '' >> $sksconf_file`
			`echo 'max_matches: 500' >> $sksconf_file`
Simplify keyserver install 2017-07-28 22:06:46 +02:00			`chown debian-sks: $sksconf_file`
sks keyserver app 2017-07-27 22:51:12 +02:00
			`KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})`

			`keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME`
			`if [[ $ONION_ONLY == "no" ]]; then`
			`function_check nginx_http_redirect`
			`nginx_http_redirect $KEYSERVER_DOMAIN_NAME`
			`echo 'server {' >> $keyserver_nginx_site`
			`echo ' listen 443 ssl;' >> $keyserver_nginx_site`
			`echo ' listen [::]:443 ssl;' >> $keyserver_nginx_site`
			`echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`echo ' # Security' >> $keyserver_nginx_site`
			`function_check nginx_ssl`
			`nginx_ssl $KEYSERVER_DOMAIN_NAME`

			`function_check nginx_disable_sniffing`
			`nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME`

			`echo ' add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`echo ' # Logs' >> $keyserver_nginx_site`
			`echo ' access_log /dev/null;' >> $keyserver_nginx_site`
			`echo ' error_log /dev/null;' >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`echo ' # Root' >> $keyserver_nginx_site`
			`echo " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`

			`echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`echo ' location /pks {' >> $keyserver_nginx_site`
			`echo " proxy_pass http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site`
			`echo ' proxy_pass_header Server;' >> $keyserver_nginx_site`
			`echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site`
			`echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site`
			`echo ' client_max_body_size 8m;' >> $keyserver_nginx_site`
			`echo ' }' >> $keyserver_nginx_site`
			`echo '}' >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`else`
			`echo -n '' > $keyserver_nginx_site`
			`fi`
			`echo 'server {' >> $keyserver_nginx_site`
			`echo " listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site`
			`echo " server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`function_check nginx_disable_sniffing`
			`nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME`
			`echo '' >> $keyserver_nginx_site`
			`echo ' # Logs' >> $keyserver_nginx_site`
			`echo ' access_log /dev/null;' >> $keyserver_nginx_site`
			`echo ' error_log /dev/null;' >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`echo ' # Root' >> $keyserver_nginx_site`
			`echo " root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site`
			`echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site`
			`echo '' >> $keyserver_nginx_site`
			`echo ' location /pks {' >> $keyserver_nginx_site`
			`echo " proxy_pass http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site`
			`echo ' proxy_pass_header Server;' >> $keyserver_nginx_site`
			`echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site`
			`echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site`
			`echo ' client_max_body_size 8m;' >> $keyserver_nginx_site`
			`echo ' }' >> $keyserver_nginx_site`
			`echo '}' >> $keyserver_nginx_site`

			`function_check create_site_certificate`
			`if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then`
			`create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'`
			`fi`

			`if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then`
			`mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem`
			`fi`
			`if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then`
			`chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem`
			`sed -i "s\|.crt\|.pem\|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}`
			`fi`
			`if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then`
			`chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key`
			`fi`

			`chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs`

			`function_check nginx_ensite`
			`nginx_ensite $KEYSERVER_DOMAIN_NAME`

Firewall for keyserver 2017-07-28 23:46:36 +02:00			`configure_firewall_for_keyserver`

sks keyserver app 2017-07-27 22:51:12 +02:00			`systemctl restart nginx`

			`set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"`
Simplify keyserver install 2017-07-28 22:06:46 +02:00			`set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"`
sks keyserver app 2017-07-27 22:51:12 +02:00
			`APP_INSTALLED=1`
			`}`

			`# NOTE: deliberately no exit 0`