freedomboneeee/src/freedombone-app-keyserver

722 lines
28 KiB
Plaintext
Raw Normal View History

2017-07-27 22:51:12 +02:00
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# SKS Keyserver
#
# License
# =======
#
# Copyright (C) 2017 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
VARIANTS='full full-vim'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1
KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"
KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'
KEYSERVER_PORT=11371
KEYSERVER_ONION_PORT=8122
KEYSERVER_DOMAIN_NAME=
KEYSERVER_CODE=
2017-07-27 22:54:08 +02:00
keyserver_variables=(ONION_ONLY
MY_USERNAME
DEFAULT_DOMAIN_NAME
KEYSERVER_DOMAIN_NAME
KEYSERVER_CODE)
2017-07-27 22:51:12 +02:00
function check_keyserver_directory_size {
dirsize=$(du /var/lib/sks/DB | awk -F ' ' '{print $1}')
# 500M
if [ $dirsize -gt 500000 ]; then
echo "1"
return
fi
echo "0"
}
2017-07-28 23:46:36 +02:00
function configure_firewall_for_keyserver {
if [[ $ONION_ONLY != "no" ]]; then
return
fi
firewall_add keyserver 11370 tcp
firewall_add keyserver 11371 tcp
firewall_add keyserver 11372 tcp
mark_completed $FUNCNAME
}
2017-07-29 16:37:42 +02:00
function keyserver_reset_database {
if [ -d /var/lib/sks/DB ]; then
rm -rf /var/lib/sks/DB
fi
sks build
chown -Rc debian-sks: /var/lib/sks
systemctl restart sks
}
2017-07-27 22:51:12 +02:00
function logging_on_keyserver {
echo -n ''
}
function logging_off_keyserver {
echo -n ''
}
function reconfigure_keyserver {
echo -n ''
}
2017-07-28 22:06:46 +02:00
function upgrade_keyserver {
2017-07-27 22:51:12 +02:00
CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
return
fi
if grep -q "keyserver domain" $COMPLETION_FILE; then
KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")
fi
# update to the next commit
function_check set_repo_commit
set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO
2017-07-28 23:01:35 +02:00
read_config_param MY_USERNAME
USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
if [ ! $GPG_ID ]; then
echo $'No GPG ID for admin user'
exit 846336
fi
if [ ${#GPG_ID} -lt 5 ]; then
echo $'GPG ID not retrieved for admin user'
exit 835292
fi
if [[ "$GPG_ID" == *"error"* ]]; then
echo $'GPG ID not retrieved for admin user due to error'
exit 74825
fi
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
2017-07-27 22:51:12 +02:00
chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
}
function backup_local_keyserver {
2017-07-30 13:19:52 +02:00
source_directory=/etc/sks
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserverconfig
function_check backup_directory_to_usb
backup_directory_to_usb $source_directory $dest_directory
systemctl start sks
fi
if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
echo $'WARNING: Keyserver database size is too large to backup'
return
fi
2017-07-30 11:34:44 +02:00
source_directory=/var/lib/sks/DB
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserver
function_check backup_directory_to_usb
backup_directory_to_usb $source_directory $dest_directory
systemctl start sks
fi
2017-07-27 22:51:12 +02:00
}
2017-07-27 22:54:08 +02:00
function restore_local_keyserver {
2017-07-30 11:34:44 +02:00
if [ ! -d /var/lib/sks/DB ]; then
return
fi
echo $"Restoring SKS Keyserver"
systemctl stop sks
2017-07-30 13:19:52 +02:00
temp_restore_dir=/root/tempkeyserverconfig
function_check restore_directory_from_usb
restore_directory_from_usb $temp_restore_dir keyserverconfig
cp -r $temp_restore_dir/etc/sks/* /etc/sks/
rm -rf $temp_restore_dir
chown -Rc debian-sks: /etc/sks/sksconf
chown -Rc debian-sks: /etc/sks/mailsync
2017-07-30 13:19:52 +02:00
2017-07-30 11:34:44 +02:00
temp_restore_dir=/root/tempkeyserver
function_check restore_directory_from_usb
restore_directory_from_usb $temp_restore_dir keyserver
mv /var/lib/sks/DB /var/lib/sks/DB_prev
cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
if [ ! "$?" = "0" ]; then
# restore the old database
rm -rf /var/lib/sks/DB
mv /var/lib/sks/DB_prev /var/lib/sks/DB
rm -rf $temp_restore_dir
function_check set_user_permissions
set_user_permissions
function_check backup_unmount_drive
backup_unmount_drive
exit 5627294
fi
rm -rf $temp_restore_dir
chown -Rc debian-sks: /var/lib/sks
# remove the old database
rm -rf /var/lib/sks/DB_prev
systemctl start sks
2017-07-27 22:51:12 +02:00
}
function backup_remote_keyserver {
2017-07-30 13:19:52 +02:00
source_directory=/etc/sks
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserverconfig
function_check backup_directory_to_friend
backup_directory_to_friend $source_directory $dest_directory
systemctl start sks
fi
if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
echo $'WARNING: Keyserver database size is too large to backup'
return
fi
2017-07-30 11:34:44 +02:00
source_directory=/var/lib/sks/DB
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserver
function_check backup_directory_to_friend
backup_directory_to_friend $source_directory $dest_directory
systemctl start sks
fi
2017-07-27 22:51:12 +02:00
}
function restore_remote_keyserver {
2017-07-30 11:34:44 +02:00
if [ ! -d /var/lib/sks/DB ]; then
return
fi
echo $"Restoring SKS Keyserver"
systemctl stop sks
2017-07-30 13:19:52 +02:00
temp_restore_dir=/root/tempkeyserverconfig
function_check restore_directory_from_friend
restore_directory_from_friend $temp_restore_dir keyserverconfig
cp -r $temp_restore_dir/etc/sks/* /etc/sks/
rm -rf $temp_restore_dir
chown -Rc debian-sks: /etc/sks/sksconf
chown -Rc debian-sks: /etc/sks/mailsync
2017-07-30 13:19:52 +02:00
2017-07-30 11:34:44 +02:00
temp_restore_dir=/root/tempkeyserver
function_check restore_directory_from_friend
restore_directory_from_friend $temp_restore_dir keyserver
mv /var/lib/sks/DB /var/lib/sks/DB_prev
cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
if [ ! "$?" = "0" ]; then
# restore the old database
rm -rf /var/lib/sks/DB
mv /var/lib/sks/DB_prev /var/lib/sks/DB
rm -rf $temp_restore_dir
function_check set_user_permissions
set_user_permissions
return
fi
rm -rf $temp_restore_dir
chown -Rc debian-sks: /var/lib/sks
# remove the old database
rm -rf /var/lib/sks/DB_prev
systemctl start sks
2017-07-27 22:51:12 +02:00
}
function remove_keyserver {
2017-07-28 22:06:46 +02:00
systemctl stop sks
2017-07-29 16:19:29 +02:00
apt-get -qy remove sks dirmngr
2017-07-27 22:51:12 +02:00
read_config_param "KEYSERVER_DOMAIN_NAME"
nginx_dissite $KEYSERVER_DOMAIN_NAME
remove_certs ${KEYSERVER_DOMAIN_NAME}
if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then
rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
fi
if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
rm -rf /var/www/$KEYSERVER_DOMAIN_NAME
fi
function_check remove_ddns_domain
remove_ddns_domain $KEYSERVER_DOMAIN_NAME
remove_config_param KEYSERVER_DOMAIN_NAME
remove_config_param KEYSERVER_CODE
function_check remove_onion_service
remove_onion_service keyserver ${KEYSERVER_ONION_PORT}
2017-07-28 23:52:38 +02:00
remove_onion_service sks 11370 11371 11372
2017-07-27 22:51:12 +02:00
remove_completion_param "install_keyserver"
2017-07-28 23:46:36 +02:00
firewall_remove 11370 tcp
firewall_remove 11371 tcp
firewall_remove 11372 tcp
2017-07-27 22:51:12 +02:00
sed -i '/keyserver/d' $COMPLETION_FILE
2017-07-28 23:57:40 +02:00
sed -i '/sks onion/d' $COMPLETION_FILE
2017-07-28 20:57:21 +02:00
if [ -d /var/lib/sks ]; then
rm -rf /var/lib/sks
fi
2017-07-27 22:51:12 +02:00
}
function install_interactive_keyserver {
if [ ! $ONION_ONLY ]; then
ONION_ONLY='no'
fi
if [[ $ONION_ONLY != "no" ]]; then
KEYSERVER_DOMAIN_NAME='keyserver.local'
write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"
else
function_check interactive_site_details
interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"
fi
APP_INSTALLED=1
}
function keyserver_create_mailsync {
echo $"# List of email addresses which submitted keys will be forwarded to" > /etc/sks/mailsync
echo '' >> /etc/sks/mailsync
chown -Rc debian-sks: /etc/sks/mailsync
}
function keyserver_create_membership {
if [ -f /etc/sks/membership ]; then
return
fi
systemctl stop sks
echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with." > /etc/sks/membership
echo '#' >> /etc/sks/membership
echo $"# Don't add major keyservers here, because it will take an" >> /etc/sks/membership
echo $'# Infeasible amount of time to sync and backups will become' >> /etc/sks/membership
echo $'# absurdly long and probably break your system. You have been warned.' >> /etc/sks/membership
echo '' >> /etc/sks/membership
chown -Rc debian-sks: /etc/sks/membership
systemctl start sks
}
2017-07-28 20:57:21 +02:00
function keyserver_import_keys {
# NOTE: this function isn't used, but kept for reference
dialog --title $"Import public keys database" \
--backtitle $"Freedombone Control Panel" \
--defaultno \
--yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60
sel=$?
case $sel in
1) return;;
255) return;;
esac
2017-07-28 20:57:21 +02:00
if [ ! -d /var/lib/sks/dump ]; then
mkdir -p /var/lib/sks/dump
fi
cd /var/lib/sks/dump
echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'
2017-07-28 23:03:12 +02:00
rm -rf /var/lib/sks/dump/*
KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"
2017-07-28 20:57:21 +02:00
wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \
-A pgp,txt $KEYSERVER_DUMP_URL
cd /var/lib/sks
echo $'Building the keyserver database from the downloaded dump'
2017-07-29 16:37:42 +02:00
keyserver_reset_database
2017-07-28 20:57:21 +02:00
}
2017-07-29 16:19:29 +02:00
function keyserver_sync {
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Control Panel" \
--title $"Sync with other keyserver" \
--form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \
$"Domain:" 1 1 "" 1 25 32 64 \
$"Port:" 2 1 "11370" 2 25 6 6 \
$"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \
2017-07-29 16:19:29 +02:00
2> $data
sel=$?
case $sel in
1) return;;
255) return;;
esac
other_keyserver_domain=$(cat $data | sed -n 1p)
other_keyserver_port=$(cat $data | sed -n 2p)
other_keyserver_email=$(cat $data | sed -n 3p)
2017-07-29 16:19:29 +02:00
if [[ "$other_keyserver_domain" != *'.'* ]]; then
return
fi
if [[ "$other_keyserver_domain" == *' '* ]]; then
return
fi
if [[ "$other_keyserver_port" == *'.'* ]]; then
return
fi
if [[ "$other_keyserver_port" == *' '* ]]; then
return
fi
if [ ${#other_keyserver_domain} -lt 4 ]; then
return
fi
if [ ${#other_keyserver_port} -lt 4 ]; then
return
fi
if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then
if [[ "$other_keyserver_email" == *"@"* ]]; then
keyserver_create_mailsync
if ! grep -q "$other_keyserver_email" /etc/sks/mailsync; then
echo "$other_keyserver_email" >> /etc/sks/mailsync
chown -Rc debian-sks: /etc/sks/mailsync
fi
fi
fi
keyserver_create_membership
2017-07-29 16:19:29 +02:00
if grep -q "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then
return
fi
if grep -q "$other_keyserver_domain " /etc/sks/membership; then
sed -i "s|$other_keyserver_domain .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership
else
echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership
fi
chown -Rc debian-sks: /etc/sks/membership
systemctl restart sks
dialog --title $"Sync with other keyserver" \
--msgbox $"Keyserver added" 6 40
}
2017-07-29 16:37:42 +02:00
function keyserver_edit {
if [ ! -f /etc/sks/membership ]; then
return
fi
2017-07-29 16:37:42 +02:00
editor /etc/sks/membership
chown -Rc debian-sks: /etc/sks/membership
systemctl restart sks
}
2017-07-28 20:57:21 +02:00
function configure_interactive_keyserver {
while true
do
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Control Panel" \
--title $"SKS Keyserver" \
--radiolist $"Choose an operation:" 11 70 3 \
2017-07-29 16:19:29 +02:00
1 $"Sync with other keyserver" off \
2017-07-29 16:37:42 +02:00
2 $"Edit sync keyservers" off \
3 $"Exit" on 2> $data
2017-07-28 20:57:21 +02:00
sel=$?
case $sel in
1) return;;
255) return;;
esac
case $(cat $data) in
2017-07-29 16:19:29 +02:00
1) keyserver_sync;;
2017-07-29 16:37:42 +02:00
2) keyserver_edit;;
3) break;;
2017-07-28 20:57:21 +02:00
esac
done
}
2017-07-27 22:51:12 +02:00
function install_keyserver {
2017-07-28 22:06:46 +02:00
apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
2017-07-29 16:19:29 +02:00
keyserver_reset_database
2017-07-28 22:06:46 +02:00
sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
2017-07-29 16:19:29 +02:00
apt-get -qy install dirmngr
2017-07-28 22:06:46 +02:00
systemctl restart sks
2017-07-27 22:51:12 +02:00
if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
mkdir /var/www/$KEYSERVER_DOMAIN_NAME
fi
cd /var/www/$KEYSERVER_DOMAIN_NAME
if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
fi
if [ -d /repos/keyserverweb ]; then
mkdir htdocs
cp -r -p /repos/keyserverweb/. htdocs
cd htdocs
git pull
else
git_clone $KEYSERVER_WEB_REPO htdocs
fi
2017-07-28 21:16:20 +02:00
if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"
exit 6539230
fi
2017-07-27 22:51:12 +02:00
cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT
set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"
USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
if [ ! $GPG_ID ]; then
echo $'No GPG ID for admin user'
exit 846336
fi
if [ ${#GPG_ID} -lt 5 ]; then
echo $'GPG ID not retrieved for admin user'
exit 835292
fi
if [[ "$GPG_ID" == *"error"* ]]; then
echo $'GPG ID not retrieved for admin user due to error'
exit 74825
fi
2017-07-28 23:01:35 +02:00
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
2017-07-27 22:51:12 +02:00
2017-07-29 16:19:29 +02:00
sksconf_file=/etc/sks/sksconf
sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file
sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file
sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file
sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file
sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
2017-07-29 22:28:24 +02:00
sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
2017-07-30 13:02:27 +02:00
sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file
2017-07-29 22:28:24 +02:00
2017-07-30 13:02:27 +02:00
if ! grep -q "#disable_mailsync" $sksconf_file; then
echo '#disable_mailsync:' >> $sksconf_file
2017-07-29 22:28:24 +02:00
else
2017-07-30 13:02:27 +02:00
sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file
2017-07-29 22:28:24 +02:00
fi
if ! grep -q "membership_reload_interval:" $sksconf_file; then
echo 'membership_reload_interval: 1' >> $sksconf_file
else
sed -i 's|#membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
sed -i 's|membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
fi
2017-07-30 13:02:27 +02:00
if ! grep -q "max_matches:" $sksconf_file; then
echo 'max_matches: 50' >> $sksconf_file
else
sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file
sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file
fi
if ! grep -q "stat_hour:" $sksconf_file; then
echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file
else
sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
fi
2017-07-28 22:06:46 +02:00
chown debian-sks: $sksconf_file
2017-07-27 22:51:12 +02:00
2017-07-28 23:52:38 +02:00
if ! grep -q "hidden_service_sks" /etc/tor/torrc; then
echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/' >> /etc/tor/torrc
echo "HiddenServicePort 11370 127.0.0.1:11370" >> /etc/tor/torrc
2017-07-29 22:28:24 +02:00
echo "HiddenServicePort 11373 127.0.0.1:11371" >> /etc/tor/torrc
2017-07-28 23:52:38 +02:00
echo "HiddenServicePort 11372 127.0.0.1:11372" >> /etc/tor/torrc
echo $'Added onion site for sks'
fi
onion_update
wait_for_onion_service 'sks'
2017-07-28 23:57:40 +02:00
if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then
echo $'sks onion site hostname not found'
exit 8352982
2017-07-28 23:52:38 +02:00
fi
2017-07-28 23:57:40 +02:00
SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)
2017-07-28 23:52:38 +02:00
2017-07-27 22:51:12 +02:00
KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})
keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
# NOTE: without http active on port 80 the keyserver doesn't work
# from the commandline
echo 'server {' > $keyserver_nginx_site
echo ' listen 80;' >> $keyserver_nginx_site
echo ' listen 0.0.0.0:11371;' >> $keyserver_nginx_site
echo ' listen [::]:80;' >> $keyserver_nginx_site
echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Logs' >> $keyserver_nginx_site
echo ' access_log /dev/null;' >> $keyserver_nginx_site
echo ' error_log /dev/null;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Root' >> $keyserver_nginx_site
echo " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location /pks {' >> $keyserver_nginx_site
echo ' proxy_pass http://127.0.0.1:11373;' >> $keyserver_nginx_site
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";" >> $keyserver_nginx_site
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
echo '}' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo 'server {' >> $keyserver_nginx_site
echo ' listen 443 ssl;' >> $keyserver_nginx_site
2017-07-29 22:28:24 +02:00
echo ' listen 0.0.0.0:11372 ssl;' >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo ' listen [::]:443 ssl;' >> $keyserver_nginx_site
echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
2017-07-29 22:28:24 +02:00
echo ' error_page 404 /404.html;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
echo ' deny all;' >> $keyserver_nginx_site
echo ' return 404;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo ' # Security' >> $keyserver_nginx_site
function_check nginx_ssl
nginx_ssl $KEYSERVER_DOMAIN_NAME
function_check nginx_disable_sniffing
nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Logs' >> $keyserver_nginx_site
echo ' access_log /dev/null;' >> $keyserver_nginx_site
echo ' error_log /dev/null;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Root' >> $keyserver_nginx_site
echo " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location /pks {' >> $keyserver_nginx_site
2017-07-29 16:19:29 +02:00
echo " proxy_pass http://127.0.0.1:11373;" >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
2017-07-29 22:28:24 +02:00
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";" >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
echo '}' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
else
echo -n '' > $keyserver_nginx_site
fi
echo 'server {' >> $keyserver_nginx_site
2017-07-29 22:28:24 +02:00
echo " listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site
echo " server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' error_page 404 /404.html;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
echo ' deny all;' >> $keyserver_nginx_site
echo ' return 404;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo '' >> $keyserver_nginx_site
function_check nginx_disable_sniffing
nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
echo '' >> $keyserver_nginx_site
echo ' # Logs' >> $keyserver_nginx_site
echo ' access_log /dev/null;' >> $keyserver_nginx_site
echo ' error_log /dev/null;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Root' >> $keyserver_nginx_site
echo " root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location /pks {' >> $keyserver_nginx_site
2017-07-29 16:19:29 +02:00
echo " proxy_pass http://127.0.0.1:11373;" >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
2017-07-29 22:28:24 +02:00
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";" >> $keyserver_nginx_site
2017-07-27 22:51:12 +02:00
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
echo '}' >> $keyserver_nginx_site
function_check create_site_certificate
if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'
fi
if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then
mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
fi
if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
sed -i "s|.crt|.pem|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}
fi
if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then
chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key
fi
chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
function_check nginx_ensite
nginx_ensite $KEYSERVER_DOMAIN_NAME
2017-07-28 23:46:36 +02:00
configure_firewall_for_keyserver
2017-07-29 16:19:29 +02:00
# remove membership file - don't try to sync with other keyservers
if [ -f /etc/sks/membership ]; then
rm /etc/sks/membership
fi
2017-07-30 13:02:27 +02:00
if ! grep -q "pgp-public-keys" /etc/aliases; then
echo 'pgp-public-keys: "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases
fi
chown -Rc debian-sks: /etc/sks/mailsync
2017-07-30 13:02:27 +02:00
2017-07-29 16:19:29 +02:00
systemctl enable sks
systemctl restart sks
2017-07-27 22:51:12 +02:00
systemctl restart nginx
set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
2017-07-28 22:06:46 +02:00
set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"
2017-07-28 23:57:40 +02:00
set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"
2017-07-27 22:51:12 +02:00
APP_INSTALLED=1
}
# NOTE: deliberately no exit 0