Reorganize matrix

This commit is contained in:
Bob Mottram 2017-01-01 20:40:08 +00:00
parent 24e906dab5
commit 2778298607
3 changed files with 276 additions and 116 deletions


@ -36,8 +36,12 @@ IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1 SHOW_ON_ABOUT=1
MATRIX_DATA_DIR='/var/lib/matrix' MATRIX_DATA_DIR='/var/lib/matrix'
MATRIX_HTTP_PORT=8558
MATRIX_ID_HTTP_PORT=8557
MATRIX_PORT=8448 MATRIX_PORT=8448
MATRIX_ID_PORT=8081 MATRIX_ID_PORT=8081
MATRIX_ONION_PORT=8109
MATRIX_ID_ONION_PORT=8111
MATRIX_REPO="https://github.com/matrix-org/synapse" MATRIX_REPO="https://github.com/matrix-org/synapse"
MATRIX_COMMIT='f5a4001bb116c468cc5e8e0ae04a1c570e2cb171' MATRIX_COMMIT='f5a4001bb116c468cc5e8e0ae04a1c570e2cb171'
SYDENT_REPO="https://github.com/matrix-org/sydent" SYDENT_REPO="https://github.com/matrix-org/sydent"
@ -51,124 +55,115 @@ matrix_variables=(ONION_ONLY
DEFAULT_DOMAIN_NAME) DEFAULT_DOMAIN_NAME)
function matrix_nginx { function matrix_nginx {
matrix_identityserver_proxy_str=' \ create_default_web_site
location /_matrixid { \
proxy_pass http://localhost:8081; \
proxy_set_header X-Forwarded-For $remote_addr; \
}'
matrix_proxy_str=' \
location /_matrix { \
proxy_pass https://localhost:8448; \
proxy_set_header X-Forwarded-For $remote_addr; \
}'
turn_proxy_str=' \
location /_turn { \
proxy_pass https://localhost:3478; \
proxy_set_header X-Forwarded-For $remote_addr; \
}'
if [[ $ONION_ONLY != 'no' ]]; then # append the matrix server to the web site config
matrix_proxy_str=' \ matrix_nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
location /_matrix { \ if [[ $ONION_ONLY == "no" ]]; then
proxy_pass http://localhost:8448; \ echo '# Matrix Server' >> $matrix_nginx_site
proxy_set_header X-Forwarded-For $remote_addr; \
}'
turn_proxy_str=' \
location /_turn { \
proxy_pass http://localhost:3478; \
proxy_set_header X-Forwarded-For $remote_addr; \
}'
fi
if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then
matrix_nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
function_check nginx_http_redirect
nginx_http_redirect $DEFAULT_DOMAIN_NAME
echo 'server {' >> $matrix_nginx_site
echo ' listen 443 ssl;' >> $matrix_nginx_site
echo ' listen [::]:443 ssl;' >> $matrix_nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Security' >> $matrix_nginx_site
function_check nginx_ssl
nginx_ssl $DEFAULT_DOMAIN_NAME
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Logs' >> $matrix_nginx_site
echo ' access_log /dev/null;' >> $matrix_nginx_site
echo ' error_log /dev/null;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Root' >> $matrix_nginx_site
echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Index' >> $matrix_nginx_site
echo ' index index.html;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Location' >> $matrix_nginx_site
echo ' location / {' >> $matrix_nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo ' }' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $matrix_nginx_site
echo ' location ~ /\.(ht|git) {' >> $matrix_nginx_site
echo ' deny all;' >> $matrix_nginx_site
echo ' }' >> $matrix_nginx_site
echo '}' >> $matrix_nginx_site
else
echo -n '' > $matrix_nginx_site
fi
echo 'server {' >> $matrix_nginx_site echo 'server {' >> $matrix_nginx_site
echo " listen 127.0.0.1:$MATRIX_PORT default_server;" >> $matrix_nginx_site echo " listen ${MATRIX_HTTP_PORT} ssl;" >> $matrix_nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site echo ' listen [::]:${MATRIX_HTTP_PORT} ssl;' >> $matrix_nginx_site
echo " server_name ${DEFAULT_DOMAIN_NAME};" >> $matrix_nginx_site
echo '' >> $matrix_nginx_site echo '' >> $matrix_nginx_site
echo ' # Security' >> $matrix_nginx_site
function_check nginx_ssl
nginx_ssl ${DEFAULT_DOMAIN_NAME}
function_check nginx_disable_sniffing function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME nginx_disable_sniffing ${DEFAULT_DOMAIN_NAME}
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site echo '' >> $matrix_nginx_site
echo ' # Logs' >> $matrix_nginx_site echo ' # Logs' >> $matrix_nginx_site
echo ' access_log /dev/null;' >> $matrix_nginx_site echo ' access_log /dev/null;' >> $matrix_nginx_site
echo ' error_log /dev/null;' >> $matrix_nginx_site echo ' error_log /dev/null;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site echo '' >> $matrix_nginx_site
echo ' # Root' >> $matrix_nginx_site echo ' # Index' >> $matrix_nginx_site
echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $matrix_nginx_site echo ' index index.html;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site echo '' >> $matrix_nginx_site
echo ' # Location' >> $matrix_nginx_site echo ' # Location' >> $matrix_nginx_site
echo ' location / {' >> $matrix_nginx_site echo ' location / {' >> $matrix_nginx_site
function_check nginx_limits function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m' nginx_limits ${DEFAULT_DOMAIN_NAME} '15m'
echo ' }' >> $matrix_nginx_site echo " proxy_pass http://localhost:${MATRIX_PORT};" >> $matrix_nginx_site
echo '' >> $matrix_nginx_site echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $matrix_nginx_site
echo ' location ~ /\.(ht|git) {' >> $matrix_nginx_site
echo ' deny all;' >> $matrix_nginx_site
echo ' }' >> $matrix_nginx_site echo ' }' >> $matrix_nginx_site
echo '}' >> $matrix_nginx_site echo '}' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo 'server {' >> $matrix_nginx_site
echo " listen ${MATRIX_ID_HTTP_PORT} ssl;" >> $matrix_nginx_site
echo ' listen [::]:${MATRIX_ID_HTTP_PORT} ssl;' >> $matrix_nginx_site
echo " server_name ${DEFAULT_DOMAIN_NAME};" >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Security' >> $matrix_nginx_site
function_check nginx_ssl
nginx_ssl ${DEFAULT_DOMAIN_NAME}
if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then function_check nginx_disable_sniffing
function_check create_site_certificate nginx_disable_sniffing ${DEFAULT_DOMAIN_NAME}
create_site_certificate $DEFAULT_DOMAIN_NAME 'yes'
fi
nginx_ensite $DEFAULT_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> $matrix_nginx_site
fi echo '' >> $matrix_nginx_site
echo ' # Logs' >> $matrix_nginx_site
if ! grep "localhost:${MATRIX_ID_PORT}" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}; then echo ' access_log /dev/null;' >> $matrix_nginx_site
sed -i "s|:443 ssl;|:443 ssl;${matrix_identityserver_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} echo ' error_log /dev/null;' >> $matrix_nginx_site
sed -i "s| default_server;| default_server;${matrix_identityserver_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} echo '' >> $matrix_nginx_site
fi echo ' # Index' >> $matrix_nginx_site
if ! grep "localhost:${MATRIX_PORT}" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}; then echo ' index index.html;' >> $matrix_nginx_site
sed -i "s|:443 ssl;|:443 ssl;${matrix_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} echo '' >> $matrix_nginx_site
sed -i "s| default_server;| default_server;${matrix_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} echo ' # Location' >> $matrix_nginx_site
fi echo ' location / {' >> $matrix_nginx_site
if ! grep "localhost:${TURN_PORT}" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}; then function_check nginx_limits
sed -i "s|:443 ssl;|:443 ssl;${turn_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} nginx_limits ${DEFAULT_DOMAIN_NAME} '15m'
sed -i "s| default_server;| default_server;${turn_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} echo " proxy_pass http://localhost:${MATRIX_ID_PORT};" >> $matrix_nginx_site
echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site
echo ' }' >> $matrix_nginx_site
echo '}' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
else
echo '# Matrix Server' >> $matrix_nginx_site
fi fi
echo 'server {' >> $matrix_nginx_site
echo " listen 127.0.0.1:$MATRIX_ONION_PORT default_server;" >> $matrix_nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo '' >> $matrix_nginx_site
echo ' # Logs' >> $matrix_nginx_site
echo ' access_log /dev/null;' >> $matrix_nginx_site
echo ' error_log /dev/null;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Location' >> $matrix_nginx_site
echo ' location / {' >> $matrix_nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo " proxy_pass http://localhost:${MATRIX_PORT};" >> $matrix_nginx_site
echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site
echo ' }' >> $matrix_nginx_site
echo '}' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo 'server {' >> $matrix_nginx_site
echo " listen 127.0.0.1:$MATRIX_ID_ONION_PORT default_server;" >> $matrix_nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo '' >> $matrix_nginx_site
echo ' # Logs' >> $matrix_nginx_site
echo ' access_log /dev/null;' >> $matrix_nginx_site
echo ' error_log /dev/null;' >> $matrix_nginx_site
echo '' >> $matrix_nginx_site
echo ' # Location' >> $matrix_nginx_site
echo ' location / {' >> $matrix_nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo " proxy_pass http://localhost:${MATRIX_ID_PORT};" >> $matrix_nginx_site
echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site
echo ' }' >> $matrix_nginx_site
echo '}' >> $matrix_nginx_site
echo '# End of Matrix Server' >> $matrix_nginx_site
systemctl restart nginx systemctl restart nginx
systemctl restart turn systemctl restart turn
@ -207,7 +202,7 @@ function matrix_configure_homeserver_yaml {
local ymltemp="$(mktemp)" local ymltemp="$(mktemp)"
awk -v TURNURIES="turn_uris: [\"turn:${DEFAULT_DOMAIN_NAME}/_turn?transport=udp\", \"turn:${DEFAULT_DOMAIN_NAME}/_turn?transport=tcp\"]" \ awk -v TURNURIES="turn_uris: [\"turn:${DEFAULT_DOMAIN_NAME}:${TURN_HTTP_PORT}?transport=udp\", \"turn:${DEFAULT_DOMAIN_NAME}:${TURN_HTTP_PORT}?transport=tcp\"]" \
-v TURNSHAREDSECRET="turn_shared_secret: \"${turnkey}\"" \ -v TURNSHAREDSECRET="turn_shared_secret: \"${turnkey}\"" \
-v PIDFILE="pid_file: ${MATRIX_DATA_DIR}/homeserver.pid" \ -v PIDFILE="pid_file: ${MATRIX_DATA_DIR}/homeserver.pid" \
-v DATABASE="database: \"${MATRIX_DATA_DIR}/homeserver.db\"" \ -v DATABASE="database: \"${MATRIX_DATA_DIR}/homeserver.db\"" \
@ -225,15 +220,14 @@ function matrix_configure_homeserver_yaml {
mv ${ymltemp} "${filepath}" mv ${ymltemp} "${filepath}"
if [[ $ONION_ONLY != 'no' ]]; then sed -i 's|no_tls: .*|no_tls: true|g' "${filepath}"
sed -i 's|no_tls: .*|no_tls: True|g' "${filepath}" sed -i 's| tls: .*| tls: false|g' "${filepath}"
fi
sed -i 's|enable_registration_captcha.*|enable_registration_captcha: False|g' "${filepath}" sed -i 's|enable_registration_captcha.*|enable_registration_captcha: False|g' "${filepath}"
sed -i "s|database: \".*|database: \"${MATRIX_DATA_DIR}/homeserver.db\"|g" "${filepath}" sed -i "s|database: \".*|database: \"${MATRIX_DATA_DIR}/homeserver.db\"|g" "${filepath}"
sed -i "s|media_store_path:.*|media_store_path: \"${MATRIX_DATA_DIR}/media_store\"|g" "${filepath}" sed -i "s|media_store_path:.*|media_store_path: \"${MATRIX_DATA_DIR}/media_store\"|g" "${filepath}"
sed -i "s|pid_file:.*|pid_file: \"${MATRIX_DATA_DIR}/homeserver.pid\"|g" "${filepath}" sed -i "s|pid_file:.*|pid_file: \"${MATRIX_DATA_DIR}/homeserver.pid\"|g" "${filepath}"
sed -i "s|log_file:.*|log_file: \"/dev/null\"|g" "${filepath}" sed -i "s|log_file:.*|log_file: \"/dev/null\"|g" "${filepath}"
sed -i '0,/bind_address:.*/s//bind_address: 127.0.0.1/' "${filepath}" sed -i 's|bind_address:.*|bind_address: 127.0.0.1|g' "${filepath}"
sed -i '0,/x_forwarded:.*/s//x_forwarded: true/' "${filepath}" sed -i '0,/x_forwarded:.*/s//x_forwarded: true/' "${filepath}"
sed -i "s|server_name:.*|server_name: \"${DEFAULT_DOMAIN_NAME}\"|g" "${filepath}" sed -i "s|server_name:.*|server_name: \"${DEFAULT_DOMAIN_NAME}\"|g" "${filepath}"
sed -i "/trusted_third_party_id_servers:/a - ${DEFAULT_DOMAIN_NAME}" "${filepath}" sed -i "/trusted_third_party_id_servers:/a - ${DEFAULT_DOMAIN_NAME}" "${filepath}"
@ -473,6 +467,8 @@ function restore_remote_matrix {
} }
function remove_matrix { function remove_matrix {
firewall_remove ${MATRIX_HTTP_PORT}
systemctl stop matrix systemctl stop matrix
systemctl stop sydent systemctl stop sydent
@ -497,11 +493,10 @@ function remove_matrix {
rm -rf /etc/sydent rm -rf /etc/sydent
deluser matrix deluser matrix
delgroup matrix delgroup matrix
remove_onion_service matrix ${MATRIX_PORT} remove_onion_service matrix ${MATRIX_ONION_PORT}
remove_onion_service matrix ${MATRIX_ID_ONION_PORT}
sed -i "/location \/_matrix {/,/}/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} sed -i "/# Matrix Server{/,/# End of Matrix Server/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
sed -i "/location \/_matrixid {/,/}/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
sed -i "/location \/_turn {/,/}/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
systemctl restart nginx systemctl restart nginx
remove_completion_param install_matrix remove_completion_param install_matrix
@ -644,7 +639,8 @@ function install_home_server {
fi fi
chmod -R 700 $MATRIX_DATA_DIR/homeserver.db chmod -R 700 $MATRIX_DATA_DIR/homeserver.db
MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_PORT}) MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT})
MATRIX_ID_ONION_HOSTNAME=$(add_onion_service matrixid ${MATRIX_ID_PORT} ${MATRIX_ID_ONION_PORT})
if [ ! ${MATRIX_PASSWORD} ]; then if [ ! ${MATRIX_PASSWORD} ]; then
if [ -f ${IMAGE_PASSWORD_FILE} ]; then if [ -f ${IMAGE_PASSWORD_FILE} ]; then
MATRIX_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" MATRIX_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
@ -653,6 +649,8 @@ function install_home_server {
fi fi
fi fi
firewall_add matrix ${MATRIX_HTTP_PORT}
rm -rf ${MATRIX_DATA_DIR}/Maildir rm -rf ${MATRIX_DATA_DIR}/Maildir
rm -rf ${MATRIX_DATA_DIR}/.mutt rm -rf ${MATRIX_DATA_DIR}/.mutt
rm -f ${MATRIX_DATA_DIR}/.muttrc rm -f ${MATRIX_DATA_DIR}/.muttrc
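Review bot: The IPv6 listen lines in matrix_nginx, `echo ' listen [::]:${MATRIX_HTTP_PORT} ssl;'` and the matching `${MATRIX_ID_HTTP_PORT}` line, are single-quoted, so the variable is written literally into the site file and the `systemctl restart nginx` at the end of the function will fail the config parse, taking every site on the host down with it. Change them to double quotes: `echo " listen [::]:${MATRIX_HTTP_PORT} ssl;" >> $matrix_nginx_site` and `echo " listen [::]:${MATRIX_ID_HTTP_PORT} ssl;" >> $matrix_nginx_site`. Separately, the public TLS endpoint moves from 8448 to `${MATRIX_HTTP_PORT}` while homeserver.yaml now sets every `bind_address` to 127.0.0.1 and the firewall opens only `${MATRIX_HTTP_PORT}`, so unless an SRV record is published somewhere not shown here, remote homeservers that default to port 8448 for federation will presumably no longer reach this server — worth confirming before shipping. The remove_matrix hunk's range pattern `/# Matrix Server{/` also carries a stray `{` that the `# Matrix Server` marker written by matrix_nginx never contains, so the proxy blocks are left behind on removal; drop the brace. matrix_nginx's body continues past the end of its hunk.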


@ -29,6 +29,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
TURN_PORT=3478 TURN_PORT=3478
TURN_HTTP_PORT=3407
TURN_ONION_PORT=8110
function generate_turn_key { function generate_turn_key {
local turnkey="${1}" local turnkey="${1}"
@ -45,11 +47,7 @@ function generate_turn_key {
} }
function remove_turn { function remove_turn {
firewall_remove ${TURN_PORT} firewall_remove ${TURN_HTTP_PORT}
}
function remove_turn {
firewall_remove ${TURN_PORT}
systemctl stop turn systemctl stop turn
systemctl disable turn systemctl disable turn
if [ -f /etc/systemd/system/turn.service ]; then if [ -f /etc/systemd/system/turn.service ]; then
@ -57,9 +55,72 @@ function remove_turn {
fi fi
apt-get -y remove coturn apt-get -y remove coturn
rm -rf /var/lib/turn rm -rf /var/lib/turn
sed -i "/# TURN Server{/,/# End of TURN Server/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
remove_onion_service turn ${TURN_ONION_PORT}
systemctl restart nginx
} }
function install_turn { function install_turn {
create_default_web_site
# append the matrix server to the web site config
turn_nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
echo '# TURN Server' >> $turn_nginx_site
echo 'server {' >> $turn_nginx_site
echo " listen ${TURN_HTTP_PORT} ssl;" >> $turn_nginx_site
echo ' listen [::]:${TURN_HTTP_PORT} ssl;' >> $turn_nginx_site
echo " server_name ${DEFAULT_DOMAIN_NAME};" >> $turn_nginx_site
echo '' >> $turn_nginx_site
echo ' # Security' >> $turn_nginx_site
function_check nginx_ssl
nginx_ssl ${DEFAULT_DOMAIN_NAME}
function_check nginx_disable_sniffing
nginx_disable_sniffing ${DEFAULT_DOMAIN_NAME}
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $turn_nginx_site
echo '' >> $turn_nginx_site
echo ' # Logs' >> $turn_nginx_site
echo ' access_log /dev/null;' >> $turn_nginx_site
echo ' error_log /dev/null;' >> $turn_nginx_site
echo '' >> $turn_nginx_site
echo ' # Index' >> $turn_nginx_site
echo ' index index.html;' >> $turn_nginx_site
echo '' >> $turn_nginx_site
echo ' # Location' >> $turn_nginx_site
echo ' location / {' >> $turn_nginx_site
function_check nginx_limits
nginx_limits ${DEFAULT_DOMAIN_NAME} '15m'
echo " proxy_pass http://localhost:${TURN_PORT};" >> $turn_nginx_site
echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $turn_nginx_site
echo ' }' >> $turn_nginx_site
echo '}' >> $turn_nginx_site
echo '' >> $turn_nginx_site
else
echo '# TURN Server' >> $turn_nginx_site
fi
echo 'server {' >> $turn_nginx_site
echo " listen 127.0.0.1:$TURN_ONION_PORT default_server;" >> $turn_nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $turn_nginx_site
echo '' >> $turn_nginx_site
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo '' >> $turn_nginx_site
echo ' # Logs' >> $turn_nginx_site
echo ' access_log /dev/null;' >> $turn_nginx_site
echo ' error_log /dev/null;' >> $turn_nginx_site
echo '' >> $turn_nginx_site
echo ' # Location' >> $turn_nginx_site
echo ' location / {' >> $turn_nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo " proxy_pass http://localhost:${TURN_PORT};" >> $turn_nginx_site
echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $turn_nginx_site
echo ' }' >> $turn_nginx_site
echo '}' >> $turn_nginx_site
echo '# End of TURN Server' >> $turn_nginx_site
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get -yq install coreutils coturn \ apt-get -yq install coreutils coturn \
curl file gcc git libevent-2.0-5 \ curl file gcc git libevent-2.0-5 \
@ -108,7 +169,11 @@ function install_turn {
systemctl daemon-reload systemctl daemon-reload
systemctl start turn systemctl start turn
firewall_add turn ${TURN_PORT} firewall_add turn ${TURN_HTTP_PORT}
TURN_ONION_HOSTNAME=$(add_onion_service turn ${TURN_PORT} ${TURN_ONION_PORT})
systemctl restart nginx
} }
# NOTE: deliberately no exit 0 # NOTE: deliberately no exit 0
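Review bot: Fronting coturn with an nginx `http` server block (`proxy_pass http://localhost:${TURN_PORT};`) cannot carry TURN traffic: the turn_uris rewritten in the matrix module now send clients to `${TURN_HTTP_PORT}` with `transport=udp` and `transport=tcp`, but the block added here only accepts TLS-wrapped HTTP over TCP, and `firewall_add turn ${TURN_HTTP_PORT}` no longer opens 3478, so relays would presumably fail unless coturn is reachable by some path not visible in this diff. The `listen [::]:${TURN_HTTP_PORT} ssl;` line is also single-quoted, so the port is never expanded and nginx will refuse the config; use `echo " listen [::]:${TURN_HTTP_PORT} ssl;" >> $turn_nginx_site`. In remove_turn the sed start pattern `/# TURN Server{/` has a stray `{` that the `# TURN Server` marker written by install_turn does not contain, so the blocks are never deleted; change it to `sed -i "/# TURN Server/,/# End of TURN Server/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}`. The comment `# append the matrix server to the web site config` was copied from the matrix module and should read `# append the TURN server to the web site config`. install_turn's body runs past the end of the hunk.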


@ -31,6 +31,9 @@
# default search engine for command line browser # default search engine for command line browser
DEFAULT_SEARCH='https://searx.laquadrature.net' DEFAULT_SEARCH='https://searx.laquadrature.net'
# onion port for the default domain
DEFAULT_DOMAIN_ONION_PORT=8099
# Whether Let's Encrypt is enabled for all sites # Whether Let's Encrypt is enabled for all sites
LETSENCRYPT_ENABLED="no" LETSENCRYPT_ENABLED="no"
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
@ -802,4 +805,98 @@ function update_default_domain {
fi fi
} }
function create_default_web_site {
if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then
# create a web site for the default domain
if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then
mkdir -p /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
if [ -d /root/${PROJECT_NAME} ]; then
cd /root/${PROJECT_NAME}/website
./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
else
if [ -d /home/${MY_USERNAME}/${PROJECT_NAME} ]; then
cd /home/${MY_USERNAME}/${PROJECT_NAME}
./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
fi
fi
fi
# add a config for the default domain
nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
function_check nginx_http_redirect
nginx_http_redirect $DEFAULT_DOMAIN_NAME
echo 'server {' >> $nginx_site
echo ' listen 443 ssl;' >> $nginx_site
echo ' listen [::]:443 ssl;' >> $nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
echo '' >> $nginx_site
echo ' # Security' >> $nginx_site
function_check nginx_ssl
nginx_ssl $DEFAULT_DOMAIN_NAME
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Logs' >> $nginx_site
echo ' access_log /dev/null;' >> $nginx_site
echo ' error_log /dev/null;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Root' >> $nginx_site
echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
echo '' >> $nginx_site
echo ' # Index' >> $nginx_site
echo ' index index.html;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Location' >> $nginx_site
echo ' location / {' >> $nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo ' }' >> $nginx_site
echo '' >> $nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $nginx_site
echo ' location ~ /\.(ht|git) {' >> $nginx_site
echo ' deny all;' >> $nginx_site
echo ' }' >> $nginx_site
echo '}' >> $nginx_site
else
echo -n '' > $nginx_site
fi
echo 'server {' >> $nginx_site
echo " listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;" >> $nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
echo '' >> $nginx_site
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo '' >> $nginx_site
echo ' # Logs' >> $nginx_site
echo ' access_log /dev/null;' >> $nginx_site
echo ' error_log /dev/null;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Root' >> $nginx_site
echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
echo '' >> $nginx_site
echo ' # Location' >> $nginx_site
echo ' location / {' >> $nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo ' }' >> $nginx_site
echo '' >> $nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $nginx_site
echo ' location ~ /\.(ht|git) {' >> $nginx_site
echo ' deny all;' >> $nginx_site
echo ' }' >> $nginx_site
echo '}' >> $nginx_site
if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
function_check create_site_certificate
create_site_certificate $DEFAULT_DOMAIN_NAME 'yes'
fi
nginx_ensite $DEFAULT_DOMAIN_NAME
fi
}
# NOTE: deliberately no exit 0 # NOTE: deliberately no exit 0
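Review bot: In create_default_web_site the first deploy branch tests `/root/${PROJECT_NAME}` but changes into `/root/${PROJECT_NAME}/website`; since nothing checks the `cd` result, a missing `website` subdirectory leaves the shell in the caller's working directory and `./deploy.sh` then runs whatever script of that name happens to be there, while the second branch (`/home/${MY_USERNAME}/${PROJECT_NAME}`) omits `/website` entirely, so one of the two paths looks wrong. Chain the commands and run them in a subshell so a failed `cd` cannot execute a stray script and the caller's cwd is not changed: `( cd /root/${PROJECT_NAME}/website && ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs )`, and the same for the home-directory branch. It would also help to add a header comment stating that the function is a no-op when `/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}` already exists and that the onion-only branch truncates the file before writing the 127.0.0.1 block.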