diff --git a/src/freedombone-app-gogs b/src/freedombone-app-gogs
index d54f0452..6e87b424 100755
--- a/src/freedombone-app-gogs
+++ b/src/freedombone-app-gogs
@@ -655,11 +655,11 @@ function install_gogs {
 echo $'No Tor installation found. Gogs onion site cannot be configured.'
 exit 877367
 fi
- if ! grep -q "hidden_service_gogs" $ONION_SERVICES_FILE; then
+ if ! grep -q "hidden_service_gogs" "$ONION_SERVICES_FILE"; then
 { echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/';
 echo 'HiddenServiceVersion 3';
 echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}";
- echo "HiddenServicePort 9418 127.0.0.1:9418"; } >> $ONION_SERVICES_FILE
+ echo "HiddenServicePort 9418 127.0.0.1:9418"; } >> "$ONION_SERVICES_FILE"
 echo $'Added onion site for Gogs'
 fi
diff --git a/src/freedombone-app-keyserver b/src/freedombone-app-keyserver
index 5e65792d..ae050f5b 100755
--- a/src/freedombone-app-keyserver
+++ b/src/freedombone-app-keyserver
@@ -656,12 +656,12 @@ function install_keyserver {
 chown debian-sks: $sksconf_file
- if ! grep -q "hidden_service_sks" $ONION_SERVICES_FILE; then
+ if ! grep -q "hidden_service_sks" "$ONION_SERVICES_FILE"; then
 { echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/';
 echo 'HiddenServiceVersion 3';
 echo "HiddenServicePort 11370 127.0.0.1:11370";
 echo "HiddenServicePort 11373 127.0.0.1:11371";
- echo "HiddenServicePort 11372 127.0.0.1:11372"; } >> $ONION_SERVICES_FILE
+ echo "HiddenServicePort 11372 127.0.0.1:11372"; } >> "$ONION_SERVICES_FILE"
 echo $'Added onion site for sks'
 fi
diff --git a/src/freedombone-app-matrix b/src/freedombone-app-matrix
index a6e6c12f..55e8c641 100755
--- a/src/freedombone-app-matrix
+++ b/src/freedombone-app-matrix
@@ -702,7 +702,7 @@ function install_home_server {
 #MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT})
 add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT}
- echo "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" >> $ONION_SERVICES_FILE
+ echo "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" >> "$ONION_SERVICES_FILE"
 systemctl restart tor
 if [ ! "${MATRIX_PASSWORD}" ]; then
diff --git a/src/freedombone-app-pleroma b/src/freedombone-app-pleroma
index 3a38462c..b8b7c94c 100755
--- a/src/freedombone-app-pleroma
+++ b/src/freedombone-app-pleroma
@@ -36,7 +36,7 @@ PLEROMA_CODE=
 PLEROMA_PORT=4000
 PLEROMA_ONION_PORT=8011
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
-PLEROMA_COMMIT='fc6f5bcad3ad94eefbfcb24ca361e818ed0319d6'
+PLEROMA_COMMIT='5b6d6d7f2d9363c494642bfda4d6e4d12daa53c7'
 PLEROMA_ADMIN_PASSWORD=
 PLEROMA_DIR=/etc/pleroma
 PLEROMA_SECRET_KEY=""
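Review bot: The HiddenServicePort line for the federation port is appended to "$ONION_SERVICES_FILE" unconditionally, so every run of install_home_server adds another duplicate, whereas the gogs and keyserver hunks in this same commit guard their appends with `grep -q`. Unless install_home_server is protected against re-runs elsewhere, wrap the append: `if ! grep -q "127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" "$ONION_SERVICES_FILE"; then` … `fi`. The body of install_home_server starts before and continues after this hunk.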
@@ -62,6 +62,24 @@ pleroma_variables=(ONION_ONLY
 MY_EMAIL_ADDRESS
 MY_USERNAME)
+function pleroma_add_filtering {
+ if grep -q "# begin filtering" $pleroma_secret; then
+ return
+ fi
+ sed -i '/pbkdf2_rounds/a reject: []' $pleroma_secret
+ sed -i '/pbkdf2_rounds/a federated_timeline_removal: [],' $pleroma_secret
+ sed -i '/pbkdf2_rounds/a media_nsfw: [],' $pleroma_secret
+ sed -i '/pbkdf2_rounds/a media_removal: [],' $pleroma_secret
+ sed -i '/pbkdf2_rounds/a config :pleroma, :mrf_simple,' $pleroma_secret
+ sed -i '/pbkdf2_rounds/a # begin filtering' $pleroma_secret
+
+ sed -i 's|reject: | reject: |g' $pleroma_secret
+ sed -i 's|federated_timeline_removal: | federated_timeline_removal: |g' $pleroma_secret
+ sed -i 's|media_nsfw: | media_nsfw: |g' $pleroma_secret
+ sed -i 's|media_removal: | media_removal: |g' $pleroma_secret
+ create_pleroma_blocklist
+}
+
 function pleroma_enable_chat {
 if [[ "$1" == 't'* || "$1" == 'y'* || "$1" == 'T'* || "$1" == 'Y'* ]]; then
 sed -i 's|"chatDisabled":.*|"chatDisabled": false,|g' $PLEROMA_DIR/priv/static/static/config.json
@@ -91,6 +109,7 @@ function create_pleroma_blocklist {
 echo 'users_query="DELETE FROM users WHERE"';
 echo 'websub_server_subscriptions_query="DELETE FROM websub_server_subscriptions WHERE"';
 echo 'websub_server_subscriptions_updated=';
+ echo 'filter_str=';
 echo 'while read blocked; do';
 echo " if [[ \"\$blocked\" == *\".\"* || \"\$blocked\" == *\"@\"* ]]; then";
 echo " if [ \${#blocked} -gt 4 ]; then";
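Review bot: `$pleroma_secret` is unquoted in every grep and sed of the new pleroma_add_filtering, which is exactly the defect this commit fixes for $ONION_SERVICES_FILE in the other files; quote it as `"$pleroma_secret"` throughout. The six `sed -i '/pbkdf2_rounds/a …'` calls each insert directly after the same anchor line, so the block lands in reverse call order, which deserves a comment such as `# each 'a' inserts right below pbkdf2_rounds, so these run in reverse order`; the second pass of `s|reject: | reject: |g` and friends then re-indents every matching line in the file, not only the ones just inserted. An mrf_simple block presumably only takes effect when the SimplePolicy module is enabled in Pleroma's MRF policy list, which nothing in this hunk does, so confirm that is configured elsewhere.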
@@ -102,6 +121,13 @@ function create_pleroma_blocklist {
 echo " users_query=\"\${users_query} nickname ilike '%\${blocked}%'\"";
 echo ' objects_updated=1';
 echo " if [[ \"\$blocked\" != *\"@\"* ]]; then";
+ echo ' # Create a filter string for the pleroma configuration';
+ echo " if [ \"\$filter_str\" ]; then";
+ echo " filter_str=\"\${filter_str}, \\\"\$blocked\\\"\"";
+ echo ' else';
+ echo " filter_str=\"\\\"\${blocked}\\\"\"";
+ echo ' fi';
+ echo '';
 echo " if ! grep -q \"127.0.0.1 \$blocked\" /etc/hosts; then";
 echo " echo \"127.0.0.1 \$blocked\" >> /etc/hosts";
 echo ' fi';
@@ -115,6 +141,19 @@ function create_pleroma_blocklist {
 echo ' fi';
 echo 'done > "$filename"
+ else
+ sed -i 's|e2e_policy_muc.*|e2e_policy_muc = "none"|g' "$filename"
+ fi
+ if ! grep -q "e2e_policy_chat" "$filename"; then
+ echo "e2e_policy_chat = \"required\"" >> "$filename"
+ else
+ sed -i 's|e2e_policy_chat.*|e2e_policy_chat = "required"|g' "$filename"
+ fi
+ if ! grep -q "e2e_policy_message_required_chat" "$filename"; then
+ echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"" >> "$filename"
+ else
+ sed -i "s|e2e_policy_message_required_chat.*|e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"|g" "$filename"
+ fi
+
+ if [[ "$ONION_ONLY" != 'no' ]]; then
+ XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
+ sed -i "s|VirtualHost \".*.onion.*|VirtualHost \"${XMPP_ONION_HOSTNAME}\"|g" "$filename"
+ # TLS is not strictly needed for onion transport security
+ sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' "$filename"
+ sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' "$filename"
+ fi
+}
+
 function logging_on_xmpp {
 if [ -d /etc/prosody ]; then
 if [ ! -d /var/log/prosody ]; then
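Review bot: The generated script interpolates each `$blocked` entry into filter_str between escaped double quotes, presumably destined for a quoted value in the Pleroma config, but the only checks visible on the entry are that it contains a dot, is longer than four characters and has no `@`; a quote or backslash in a blocklist line would break out of that string. Guard the filter_str assignment in the emitted script with a hostname-shape test, e.g. `if [[ "$blocked" =~ ^[A-Za-z0-9.-]+$ ]]; then` around the new if/else. create_pleroma_blocklist starts before and ends after this hunk, and nothing visible in the diff consumes filter_str, so where it is finally written should be checked against the rest of the function.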
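Review bot: `XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)` in the onion-only branch has no failure check, so if tor has not yet created the hostname file the variable is empty and the next sed rewrites the VirtualHost line to `VirtualHost ""`. Bail out instead: `XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname) || return 1` followed by `[ -n "$XMPP_ONION_HOSTNAME" ] || return 1`. The same branch also embeds `$xmpp_encryption_warning` in both a sed replacement and a double-quoted Lua string, which only works while that value contains no `|`, `"` or backslash — presumably a fixed string, but worth a comment where it is defined. This hunk appears truncated: its header still names create_pleroma_blocklist while the content belongs to a function (apparently xmpp_update_e2e_policy) whose opening lines and file header are not in the diff.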
@@ -425,6 +457,10 @@ function upgrade_xmpp {
 usermod -a -G ssl-cert prosody
 fi
 fi
+
+ xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
+ xmpp_update_e2e_policy /etc/prosody/prosody.cfg.lua
+ prosody_daemon_restart_script
 function_check update_prosody_modules
 update_prosody_modules
@@ -608,7 +644,7 @@ function remove_xmpp {
 function_check remove_onion_service
 remove_onion_service xmpp 5222 5223 5269
- sed -i '/HiddenServiceVersion 2/d' $ONION_SERVICES_FILE
+ sed -i '/HiddenServiceVersion 2/d' "$ONION_SERVICES_FILE"
 apt-mark -q unhold prosody
 apt-get -yq remove --purge prosody
@@ -818,11 +854,16 @@ function xmpp_create_config {
 else
 echo " dhparam = \"/etc/ssl/certs/xmpp.dhparam\";" >> /etc/prosody/prosody.cfg.lua
 fi
+
 { echo '}';
 echo '';
 echo 'c2s_require_encryption = true';
 echo 's2s_require_encryption = true';
 echo '';
+ echo 'e2e_policy_muc = "none"';
+ echo 'e2e_policy_chat = "required"';
+ echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"";
+ echo '';
 echo 's2s_secure_auth = false';
 echo '';
 echo 'authentication = "internal_hashed"';
@@ -838,6 +879,9 @@ function xmpp_create_config {
 echo ''; } >> /etc/prosody/prosody.cfg.lua
 if [[ "$ONION_ONLY" != 'no' ]]; then
 echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/prosody.cfg.lua
+ # TLS is not needed for onion transport security
+ sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
+ sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
 else
 echo "VirtualHost \"${DEFAULT_DOMAIN_NAME}\"" >> /etc/prosody/prosody.cfg.lua
 fi
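Review bot: The new calls to `xmpp_update_e2e_policy` and `prosody_daemon_restart_script` in upgrade_xmpp are made without the `function_check` guard that the very next context line applies to update_prosody_modules, which is inconsistent with how this file invokes helpers. Adding `function_check xmpp_update_e2e_policy` before the first call (and likewise for prosody_daemon_restart_script) keeps the style uniform and gives a clear error if the helper is missing. upgrade_xmpp starts before and continues after this hunk.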
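Review bot: `sed -i '/HiddenServiceVersion 2/d' "$ONION_SERVICES_FILE"` in remove_xmpp deletes every `HiddenServiceVersion 2` line in the shared include file, not just the one belonging to the xmpp service, so any other v2 onion service configured there silently loses its version line. The `remove_onion_service xmpp 5222 5223 5269` call on the previous line already removes the xmpp HiddenServiceDir line together with the line after it (the version line, per the `/,+1 d` in remove_onion_service in this commit), so the sed looks redundant; if it is still needed, restrict it to the xmpp block with an address range rather than the whole file. remove_xmpp continues outside the hunk.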
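Review bot: The three new e2e_policy_* lines echoed into prosody.cfg.lua duplicate the settings that xmpp_update_e2e_policy (added in this same commit) writes or rewrites, so the two will drift; calling `xmpp_update_e2e_policy /etc/prosody/prosody.cfg.lua` after the `{ … } >>` block would keep one source of truth. `e2e_policy_message_required_chat` also embeds `$xmpp_encryption_warning` in a double-quoted Lua string with no escaping, which only parses while that value contains no `"` or backslash — presumably a fixed string, so a comment such as `# must stay free of double quotes: it is embedded verbatim in prosody.cfg.lua` on its definition would pin that. xmpp_create_config starts before and ends after this hunk.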
@@ -1068,6 +1112,14 @@ function install_xmpp {
 else
 sed -i 's|s2s_require_encryption.*|s2s_require_encryption = true|g' /etc/prosody/conf.avail/xmpp.cfg.lua
 fi
+
+ if [[ "$ONION_ONLY" != 'no' ]]; then
+ sed -i 's|c2s_require_encryption.*|c2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
+ sed -i 's|s2s_require_encryption.*|s2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
+ fi
+
+ xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
+
 if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/conf.avail/xmpp.cfg.lua; then
 echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
 else
@@ -1079,11 +1131,11 @@ function install_xmpp {
 echo $'No Tor installation found. xmpp onion site cannot be configured.'
 exit 877367
 fi
- if ! grep -q "hidden_service_xmpp" $ONION_SERVICES_FILE; then
+ if ! grep -q "hidden_service_xmpp" "$ONION_SERVICES_FILE"; then
 { echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/';
 echo 'HiddenServiceVersion 2';
 echo "HiddenServicePort 5222 127.0.0.1:5222";
- echo "HiddenServicePort 5269 127.0.0.1:5269"; } >> $ONION_SERVICES_FILE
+ echo "HiddenServicePort 5269 127.0.0.1:5269"; } >> "$ONION_SERVICES_FILE"
 echo $'Added onion site for xmpp chat'
 fi
diff --git a/src/freedombone-utils-onion b/src/freedombone-utils-onion
index 9882a1d9..e193e5cc 100755
--- a/src/freedombone-utils-onion
+++ b/src/freedombone-utils-onion
@@ -34,7 +34,7 @@ HIDDEN_SERVICE_PATH='/var/lib/tor/hidden_service_'
 ONION_SERVICES_FILE=/etc/torrc.d/${PROJECT_NAME}
 function torrc_migrate {
- if [ -f $ONION_SERVICES_FILE ]; then
+ if [ -f "$ONION_SERVICES_FILE" ]; then
 if grep -q "#%include /etc/torrc.d" /etc/tor/torrc; then
 sed -i 's|#%include /etc/torrc.d|%include /etc/torrc.d|g' /etc/tor/torrc
 systemctl restart tor
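Review bot: The new onion-only block in install_xmpp that forces c2s/s2s_require_encryption to false in xmpp.cfg.lua repeats what xmpp_update_e2e_policy does to the same file when ONION_ONLY is not 'no' (visible in its hunk earlier in this diff), and that function is called on the very next non-blank line, so the `if [[ "$ONION_ONLY" != 'no' ]]` block with its two seds can be dropped. `xmpp_update_e2e_policy` is also invoked without the `function_check` guard this file applies to other helpers, e.g. `function_check remove_onion_service` in remove_xmpp. install_xmpp starts before and continues after this hunk.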
@@ -45,9 +45,9 @@ function torrc_migrate {
 mkdir /etc/torrc.d
- grep "HiddenServiceDir\\|HiddenServiceVersion\\|HiddenServicePort" /etc/tor/torrc | grep -v "#HiddenServiceDir" >> $ONION_SERVICES_FILE
+ grep "HiddenServiceDir\\|HiddenServiceVersion\\|HiddenServicePort" /etc/tor/torrc | grep -v "#HiddenServiceDir" >> "$ONION_SERVICES_FILE"
- if ! grep "HiddenServiceVersion" $ONION_SERVICES_FILE; then
+ if ! grep "HiddenServiceVersion" "$ONION_SERVICES_FILE"; then
 systemctl restart tor
 return
 fi
@@ -121,17 +121,17 @@ function remove_onion_service {
 nick="$3"
 if [ ${#nick} -gt 0 ]; then
- sed -i "/stealth ${nick}/d" $ONION_SERVICES_FILE
+ sed -i "/stealth ${nick}/d" "$ONION_SERVICES_FILE"
 fi
- sed -i "/hidden_service_${onion_service_name}/,+1 d" $ONION_SERVICES_FILE
- sed -i "/hidden_service_${onion_service_name}_mobile/,+1 d" $ONION_SERVICES_FILE
- sed -i "/127.0.0.1:${onion_service_port_to}/d" $ONION_SERVICES_FILE
+ sed -i "/hidden_service_${onion_service_name}/,+1 d" "$ONION_SERVICES_FILE"
+ sed -i "/hidden_service_${onion_service_name}_mobile/,+1 d" "$ONION_SERVICES_FILE"
+ sed -i "/127.0.0.1:${onion_service_port_to}/d" "$ONION_SERVICES_FILE"
 if [ "$3" ]; then
- sed -i "/127.0.0.1:${3}/d" $ONION_SERVICES_FILE
+ sed -i "/127.0.0.1:${3}/d" "$ONION_SERVICES_FILE"
 if [ "$4" ]; then
- sed -i "/127.0.0.1:${4}/d" $ONION_SERVICES_FILE
+ sed -i "/127.0.0.1:${4}/d" "$ONION_SERVICES_FILE"
 if [ "$5" ]; then
- sed -i "/127.0.0.1:${5}/d" $ONION_SERVICES_FILE
+ sed -i "/127.0.0.1:${5}/d" "$ONION_SERVICES_FILE"
 fi
 fi
 fi
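Review bot: `if ! grep "HiddenServiceVersion" "$ONION_SERVICES_FILE"; then` is only a presence test but lacks `-q`, so every matching line is printed to stdout during migration; change it to `if ! grep -q "HiddenServiceVersion" "$ONION_SERVICES_FILE"; then`. On the line above, `grep -v "#HiddenServiceDir"` drops commented HiddenServiceDir lines but commented `#HiddenServicePort` and `#HiddenServiceVersion` examples (Debian's stock torrc ships such lines) are still copied into the include file — harmless to tor, but noise that `grep -v '^[[:space:]]*#'` would remove. torrc_migrate starts before and ends after this hunk.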
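Review bot: In remove_onion_service `$3` carries two meanings: the context line `nick="$3"` matches it against `stealth` client lines, while the new `sed -i "/127.0.0.1:${3}/d"` treats it as an additional local port — and remove_xmpp in this same commit calls `remove_onion_service xmpp 5222 5223 5269`, passing ports. The port deletions are also not scoped to this service's block, so any HiddenServicePort line in the shared file that targets the same local port is removed whichever service owns it, and the unescaped dots in `127.0.0.1` match any character. At minimum document the positional contract in a header comment, e.g. `# $1 service name, $2 local port, $3..$5 further local ports ($3 is also tried as a stealth nick)`, or settle on one meaning for $3. The function starts before the hunk.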
@@ -164,16 +164,16 @@ function add_onion_service {
 USE_V2_ONION_ADDRESS=
 exit 877367
 fi
- if ! grep -q "hidden_service_${onion_service_name}" $ONION_SERVICES_FILE; then
- echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}${onion_service_name}/" >> $ONION_SERVICES_FILE
+ if ! grep -q "hidden_service_${onion_service_name}" "$ONION_SERVICES_FILE"; then
+ echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}${onion_service_name}/" >> "$ONION_SERVICES_FILE"
 if [ ! $USE_V2_ONION_ADDRESS ]; then
- echo 'HiddenServiceVersion 3' >> $ONION_SERVICES_FILE
+ echo 'HiddenServiceVersion 3' >> "$ONION_SERVICES_FILE"
 else
- echo 'HiddenServiceVersion 2' >> $ONION_SERVICES_FILE
+ echo 'HiddenServiceVersion 2' >> "$ONION_SERVICES_FILE"
 fi
- echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> $ONION_SERVICES_FILE
+ echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> "$ONION_SERVICES_FILE"
 if [ ${#onion_stealth_name} -gt 0 ]; then
- echo "HiddenServiceAuthorizeClient stealth ${onion_stealth_name}" >> $ONION_SERVICES_FILE
+ echo "HiddenServiceAuthorizeClient stealth ${onion_stealth_name}" >> "$ONION_SERVICES_FILE"
 fi
 fi
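Review bot: `HiddenServiceAuthorizeClient stealth …` is written whenever onion_stealth_name is non-empty, but the version line chosen a few lines earlier is 3 unless USE_V2_ONION_ADDRESS is set; HiddenServiceAuthorizeClient is a v2-only directive and, as far as I know, tor rejects it on a version-3 service, which would prevent the whole include file from loading rather than just this service. Gate it on the version, `if [ ${#onion_stealth_name} -gt 0 ] && [ "$USE_V2_ONION_ADDRESS" ]; then`, or fail early with a message when a stealth name is requested for a v3 service. The unquoted `[ ! $USE_V2_ONION_ADDRESS ]` on the context line is the same class of quoting bug this commit fixes elsewhere. add_onion_service starts before the hunk.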