This commit is contained in:
Bob Mottram 2018-05-01 16:23:43 +01:00
commit 6791362368
7 changed files with 121 additions and 25 deletions


@ -655,11 +655,11 @@ function install_gogs {
echo $'No Tor installation found. Gogs onion site cannot be configured.' echo $'No Tor installation found. Gogs onion site cannot be configured.'
exit 877367 exit 877367
fi fi
if ! grep -q "hidden_service_gogs" $ONION_SERVICES_FILE; then if ! grep -q "hidden_service_gogs" "$ONION_SERVICES_FILE"; then
{ echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/'; { echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/';
echo 'HiddenServiceVersion 3'; echo 'HiddenServiceVersion 3';
echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}"; echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}";
echo "HiddenServicePort 9418 127.0.0.1:9418"; } >> $ONION_SERVICES_FILE echo "HiddenServicePort 9418 127.0.0.1:9418"; } >> "$ONION_SERVICES_FILE"
echo $'Added onion site for Gogs' echo $'Added onion site for Gogs'
fi fi


@ -656,12 +656,12 @@ function install_keyserver {
chown debian-sks: $sksconf_file chown debian-sks: $sksconf_file
if ! grep -q "hidden_service_sks" $ONION_SERVICES_FILE; then if ! grep -q "hidden_service_sks" "$ONION_SERVICES_FILE"; then
{ echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/'; { echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/';
echo 'HiddenServiceVersion 3'; echo 'HiddenServiceVersion 3';
echo "HiddenServicePort 11370 127.0.0.1:11370"; echo "HiddenServicePort 11370 127.0.0.1:11370";
echo "HiddenServicePort 11373 127.0.0.1:11371"; echo "HiddenServicePort 11373 127.0.0.1:11371";
echo "HiddenServicePort 11372 127.0.0.1:11372"; } >> $ONION_SERVICES_FILE echo "HiddenServicePort 11372 127.0.0.1:11372"; } >> "$ONION_SERVICES_FILE"
echo $'Added onion site for sks' echo $'Added onion site for sks'
fi fi
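Review bot: `chown debian-sks: $sksconf_file` on the first line of this hunk is left unquoted while the two `$ONION_SERVICES_FILE` uses just below it are quoted; for consistency with what this commit sets out to do, make it `chown debian-sks: "$sksconf_file"`. The enclosing install_keyserver body starts before this hunk.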


@ -702,7 +702,7 @@ function install_home_server {
#MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT}) #MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT})
add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT} add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT}
echo "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" >> $ONION_SERVICES_FILE echo "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" >> "$ONION_SERVICES_FILE"
systemctl restart tor systemctl restart tor
if [ ! "${MATRIX_PASSWORD}" ]; then if [ ! "${MATRIX_PASSWORD}" ]; then
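Review bot: The `echo "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" >> "$ONION_SERVICES_FILE"` line is unconditional, whereas `add_onion_service` on the line above only writes its block when `hidden_service_matrix` is not already in the file, so every re-run of install_home_server appends one more duplicate HiddenServicePort line. When the matrix block already exists the new line is also appended at end of file, i.e. under whatever HiddenServiceDir happens to be last rather than under the matrix one. Guard it the same way: `if ! grep -qFx "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" "$ONION_SERVICES_FILE"; then` … `fi` around the echo. install_home_server continues outside this hunk.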


@ -36,7 +36,7 @@ PLEROMA_CODE=
PLEROMA_PORT=4000 PLEROMA_PORT=4000
PLEROMA_ONION_PORT=8011 PLEROMA_ONION_PORT=8011
PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git" PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
PLEROMA_COMMIT='fc6f5bcad3ad94eefbfcb24ca361e818ed0319d6' PLEROMA_COMMIT='5b6d6d7f2d9363c494642bfda4d6e4d12daa53c7'
PLEROMA_ADMIN_PASSWORD= PLEROMA_ADMIN_PASSWORD=
PLEROMA_DIR=/etc/pleroma PLEROMA_DIR=/etc/pleroma
PLEROMA_SECRET_KEY="" PLEROMA_SECRET_KEY=""
@ -62,6 +62,24 @@ pleroma_variables=(ONION_ONLY
MY_EMAIL_ADDRESS MY_EMAIL_ADDRESS
MY_USERNAME) MY_USERNAME)
function pleroma_add_filtering {
if grep -q "# begin filtering" $pleroma_secret; then
return
fi
sed -i '/pbkdf2_rounds/a reject: []' $pleroma_secret
sed -i '/pbkdf2_rounds/a federated_timeline_removal: [],' $pleroma_secret
sed -i '/pbkdf2_rounds/a media_nsfw: [],' $pleroma_secret
sed -i '/pbkdf2_rounds/a media_removal: [],' $pleroma_secret
sed -i '/pbkdf2_rounds/a config :pleroma, :mrf_simple,' $pleroma_secret
sed -i '/pbkdf2_rounds/a # begin filtering' $pleroma_secret
sed -i 's|reject: | reject: |g' $pleroma_secret
sed -i 's|federated_timeline_removal: | federated_timeline_removal: |g' $pleroma_secret
sed -i 's|media_nsfw: | media_nsfw: |g' $pleroma_secret
sed -i 's|media_removal: | media_removal: |g' $pleroma_secret
create_pleroma_blocklist
}
function pleroma_enable_chat { function pleroma_enable_chat {
if [[ "$1" == 't'* || "$1" == 'y'* || "$1" == 'T'* || "$1" == 'Y'* ]]; then if [[ "$1" == 't'* || "$1" == 'y'* || "$1" == 'T'* || "$1" == 'Y'* ]]; then
sed -i 's|"chatDisabled":.*|"chatDisabled": false,|g' $PLEROMA_DIR/priv/static/static/config.json sed -i 's|"chatDisabled":.*|"chatDisabled": false,|g' $PLEROMA_DIR/priv/static/static/config.json
@ -91,6 +109,7 @@ function create_pleroma_blocklist {
echo 'users_query="DELETE FROM users WHERE"'; echo 'users_query="DELETE FROM users WHERE"';
echo 'websub_server_subscriptions_query="DELETE FROM websub_server_subscriptions WHERE"'; echo 'websub_server_subscriptions_query="DELETE FROM websub_server_subscriptions WHERE"';
echo 'websub_server_subscriptions_updated='; echo 'websub_server_subscriptions_updated=';
echo 'filter_str=';
echo 'while read blocked; do'; echo 'while read blocked; do';
echo " if [[ \"\$blocked\" == *\".\"* || \"\$blocked\" == *\"@\"* ]]; then"; echo " if [[ \"\$blocked\" == *\".\"* || \"\$blocked\" == *\"@\"* ]]; then";
echo " if [ \${#blocked} -gt 4 ]; then"; echo " if [ \${#blocked} -gt 4 ]; then";
@ -102,6 +121,13 @@ function create_pleroma_blocklist {
echo " users_query=\"\${users_query} nickname ilike '%\${blocked}%'\""; echo " users_query=\"\${users_query} nickname ilike '%\${blocked}%'\"";
echo ' objects_updated=1'; echo ' objects_updated=1';
echo " if [[ \"\$blocked\" != *\"@\"* ]]; then"; echo " if [[ \"\$blocked\" != *\"@\"* ]]; then";
echo ' # Create a filter string for the pleroma configuration';
echo " if [ \"\$filter_str\" ]; then";
echo " filter_str=\"\${filter_str}, \\\"\$blocked\\\"\"";
echo ' else';
echo " filter_str=\"\\\"\${blocked}\\\"\"";
echo ' fi';
echo '';
echo " if ! grep -q \"127.0.0.1 \$blocked\" /etc/hosts; then"; echo " if ! grep -q \"127.0.0.1 \$blocked\" /etc/hosts; then";
echo " echo \"127.0.0.1 \$blocked\" >> /etc/hosts"; echo " echo \"127.0.0.1 \$blocked\" >> /etc/hosts";
echo ' fi'; echo ' fi';
@ -115,6 +141,19 @@ function create_pleroma_blocklist {
echo ' fi'; echo ' fi';
echo 'done </root/freedombone-firewall-domains.cfg'; echo 'done </root/freedombone-firewall-domains.cfg';
echo ''; echo '';
echo "if [ \"\$filter_str\" ]; then";
echo " if ! grep -q \" \$filter_str \" $pleroma_secret; then";
echo " sed -i \"s| media_removal:.*| media_removal: [ \$filter_str ],|g\" $pleroma_secret";
echo " sed -i \"s| federated_timeline_removal:.*| federated_timeline_removal: [ \$filter_str ],|g\" $pleroma_secret";
echo " sed -i \"s| reject:.*| reject: [ \$filter_str ]|g\" $pleroma_secret";
echo " chown -R pleroma:pleroma $PLEROMA_DIR";
echo ' sudo -u pleroma mix clean';
echo ' sudo -u pleroma mix deps.compile';
echo ' sudo -u pleroma mix compile';
echo ' systemctl restart pleroma';
echo ' fi';
echo 'fi';
echo '';
echo 'cd /etc/postgresql'; echo 'cd /etc/postgresql';
echo "if [ \$objects_updated ]; then"; echo "if [ \$objects_updated ]; then";
echo " sudo -u postgres psql -d pleroma -c \"\$objects_query\""; echo " sudo -u postgres psql -d pleroma -c \"\$objects_query\"";
@ -755,6 +794,8 @@ function upgrade_pleroma {
read_config_param PLEROMA_DOMAIN_NAME read_config_param PLEROMA_DOMAIN_NAME
read_config_param PLEROMA_EXPIRE_MONTHS read_config_param PLEROMA_EXPIRE_MONTHS
pleroma_add_filtering
if ! grep -q "/media/" /etc/cron.daily/pleroma-expire; then if ! grep -q "/media/" /etc/cron.daily/pleroma-expire; then
rm $pleroma_expire_posts_script rm $pleroma_expire_posts_script
fi fi
@ -1308,6 +1349,8 @@ function install_pleroma {
fi fi
sed -i 's|"chatDisabled":.*|"chatDisabled": true,|g' $PLEROMA_DIR/priv/static/static/config.json sed -i 's|"chatDisabled":.*|"chatDisabled": true,|g' $PLEROMA_DIR/priv/static/static/config.json
pleroma_add_filtering
systemctl daemon-reload systemctl daemon-reload
systemctl enable pleroma systemctl enable pleroma
systemctl start pleroma systemctl start pleroma
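Review bot: In the `@ -115` hunk the generated blocklist script splices `$filter_str`, built from raw lines of /root/freedombone-firewall-domains.cfg, unescaped into three `sed "s|…|…|g"` replacements and a `grep -q " $filter_str "` regex, so an entry containing `|`, `&`, `\` or `"` corrupts `$pleroma_secret` instead of being rejected. Since the `@ -102` hunk only admits entries without `@` into filter_str, tightening that guard to a hostname character class, `echo " if [[ \"\$blocked\" =~ ^[A-Za-z0-9.-]+\$ ]]; then";`, closes this and also limits the /etc/hosts write on the same branch to plain hostnames. In pleroma_add_filtering (`@ -62` hunk) `$pleroma_secret` is unquoted in every sed and grep call, the same pattern this commit fixes for `$ONION_SERVICES_FILE` elsewhere. The mrf_simple lists only take effect if `rewrite_policy` selects SimplePolicy in the Pleroma config, which nothing in these hunks sets, so a comment stating where that is done (or adding it) would help. The `mix deps.compile`/`mix compile` steps in the generated script also run in whatever cwd the script has at that point, as no `cd $PLEROMA_DIR` is visible before them.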


@ -376,6 +376,7 @@ function install_dat {
} }
function mesh_install_scuttlebot { function mesh_install_scuttlebot {
#shellcheck disable=SC2153
if [[ "$VARIANT" != "meshclient" && "$VARIANT" != "meshusb" ]]; then if [[ "$VARIANT" != "meshclient" && "$VARIANT" != "meshusb" ]]; then
return return
fi fi


@ -51,6 +51,7 @@ prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest
# From https://hg.prosody.im/prosody-modules # From https://hg.prosody.im/prosody-modules
prosody_modules_filename='prosody-modules-20180322.tar.gz' prosody_modules_filename='prosody-modules-20180322.tar.gz'
prosody_modules_hash='982d0dfcef98e9cb9cee4cc3801b8ce9a503a32e44c32b99df6fe94545b90072' prosody_modules_hash='982d0dfcef98e9cb9cee4cc3801b8ce9a503a32e44c32b99df6fe94545b90072'
xmpp_encryption_warning=$"For security reasons, OMEMO or PGP encryption is required for conversations on this server."
xmpp_variables=(ONION_ONLY xmpp_variables=(ONION_ONLY
INSTALLED_WITHIN_DOCKER INSTALLED_WITHIN_DOCKER
@ -62,6 +63,37 @@ xmpp_variables=(ONION_ONLY
DEFAULT_DOMAIN_NAME DEFAULT_DOMAIN_NAME
XMPP_DOMAIN_CODE) XMPP_DOMAIN_CODE)
function xmpp_update_e2e_policy {
filename="$1"
read_config_param DEFAULT_DOMAIN_NAME
read_config_param ONION_ONLY
if ! grep -q "e2e_policy_muc" "$filename"; then
echo "e2e_policy_muc = \"none\"" >> "$filename"
else
sed -i 's|e2e_policy_muc.*|e2e_policy_muc = "none"|g' "$filename"
fi
if ! grep -q "e2e_policy_chat" "$filename"; then
echo "e2e_policy_chat = \"required\"" >> "$filename"
else
sed -i 's|e2e_policy_chat.*|e2e_policy_chat = "required"|g' "$filename"
fi
if ! grep -q "e2e_policy_message_required_chat" "$filename"; then
echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"" >> "$filename"
else
sed -i "s|e2e_policy_message_required_chat.*|e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"|g" "$filename"
fi
if [[ "$ONION_ONLY" != 'no' ]]; then
XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
sed -i "s|VirtualHost \".*.onion.*|VirtualHost \"${XMPP_ONION_HOSTNAME}\"|g" "$filename"
# TLS is not strictly needed for onion transport security
sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' "$filename"
sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' "$filename"
fi
}
function logging_on_xmpp { function logging_on_xmpp {
if [ -d /etc/prosody ]; then if [ -d /etc/prosody ]; then
if [ ! -d /var/log/prosody ]; then if [ ! -d /var/log/prosody ]; then
@ -425,6 +457,10 @@ function upgrade_xmpp {
usermod -a -G ssl-cert prosody usermod -a -G ssl-cert prosody
fi fi
fi fi
xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
xmpp_update_e2e_policy /etc/prosody/prosody.cfg.lua
prosody_daemon_restart_script prosody_daemon_restart_script
function_check update_prosody_modules function_check update_prosody_modules
update_prosody_modules update_prosody_modules
@ -608,7 +644,7 @@ function remove_xmpp {
function_check remove_onion_service function_check remove_onion_service
remove_onion_service xmpp 5222 5223 5269 remove_onion_service xmpp 5222 5223 5269
sed -i '/HiddenServiceVersion 2/d' $ONION_SERVICES_FILE sed -i '/HiddenServiceVersion 2/d' "$ONION_SERVICES_FILE"
apt-mark -q unhold prosody apt-mark -q unhold prosody
apt-get -yq remove --purge prosody apt-get -yq remove --purge prosody
@ -818,11 +854,16 @@ function xmpp_create_config {
else else
echo " dhparam = \"/etc/ssl/certs/xmpp.dhparam\";" >> /etc/prosody/prosody.cfg.lua echo " dhparam = \"/etc/ssl/certs/xmpp.dhparam\";" >> /etc/prosody/prosody.cfg.lua
fi fi
{ echo '}'; { echo '}';
echo ''; echo '';
echo 'c2s_require_encryption = true'; echo 'c2s_require_encryption = true';
echo 's2s_require_encryption = true'; echo 's2s_require_encryption = true';
echo ''; echo '';
echo 'e2e_policy_muc = "none"';
echo 'e2e_policy_chat = "required"';
echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"";
echo '';
echo 's2s_secure_auth = false'; echo 's2s_secure_auth = false';
echo ''; echo '';
echo 'authentication = "internal_hashed"'; echo 'authentication = "internal_hashed"';
@ -838,6 +879,9 @@ function xmpp_create_config {
echo ''; } >> /etc/prosody/prosody.cfg.lua echo ''; } >> /etc/prosody/prosody.cfg.lua
if [[ "$ONION_ONLY" != 'no' ]]; then if [[ "$ONION_ONLY" != 'no' ]]; then
echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/prosody.cfg.lua echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/prosody.cfg.lua
# TLS is not needed for onion transport security
sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
else else
echo "VirtualHost \"${DEFAULT_DOMAIN_NAME}\"" >> /etc/prosody/prosody.cfg.lua echo "VirtualHost \"${DEFAULT_DOMAIN_NAME}\"" >> /etc/prosody/prosody.cfg.lua
fi fi
@ -1068,6 +1112,14 @@ function install_xmpp {
else else
sed -i 's|s2s_require_encryption.*|s2s_require_encryption = true|g' /etc/prosody/conf.avail/xmpp.cfg.lua sed -i 's|s2s_require_encryption.*|s2s_require_encryption = true|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi fi
if [[ "$ONION_ONLY" != 'no' ]]; then
sed -i 's|c2s_require_encryption.*|c2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's|s2s_require_encryption.*|s2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/conf.avail/xmpp.cfg.lua; then if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/conf.avail/xmpp.cfg.lua; then
echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
else else
@ -1079,11 +1131,11 @@ function install_xmpp {
echo $'No Tor installation found. xmpp onion site cannot be configured.' echo $'No Tor installation found. xmpp onion site cannot be configured.'
exit 877367 exit 877367
fi fi
if ! grep -q "hidden_service_xmpp" $ONION_SERVICES_FILE; then if ! grep -q "hidden_service_xmpp" "$ONION_SERVICES_FILE"; then
{ echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/'; { echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/';
echo 'HiddenServiceVersion 2'; echo 'HiddenServiceVersion 2';
echo "HiddenServicePort 5222 127.0.0.1:5222"; echo "HiddenServicePort 5222 127.0.0.1:5222";
echo "HiddenServicePort 5269 127.0.0.1:5269"; } >> $ONION_SERVICES_FILE echo "HiddenServicePort 5269 127.0.0.1:5269"; } >> "$ONION_SERVICES_FILE"
echo $'Added onion site for xmpp chat' echo $'Added onion site for xmpp chat'
fi fi
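Review bot: In xmpp_update_e2e_policy (`@ -62` hunk) `XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)` is unchecked, so if Tor has not yet published the hostname file the following sed rewrites the VirtualHost line to `VirtualHost ""` and the config is silently broken; the rewrite should be gated on the file being non-empty, and the pattern's `.onion` should be `\.onion`. `filename="$1"` should be `local filename="$1"` so the helper does not leak a global into its callers. The same onion branch sets `s2s_require_encryption = false`; that only holds while every federation peer is itself an onion, because s2s to a clearnet peer would leave Tor at an exit in plaintext, so a comment stating that assumption belongs next to the existing "TLS is not strictly needed" one. The `e2e_policy_*` options presumably belong to mod_e2e_policy from prosody-modules, and nothing in these hunks adds it to modules_enabled; if that is done elsewhere a comment pointing there would save the next reader a search. install_xmpp (`@ -1068` hunk) also repeats the two `require_encryption = false` seds immediately before calling this function, which performs them itself.
```shell
    if [[ "$ONION_ONLY" != 'no' ]]; then
        # Only rewrite the VirtualHost once Tor has published the onion address;
        # an empty substitution would leave 'VirtualHost ""' in the config.
        if [ -s /var/lib/tor/hidden_service_xmpp/hostname ]; then
            XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
            sed -i "s|VirtualHost \".*\.onion.*|VirtualHost \"${XMPP_ONION_HOSTNAME}\"|g" "$filename"
        fi
        # … unchanged: c2s/s2s require_encryption = false …
    fi
```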


@ -34,7 +34,7 @@ HIDDEN_SERVICE_PATH='/var/lib/tor/hidden_service_'
ONION_SERVICES_FILE=/etc/torrc.d/${PROJECT_NAME} ONION_SERVICES_FILE=/etc/torrc.d/${PROJECT_NAME}
function torrc_migrate { function torrc_migrate {
if [ -f $ONION_SERVICES_FILE ]; then if [ -f "$ONION_SERVICES_FILE" ]; then
if grep -q "#%include /etc/torrc.d" /etc/tor/torrc; then if grep -q "#%include /etc/torrc.d" /etc/tor/torrc; then
sed -i 's|#%include /etc/torrc.d|%include /etc/torrc.d|g' /etc/tor/torrc sed -i 's|#%include /etc/torrc.d|%include /etc/torrc.d|g' /etc/tor/torrc
systemctl restart tor systemctl restart tor
@ -45,9 +45,9 @@ function torrc_migrate {
mkdir /etc/torrc.d mkdir /etc/torrc.d
grep "HiddenServiceDir\\|HiddenServiceVersion\\|HiddenServicePort" /etc/tor/torrc | grep -v "#HiddenServiceDir" >> $ONION_SERVICES_FILE grep "HiddenServiceDir\\|HiddenServiceVersion\\|HiddenServicePort" /etc/tor/torrc | grep -v "#HiddenServiceDir" >> "$ONION_SERVICES_FILE"
if ! grep "HiddenServiceVersion" $ONION_SERVICES_FILE; then if ! grep "HiddenServiceVersion" "$ONION_SERVICES_FILE"; then
systemctl restart tor systemctl restart tor
return return
fi fi
@ -121,17 +121,17 @@ function remove_onion_service {
nick="$3" nick="$3"
if [ ${#nick} -gt 0 ]; then if [ ${#nick} -gt 0 ]; then
sed -i "/stealth ${nick}/d" $ONION_SERVICES_FILE sed -i "/stealth ${nick}/d" "$ONION_SERVICES_FILE"
fi fi
sed -i "/hidden_service_${onion_service_name}/,+1 d" $ONION_SERVICES_FILE sed -i "/hidden_service_${onion_service_name}/,+1 d" "$ONION_SERVICES_FILE"
sed -i "/hidden_service_${onion_service_name}_mobile/,+1 d" $ONION_SERVICES_FILE sed -i "/hidden_service_${onion_service_name}_mobile/,+1 d" "$ONION_SERVICES_FILE"
sed -i "/127.0.0.1:${onion_service_port_to}/d" $ONION_SERVICES_FILE sed -i "/127.0.0.1:${onion_service_port_to}/d" "$ONION_SERVICES_FILE"
if [ "$3" ]; then if [ "$3" ]; then
sed -i "/127.0.0.1:${3}/d" $ONION_SERVICES_FILE sed -i "/127.0.0.1:${3}/d" "$ONION_SERVICES_FILE"
if [ "$4" ]; then if [ "$4" ]; then
sed -i "/127.0.0.1:${4}/d" $ONION_SERVICES_FILE sed -i "/127.0.0.1:${4}/d" "$ONION_SERVICES_FILE"
if [ "$5" ]; then if [ "$5" ]; then
sed -i "/127.0.0.1:${5}/d" $ONION_SERVICES_FILE sed -i "/127.0.0.1:${5}/d" "$ONION_SERVICES_FILE"
fi fi
fi fi
fi fi
@ -164,16 +164,16 @@ function add_onion_service {
USE_V2_ONION_ADDRESS= USE_V2_ONION_ADDRESS=
exit 877367 exit 877367
fi fi
if ! grep -q "hidden_service_${onion_service_name}" $ONION_SERVICES_FILE; then if ! grep -q "hidden_service_${onion_service_name}" "$ONION_SERVICES_FILE"; then
echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}${onion_service_name}/" >> $ONION_SERVICES_FILE echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}${onion_service_name}/" >> "$ONION_SERVICES_FILE"
if [ ! $USE_V2_ONION_ADDRESS ]; then if [ ! $USE_V2_ONION_ADDRESS ]; then
echo 'HiddenServiceVersion 3' >> $ONION_SERVICES_FILE echo 'HiddenServiceVersion 3' >> "$ONION_SERVICES_FILE"
else else
echo 'HiddenServiceVersion 2' >> $ONION_SERVICES_FILE echo 'HiddenServiceVersion 2' >> "$ONION_SERVICES_FILE"
fi fi
echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> $ONION_SERVICES_FILE echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> "$ONION_SERVICES_FILE"
if [ ${#onion_stealth_name} -gt 0 ]; then if [ ${#onion_stealth_name} -gt 0 ]; then
echo "HiddenServiceAuthorizeClient stealth ${onion_stealth_name}" >> $ONION_SERVICES_FILE echo "HiddenServiceAuthorizeClient stealth ${onion_stealth_name}" >> "$ONION_SERVICES_FILE"
fi fi
fi fi
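Review bot: The remove_onion_service deletions at `sed -i "/127.0.0.1:${onion_service_port_to}/d"` (and the `$3`/`$4`/`$5` variants below it) are unanchored substring matches, so removing a service whose target port is 80 also deletes every `HiddenServicePort … 127.0.0.1:80xx` line belonging to other services (Pleroma's onion port is 8011 in this same commit); anchor the pattern, e.g. `sed -i "/127\.0\.0\.1:${onion_service_port_to}\$/d" "$ONION_SERVICES_FILE"`, and likewise for the three below. `grep "HiddenServiceVersion" "$ONION_SERVICES_FILE"` in torrc_migrate lacks `-q`, so matching lines are printed to stdout; `if ! grep -q …` is the intended form. `if [ ! $USE_V2_ONION_ADDRESS ]` in add_onion_service is the one expansion in these hunks the commit leaves unquoted. In remove_onion_service `$3` is read both as `nick` and, a few lines later, as a port to delete, while remove_xmpp calls it with ports only; the function head is outside the hunk so this may be deliberate, but it looks like the port arguments should start at `$4` and is worth confirming.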