Tidying gnusocial utils

Bob Mottram 2018-02-25 22:15:36 +00:00
parent 05f39281f2
commit 8b4ddff6eb
6 changed files with 710 additions and 722 deletions


@ -131,7 +131,7 @@ function create_freedns_updater {
} }
function add_ddns_domain { function add_ddns_domain {
if [ ! $1 ]; then if [ ! "$1" ]; then
echo $'ddns domain not specified' echo $'ddns domain not specified'
exit 5638 exit 5638
fi fi
@ -147,10 +147,10 @@ function add_ddns_domain {
exit 5745 exit 5745
fi fi
if ! grep -q "$DDNS_PROVIDER" /etc/inadyn.conf; then if ! grep -q "$DDNS_PROVIDER" /etc/inadyn.conf; then
echo '' >> /etc/inadyn.conf { echo '';
echo "system $DDNS_PROVIDER" >> /etc/inadyn.conf echo "system $DDNS_PROVIDER";
echo ' ssl' >> /etc/inadyn.conf echo ' ssl';
echo " checkip-url $GET_IP_ADDRESS_URL /" >> /etc/inadyn.conf echo " checkip-url $GET_IP_ADDRESS_URL /"; } >> /etc/inadyn.conf
if [ $DDNS_USERNAME ]; then if [ $DDNS_USERNAME ]; then
echo " username $DDNS_USERNAME" >> /etc/inadyn.conf echo " username $DDNS_USERNAME" >> /etc/inadyn.conf
fi fi
@ -168,7 +168,7 @@ function add_ddns_domain {
} }
function remove_ddns_domain { function remove_ddns_domain {
if [ ! $1 ]; then if [ ! "$1" ]; then
echo $'ddns domain not specified' echo $'ddns domain not specified'
exit 5638 exit 5638
fi fi
@ -203,14 +203,14 @@ function configure_dns {
# allow changes to resolv.conf # allow changes to resolv.conf
chattr -i $resolvconf chattr -i $resolvconf
echo 'domain localdomain' > $resolvconf { echo 'domain localdomain';
echo 'search localdomain' >> $resolvconf echo 'search localdomain';
echo "nameserver $NAMESERVER1" >> $resolvconf echo "nameserver $NAMESERVER1";
echo "nameserver $NAMESERVER2" >> $resolvconf echo "nameserver $NAMESERVER2";
echo "nameserver $NAMESERVER3" >> $resolvconf echo "nameserver $NAMESERVER3";
echo "nameserver $NAMESERVER4" >> $resolvconf echo "nameserver $NAMESERVER4";
echo "nameserver $NAMESERVER5" >> $resolvconf echo "nameserver $NAMESERVER5";
echo "nameserver $NAMESERVER6" >> $resolvconf echo "nameserver $NAMESERVER6"; } > $resolvconf
# prevent resolv.conf from changing # prevent resolv.conf from changing
resolvconf -u resolvconf -u
@ -222,7 +222,7 @@ function set_hostname {
DEFAULT_DOMAIN_NAME="$1" DEFAULT_DOMAIN_NAME="$1"
echo "$DEFAULT_DOMAIN_NAME" > /etc/hostname echo "$DEFAULT_DOMAIN_NAME" > /etc/hostname
hostname $DEFAULT_DOMAIN_NAME hostname "$DEFAULT_DOMAIN_NAME"
echo "$DEFAULT_DOMAIN_NAME" > /etc/mailname echo "$DEFAULT_DOMAIN_NAME" > /etc/mailname
if grep -q "127.0.1.1" /etc/hosts; then if grep -q "127.0.1.1" /etc/hosts; then
@ -238,7 +238,7 @@ function set_your_domain_name {
fi fi
function_check set_hostname function_check set_hostname
set_hostname $DEFAULT_DOMAIN_NAME set_hostname "$DEFAULT_DOMAIN_NAME"
mark_completed "${FUNCNAME[0]}" mark_completed "${FUNCNAME[0]}"
} }
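Review bot: `if [ $DDNS_USERNAME ]; then`, directly below the new brace group in add_ddns_domain, is still unquoted although the same commit quotes `$1` a few lines up; a username containing a space or glob character makes the test error out or evaluate wrongly, so it should read `if [ "$DDNS_USERNAME" ]; then`. The group writes the DDNS account name into /etc/inadyn.conf (and presumably the password in the lines that follow, outside the hunk), yet nothing visible here restricts that file's mode — if no `chmod 600 /etc/inadyn.conf` exists elsewhere it belongs right after these writes. Also, `grep -q "$DDNS_PROVIDER" /etc/inadyn.conf` is an unanchored substring match, so a provider name that happens to be contained in an existing entry would skip the block entirely. add_ddns_domain's body continues outside the hunk.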


@ -32,44 +32,45 @@ TOMB_REPO="https://github.com/dyne/Tomb"
TOMB_COMMIT='c80ebd6d6ed77980eb5b559757e03ea13a29bdd1' TOMB_COMMIT='c80ebd6d6ed77980eb5b559757e03ea13a29bdd1'
function mesh_install_tomb { function mesh_install_tomb {
chroot ${rootdir} apt-get -yq install cryptsetup zsh pinentry-curses # shellcheck disable=SC2154
chroot "${rootdir}" apt-get -yq install cryptsetup zsh pinentry-curses
if [ ! -d ${rootdir}/$INSTALL_DIR ]; then if [ ! -d "${rootdir}/$INSTALL_DIR" ]; then
mkdir -p ${rootdir}/$INSTALL_DIR mkdir -p "${rootdir}/$INSTALL_DIR"
fi fi
if [ -d /repos/tomb ]; then if [ -d /repos/tomb ]; then
mkdir ${rootdir}/$INSTALL_DIR/tomb mkdir "${rootdir}/$INSTALL_DIR/tomb"
cp -r -p /repos/tomb/. ${rootdir}/$INSTALL_DIR/tomb cp -r -p /repos/tomb/. "${rootdir}/$INSTALL_DIR/tomb"
cd ${rootdir}/$INSTALL_DIR/tomb cd "${rootdir}/$INSTALL_DIR/tomb" || exit 3648368
git pull git pull
else else
git_clone $TOMB_REPO ${rootdir}/$INSTALL_DIR/tomb git_clone "$TOMB_REPO" "${rootdir}/$INSTALL_DIR/tomb"
fi fi
cd ${rootdir}/$INSTALL_DIR/tomb cd "${rootdir}/$INSTALL_DIR/tomb" || exit 7346384
git checkout $TOMB_COMMIT -b $TOMB_COMMIT git checkout $TOMB_COMMIT -b $TOMB_COMMIT
chroot ${rootdir} /bin/bash -x <<EOF chroot "${rootdir}" /bin/bash -x <<EOF
cd $INSTALL_DIR/tomb cd $INSTALL_DIR/tomb
make install make install
EOF EOF
if [ ! -f ${rootdir}/usr/local/bin/tomb ]; then if [ ! -f "${rootdir}/usr/local/bin/tomb" ]; then
exit 93462 exit 93462
fi fi
} }
function install_tomb { function install_tomb {
if [ $INSTALLING_MESH ]; then if [ "$INSTALLING_MESH" ]; then
mesh_install_tomb mesh_install_tomb
return return
fi fi
function_check set_repo_commit function_check set_repo_commit
set_repo_commit $INSTALL_DIR/tomb "tomb commit" "$TOMB_COMMIT" $TOMB_REPO set_repo_commit "$INSTALL_DIR/tomb" "tomb commit" "$TOMB_COMMIT" "$TOMB_REPO"
if [ -f $COMPLETION_FILE ]; then if [ -f "$COMPLETION_FILE" ]; then
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
return return
fi fi
@ -77,22 +78,22 @@ function install_tomb {
apt-get -yq install cryptsetup zsh pinentry-curses apt-get -yq install cryptsetup zsh pinentry-curses
if [ ! -d $INSTALL_DIR ]; then if [ ! -d "$INSTALL_DIR" ]; then
mkdir -p $INSTALL_DIR mkdir -p "$INSTALL_DIR"
fi fi
if [ -d /repos/tomb ]; then if [ -d /repos/tomb ]; then
mkdir $INSTALL_DIR/tomb mkdir "$INSTALL_DIR/tomb"
cp -r -p /repos/tomb/. $INSTALL_DIR/tomb cp -r -p /repos/tomb/. "$INSTALL_DIR/tomb"
cd $INSTALL_DIR/tomb cd "$INSTALL_DIR/tomb" || exit 7684638
git pull git pull
else else
git_clone $TOMB_REPO $INSTALL_DIR/tomb git_clone "$TOMB_REPO" "$INSTALL_DIR/tomb"
fi fi
cd $INSTALL_DIR/tomb cd "$INSTALL_DIR/tomb" || exit 364863463
git checkout $TOMB_COMMIT -b $TOMB_COMMIT git checkout "$TOMB_COMMIT" -b "$TOMB_COMMIT"
set_completion_param "tomb commit" "$TOMB_COMMIT" set_completion_param "tomb commit" "$TOMB_COMMIT"
make install make install
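Review bot: In mesh_install_tomb the result of `git checkout $TOMB_COMMIT -b $TOMB_COMMIT` is never checked, so if the checkout fails (commit not fetched, dirty tree after the `git pull` of the copied repo) the chroot heredoc still runs `make install` as root on whatever revision happens to be checked out, which defeats the purpose of pinning TOMB_COMMIT; guard it with `if ! git checkout "$TOMB_COMMIT" -b "$TOMB_COMMIT"; then exit 1; fi`, the same way the later `cd` lines now guard with `|| exit`. That line is also the one place in the hunk left unquoted, while the identical line in install_tomb was quoted in this commit. Note that shell exit statuses are 8-bit, so `exit 3648368` and `exit 7346384` are actually reported as 112 and 208 — the large "unique" codes are not distinguishable the way the numbering suggests.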


@ -33,9 +33,9 @@ function install_final {
return return
fi fi
# unmount any attached usb drive # unmount any attached usb drive
if [ -d $USB_MOUNT ]; then if [ -d "$USB_MOUNT" ]; then
umount $USB_MOUNT umount "$USB_MOUNT"
rm -rf $USB_MOUNT rm -rf "$USB_MOUNT"
fi fi
function_check split_gpg_key_into_fragments function_check split_gpg_key_into_fragments
split_gpg_key_into_fragments split_gpg_key_into_fragments
@ -63,32 +63,32 @@ $(get_ssh_server_key)
echo '' echo ''
# add user menu on ssh login # add user menu on ssh login
if ! grep -q 'controluser' /home/$MY_USERNAME/.bashrc; then if ! grep -q 'controluser' "/home/$MY_USERNAME/.bashrc"; then
echo 'controluser' >> /home/$MY_USERNAME/.bashrc echo 'controluser' >> "/home/$MY_USERNAME/.bashrc"
fi fi
if [ ! -f $IMAGE_PASSWORD_FILE ]; then if [ ! -f "$IMAGE_PASSWORD_FILE" ]; then
if [ -f /root/${PROJECT_NAME}-wifi.cfg ]; then if [ -f "/root/${PROJECT_NAME}-wifi.cfg" ]; then
create_wifi_startup_script create_wifi_startup_script
echo '' echo ''
echo $'Shutting down the system. Detatch the ethernet cable, attach wifi dongle, then power on again.' echo $'Shutting down the system. Detatch the ethernet cable, attach wifi dongle, then power on again.'
echo '' echo ''
${PROJECT_NAME}-logging off --restart "${PROJECT_NAME}-logging" off --restart
systemctl poweroff systemctl poweroff
return return
fi fi
echo $'Turning off logging' echo $'Turning off logging'
${PROJECT_NAME}-logging off --restart "${PROJECT_NAME}-logging" off --restart
echo $'Rebooting the system' echo $'Rebooting the system'
systemctl reboot -i systemctl reboot -i
fi fi
echo $'Turning off logging' echo $'Turning off logging'
${PROJECT_NAME}-logging off --restart "${PROJECT_NAME}-logging" off --restart
} }
function update_installed_apps_list { function update_installed_apps_list {
# Why does this secondary file exist, apart from COMPLETION_FILE ? # Why does this secondary file exist, apart from COMPLETION_FILE ?
# It's so that it is visible to unprivileged users from the user control panel # It's so that it is visible to unprivileged users from the user control panel
cat $COMPLETION_FILE | grep "install_" > /usr/share/${PROJECT_NAME}/installed.txt grep "install_" "$COMPLETION_FILE" > "/usr/share/${PROJECT_NAME}/installed.txt"
} }
function create_default_user_removal_daemon { function create_default_user_removal_daemon {
@ -96,31 +96,31 @@ function create_default_user_removal_daemon {
first_start_daemon_filename=/etc/systemd/system/firststart.service first_start_daemon_filename=/etc/systemd/system/firststart.service
first_start_script=/usr/local/bin/firststart first_start_script=/usr/local/bin/firststart
echo '#!/bin/bash' > $first_start_script { echo '#!/bin/bash';
echo 'if [ -d /home/fbone]; then' >> $first_start_script echo 'if [ -d /home/fbone]; then';
echo ' userdel -r fbone' >> $first_start_script echo ' userdel -r fbone';
echo ' if [ -d /home/fbone]; then' >> $first_start_script echo ' if [ -d /home/fbone]; then';
echo ' rm -rf /home/fbone' >> $first_start_script echo ' rm -rf /home/fbone';
echo ' fi' >> $first_start_script echo ' fi';
echo 'fi' >> $first_start_script echo 'fi';
echo 'systemctl disable firststart' >> $first_start_script echo 'systemctl disable firststart';
echo "rm $first_start_daemon_filename" >> $first_start_script echo "rm $first_start_daemon_filename"; } > $first_start_script
chmod +x $first_start_script chmod +x $first_start_script
echo '[Unit]' > $first_start_daemon_filename { echo '[Unit]';
echo 'Description=Daemon run on first boot' >> $first_start_daemon_filename echo 'Description=Daemon run on first boot';
echo 'After=syslog.target' >> $first_start_daemon_filename echo 'After=syslog.target';
echo 'After=network.target' >> $first_start_daemon_filename echo 'After=network.target';
echo '' >> $first_start_daemon_filename echo '';
echo '[Service]' >> $first_start_daemon_filename echo '[Service]';
echo 'User=root' >> $first_start_daemon_filename echo 'User=root';
echo 'Group=root' >> $first_start_daemon_filename echo 'Group=root';
echo "ExecStart=$first_start_script" >> $first_start_daemon_filename echo "ExecStart=$first_start_script";
echo 'StandardOutput=syslog' >> $first_start_daemon_filename echo 'StandardOutput=syslog';
echo 'StandardError=syslog' >> $first_start_daemon_filename echo 'StandardError=syslog';
echo '' >> $first_start_daemon_filename echo '';
echo '[Install]' >> $first_start_daemon_filename echo '[Install]';
echo 'WantedBy=multi-user.target' >> $first_start_daemon_filename echo 'WantedBy=multi-user.target'; } > $first_start_daemon_filename
systemctl enable firststart systemctl enable firststart
} }
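Review bot: The generated first-boot script tests `if [ -d /home/fbone]; then` (and the inner test repeats the pattern) with no space before the closing bracket, so `[` reports a missing `]` and returns 2, the branch is never taken, `userdel -r fbone` never runs, and the unit still disables itself and deletes its own file — the default account silently survives the first boot, which is the opposite of what create_default_user_removal_daemon exists for. Fix both emitted lines: `echo 'if [ -d /home/fbone ]; then';` and `echo '    if [ -d /home/fbone ]; then';`. Since the script runs with `User=root`, it would also be worth making failure loud rather than silent, e.g. emitting `set -e` after the shebang or checking the `userdel` status before the self-disable steps.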


@ -47,7 +47,7 @@ function save_firewall_settings {
} }
function firewall_block_bad_ip_ranges { function firewall_block_bad_ip_ranges {
if [ $INSTALLING_MESH ]; then if [ "$INSTALLING_MESH" ]; then
return return
fi fi
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
@ -135,13 +135,13 @@ function firewall_enable_vpn {
} }
function configure_firewall { function configure_firewall {
if [ $INSTALLING_MESH ]; then if [ "$INSTALLING_MESH" ]; then
mesh_firewall mesh_firewall
return return
fi fi
if grep -q "RELATED" /etc/firewall.conf; then if grep -q "RELATED" /etc/firewall.conf; then
# recreate the firewall to remove RELATED # recreate the firewall to remove RELATED
sed -i "/firewall/d" $COMPLETION_FILE sed -i "/firewall/d" "$COMPLETION_FILE"
fi fi
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
return return
@ -276,10 +276,10 @@ function configure_internet_protocol {
echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
fi fi
if ! grep -q "keepalive" /etc/sysctl.conf; then if ! grep -q "keepalive" /etc/sysctl.conf; then
echo '# keepalive' >> /etc/sysctl.conf { echo '# keepalive';
echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_probes = 9';
echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_intvl = 75';
echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_time = 7200'; } >> /etc/sysctl.conf
fi fi
if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
@ -335,103 +335,100 @@ function configure_internet_protocol {
} }
function mesh_firewall { function mesh_firewall {
FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service # shellcheck disable=SC2154
FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT { echo '#!/bin/bash';
echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT echo 'iptables -P INPUT ACCEPT';
echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -P INPUT ACCEPT';
echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT echo 'iptables -F';
echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -F';
echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT echo 'iptables -t nat -F';
echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -t nat -F';
echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT echo 'iptables -X';
echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -X';
echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT echo 'iptables -P INPUT DROP';
echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -P INPUT DROP';
echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -i lo -j ACCEPT';
echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -i lo -j ACCEPT';
echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
echo '' >> $MESH_FIREWALL_SCRIPT echo '';
echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT echo '# Make sure incoming tcp connections are SYN packets';
echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
echo '' >> $MESH_FIREWALL_SCRIPT echo '';
echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT echo '# Drop packets with incoming fragments';
echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -f -j DROP';
echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -f -j DROP';
echo '' >> $MESH_FIREWALL_SCRIPT echo '';
echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT echo '# Drop bogons';
echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
echo '' >> $MESH_FIREWALL_SCRIPT echo '';
echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT echo '# Incoming malformed NULL packets:';
echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
echo '' >> $MESH_FIREWALL_SCRIPT echo '';
echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT"; } > "$MESH_FIREWALL_SCRIPT"
chmod +x $MESH_FIREWALL_SCRIPT chmod +x "$MESH_FIREWALL_SCRIPT"
echo '[Unit]' > $FIREWALL_FILENAME { echo '[Unit]';
echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME echo 'Description=Mesh Firewall';
echo '' >> $FIREWALL_FILENAME echo '';
echo '[Service]' >> $FIREWALL_FILENAME echo '[Service]';
echo 'Type=oneshot' >> $FIREWALL_FILENAME echo 'Type=oneshot';
echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME echo 'ExecStart=/usr/bin/mesh-firewall';
echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME echo 'RemainAfterExit=no';
echo '' >> $FIREWALL_FILENAME echo '';
echo 'TimeoutSec=30' >> $FIREWALL_FILENAME echo 'TimeoutSec=30';
echo '' >> $FIREWALL_FILENAME echo '';
echo '[Install]' >> $FIREWALL_FILENAME echo '[Install]';
echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME echo 'WantedBy=multi-user.target'; } > "$FIREWALL_FILENAME"
chmod +x $FIREWALL_FILENAME chmod +x "$FIREWALL_FILENAME"
chroot "$rootdir" systemctl enable meshfirewall chroot "$rootdir" systemctl enable meshfirewall
} }
function firewall_add { function firewall_add {
firewall_name=$(echo "$1" | sed "s| |-|g") firewall_name=$(string="$1" ; echo "${string// /-}")
firewall_port=$2 firewall_port=$2
firewall_protocol="$3" firewall_protocol="$3"
if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then if ! grep -q "${firewall_name}=${firewall_port}" "$FIREWALL_CONFIG"; then
echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG echo "${firewall_name}=${firewall_port}" >> "$FIREWALL_CONFIG"
if [ ! ${firewall_protocol} ]; then if [ ! "${firewall_protocol}" ]; then
iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
fi fi
iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
fi fi
else else
if [[ "${firewall_protocol}" == *"udp"* ]]; then if [[ "${firewall_protocol}" == *"udp"* ]]; then
iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
fi fi
fi fi
if [[ "${firewall_protocol}" == *"tcp"* ]]; then if [[ "${firewall_protocol}" == *"tcp"* ]]; then
iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
fi fi
fi fi
fi fi
@ -440,33 +437,29 @@ function firewall_add {
} }
function firewall_add_range { function firewall_add_range {
firewall_name=$(echo "$1" | sed "s| |-|g") firewall_name=$(string="$1" ; echo "${string// /-}")
firewall_port_start=$2 firewall_port_start=$2
firewall_port_end=$3 firewall_port_end=$3
firewall_protocol="$4" firewall_protocol="$4"
if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" "$FIREWALL_CONFIG"; then
echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> "$FIREWALL_CONFIG"
if [ ! ${firewall_protocol} ]; then if [ ! "${firewall_protocol}" ]; then
iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi fi
iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi fi
else else
if [[ "${firewall_protocol}" == *"udp"* ]]; then if [[ "${firewall_protocol}" == *"udp"* ]]; then
iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi fi
fi fi
if [[ "${firewall_protocol}" == *"tcp"* ]]; then if [[ "${firewall_protocol}" == *"tcp"* ]]; then
iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi fi
fi fi
fi fi
@ -479,23 +472,23 @@ function firewall_remove {
firewall_port=$1 firewall_port=$1
firewall_protocol="$2" firewall_protocol="$2"
if [ ! -f $FIREWALL_CONFIG ]; then if [ ! -f "$FIREWALL_CONFIG" ]; then
return return
fi fi
if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then if grep -q "=${firewall_port}" "$FIREWALL_CONFIG"; then
if [ ! ${firewall_protocol} ]; then if [ ! "${firewall_protocol}" ]; then
iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
else else
if [[ "${firewall_protocol}" == *"udp"* ]]; then if [[ "${firewall_protocol}" == *"udp"* ]]; then
iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
fi fi
if [[ "${firewall_protocol}" == *"tcp"* ]]; then if [[ "${firewall_protocol}" == *"tcp"* ]]; then
iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
fi fi
fi fi
sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG sed -i "/=${firewall_port}/d" "$FIREWALL_CONFIG"
save_firewall_settings save_firewall_settings
fi fi
} }
@ -509,7 +502,7 @@ function domain_to_hex_string {
characters=$(echo -n "$segment" | wc -c) characters=$(echo -n "$segment" | wc -c)
hexnum=$(echo "obase=16; $characters" | bc) hexnum=$(echo "obase=16; $characters" | bc)
echo -n "|" echo -n "|"
if [ $(echo -n "$hexnum" | wc -c) -lt 2 ]; then if [ "$(echo -n "$hexnum" | wc -c)" -lt 2 ]; then
echo -n "0" echo -n "0"
fi fi
echo -n "$hexnum|$segment" echo -n "$hexnum|$segment"
@ -523,20 +516,19 @@ function firewall_block_domain {
blocked_domain="$1" blocked_domain="$1"
if [[ "$blocked_domain" == *'@'* ]]; then if [[ "$blocked_domain" == *'@'* ]]; then
# Don't try to block email/microblog addresses # Don't try to block email/microblog addresses
echo "${blocked_domain}" >> $FIREWALL_DOMAINS echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
return return
fi fi
if ! grep -q "$blocked_domain" $FIREWALL_DOMAINS; then if ! grep -q "$blocked_domain" "$FIREWALL_DOMAINS"; then
hexstr=$(domain_to_hex_string $blocked_domain) hexstr=$(domain_to_hex_string "$blocked_domain")
iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP if ! iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP; then
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
echo "${blocked_domain}" >> $FIREWALL_DOMAINS echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
save_firewall_settings save_firewall_settings
fi fi
@ -559,13 +551,12 @@ function firewall_block_ip {
# Don't try to block email/microblog addresses # Don't try to block email/microblog addresses
return return
fi fi
if ! grep -q "$blocked_ip" $FIREWALL_DOMAINS; then if ! grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
iptables -C INPUT -s $blocked_ip -j DROP if ! iptables -C INPUT -s "$blocked_ip" -j DROP; then
if [ ! "$?" = "0" ]; then iptables -A INPUT -s "$blocked_ip" -j DROP
iptables -A INPUT -s $blocked_ip -j DROP iptables -A OUTPUT -s "$blocked_ip" -j DROP
iptables -A OUTPUT -s $blocked_ip -j DROP
echo "${blocked_ip}" >> $FIREWALL_DOMAINS echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
save_firewall_settings save_firewall_settings
fi fi
fi fi
@ -577,31 +568,31 @@ function firewall_unblock_ip {
# Don't try to block email/microblog addresses # Don't try to block email/microblog addresses
return return
fi fi
if grep -q "$blocked_ip" $FIREWALL_DOMAINS; then if grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
iptables -D INPUT -s $blocked_ip -j DROP iptables -D INPUT -s "$blocked_ip" -j DROP
iptables -D OUTPUT -s $blocked_ip -j DROP iptables -D OUTPUT -s "$blocked_ip" -j DROP
sed -i '/$blocked_ip/d' $FIREWALL_DOMAINS sed -i "/$blocked_ip/d" "$FIREWALL_DOMAINS"
echo "${blocked_ip}" >> $FIREWALL_DOMAINS echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
save_firewall_settings save_firewall_settings
fi fi
} }
function firewall_refresh_blocklist { function firewall_refresh_blocklist {
if [ ! -f /root/${PROJECT_NAME}-firewall-domains.cfg ]; then if [ ! -f "/root/${PROJECT_NAME}-firewall-domains.cfg" ]; then
return return
fi fi
while read blocked_domain; do while read -r blocked_domain; do
firewall_block_domain $blocked_domain firewall_block_domain "$blocked_domain"
done </root/${PROJECT_NAME}-firewall-domains.cfg done <"/root/${PROJECT_NAME}-firewall-domains.cfg"
} }
function firewall_unblock_domain { function firewall_unblock_domain {
unblocked_domain="$1" unblocked_domain="$1"
if grep -q "${unblocked_domain}" $FIREWALL_DOMAINS; then if grep -q "${unblocked_domain}" "$FIREWALL_DOMAINS"; then
if [[ "${unblocked_domain}" != *'@'* ]]; then if [[ "${unblocked_domain}" != *'@'* ]]; then
hexstr=$(domain_to_hex_string $unblocked_domain) hexstr=$(domain_to_hex_string "$unblocked_domain")
iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
@ -610,7 +601,7 @@ function firewall_unblock_domain {
iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
save_firewall_settings save_firewall_settings
fi fi
sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS sed -i "/${unblocked_domain}/d" "$FIREWALL_DOMAINS"
fi fi
} }
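Review bot: In firewall_unblock_ip the commit fixes the quoting so `sed -i "/$blocked_ip/d" "$FIREWALL_DOMAINS"` now really deletes the entry, but the very next line `echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"` appends it straight back, so the address stays listed and a later firewall_block_ip (which skips anything `grep -q` finds in that file) will refuse to re-block it; that echo line should be dropped. The OUTPUT rule deleted here, `iptables -D OUTPUT -s "$blocked_ip" -j DROP` (mirroring the `-A` in firewall_block_ip), matches packets whose source is the blocked address, which for traffic leaving this host never applies; if the intent is to stop outbound connections to that address the rule presumably needs `-d "$blocked_ip"`. Also `grep -q "$blocked_ip"` treats the address as an unanchored regex, so 10.0.0.1 matches 10.0.0.10 and 110.0.0.1; `grep -qxF -- "$blocked_ip"` would match the exact line only.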


@ -37,22 +37,21 @@ function git_clone {
} }
function git_pull { function git_pull {
if [ ! $1 ]; then if [ ! "$1" ]; then
echo $'git_pull no repo specified' echo $'git_pull no repo specified'
fi fi
git merge --abort git merge --abort
git stash git stash
git remote set-url origin $1 git remote set-url origin "$1"
git checkout master git checkout master
git pull git pull
if [ $2 ]; then if [ "$2" ]; then
# delete any existing branch # delete any existing branch
git branch -D $2 git branch -D "$2"
# check out the new branch # check out the new branch
git checkout $2 -b $2 if ! git checkout "$2" -b "$2"; then
if [ ! "$?" = "0" ]; then
echo $"Unable to checkout $1 $2" echo $"Unable to checkout $1 $2"
exit 72357 exit 72357
fi fi
@ -63,8 +62,8 @@ function commit_has_changed {
repo_dir=$1 repo_dir=$1
repo_commit_name=$2 repo_commit_name=$2
repo_commit=$3 repo_commit=$3
if [ -d $repo_dir ]; then if [ -d "$repo_dir" ]; then
if grep -q "$repo_commit_name" $COMPLETION_FILE; then if grep -q "$repo_commit_name" "$COMPLETION_FILE"; then
CURRENT_REPO_COMMIT=$(get_completion_param "$repo_commit_name") CURRENT_REPO_COMMIT=$(get_completion_param "$repo_commit_name")
if [[ "$CURRENT_REPO_COMMIT" != "$repo_commit" ]]; then if [[ "$CURRENT_REPO_COMMIT" != "$repo_commit" ]]; then
echo "1" echo "1"
@ -86,13 +85,13 @@ function set_repo_commit {
repo_commit=$3 repo_commit=$3
repo_url=$4 repo_url=$4
if [[ $(commit_has_changed $repo_dir $repo_commit_name $repo_commit) == "1" ]]; then if [[ $(commit_has_changed "$repo_dir" "$repo_commit_name" "$repo_commit") == "1" ]]; then
cd $repo_dir cd "$repo_dir" || exit 3856835
git_pull $repo_url $repo_commit git_pull "$repo_url" "$repo_commit"
# application specific stuff after updating the repo # application specific stuff after updating the repo
if [[ $repo_dir == *"www"* ]]; then if [[ $repo_dir == *"www"* ]]; then
chown -R www-data:www-data $repo_dir chown -R www-data:www-data "$repo_dir"
fi fi
if [[ $repo_dir == *"gpgit" ]]; then if [[ $repo_dir == *"gpgit" ]]; then
if [ ! -f /usr/bin/gpgit.pl ]; then if [ ! -f /usr/bin/gpgit.pl ]; then
@ -107,12 +106,12 @@ function set_repo_commit {
fi fi
if [[ $repo_dir == *"cleanup-maildir" ]]; then if [[ $repo_dir == *"cleanup-maildir" ]]; then
if [ ! -f /usr/bin/cleanup-maildir ]; then if [ ! -f /usr/bin/cleanup-maildir ]; then
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin cp "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" /usr/bin
else else
HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}') HASH1=$(sha256sum "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" | awk -F ' ' '{print $1}')
HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}') HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}')
if [[ "$HASH1" != "$HASH2" ]]; then if [[ "$HASH1" != "$HASH2" ]]; then
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin cp "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" /usr/bin
fi fi
fi fi
fi fi
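Review bot: git_pull prints `git_pull no repo specified` when `$1` is empty but then carries on, running `git remote set-url origin ""` and pulling from whatever that resolves to; the guard needs to stop the function, e.g. `echo $'git_pull no repo specified'; return 1` (or an `exit`, matching the other guards in this file). Note also that shell exit statuses are 8-bit, so `exit 72357` in the checkout failure branch is reported to the caller as 165 — these large codes are not distinguishable the way the numbering suggests. git_pull's closing lines are outside the hunk.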
