From ab0ef66923fb4310e80fdfcee1ba2a49d3fca67a Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Tue, 8 Nov 2016 17:52:49 +0000
Subject: [PATCH] lychee app

---
 src/freedombone-app-lychee | 488 +++++++++++++++++++++++++++++++++++++
 1 file changed, 488 insertions(+)
 create mode 100755 src/freedombone-app-lychee

diff --git a/src/freedombone-app-lychee b/src/freedombone-app-lychee
new file mode 100755
index 00000000..4a67d90b
--- /dev/null
+++ b/src/freedombone-app-lychee
@@ -0,0 +1,488 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Lychee photo album
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+VARIANTS="full full-vim writer"
+
+IN_DEFAULT_INSTALL=0
+SHOW_ON_ABOUT=1
+
+LYCHEE_DOMAIN_NAME=
+LYCHEE_CODE=
+LYCHEE_ONION_PORT=8105
+LYCHEE_REPO="https://github.com/electerious/Lychee"
+LYCHEE_COMMIT='3eaaed72715b30bf10ce66a5f75268467bcb728d'
+
+lychee_variables=(LYCHEE_REPO
+                  LYCHEE_COMMIT
+                  LYCHEE_DOMAIN_NAME
+                  LYCHEE_CODE
+                  ONION_ONLY
+                  DDNS_PROVIDER
+                  MY_USERNAME)
+
+
+function remove_user_lychee {
+    remove_username="$1"
+
+}
+
+function add_user_lychee {
+    if [[ $(app_is_installed lychee) == "0" ]]; then
+        echo '0'
+        return
+    fi
+
+    new_username="$1"
+    new_user_password="$2"
+
+    echo '0'
+}
+
+function install_interactive_lychee {
+    if [ ! $ONION_ONLY ]; then
+        ONION_ONLY='no'
+    fi
+
+    if [[ $ONION_ONLY != "no" ]]; then
+        LYCHEE_DOMAIN_NAME='lychee.local'
+        write_config_param "LYCHEE_DOMAIN_NAME" "$LYCHEE_DOMAIN_NAME"
+    else
+        function_check interactive_site_details
+        interactive_site_details "lychee" "LYCHEE_DOMAIN_NAME" "LYCHEE_CODE"
+    fi
+    APP_INSTALLED=1
+}
+
+function change_password_lychee {
+    set_completion_param "lychee domain" "$LYCHEE_DOMAIN_NAME"
+    LYCHEE_DOMAIN_NAME=$(get_completion_param "lychee domain")
+
+    LYCHEE_USERNAME="$1"
+    LYCHEE_PASSWORD="$2"
+    if [ ${#LYCHEE_PASSWORD} -lt 8 ]; then
+        echo $'Lychee password is too short'
+        return
+    fi
+}
+
+function reconfigure_lychee {
+    echo -n ''
+}
+
+function upgrade_lychee {
+    read_config_param "LYCHEE_DOMAIN_NAME"
+
+    function_check set_repo_commit
+    set_repo_commit /var/www/$LYCHEE_DOMAIN_NAME/htdocs "lychee commit" "$LYCHEE_COMMIT" $LYCHEE_REPO
+}
+
+function backup_local_lychee {
+    LYCHEE_DOMAIN_NAME='lychee.local'
+    if grep -q "lychee domain" $COMPLETION_FILE; then
+        LYCHEE_DOMAIN_NAME=$(get_completion_param "lychee domain")
+    fi
+
+    source_directory=/var/www/${LYCHEE_DOMAIN_NAME}/htdocs
+    if [ -d $source_directory ]; then
+        dest_directory=lychee
+        function_check suspend_site
+        suspend_site ${LYCHEE_DOMAIN_NAME}
+
+        function_check backup_directory_to_usb
+        backup_directory_to_usb $source_directory $dest_directory
+
+        function_check restart_site
+        restart_site
+    fi
+}
+
+function restore_local_lychee {
+    LYCHEE_DOMAIN_NAME='lychee.local'
+    if grep -q "lychee domain" $COMPLETION_FILE; then
+        LYCHEE_DOMAIN_NAME=$(get_completion_param "lychee domain")
+    fi
+    if [ $LYCHEE_DOMAIN_NAME ]; then
+        temp_restore_dir=/root/templychee
+        if [ -d $USB_MOUNT/backup/lychee ]; then
+            restore_directory_from_usb $temp_restore_dir lychee
+        else
+            restore_directory_from_usb $temp_restore_dir blog
+        fi
+        if [ -d /var/www/${LYCHEE_DOMAIN_NAME}/htdocs ]; then
+            if [ -d /var/www/${LYCHEE_DOMAIN_NAME}/previous ]; then
+                rm -rf /var/www/${LYCHEE_DOMAIN_NAME}/previous
+            fi
+            mv /var/www/${LYCHEE_DOMAIN_NAME}/htdocs /var/www/${LYCHEE_DOMAIN_NAME}/previous
+        fi
+        temp_source_dir=$(find ${temp_restore_dir} -name htdocs)
+        cp -r ${temp_source_dir} /var/www/${LYCHEE_DOMAIN_NAME}/
+        if [ ! "$?" = "0" ]; then
+            if [ -d /var/www/${LYCHEE_DOMAIN_NAME}/previous ]; then
+                mv /var/www/${LYCHEE_DOMAIN_NAME}/previous /var/www/${LYCHEE_DOMAIN_NAME}/htdocs
+            fi
+            set_user_permissions
+            backup_unmount_drive
+            exit 54675
+        fi
+        rm -rf ${temp_restore_dir}
+        chown -R www-data:www-data /var/www/${LYCHEE_DOMAIN_NAME}/htdocs
+        # Ensure that the bundled SSL cert is being used
+        if [ -f /etc/ssl/certs/${LYCHEE_DOMAIN_NAME}.bundle.crt ]; then
+            sed -i "s|${LYCHEE_DOMAIN_NAME}.crt|${LYCHEE_DOMAIN_NAME}.bundle.crt|g" /etc/nginx/sites-available/${LYCHEE_DOMAIN_NAME}
+        fi
+        if [ -d /etc/letsencrypt/live/${LYCHEE_DOMAIN_NAME} ]; then
+            ln -s /etc/letsencrypt/live/${LYCHEE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${LYCHEE_DOMAIN_NAME}.key
+            ln -s /etc/letsencrypt/live/${LYCHEE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${LYCHEE_DOMAIN_NAME}.pem
+        fi
+    fi
+}
+
+function backup_remote_lychee {
+    if grep -q "lychee domain" $COMPLETION_FILE; then
+        LYCHEE_DOMAIN_NAME=$(get_completion_param "lychee domain")
+        temp_backup_dir=/var/www/${LYCHEE_DOMAIN_NAME}/htdocs
+        if [ -d $temp_backup_dir ]; then
+            echo $"Backing up lychee"
+            backup_directory_to_friend $temp_backup_dir lychee
+            echo $"Backup of lychee complete"
+        else
+            echo $"Lychee domain specified but not found in $temp_backup_dir"
+            exit 2578
+        fi
+    fi
+}
+
+function restore_remote_lychee {
+    if [ -d $SERVER_DIRECTORY/backup/lychee ]; then
+        LYCHEE_DOMAIN_NAME=$(get_completion_param "lychee domain")
+        echo $"Restoring lychee installation $LYCHEE_DOMAIN_NAME"
+        temp_restore_dir=/root/templychee
+        mkdir $temp_restore_dir
+        function_check restore_directory_from_friend
+        restore_directory_from_friend $temp_restore_dir lychee
+        if [ -d /var/www/${LYCHEE_DOMAIN_NAME}/htdocs ]; then
+            if [ -d /var/www/${LYCHEE_DOMAIN_NAME}/previous ]; then
+                rm -rf /var/www/${LYCHEE_DOMAIN_NAME}/previous
+            fi
+            mv /var/www/${LYCHEE_DOMAIN_NAME}/htdocs /var/www/${LYCHEE_DOMAIN_NAME}/previous
+        fi
+        temp_source_dir=$(find ${temp_restore_dir} -name htdocs)
+        cp -r ${temp_source_dir} /var/www/${LYCHEE_DOMAIN_NAME}/
+        if [ ! "$?" = "0" ]; then
+            if [ -d /var/www/${LYCHEE_DOMAIN_NAME}/previous ]; then
+                mv /var/www/${LYCHEE_DOMAIN_NAME}/previous /var/www/${LYCHEE_DOMAIN_NAME}/htdocs
+            fi
+            exit 593
+        fi
+        rm -rf ${temp_restore_dir}
+        # Ensure that the bundled SSL cert is being used
+        if [ -f /etc/ssl/certs/${LYCHEE_DOMAIN_NAME}.bundle.crt ]; then
+            sed -i "s|${LYCHEE_DOMAIN_NAME}.crt|${LYCHEE_DOMAIN_NAME}.bundle.crt|g" /etc/nginx/sites-available/${LYCHEE_DOMAIN_NAME}
+        fi
+        if [ -d /etc/letsencrypt/live/${LYCHEE_DOMAIN_NAME} ]; then
+            ln -s /etc/letsencrypt/live/${LYCHEE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${LYCHEE_DOMAIN_NAME}.key
+            ln -s /etc/letsencrypt/live/${LYCHEE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${LYCHEE_DOMAIN_NAME}.pem
+        fi
+        echo $"Restore of lychee complete"
+    fi
+}
+
+function remove_lychee {
+    if [ ${#LYCHEE_DOMAIN_NAME} -eq 0 ]; then
+        return
+    fi
+
+    read_config_param "LYCHEE_DOMAIN_NAME"
+    nginx_dissite $LYCHEE_DOMAIN_NAME
+    remove_certs ${LYCHEE_DOMAIN_NAME}
+    if [ -f /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME ]; then
+        rm -f /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    fi
+    if [ -d /var/www/$LYCHEE_DOMAIN_NAME ]; then
+        rm -rf /var/www/$LYCHEE_DOMAIN_NAME
+    fi
+    remove_config_param LYCHEE_DOMAIN_NAME
+    remove_config_param LYCHEE_CODE
+    function_check remove_onion_service
+    remove_onion_service lychee ${LYCHEE_ONION_PORT}
+    remove_completion_param "install_lychee"
+    sed -i '/Lychee/d' $COMPLETION_FILE
+    sed -i '/lychee/d' $COMPLETION_FILE
+    sed -i '/lychee/d' /home/$MY_USERNAME/README
+    sed -i '/Lychee/d' /home/$MY_USERNAME/README
+
+    function_check remove_ddns_domain
+    remove_ddns_domain $LYCHEE_DOMAIN_NAME
+}
+
+function get_lychee_admin_password {
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "Your lychee password is" /home/$MY_USERNAME/README; then
+            LYCHEE_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Your lychee password is" | awk -F ':' '{print $2}' | sed 's/^ *//')
+        fi
+    fi
+}
+
+function install_lychee_website {
+    function_check nginx_http_redirect
+    nginx_http_redirect $LYCHEE_DOMAIN_NAME
+    echo 'server {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    root /var/www/$LYCHEE_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    server_name $LYCHEE_DOMAIN_NAME;" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    access_log off;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    error_log /var/log/nginx/${LYCHEE_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    index index.php;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    charset utf-8;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    function_check nginx_ssl
+    nginx_ssl $LYCHEE_DOMAIN_NAME
+    function_check nginx_disable_sniffing
+    nginx_disable_sniffing $LYCHEE_DOMAIN_NAME
+    echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location / {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    function_check nginx_limits
+    nginx_limits $LYCHEE_DOMAIN_NAME
+    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        allow all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        expires 30d;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # block these file types' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # or a unix socket' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /\. {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    #deny access to store' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /store {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '      deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '      deny  all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '}' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+}
+
+function install_lychee_website_onion {
+    echo 'server {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    listen 127.0.0.1:${LYCHEE_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    root /var/www/$LYCHEE_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    server_name $LYCHEE_DOMAIN_NAME;" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    access_log off;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    error_log /var/log/nginx/${LYCHEE_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    index index.php;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    charset utf-8;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    function_check nginx_disable_sniffing
+    nginx_disable_sniffing $LYCHEE_DOMAIN_NAME
+    echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location / {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    function_check nginx_limits
+    nginx_limits $LYCHEE_DOMAIN_NAME
+    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        allow all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        expires 30d;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # block these file types' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # or a unix socket' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    function_check nginx_limits
+    nginx_limits $LYCHEE_DOMAIN_NAME
+    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /\. {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    #deny access to store' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /store {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '        deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '      deny all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '      deny  all;' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '    }' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    echo '}' >> /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+}
+
+function install_lychee_from_repo {
+    if [ ! -d /var/www/$LYCHEE_DOMAIN_NAME ]; then
+        mkdir /var/www/$LYCHEE_DOMAIN_NAME
+    fi
+
+    cd /var/www/$LYCHEE_DOMAIN_NAME
+    git_clone $LYCHEE_REPO htdocs
+    cd htdocs
+    git checkout $LYCHEE_COMMIT -b $LYCHEE_COMMIT
+    set_completion_param "lychee commit" "$LYCHEE_COMMIT"
+}
+
+function install_lychee {
+    if [ ! $ONION_ONLY ]; then
+        ONION_ONLY='no'
+    fi
+
+    if [ ! $LYCHEE_DOMAIN_NAME ]; then
+        echo $'The lychee domain name was not specified'
+        exit 543672
+    fi
+
+    # for the avatar changing command
+    apt-get -yq install imagemagick exif zip
+
+    function_check install_lychee_from_repo
+    install_lychee_from_repo
+
+    if [[ $ONION_ONLY == "no" ]]; then
+        function_check install_lychee_website
+        install_lychee_website
+    else
+        echo -n '' > /etc/nginx/sites-available/$LYCHEE_DOMAIN_NAME
+    fi
+    function_check install_lychee_website_onion
+    install_lychee_website_onion
+
+    function_check create_site_certificate
+    create_site_certificate $LYCHEE_DOMAIN_NAME 'yes'
+
+    function_check configure_php
+    configure_php
+
+    chown -R www-data:www-data /var/www/$LYCHEE_DOMAIN_NAME/htdocs
+
+    LYCHEE_ONION_HOSTNAME=$(add_onion_service lychee 80 ${LYCHEE_ONION_PORT})
+
+    function_check nginx_ensite
+    nginx_ensite $LYCHEE_DOMAIN_NAME
+
+    systemctl restart php5-fpm
+    systemctl restart nginx
+
+    if ! grep -q "Lychee onion domain" /home/$MY_USERNAME/README; then
+        echo $"Lychee onion domain: ${LYCHEE_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+        echo $"Log into your lychee at https://${LYCHEE_ONION_HOSTNAME}/login" >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+        chmod 600 /home/$MY_USERNAME/README
+    fi
+
+    function_check add_ddns_domain
+    add_ddns_domain $LYCHEE_DOMAIN_NAME
+
+    set_completion_param "lychee domain" "$LYCHEE_DOMAIN_NAME"
+    APP_INSTALLED=1
+}
+
+# NOTE: deliberately no exit 0