Bob Mottram 2018-03-23 17:20:38 +00:00
commit e909a996ef
18 changed files with 602 additions and 512 deletions


@ -10,7 +10,7 @@
[[file:images/logo.png]] [[file:images/logo.png]]
#+END_CENTER #+END_CENTER
#+BEGIN_EXPORT html #+BEGIN_EXPORT HTML
<center> <center>
<h1>Social Instance</h1> <h1>Social Instance</h1>
</center> </center>

Binary file not shown.

Binary file not shown.


@ -614,6 +614,10 @@ function remove_gnusocial {
sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
if [ -f /usr/bin/gnusocial-firewall ]; then
rm /usr/bin/gnusocial-firewall
fi
function_check remove_ddns_domain function_check remove_ddns_domain
remove_ddns_domain "$GNUSOCIAL_DOMAIN_NAME" remove_ddns_domain "$GNUSOCIAL_DOMAIN_NAME"
} }


@ -9,15 +9,6 @@
# Freedom in the Cloud # Freedom in the Cloud
# #
# Pleroma backend application # Pleroma backend application
# https://git.pleroma.social/pleroma/pleroma/wikis/Installing-on-Debian-Based-Distributions
#
# Show stopper: This is dependent on https://placehold.it for avatar images,
# so at present it's not usable until a first party placeholder image system
# is included.
#
# There is also a possible issue with the chat system which uses an object called
# "Agent" which may not be supported with the version of elixir within the
# Debian package. This only applies if you're installing from the latest commit.
# #
# License # License
# ======= # =======
@ -47,7 +38,7 @@ PLEROMA_CODE=
PLEROMA_PORT=4000 PLEROMA_PORT=4000
PLEROMA_ONION_PORT=8011 PLEROMA_ONION_PORT=8011
PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git" PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
PLEROMA_COMMIT='59a76ea464998476f8c4814324647f4ae4a7f2cb' PLEROMA_COMMIT='c50c7745bc8b8f52ba07c69c0d2505df54da0f59'
PLEROMA_ADMIN_PASSWORD= PLEROMA_ADMIN_PASSWORD=
PLEROMA_DIR=/etc/pleroma PLEROMA_DIR=/etc/pleroma
PLEROMA_SECRET_KEY="" PLEROMA_SECRET_KEY=""
@ -254,7 +245,6 @@ function pleroma_recompile {
if [ -f /etc/systemd/system/pleroma.service ]; then if [ -f /etc/systemd/system/pleroma.service ]; then
systemctl restart pleroma systemctl restart pleroma
fi fi
} }
function logging_on_pleroma { function logging_on_pleroma {
@ -733,6 +723,11 @@ function upgrade_pleroma {
return return
fi fi
pleroma_registrations=open
if grep -q 'registrations_open: false' $PLEROMA_DIR/config/config.exs; then
pleroma_registrations=
fi
# make a copy of the configuration # make a copy of the configuration
cp $PLEROMA_DIR/priv/static/static/config.json $PLEROMA_DIR/priv/static/static/config_prev.json cp $PLEROMA_DIR/priv/static/static/config.json $PLEROMA_DIR/priv/static/static/config_prev.json
@ -760,12 +755,19 @@ function upgrade_pleroma {
sudo -u pleroma mix deps.get sudo -u pleroma mix deps.get
if [ ! $pleroma_registrations ]; then
sed -i 's|registrations_open: true|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
sed -i 's|registrations_open: True|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
fi
pleroma_recompile pleroma_recompile
# migrate database # migrate database
sudo -u pleroma mix deps.clean --build mime sudo -u pleroma mix deps.clean --build mime
sudo -u pleroma mix ecto.migrate sudo -u pleroma mix ecto.migrate
pleroma_custom_logo "$PLEROMA_DIR"
expire_pleroma_posts "$PLEROMA_DOMAIN_NAME" "$PLEROMA_EXPIRE_MONTHS" expire_pleroma_posts "$PLEROMA_DOMAIN_NAME" "$PLEROMA_EXPIRE_MONTHS"
create_pleroma_blocklist create_pleroma_blocklist
@ -934,6 +936,10 @@ function remove_pleroma {
sed -i '/pleroma commit/d' "$COMPLETION_FILE" sed -i '/pleroma commit/d' "$COMPLETION_FILE"
sed -i "/$blocking_script_file/d" /etc/crontab sed -i "/$blocking_script_file/d" /etc/crontab
if [ -f /usr/bin/pleroma-blocking ]; then
rm /usr/bin/pleroma-blocking
fi
function_check remove_ddns_domain function_check remove_ddns_domain
remove_ddns_domain "$PLEROMA_DOMAIN_NAME" remove_ddns_domain "$PLEROMA_DOMAIN_NAME"
} }
@ -1183,6 +1189,13 @@ function install_pleroma {
sed -i 's|registrations_open:.*|registrations_open: true,|g' $PLEROMA_DIR/config/config.exs sed -i 's|registrations_open:.*|registrations_open: true,|g' $PLEROMA_DIR/config/config.exs
sed -i 's|"registrationOpen":.*|"registrationOpen": true,|g' $PLEROMA_DIR/priv/static/static/config.json sed -i 's|"registrationOpen":.*|"registrationOpen": true,|g' $PLEROMA_DIR/priv/static/static/config.json
if ! grep -q "media_proxy" $PLEROMA_DIR/priv/static/static/config.json; then
sed -i '/"name":/a "media_proxy": false,' $PLEROMA_DIR/priv/static/static/config.json
sed -i 's|"media_proxy"| "media_proxy"|g' $PLEROMA_DIR/priv/static/static/config.json
else
sed -i 's|"media_proxy".*|"media_proxy": false,|g' $PLEROMA_DIR/priv/static/static/config.json
fi
systemctl daemon-reload systemctl daemon-reload
systemctl enable pleroma systemctl enable pleroma
systemctl start pleroma systemctl start pleroma
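Review bot: The registration state saved in upgrade_pleroma fails open: `pleroma_registrations` starts as `open` and is cleared only when `grep -q 'registrations_open: false'` matches, so a missing config.exs or a value written with different spacing leaves a previously closed instance open after the upgrade. The two restoring `sed` calls likewise match only the exact strings `registrations_open: true` and `registrations_open: True`, whereas install_pleroma already uses the broader `registrations_open:.*` pattern. Consider a looser match such as `sed -i 's|registrations_open: *[Tt]rue|registrations_open: false|g' "$PLEROMA_DIR/config/config.exs"`, followed by a warning if `grep -q 'registrations_open: false'` still fails. `$PLEROMA_DIR` and `$pleroma_registrations` are also unquoted in the new tests. upgrade_pleroma starts and ends outside the hunks shown.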


@ -627,6 +627,10 @@ function remove_postactiv {
sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
if [ -f /usr/bin/postactiv-firewall ]; then
rm /usr/bin/postactiv-firewall
fi
function_check remove_ddns_domain function_check remove_ddns_domain
remove_ddns_domain "$POSTACTIV_DOMAIN_NAME" remove_ddns_domain "$POSTACTIV_DOMAIN_NAME"
} }


@ -45,14 +45,14 @@ XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+
XMPP_ECC_CURVE='"secp384r1"' XMPP_ECC_CURVE='"secp384r1"'
prosody_latest_version='0.10' prosody_latest_version='0.10'
prosody_nightly=410 prosody_nightly=468
prosody_nightly_hash='9cf3db6a09895a744d72eb90b4a635758a710afe1a16b78506c7139c4e7211eb' prosody_nightly_hash='c72aaab1182a86090188284f443d2f819889ca242d4e955258ef60f4c7c9a1ba'
prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly} prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz" prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
# From https://hg.prosody.im/prosody-modules # From https://hg.prosody.im/prosody-modules
prosody_modules_filename='prosody-modules-20180104.tar.gz' prosody_modules_filename='prosody-modules-20180322.tar.gz'
prosody_modules_hash='7c81b4ed8a90130b4db5902dc1f299ad1c4dab57a0970552b71cb2042a490bc1' prosody_modules_hash='982d0dfcef98e9cb9cee4cc3801b8ce9a503a32e44c32b99df6fe94545b90072'
xmpp_variables=(ONION_ONLY xmpp_variables=(ONION_ONLY
INSTALLED_WITHIN_DOCKER INSTALLED_WITHIN_DOCKER
@ -414,10 +414,16 @@ function prosody_daemon_restart_script {
# On rare occasions the daemon appears to get stuck # On rare occasions the daemon appears to get stuck
# i.e. still active, but not accepting connections # i.e. still active, but not accepting connections
# This ensures that it will unstick itself at least once per day # This ensures that it will unstick itself at least once per day
if [ ! -f /etc/cron.daily/prosody ]; then if [ -f /etc/cron.daily/prosody ]; then
echo '#!/bin/bash' > /etc/cron.daily/prosody rm /etc/cron.daily/prosody
echo 'systemctl restart prosody' >> /etc/cron.daily/prosody fi
chmod +x /etc/cron.daily/prosody if [ ! -f /etc/cron.hourly/prosody ]; then
{ echo '#!/bin/bash';
echo "is_active=\$(systemctl is-active prosody)";
echo "if [[ \"\$is_active\" != 'active' ]]; then";
echo ' systemctl restart prosody'
echo 'fi'; } > /etc/cron.hourly/prosody
chmod +x /etc/cron.hourly/prosody
fi fi
} }
@ -667,13 +673,13 @@ function xmpp_contact_info {
return return
fi fi
{ 'contact_info = {'; { echo 'contact_info = {';
"abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };"; echo "abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
"admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };"; echo "admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
"feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };"; echo "feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
"security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };"; echo "security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
"support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };"; echo "support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
'};'; } >> "$filename" echo '};'; } >> "$filename"
} }
function xmpp_modules { function xmpp_modules {
@ -867,6 +873,7 @@ function xmpp_create_config {
echo 'http_upload_file_size_limit = 307200'; echo 'http_upload_file_size_limit = 307200';
echo ''; echo '';
echo "Component \"chat.${DEFAULT_DOMAIN_NAME}\" \"muc\""; echo "Component \"chat.${DEFAULT_DOMAIN_NAME}\" \"muc\"";
echo ' restrict_room_creation = true';
echo ' name = "Chatrooms"'; echo ' name = "Chatrooms"';
echo ' modules_enabled = {'; echo ' modules_enabled = {';
echo ' "muc_limits";'; echo ' "muc_limits";';
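Review bot: The new hourly job in prosody_daemon_restart_script cannot detect the condition its own comment describes. The comment says the daemon gets stuck while "still active, but not accepting connections", but the generated script restarts prosody only when `systemctl is-active prosody` is not `active`. With the unconditional daily restart removed, a stuck-but-active daemon is no longer recovered. Either update the comment to something like `# Restart prosody if systemd no longer reports it as active`, or have the hourly script test that the server accepts a connection before deciding. The script is also written only when /etc/cron.hourly/prosody is absent, so later changes to it will not reach existing installs.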


@ -57,8 +57,6 @@ MY_GPG_PRIVATE_KEY=
# optionally specify your public key ID # optionally specify your public key ID
MY_GPG_PUBLIC_KEY_ID= MY_GPG_PUBLIC_KEY_ID=
EXIM_ONION_REPO="https://github.com/petterreinholdtsen/exim4-smtorp"
# automatic archiving of email # automatic archiving of email
CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir" CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir"
CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86' CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86'
@ -150,6 +148,71 @@ function configure_email_onion {
set_completion_param "email onion domain" "${onion_address}" set_completion_param "email onion domain" "${onion_address}"
add_email_hostname "$onion_address" add_email_hostname "$onion_address"
apt-get -yq install tinycdb perl
# MX record should be:
# _onion-mx._tcp.$DEFAULT_DOMAIN_NAME. 3600 IN SRV 0 5 25 $onion_address
echo "$DEFAULT_DOMAIN_NAME $onion_address" > /etc/exim4/onionrelay.txt
cdb -m -c -t ~/onionrelay.tmp /etc/exim4/onionrelay.cdb /etc/exim4/onionrelay.txt
{ echo "perl_startup = do '/etc/exim4/perl-routines.pl'";
echo "perl_at_start"; } > /etc/exim4/conf.d/main/perl
{ echo "use Net::DNS::Resolver;";
echo "sub onionLookup {";
echo " my \$hostname = shift;";
echo " my \$res = Net::DNS::Resolver->new(nameservers => [qw(127.0.0.1)],);";
echo " \$res->port(5300);";
echo " my \$query = \$res->search(\$hostname);";
echo " foreach my \$rr (\$query->answer) {";
echo " next unless \$rr->type eq \"A\";";
echo " return \$rr->address;";
echo " }";
echo " return 'no_such_host';";
echo "}"; } > /etc/exim4/perl-routines.pl
{ echo "ONION_RELAYDB=/etc/exim4/onionrelay.cdb";
echo "domainlist onion_relays = cdb;ONION_RELAYDB"; } > /etc/exim4/conf.d/domainlists
{ echo "# send things over tor where we have an entry for it";
echo "onionrelays:";
echo " driver = manualroute";
echo " domains = +onion_relays";
echo " transport = onion_relay";
echo " # get the automap IP for the onion address from the tor daemon";
echo " route_data = \${perl{onionLookup}{\${lookup{\$domain}cdb{ONION_RELAYDB}}}}";
echo " no_more"; } > /etc/exim4/conf.d/router/50_exim4-config-onion
{ echo "onion_relay:";
echo " driver = smtp";
echo " socks_proxy = 127.0.0.1 port=9050"; } > /etc/exim4/conf.d/transport/50_exim4-config_onion
if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then
echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
else
sed -i 's|#AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
sed -i 's|AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
fi
if ! grep -q "DNSPort " /etc/tor/torrc; then
echo 'DNSPort 5300' >> /etc/tor/torrc
else
sed -i 's|#DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
sed -i 's|DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
fi
if ! grep -q "DNSListenAddress" /etc/tor/torrc; then
echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc
else
sed -i 's|#DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
sed -i 's|DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
fi
dpkg-reconfigure --frontend noninteractive exim4-config
systemctl restart tor
systemctl restart exim4
mark_completed "${FUNCNAME[0]}" mark_completed "${FUNCNAME[0]}"
} }
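Review bot: In the generated /etc/exim4/perl-routines.pl, `onionLookup` calls `$query->answer` without checking `$query`. Net::DNS's `search` returns undef when the lookup fails, so a failed or timed-out lookup on the Tor DNSPort would raise a Perl error inside the router expansion instead of returning `'no_such_host'`. Add a guard before the loop: `echo "    return 'no_such_host' unless \$query;";`. The routine also needs Net::DNS, while the added `apt-get` line installs only `tinycdb perl`; unless the module (Debian's `libnet-dns-perl`) is installed elsewhere, `perl_startup` would presumably fail when exim starts, so it is worth installing here. configure_email_onion begins outside the hunk.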


@ -129,129 +129,10 @@ fi
function any_key { function any_key {
echo '' echo ''
# shellcheck disable=SC2034
read -n1 -rsp $"Press any key to continue..." key read -n1 -rsp $"Press any key to continue..." key
} }
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(mktemp 2>/dev/null)
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
sel=$?
case $sel in
0)
GIVEN_HASH=$(<"$data")
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
rm -f "$data"
}
function get_app_icann_address {
app_name="$1"
if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
return
else
app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
if [ "$app_name_upper" ]; then
param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
if [ "${param_value}" ]; then
echo "${param_value}"
return
fi
fi
fi
echo "${DEFAULT_DOMAIN_NAME}"
}
function passwords_select_user {
SELECTED_USERNAME=
# shellcheck disable=SC2207
users_array=($(ls /home))
delete=(git)
# shellcheck disable=SC2068
for del in ${delete[@]}
do
# shellcheck disable=SC2206
users_array=(${users_array[@]/$del})
done
i=0
W=()
name=()
# shellcheck disable=SC2068
for u in ${users_array[@]}
do
if [[ $(is_valid_user "$u") == "1" ]]; then
i=$((i+1))
W+=("$i" "$u")
name+=("$u")
fi
done
if [ $i -eq 1 ]; then
SELECTED_USERNAME="${name[0]}"
else
# shellcheck disable=SC2068
user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
# shellcheck disable=SC2181
if [ $? -eq 0 ]; then
SELECTED_USERNAME="${name[$((user_index-1))]}"
fi
fi
}
function passwords_show_apps {
SELECTED_APP=
i=0
W=()
name=()
# shellcheck disable=SC2068
for a in ${APPS_AVAILABLE[@]}
do
if [[ $(function_exists "change_password_${a}") == "1" ]]; then
i=$((i+1))
W+=("$i" "$a")
name+=("$a")
fi
done
i=$((i+1))
W+=("$i" "mariadb")
name+=("mariadb")
# shellcheck disable=SC2068
selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
# shellcheck disable=SC2181
if [ $? -eq 0 ]; then
SELECTED_APP="${name[$((selected_app_index-1))]}"
fi
}
function reset_password_tries { function reset_password_tries {
passwords_select_user passwords_select_user
if [ ! "$SELECTED_USERNAME" ]; then if [ ! "$SELECTED_USERNAME" ]; then
@ -262,67 +143,6 @@ function reset_password_tries {
--msgbox $"Password tries have been reset for $SELECTED_USERNAME" 6 60 --msgbox $"Password tries have been reset for $SELECTED_USERNAME" 6 60
} }
function view_or_change_passwords {
passwords_select_user
if [ ! "$SELECTED_USERNAME" ]; then
return
fi
detect_installed_apps
passwords_show_apps
if [ ! "$SELECTED_APP" ]; then
return
fi
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
icann_address=$(get_app_icann_address "${SELECTED_APP}")
onion_address=$(get_app_onion_address "${SELECTED_APP}")
titlestr=$"View or Change Password"
if [ ${#onion_address} -gt 0 ]; then
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
else
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
fi
if [ -f /root/.nostore ]; then
titlestr=$"Change Password"
if [ ${#onion_address} -gt 0 ]; then
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
else
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
fi
fi
if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
dialog --title $"MariaDB database password" \
--msgbox "\\n ${CURR_PASSWORD}" 7 40
return
fi
data=$(mktemp 2>/dev/null)
dialog --title "$titlestr" \
--backtitle $"Freedombone Control Panel" \
--inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
sel=$?
case $sel in
0)
CURR_PASSWORD=$(<"$data")
if [ ${#CURR_PASSWORD} -gt 8 ]; then
"${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
"change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
dialog --title $"Change password" \
--msgbox $"The password was changed" 6 40
else
dialog --title $"Change password" \
--msgbox $"The password given must be at least 8 characters" 6 40
fi
;;
esac
rm -f "$data"
}
function check_for_updates { function check_for_updates {
if [ ! -f "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" ]; then if [ ! -f "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" ]; then
dialog --title $"Check for updates" \ dialog --title $"Check for updates" \
@ -383,34 +203,59 @@ function pad_string {
echo -n -e "$1" | sed -e :a -e 's/^.\{1,25\}$/& /;ta' echo -n -e "$1" | sed -e :a -e 's/^.\{1,25\}$/& /;ta'
} }
function show_tor_bridges {
if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
if grep -q "BridgeRelay 1" /etc/tor/torrc; then
read_config_param 'TOR_BRIDGE_PORT'
read_config_param 'TOR_BRIDGE_NICKNAME'
if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
W+=($"Your Tor Bridge" "$(get_ipv4_address):${TOR_BRIDGE_PORT} ${TOR_BRIDGE_NICKNAME}")
fi
fi
fi
bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
if [ ${#bridges_list} -gt 0 ]; then
for i in "${bridges_list[@]}"
do
bridgestr=$(i//Bridge /)
W+=($"Tor Bridge" "$bridgestr")
done
fi
}
function show_domains { function show_domains {
read_config_param "DEFAULT_DOMAIN_NAME" read_config_param "DEFAULT_DOMAIN_NAME"
echo 'Domains' W=()
echo '======='
echo '' W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
echo -n -e "$(pad_string 'Name')" ipv6_address="$(get_ipv6_address)"
echo -n -e "$(pad_string 'ICANN')" if [ ${#ipv6_address} -gt 0 ]; then
echo -n -e "$(pad_string 'Tor')" W+=("IPv6" "${ipv6_address}")
echo '' fi
echo '--------------------------------------------------------------------------'
if grep -q "ssh onion domain" "$COMPLETION_FILE"; then if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
echo -n -e "$(pad_string 'ssh')" domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")" W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
fi fi
if grep -q "email onion domain" "$COMPLETION_FILE"; then if grep -q "email onion domain" "$COMPLETION_FILE"; then
echo -n -e "$(pad_string 'Email')" domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")" W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
fi fi
if grep -q "sks onion domain" "$COMPLETION_FILE"; then if grep -q "sks onion domain" "$COMPLETION_FILE"; then
read_config_param "KEYSERVER_DOMAIN_NAME" read_config_param "KEYSERVER_DOMAIN_NAME"
echo -n -e "$(pad_string 'SKS')" domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
echo -n -e "$(pad_string "${KEYSERVER_DOMAIN_NAME}")" W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
fi fi
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
if [ -f $INTRODUCER_FILENAME ]; then
W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
fi
show_tor_bridges
# shellcheck disable=SC2068 # shellcheck disable=SC2068
for app_name in ${APPS_INSTALLED_NAMES[@]} for app_name in ${APPS_INSTALLED_NAMES[@]}
do do
@ -446,36 +291,43 @@ function show_domains {
onion_address="-" onion_address="-"
fi fi
echo -n -e "$(pad_string "${app_name}")" if [[ "${icann_address}" != '-' ]]; then
echo -n -e "$(pad_string "${icann_address}")" if [[ "${onion_address}" != '-' ]]; then
echo "${onion_address}" W+=("${app_name}" "${icann_address} / ${onion_address}")
else
W+=("${app_name}" "${icann_address}")
fi
else
W+=("${app_name}" "${onion_address}")
fi
if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
onion_address=$(get_app_onion_address "${app_name}" "mobile") onion_address=$(get_app_onion_address "${app_name}" "mobile")
echo -n -e "$(pad_string "${app_name} (mobile)")" if [[ "${icann_address}" != '-' ]]; then
echo -n -e "$(pad_string "${icann_address}")" W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
echo "${onion_address}" else
W+=("${app_name} (mobile)" "${onion_address}")
fi
fi fi
fi fi
done done
if grep -q "rss reader domain" "$COMPLETION_FILE"; then if grep -q "rss reader domain" "$COMPLETION_FILE"; then
if [ -d /var/lib/tor/hidden_service_ttrss ]; then if [ -d /var/lib/tor/hidden_service_ttrss ]; then
echo -n -e "$(pad_string 'RSS reader')" domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
RSSDOM='-' W+=("RSS Reader" "${domain_onion}")
echo -n -e "$(pad_string ${RSSDOM})"
echo -n "$(cat /var/lib/tor/hidden_service_ttrss/hostname)"
echo ''
fi fi
if [ -d /var/lib/tor/hidden_service_mobilerss ]; then if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
echo -n -e "$(pad_string 'RSS mobile')" domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
RSSMOBILEDOM='-' W+=("RSS mobile" "${domain_onion}")
echo -n -e "$(pad_string ${RSSMOBILEDOM})"
echo -n "$(cat /var/lib/tor/hidden_service_mobilerss/hostname)"
echo ''
fi fi
fi fi
echo ''
width=$(tput cols)
height=$(tput lines)
# shellcheck disable=SC2068
dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3
} }
function show_users { function show_users {
@ -525,34 +377,6 @@ function show_ip_addresses {
echo '' echo ''
} }
function show_tor_bridges {
bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
if [ ${#bridges_list} -gt 0 ]; then
echo $'Tor Bridges'
echo '==========='
echo ''
echo "${bridges_list}"
echo ''
echo ''
fi
if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
if grep -q "BridgeRelay 1" /etc/tor/torrc; then
read_config_param 'TOR_BRIDGE_PORT'
read_config_param 'TOR_BRIDGE_NICKNAME'
if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
echo "Tor bridge on this system"
echo '========================='
echo ''
echo "IP Address: $(get_ipv4_address)"
echo "Port: ${TOR_BRIDGE_PORT}"
echo "Nickname: ${TOR_BRIDGE_NICKNAME}"
echo ''
echo ''
fi
fi
fi
}
function show_ssh_public_key { function show_ssh_public_key {
echo $'SSH Public Keys' echo $'SSH Public Keys'
echo '===============' echo '==============='
@ -562,33 +386,18 @@ function show_ssh_public_key {
echo '' echo ''
} }
function show_tahoelafs_introducer {
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
if [ ! -f $INTRODUCER_FILENAME ]; then
return
fi
echo $'Tahoe-LAFS introducer'
echo '====================='
echo ''
cat $INTRODUCER_FILENAME
echo ''
echo ''
}
function show_about { function show_about {
detect_apps detect_apps
get_apps_installed_names get_apps_installed_names
clear #clear
echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ====" #echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ===="
echo '' #echo ''
show_ip_addresses #show_ip_addresses
show_tor_bridges #show_ssh_public_key
show_ssh_public_key
show_domains show_domains
show_tahoelafs #show_users
show_users #any_key
any_key
} }
function select_user { function select_user {
@ -1265,30 +1074,6 @@ function restore_data_remote {
rm -f "$data" rm -f "$data"
} }
function ping_enable_disable {
ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
enable_ping="no"
dialog --title $"Enable Ping / ICMP" \
--backtitle $"Freedombone Control Panel" \
--defaultno \
--yesno "$ping_str" 10 60
sel=$?
case $sel in
0) enable_ping="yes";;
255) return;;
esac
if [[ $enable_ping == "yes" ]]; then
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
else
iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi
}
function logging_on_off { function logging_on_off {
logging="no" logging="no"
dialog --title $"Logging" \ dialog --title $"Logging" \
@ -1326,82 +1111,6 @@ function restore_gpg_key {
function security_settings { function security_settings {
"${PROJECT_NAME}-sec" "${PROJECT_NAME}-sec"
any_key
}
function show_tripwire_verification_code {
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
return
fi
clear
echo ''
echo $'Tripwire Verification Code'
echo ''
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
echo -n "$DBHASH" | qrencode -t UTF8
echo ''
echo "$DBHASH"
echo ''
}
function reset_tripwire {
if [ ! -f /usr/bin/reset-tripwire ]; then
echo $'Missing /usr/bin/reset-tripwire'
any_key
return
fi
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
else
echo $'Error: missing local key'
any_key
return
fi
fi
clear
echo $'Turing off logging...'
"${PROJECT_NAME}-logging" off
echo $'Locking down permissions...'
lockdown_permissions
echo $'Creating configuration...'
echo '
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
echo $'Resetting policy...'
echo '
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
echo $'Creating tripwire database'
echo '
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
echo $'Resetting the Tripwire...'
echo ''
echo '
' | reset-tripwire
echo ''
# Sometimes nginx fails to restart if matrix is installed
# Restart matrix first
if [ -d /etc/matrix ]; then
systemctl restart matrix
systemctl restart nginx
fi
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
show_tripwire_verification_code
echo $'Tripwire is now reset. Take a note of the above hash, or record'
echo $'the QR code using a mobile device. This will enable you to independently'
echo $'verify the integrity of the tripwire.'
else
echo $'ERROR: tripwire database was not created'
fi
any_key
} }
function format_drive { function format_drive {
@ -1775,19 +1484,6 @@ function reinstall_mariadb {
--msgbox $"MariaDB has been reinstalled" 6 40 --msgbox $"MariaDB has been reinstalled" 6 40
} }
function show_firewall {
clear
echo $"Firewall Settings"
echo ''
while read -r line; do
firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
echo -n -e "$(pad_string "${firewall_name}")"
echo "${firewall_port}"
done < "$FIREWALL_CONFIG"
any_key
}
function email_extra_domains { function email_extra_domains {
email_hostnames=$(grep "dc_other_hostnames" /etc/exim4/update-exim4.conf.conf | awk -F "'" '{print $2}') email_hostnames=$(grep "dc_other_hostnames" /etc/exim4/update-exim4.conf.conf | awk -F "'" '{print $2}')
@ -2198,7 +1894,7 @@ function menu_wifi {
function menu_app_settings { function menu_app_settings {
detect_installable_apps detect_installable_apps
applist="" W=()
appnames=() appnames=()
n=1 n=1
app_index=0 app_index=0
@ -2207,7 +1903,7 @@ function menu_app_settings {
do do
if [[ ${APPS_INSTALLED[$app_index]} != "0" ]]; then if [[ ${APPS_INSTALLED[$app_index]} != "0" ]]; then
if [[ $(function_exists "configure_interactive_${a}") == "1" ]]; then if [[ $(function_exists "configure_interactive_${a}") == "1" ]]; then
applist="$applist $n $a off" W+=("$n" "$a")
n=$((n+1)) n=$((n+1))
appnames+=("$a") appnames+=("$a")
fi fi
@ -2217,23 +1913,18 @@ function menu_app_settings {
if [ $n -le 1 ]; then if [ $n -le 1 ]; then
return return
fi fi
backstr=$'Exit'
applist="$applist $n $backstr on"
appnames+=("Exit")
# shellcheck disable=SC2086 # shellcheck disable=SC2086
choice=$(dialog --stdout --backtitle $"Freedombone" \ choice=$(dialog --backtitle $"Freedombone" \
--title $"Change settings for an App" \ --title $"Change settings for an App" \
--radiolist $'Choose:' \ --menu $'Choose:' \
26 40 30 $applist) 26 40 30 "${W[@]}" 3>&2 2>&1 1>&3)
# shellcheck disable=SC2181 # shellcheck disable=SC2181
if [ $? -eq 0 ]; then if [ "$choice" ]; then
app_index=$((choice-1)) app_index=$((choice-1))
chosen_app=${appnames[$app_index]} chosen_app=${appnames[$app_index]}
if [[ $chosen_app != "Exit" ]]; then "configure_interactive_${chosen_app}"
"configure_interactive_${chosen_app}"
fi
fi fi
} }
@ -2241,29 +1932,24 @@ function menu_top_level {
while true while true
do do
W=(1 $"About this system" W=(1 $"About this system"
2 $"Passwords" 2 $"Backup and Restore"
3 $"Backup and Restore" 3 $"App Settings"
4 $"Show Firewall" 4 $"Add/Remove Apps"
5 $"Verify Tripwire Code" 5 $"Logging on/off"
6 $"Reset Tripwire" 6 $"Manage Users"
7 $"App Settings" 7 $"Email Menu"
8 $"Add/Remove Apps" 8 $"Domain or User Blocking"
9 $"Logging on/off" 9 $"Security Settings"
10 $"Ping enable/disable" 10 $"Change the name of this system"
11 $"Manage Users" 11 $"Set a static local IP address"
12 $"Email Menu" 12 $"Wifi menu"
13 $"Domain or User Blocking" 13 $"Add Clacks"
14 $"Security Settings" 14 $"Check for updates"
15 $"Change the name of this system" 15 $"Power off the system"
16 $"Set a static local IP address" 16 $"Restart the system")
17 $"Wifi menu"
18 $"Add Clacks"
19 $"Check for updates"
20 $"Power off the system"
21 $"Restart the system")
# shellcheck disable=SC2068 # shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 28 60 28 "${W[@]}" 3>&2 2>&1 1>&3) selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 24 60 24 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then if [ ! "$selection" ]; then
break break
@ -2273,30 +1959,24 @@ function menu_top_level {
case $selection in case $selection in
1) show_about;; 1) show_about;;
2) view_or_change_passwords;; 2) menu_backup_restore;;
3) menu_backup_restore;; 3) menu_app_settings;;
4) show_firewall;; 4) if ! /usr/local/bin/addremove; then
5) show_tripwire_verification_code
any_key_verify;;
6) reset_tripwire;;
7) menu_app_settings;;
8) if ! /usr/local/bin/addremove; then
any_key any_key
fi fi
;; ;;
9) logging_on_off;; 5) logging_on_off;;
10) ping_enable_disable;; 6) menu_users;;
11) menu_users;; 7) menu_email;;
12) menu_email;; 8) domain_blocking;;
13) domain_blocking;; 9) security_settings;;
14) security_settings;; 10) change_system_name;;
15) change_system_name;; 11) set_static_IP;;
16) set_static_IP;; 12) menu_wifi;;
17) menu_wifi;; 13) add_clacks;;
18) add_clacks;; 14) check_for_updates;;
19) check_for_updates;; 15) shut_down_system;;
20) shut_down_system;; 16) restart_system;;
21) restart_system;;
esac esac
done done
} }


@ -890,7 +890,6 @@ function menu_top_level {
selection=$(dialog --backtitle $"Freedombone User Control Panel" --title $"User Control Panel" --menu $"Choose an operation, or ESC to log out:" 20 60 13 "${W[@]}" 3>&2 2>&1 1>&3) selection=$(dialog --backtitle $"Freedombone User Control Panel" --title $"User Control Panel" --menu $"Choose an operation, or ESC to log out:" 20 60 13 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then if [ ! "$selection" ]; then
kill -HUP "$(pgrep -s 0 -o)" kill -HUP "$(pgrep -s 0 -o)"
break
fi fi
case $selection in case $selection in


@ -69,6 +69,240 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
MY_USERNAME= MY_USERNAME=
function ping_enable_disable {
ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
enable_ping="no"
dialog --title $"Enable Ping / ICMP" \
--backtitle $"Freedombone Control Panel" \
--defaultno \
--yesno "$ping_str" 10 60
sel=$?
case $sel in
0) enable_ping="yes";;
255) return;;
esac
if [[ $enable_ping == "yes" ]]; then
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
else
iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi
}
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(mktemp 2>/dev/null)
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
sel=$?
case $sel in
0)
GIVEN_HASH=$(<"$data")
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
rm -f "$data"
}
function show_tripwire_verification_code {
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
return
fi
clear
echo ''
echo $'Tripwire Verification Code'
echo ''
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
echo -n "$DBHASH" | qrencode -t UTF8
echo ''
echo "$DBHASH"
echo ''
}
function reset_tripwire {
if [ ! -f /usr/bin/reset-tripwire ]; then
echo $'Missing /usr/bin/reset-tripwire'
any_key
return
fi
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
else
echo $'Error: missing local key'
any_key
return
fi
fi
clear
echo $'Turing off logging...'
"${PROJECT_NAME}-logging" off
echo $'Locking down permissions...'
lockdown_permissions
echo $'Creating configuration...'
echo '
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
echo $'Resetting policy...'
echo '
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
echo $'Creating tripwire database'
echo '
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
echo $'Resetting the Tripwire...'
echo ''
echo '
' | reset-tripwire
echo ''
# Sometimes nginx fails to restart if matrix is installed
# Restart matrix first
if [ -d /etc/matrix ]; then
systemctl restart matrix
systemctl restart nginx
fi
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
show_tripwire_verification_code
echo $'Tripwire is now reset. Take a note of the above hash, or record'
echo $'the QR code using a mobile device. This will enable you to independently'
echo $'verify the integrity of the tripwire.'
else
echo $'ERROR: tripwire database was not created'
fi
any_key
}
function passwords_show_apps {
SELECTED_APP=
i=0
W=()
name=()
# shellcheck disable=SC2068
for a in ${APPS_AVAILABLE[@]}
do
if grep -q "change_password_" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${a}"; then
i=$((i+1))
W+=("$i" "$a")
name+=("$a")
fi
done
i=$((i+1))
W+=("$i" "mariadb")
name+=("mariadb")
# shellcheck disable=SC2068
selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"User $SELECTED_USERNAME: Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
# shellcheck disable=SC2181
if [ $? -eq 0 ]; then
SELECTED_APP="${name[$((selected_app_index-1))]}"
fi
}
function view_or_change_passwords {
passwords_select_user
if [ ! "$SELECTED_USERNAME" ]; then
return
fi
detect_installed_apps
passwords_show_apps
if [ ! "$SELECTED_APP" ]; then
return
fi
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
icann_address=$(get_app_icann_address "${SELECTED_APP}")
onion_address=$(get_app_onion_address "${SELECTED_APP}")
titlestr=$"View or Change Password"
if [ ${#onion_address} -gt 0 ]; then
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
else
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
fi
if [ -f /root/.nostore ]; then
titlestr=$"Change Password"
if [ ${#onion_address} -gt 0 ]; then
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
else
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
fi
fi
if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
dialog --title $"MariaDB database password" \
--msgbox "\\n ${CURR_PASSWORD}" 7 40
return
fi
data=$(mktemp 2>/dev/null)
dialog --title "$titlestr" \
--backtitle $"Freedombone Control Panel" \
--inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
sel=$?
case $sel in
0)
CURR_PASSWORD=$(<"$data")
if [ ${#CURR_PASSWORD} -gt 8 ]; then
"${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
"change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
dialog --title $"Change password" \
--msgbox $"The password was changed" 6 40
else
dialog --title $"Change password" \
--msgbox $"The password given must be at least 8 characters" 6 40
fi
;;
esac
rm -f "$data"
}
function show_firewall {
W=()
while read -r line; do
firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
W+=("${firewall_name}" "${firewall_port}")
done < "$FIREWALL_CONFIG"
# shellcheck disable=SC2068
dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Firewall" --menu $"Press ESC to return to main menu" 28 50 28 "${W[@]}" 3>&2 2>&1 1>&3
}
function export_passwords { function export_passwords {
detect_usb_drive detect_usb_drive
dialog --title $"Export passwords to USB drive $USB_DRIVE" \ dialog --title $"Export passwords to USB drive $USB_DRIVE" \
@ -962,24 +1196,27 @@ function menu_tor_bridges {
} }
function menu_security_settings { function menu_security_settings {
W=(1 $"Run STIG tests" W=(1 $"Passwords"
2 $"Fix STIG test failures" 2 $"Run STIG tests"
3 $"Show ssh host public key" 3 $"Fix STIG test failures"
4 $"Tor bridges" 4 $"Show tripwire verification code"
5 $"Password storage" 5 $"Reset tripwire"
6 $"Export passwords" 6 $"Enable or disable ping"
7 $"Regenerate ssh host keys" 7 $"Show ssh host public key"
8 $"Regenerate Diffie-Hellman keys" 8 $"Tor bridges"
9 $"Update cipersuite" 9 $"Password storage"
10 $"Create a new Let's Encrypt certificate" 10 $"Export passwords"
11 $"Renew Let's Encrypt certificate" 11 $"Regenerate ssh host keys"
12 $"Delete a Let's Encrypt certificate" 12 $"Regenerate Diffie-Hellman keys"
13 $"Enable GPG based authentication (monkeysphere)" 13 $"Update cipersuite"
14 $"Register a website with monkeysphere" 14 $"Create a new Let's Encrypt certificate"
15 $"Allow ssh login with passwords") 15 $"Renew Let's Encrypt certificate"
16 $"Delete a Let's Encrypt certificate"
17 $"Allow ssh login with passwords"
18 $"Show firewall")
# shellcheck disable=SC2068 # shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 23 76 23 "${W[@]}" 3>&2 2>&1 1>&3) selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 25 76 25 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then if [ ! "$selection" ]; then
exit 0 exit 0
@ -1001,13 +1238,17 @@ function menu_security_settings {
case $selection in case $selection in
1) 1)
view_or_change_passwords
exit 0;
;;
2)
clear clear
echo $'Running STIG tests...' echo $'Running STIG tests...'
echo '' echo ''
${PROJECT_NAME}-tests --stig showall ${PROJECT_NAME}-tests --stig showall
exit 0 exit 0
;; ;;
2) 3)
clear clear
echo $'Fixing any STIG failures...' echo $'Fixing any STIG failures...'
echo '' echo ''
@ -1015,53 +1256,65 @@ function menu_security_settings {
echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.' echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.'
exit 0 exit 0
;; ;;
3) 4)
show_tripwire_verification_code
any_key_verify
exit 0
;;
5)
reset_tripwire
exit 0
;;
6)
ping_enable_disable
exit 0
;;
7)
dialog --title $"SSH host public keys" \ dialog --title $"SSH host public keys" \
--msgbox "\\n$(get_ssh_server_key)" 12 60 --msgbox "\\n$(get_ssh_server_key)" 12 60
exit 0 exit 0
;; ;;
4) 8)
menu_tor_bridges menu_tor_bridges
exit 0 exit 0
;; ;;
5) 9)
store_passwords store_passwords
exit 0 exit 0
;; ;;
6) 10)
export_passwords export_passwords
exit 0 exit 0
;; ;;
7) 11)
regenerate_ssh_host_keys regenerate_ssh_host_keys
;; ;;
8) 12)
regenerate_dh_keys regenerate_dh_keys
;; ;;
9) 13)
interactive_setup interactive_setup
update_ciphersuite update_ciphersuite
;; ;;
10) 14)
create_letsencrypt create_letsencrypt
;; ;;
11) 15)
renew_letsencrypt renew_letsencrypt
;; ;;
12) 16)
delete_letsencrypt delete_letsencrypt
;; ;;
13) 17)
enable_monkeysphere
;;
14)
register_website
;;
15)
allow_ssh_passwords allow_ssh_passwords
change_ssh_settings change_ssh_settings
exit 0 exit 0
;; ;;
18)
show_firewall
exit 0
;;
esac esac
change_website_settings change_website_settings
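Review bot: `view_or_change_passwords` sends the typed password to a temp file whose creation is never checked (`data=$(mktemp 2>/dev/null)`), so a failed mktemp leaves `$data` empty and the `2>"$data"` redirect on the dialog fails; `any_key_verify` has the same pattern. I would write `data=$(mktemp) || return` in both places. The new password is also passed as `-p "${CURR_PASSWORD}"`, which exposes it in the process argument list while the helper runs if `${PROJECT_NAME}-pass` is an external program; whether it can take the value another way is not visible here. Separately, `[ ${#CURR_PASSWORD} -gt 8 ]` rejects an 8-character password although the message says "at least 8 characters"; `-ge 8` would match the message. `menu_security_settings` continues outside the hunk.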


@ -95,6 +95,7 @@ if [ -d "$PROJECT_DIR" ]; then
apt-get -yq -t stretch-backports install certbot apt-get -yq -t stretch-backports install certbot
email_install_tls email_install_tls
email_disable_chunking email_disable_chunking
rm /etc/exim4/exim4.conf.template.bak*
#defrag_filesystem #defrag_filesystem
# reinstall tor from backports # reinstall tor from backports
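Review bot: The added `rm /etc/exim4/exim4.conf.template.bak*` fails with "No such file or directory" whenever no backup file matches the glob, which will be the case on any later run of this upgrade step. `rm -f /etc/exim4/exim4.conf.template.bak*` makes the step quiet and repeatable. Whether this script aborts on a failing command is not visible in the hunk, and the enclosing `if [ -d "$PROJECT_DIR" ]` block starts and ends outside it.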


@ -95,6 +95,28 @@ function qvitter_update_background {
fi fi
} }
function pleroma_custom_logo {
basedir="$1"
if [ "$2" ]; then
if [[ "$2" == *".png" ]]; then
cp "$2" "$basedir/priv/static/static/logo.png"
return
fi
fi
if [ -f "$basedir/priv/static/static/logo.png" ]; then
if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
else
if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
fi
fi
fi
}
function pleroma_set_background_image_from_url { function pleroma_set_background_image_from_url {
basedir="$1" basedir="$1"
domain_name="$2" domain_name="$2"
@ -157,22 +179,7 @@ function pleroma_set_background_image_from_url {
return return
fi fi
# customise the logo pleroma_custom_logo "$basedir"
if [ -f "$basedir/static/logo.png" ]; then
if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
if [ -d "$basedir/priv/static/static" ]; then
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
fi
else
if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
if [ -d "$basedir/priv/static/static" ]; then
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
fi
fi
fi
fi
# customise the title # customise the title
if [ -f "$basedir/static/config.json" ]; then if [ -f "$basedir/static/config.json" ]; then
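Review bot: `pleroma_custom_logo` tests that `$basedir/priv/static/static/logo.png` exists but then copies to `$basedir/static/logo.png` first, a destination the removed code only wrote after checking it was there; when `$basedir/static` is absent that first `cp` fails. The `$2` branch also copies any argument ending in `.png` without checking that it is a regular file. I would resolve the source logo once and guard each destination on its own, as in the version below. `pleroma_set_background_image_from_url` continues outside the hunk.

```shell
function pleroma_custom_logo {
    basedir="$1"
    # Only accept a caller-supplied logo that is an existing .png file
    if [[ "$2" == *".png" && -f "$2" ]]; then
        cp -- "$2" "$basedir/priv/static/static/logo.png"
        return
    fi
    logo_src="$HOME/${PROJECT_NAME}/img/logo_fbone3.png"
    if [ ! -f "$logo_src" ]; then
        logo_src="/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png"
    fi
    if [ ! -f "$logo_src" ]; then
        return
    fi
    # Replace a logo only where one is already installed
    for logo_dest in "$basedir/static/logo.png" "$basedir/priv/static/static/logo.png"; do
        if [ -f "$logo_dest" ]; then
            cp -- "$logo_src" "$logo_dest"
        fi
    done
}
```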


@ -47,6 +47,24 @@ ROUTER_IP_ADDRESS="192.168.1.254"
MESH_INSTALL_DIR=/var/lib MESH_INSTALL_DIR=/var/lib
function get_app_icann_address {
app_name="$1"
if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
return
else
app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
if [ "$app_name_upper" ]; then
param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
if [ "${param_value}" ]; then
echo "${param_value}"
return
fi
fi
fi
echo "${DEFAULT_DOMAIN_NAME}"
}
function install_static_network { function install_static_network {
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
return return
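Review bot: Both lookups in `get_app_icann_address` use unanchored patterns, so `grep "${app_name} domain"` and `grep "${app_name_upper}="` also match a longer name that ends with the requested one, and `head -n 1` may then return another app's domain; an empty `$1` matches the first line containing ` domain`. For the configuration lookup I would anchor the key, `grep "^${app_name_upper}=" "$CONFIGURATION_FILE"`, assuming entries start at column 0 (the file format is not visible here). The test `[ "$app_name_upper" ]` is always true because `_DOMAIN_NAME` is appended, so it should be replaced by a check on `$app_name` at the top of the function. `install_static_network` continues outside the hunk.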


@ -39,6 +39,47 @@ MINIMUM_PASSWORD_LENGTH=10
# The default password length used in images # The default password length used in images
DEFAULT_PASSWORD_LENGTH=20 DEFAULT_PASSWORD_LENGTH=20
function passwords_select_user {
SELECTED_USERNAME=
# shellcheck disable=SC2207
users_array=($(ls /home))
delete=(git)
# shellcheck disable=SC2068
for del in ${delete[@]}
do
# shellcheck disable=SC2206
users_array=(${users_array[@]/$del})
done
i=0
W=()
name=()
# shellcheck disable=SC2068
for u in ${users_array[@]}
do
if [[ $(is_valid_user "$u") == "1" ]]; then
i=$((i+1))
W+=("$i" "$u")
name+=("$u")
fi
done
if [ $i -eq 1 ]; then
SELECTED_USERNAME="${name[0]}"
else
# shellcheck disable=SC2068
user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
# shellcheck disable=SC2181
if [ $? -eq 0 ]; then
# shellcheck disable=SC2034
SELECTED_USERNAME="${name[$((user_index-1))]}"
fi
fi
}
function enforce_good_passwords { function enforce_good_passwords {
# because humans are generally bad at choosing passwords # because humans are generally bad at choosing passwords
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
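Review bot: In `passwords_select_user` the expansion `users_array=(${users_array[@]/$del})` removes the substring `git` from every element instead of dropping the `git` entry, so a home directory whose name merely contains `git` is carried forward under a mangled name (constructed example: `brigitte` becomes `britte`). Combined with `($(ls /home))`, names are also word-split. I would build the list from the directory glob and skip the excluded entry by equality, as below; the rest of the function can stay as it is. `enforce_good_passwords` continues outside the hunk.

```shell
    SELECTED_USERNAME=
    users_array=()
    for user_dir in /home/*; do
        [ -d "$user_dir" ] || continue
        u="${user_dir##*/}"
        # skip the service account by exact name, not by substring
        if [[ "$u" != "git" ]]; then
            users_array+=("$u")
        fi
    done
    # … unchanged: menu construction and dialog selection …
```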