Merge branch 'stretch' of https://github.com/bashrc/freedombone
This commit is contained in:
commit
e909a996ef
|
@ -10,7 +10,7 @@
|
|||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
#+BEGIN_EXPORT HTML
|
||||
<center>
|
||||
<h1>Social Instance</h1>
|
||||
</center>
|
||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -614,6 +614,10 @@ function remove_gnusocial {
|
|||
sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
|
||||
sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
|
||||
|
||||
if [ -f /usr/bin/gnusocial-firewall ]; then
|
||||
rm /usr/bin/gnusocial-firewall
|
||||
fi
|
||||
|
||||
function_check remove_ddns_domain
|
||||
remove_ddns_domain "$GNUSOCIAL_DOMAIN_NAME"
|
||||
}
|
||||
|
|
|
@ -9,15 +9,6 @@
|
|||
# Freedom in the Cloud
|
||||
#
|
||||
# Pleroma backend application
|
||||
# https://git.pleroma.social/pleroma/pleroma/wikis/Installing-on-Debian-Based-Distributions
|
||||
#
|
||||
# Show stopper: This is dependent on https://placehold.it for avatar images,
|
||||
# so at present it's not usable until a first party placeholder image system
|
||||
# is included.
|
||||
#
|
||||
# There is also a possible issue with the chat system which uses an object called
|
||||
# "Agent" which may not be supported with the version of elixir within the
|
||||
# Debian package. This only applies if you're installing from the latest commit.
|
||||
#
|
||||
# License
|
||||
# =======
|
||||
|
@ -47,7 +38,7 @@ PLEROMA_CODE=
|
|||
PLEROMA_PORT=4000
|
||||
PLEROMA_ONION_PORT=8011
|
||||
PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
|
||||
PLEROMA_COMMIT='59a76ea464998476f8c4814324647f4ae4a7f2cb'
|
||||
PLEROMA_COMMIT='c50c7745bc8b8f52ba07c69c0d2505df54da0f59'
|
||||
PLEROMA_ADMIN_PASSWORD=
|
||||
PLEROMA_DIR=/etc/pleroma
|
||||
PLEROMA_SECRET_KEY=""
|
||||
|
@ -254,7 +245,6 @@ function pleroma_recompile {
|
|||
if [ -f /etc/systemd/system/pleroma.service ]; then
|
||||
systemctl restart pleroma
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
function logging_on_pleroma {
|
||||
|
@ -733,6 +723,11 @@ function upgrade_pleroma {
|
|||
return
|
||||
fi
|
||||
|
||||
pleroma_registrations=open
|
||||
if grep -q 'registrations_open: false' $PLEROMA_DIR/config/config.exs; then
|
||||
pleroma_registrations=
|
||||
fi
|
||||
|
||||
# make a copy of the configuration
|
||||
cp $PLEROMA_DIR/priv/static/static/config.json $PLEROMA_DIR/priv/static/static/config_prev.json
|
||||
|
||||
|
@ -760,12 +755,19 @@ function upgrade_pleroma {
|
|||
|
||||
sudo -u pleroma mix deps.get
|
||||
|
||||
if [ ! $pleroma_registrations ]; then
|
||||
sed -i 's|registrations_open: true|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
|
||||
sed -i 's|registrations_open: True|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
|
||||
fi
|
||||
|
||||
pleroma_recompile
|
||||
|
||||
# migrate database
|
||||
sudo -u pleroma mix deps.clean --build mime
|
||||
sudo -u pleroma mix ecto.migrate
|
||||
|
||||
pleroma_custom_logo "$PLEROMA_DIR"
|
||||
|
||||
expire_pleroma_posts "$PLEROMA_DOMAIN_NAME" "$PLEROMA_EXPIRE_MONTHS"
|
||||
create_pleroma_blocklist
|
||||
|
||||
|
@ -934,6 +936,10 @@ function remove_pleroma {
|
|||
sed -i '/pleroma commit/d' "$COMPLETION_FILE"
|
||||
sed -i "/$blocking_script_file/d" /etc/crontab
|
||||
|
||||
if [ -f /usr/bin/pleroma-blocking ]; then
|
||||
rm /usr/bin/pleroma-blocking
|
||||
fi
|
||||
|
||||
function_check remove_ddns_domain
|
||||
remove_ddns_domain "$PLEROMA_DOMAIN_NAME"
|
||||
}
|
||||
|
@ -1183,6 +1189,13 @@ function install_pleroma {
|
|||
sed -i 's|registrations_open:.*|registrations_open: true,|g' $PLEROMA_DIR/config/config.exs
|
||||
sed -i 's|"registrationOpen":.*|"registrationOpen": true,|g' $PLEROMA_DIR/priv/static/static/config.json
|
||||
|
||||
if ! grep -q "media_proxy" $PLEROMA_DIR/priv/static/static/config.json; then
|
||||
sed -i '/"name":/a "media_proxy": false,' $PLEROMA_DIR/priv/static/static/config.json
|
||||
sed -i 's|"media_proxy"| "media_proxy"|g' $PLEROMA_DIR/priv/static/static/config.json
|
||||
else
|
||||
sed -i 's|"media_proxy".*|"media_proxy": false,|g' $PLEROMA_DIR/priv/static/static/config.json
|
||||
fi
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable pleroma
|
||||
systemctl start pleroma
|
||||
|
|
|
@ -627,6 +627,10 @@ function remove_postactiv {
|
|||
sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
|
||||
sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
|
||||
|
||||
if [ -f /usr/bin/postactiv-firewall ]; then
|
||||
rm /usr/bin/postactiv-firewall
|
||||
fi
|
||||
|
||||
function_check remove_ddns_domain
|
||||
remove_ddns_domain "$POSTACTIV_DOMAIN_NAME"
|
||||
}
|
||||
|
|
|
@ -45,14 +45,14 @@ XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+
|
|||
XMPP_ECC_CURVE='"secp384r1"'
|
||||
|
||||
prosody_latest_version='0.10'
|
||||
prosody_nightly=410
|
||||
prosody_nightly_hash='9cf3db6a09895a744d72eb90b4a635758a710afe1a16b78506c7139c4e7211eb'
|
||||
prosody_nightly=468
|
||||
prosody_nightly_hash='c72aaab1182a86090188284f443d2f819889ca242d4e955258ef60f4c7c9a1ba'
|
||||
prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
|
||||
prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
|
||||
|
||||
# From https://hg.prosody.im/prosody-modules
|
||||
prosody_modules_filename='prosody-modules-20180104.tar.gz'
|
||||
prosody_modules_hash='7c81b4ed8a90130b4db5902dc1f299ad1c4dab57a0970552b71cb2042a490bc1'
|
||||
prosody_modules_filename='prosody-modules-20180322.tar.gz'
|
||||
prosody_modules_hash='982d0dfcef98e9cb9cee4cc3801b8ce9a503a32e44c32b99df6fe94545b90072'
|
||||
|
||||
xmpp_variables=(ONION_ONLY
|
||||
INSTALLED_WITHIN_DOCKER
|
||||
|
@ -414,10 +414,16 @@ function prosody_daemon_restart_script {
|
|||
# On rare occasions the daemon appears to get stuck
|
||||
# i.e. still active, but not accepting connections
|
||||
# This ensures that it will unstick itself at least once per day
|
||||
if [ ! -f /etc/cron.daily/prosody ]; then
|
||||
echo '#!/bin/bash' > /etc/cron.daily/prosody
|
||||
echo 'systemctl restart prosody' >> /etc/cron.daily/prosody
|
||||
chmod +x /etc/cron.daily/prosody
|
||||
if [ -f /etc/cron.daily/prosody ]; then
|
||||
rm /etc/cron.daily/prosody
|
||||
fi
|
||||
if [ ! -f /etc/cron.hourly/prosody ]; then
|
||||
{ echo '#!/bin/bash';
|
||||
echo "is_active=\$(systemctl is-active prosody)";
|
||||
echo "if [[ \"\$is_active\" != 'active' ]]; then";
|
||||
echo ' systemctl restart prosody'
|
||||
echo 'fi'; } > /etc/cron.hourly/prosody
|
||||
chmod +x /etc/cron.hourly/prosody
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -667,13 +673,13 @@ function xmpp_contact_info {
|
|||
return
|
||||
fi
|
||||
|
||||
{ 'contact_info = {';
|
||||
"abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
"admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
"feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
"security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
"support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
'};'; } >> "$filename"
|
||||
{ echo 'contact_info = {';
|
||||
echo "abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
echo "admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
echo "feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
echo "security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
echo "support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
|
||||
echo '};'; } >> "$filename"
|
||||
}
|
||||
|
||||
function xmpp_modules {
|
||||
|
@ -867,6 +873,7 @@ function xmpp_create_config {
|
|||
echo 'http_upload_file_size_limit = 307200';
|
||||
echo '';
|
||||
echo "Component \"chat.${DEFAULT_DOMAIN_NAME}\" \"muc\"";
|
||||
echo ' restrict_room_creation = true';
|
||||
echo ' name = "Chatrooms"';
|
||||
echo ' modules_enabled = {';
|
||||
echo ' "muc_limits";';
|
||||
|
|
|
@ -57,8 +57,6 @@ MY_GPG_PRIVATE_KEY=
|
|||
# optionally specify your public key ID
|
||||
MY_GPG_PUBLIC_KEY_ID=
|
||||
|
||||
EXIM_ONION_REPO="https://github.com/petterreinholdtsen/exim4-smtorp"
|
||||
|
||||
# automatic archiving of email
|
||||
CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir"
|
||||
CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86'
|
||||
|
@ -150,6 +148,71 @@ function configure_email_onion {
|
|||
set_completion_param "email onion domain" "${onion_address}"
|
||||
add_email_hostname "$onion_address"
|
||||
|
||||
apt-get -yq install tinycdb perl
|
||||
|
||||
# MX record should be:
|
||||
# _onion-mx._tcp.$DEFAULT_DOMAIN_NAME. 3600 IN SRV 0 5 25 $onion_address
|
||||
|
||||
echo "$DEFAULT_DOMAIN_NAME $onion_address" > /etc/exim4/onionrelay.txt
|
||||
cdb -m -c -t ~/onionrelay.tmp /etc/exim4/onionrelay.cdb /etc/exim4/onionrelay.txt
|
||||
|
||||
{ echo "perl_startup = do '/etc/exim4/perl-routines.pl'";
|
||||
echo "perl_at_start"; } > /etc/exim4/conf.d/main/perl
|
||||
|
||||
{ echo "use Net::DNS::Resolver;";
|
||||
echo "sub onionLookup {";
|
||||
echo " my \$hostname = shift;";
|
||||
echo " my \$res = Net::DNS::Resolver->new(nameservers => [qw(127.0.0.1)],);";
|
||||
echo " \$res->port(5300);";
|
||||
echo " my \$query = \$res->search(\$hostname);";
|
||||
echo " foreach my \$rr (\$query->answer) {";
|
||||
echo " next unless \$rr->type eq \"A\";";
|
||||
echo " return \$rr->address;";
|
||||
echo " }";
|
||||
echo " return 'no_such_host';";
|
||||
echo "}"; } > /etc/exim4/perl-routines.pl
|
||||
|
||||
{ echo "ONION_RELAYDB=/etc/exim4/onionrelay.cdb";
|
||||
echo "domainlist onion_relays = cdb;ONION_RELAYDB"; } > /etc/exim4/conf.d/domainlists
|
||||
|
||||
{ echo "# send things over tor where we have an entry for it";
|
||||
echo "onionrelays:";
|
||||
echo " driver = manualroute";
|
||||
echo " domains = +onion_relays";
|
||||
echo " transport = onion_relay";
|
||||
echo " # get the automap IP for the onion address from the tor daemon";
|
||||
echo " route_data = \${perl{onionLookup}{\${lookup{\$domain}cdb{ONION_RELAYDB}}}}";
|
||||
echo " no_more"; } > /etc/exim4/conf.d/router/50_exim4-config-onion
|
||||
|
||||
{ echo "onion_relay:";
|
||||
echo " driver = smtp";
|
||||
echo " socks_proxy = 127.0.0.1 port=9050"; } > /etc/exim4/conf.d/transport/50_exim4-config_onion
|
||||
|
||||
if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then
|
||||
echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
|
||||
else
|
||||
sed -i 's|#AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
|
||||
sed -i 's|AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
|
||||
fi
|
||||
|
||||
if ! grep -q "DNSPort " /etc/tor/torrc; then
|
||||
echo 'DNSPort 5300' >> /etc/tor/torrc
|
||||
else
|
||||
sed -i 's|#DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
|
||||
sed -i 's|DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
|
||||
fi
|
||||
|
||||
if ! grep -q "DNSListenAddress" /etc/tor/torrc; then
|
||||
echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc
|
||||
else
|
||||
sed -i 's|#DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
|
||||
sed -i 's|DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
|
||||
fi
|
||||
|
||||
dpkg-reconfigure --frontend noninteractive exim4-config
|
||||
systemctl restart tor
|
||||
systemctl restart exim4
|
||||
|
||||
mark_completed "${FUNCNAME[0]}"
|
||||
}
|
||||
|
||||
|
|
|
@ -129,129 +129,10 @@ fi
|
|||
|
||||
function any_key {
|
||||
echo ''
|
||||
# shellcheck disable=SC2034
|
||||
read -n1 -rsp $"Press any key to continue..." key
|
||||
}
|
||||
|
||||
function any_key_verify {
|
||||
echo ''
|
||||
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
|
||||
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
data=$(mktemp 2>/dev/null)
|
||||
dialog --title $"Check tripwire hash" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
|
||||
sel=$?
|
||||
case $sel in
|
||||
0)
|
||||
GIVEN_HASH=$(<"$data")
|
||||
if [ ${#GIVEN_HASH} -gt 8 ]; then
|
||||
if [[ "$GIVEN_HASH" == *' '* ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nThe hash should not contain any spaces" 10 40
|
||||
else
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
|
||||
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
|
||||
else
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
rm -f "$data"
|
||||
}
|
||||
|
||||
function get_app_icann_address {
|
||||
app_name="$1"
|
||||
if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
|
||||
grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
|
||||
return
|
||||
else
|
||||
app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
|
||||
if [ "$app_name_upper" ]; then
|
||||
param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
|
||||
if [ "${param_value}" ]; then
|
||||
echo "${param_value}"
|
||||
return
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
echo "${DEFAULT_DOMAIN_NAME}"
|
||||
}
|
||||
|
||||
function passwords_select_user {
|
||||
SELECTED_USERNAME=
|
||||
|
||||
# shellcheck disable=SC2207
|
||||
users_array=($(ls /home))
|
||||
|
||||
delete=(git)
|
||||
# shellcheck disable=SC2068
|
||||
for del in ${delete[@]}
|
||||
do
|
||||
# shellcheck disable=SC2206
|
||||
users_array=(${users_array[@]/$del})
|
||||
done
|
||||
|
||||
i=0
|
||||
W=()
|
||||
name=()
|
||||
# shellcheck disable=SC2068
|
||||
for u in ${users_array[@]}
|
||||
do
|
||||
if [[ $(is_valid_user "$u") == "1" ]]; then
|
||||
i=$((i+1))
|
||||
W+=("$i" "$u")
|
||||
name+=("$u")
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $i -eq 1 ]; then
|
||||
SELECTED_USERNAME="${name[0]}"
|
||||
else
|
||||
# shellcheck disable=SC2068
|
||||
user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
|
||||
|
||||
# shellcheck disable=SC2181
|
||||
if [ $? -eq 0 ]; then
|
||||
SELECTED_USERNAME="${name[$((user_index-1))]}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function passwords_show_apps {
|
||||
SELECTED_APP=
|
||||
i=0
|
||||
W=()
|
||||
name=()
|
||||
# shellcheck disable=SC2068
|
||||
for a in ${APPS_AVAILABLE[@]}
|
||||
do
|
||||
if [[ $(function_exists "change_password_${a}") == "1" ]]; then
|
||||
i=$((i+1))
|
||||
W+=("$i" "$a")
|
||||
name+=("$a")
|
||||
fi
|
||||
done
|
||||
i=$((i+1))
|
||||
W+=("$i" "mariadb")
|
||||
name+=("mariadb")
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
|
||||
|
||||
# shellcheck disable=SC2181
|
||||
if [ $? -eq 0 ]; then
|
||||
SELECTED_APP="${name[$((selected_app_index-1))]}"
|
||||
fi
|
||||
}
|
||||
|
||||
function reset_password_tries {
|
||||
passwords_select_user
|
||||
if [ ! "$SELECTED_USERNAME" ]; then
|
||||
|
@ -262,67 +143,6 @@ function reset_password_tries {
|
|||
--msgbox $"Password tries have been reset for $SELECTED_USERNAME" 6 60
|
||||
}
|
||||
|
||||
function view_or_change_passwords {
|
||||
passwords_select_user
|
||||
if [ ! "$SELECTED_USERNAME" ]; then
|
||||
return
|
||||
fi
|
||||
detect_installed_apps
|
||||
passwords_show_apps
|
||||
if [ ! "$SELECTED_APP" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
|
||||
|
||||
icann_address=$(get_app_icann_address "${SELECTED_APP}")
|
||||
onion_address=$(get_app_onion_address "${SELECTED_APP}")
|
||||
|
||||
titlestr=$"View or Change Password"
|
||||
if [ ${#onion_address} -gt 0 ]; then
|
||||
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
|
||||
else
|
||||
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
|
||||
fi
|
||||
|
||||
if [ -f /root/.nostore ]; then
|
||||
titlestr=$"Change Password"
|
||||
if [ ${#onion_address} -gt 0 ]; then
|
||||
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
|
||||
else
|
||||
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
|
||||
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
|
||||
dialog --title $"MariaDB database password" \
|
||||
--msgbox "\\n ${CURR_PASSWORD}" 7 40
|
||||
return
|
||||
fi
|
||||
|
||||
data=$(mktemp 2>/dev/null)
|
||||
dialog --title "$titlestr" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
|
||||
sel=$?
|
||||
case $sel in
|
||||
0)
|
||||
CURR_PASSWORD=$(<"$data")
|
||||
if [ ${#CURR_PASSWORD} -gt 8 ]; then
|
||||
"${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
|
||||
"change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
|
||||
dialog --title $"Change password" \
|
||||
--msgbox $"The password was changed" 6 40
|
||||
else
|
||||
dialog --title $"Change password" \
|
||||
--msgbox $"The password given must be at least 8 characters" 6 40
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
rm -f "$data"
|
||||
}
|
||||
|
||||
function check_for_updates {
|
||||
if [ ! -f "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" ]; then
|
||||
dialog --title $"Check for updates" \
|
||||
|
@ -383,34 +203,59 @@ function pad_string {
|
|||
echo -n -e "$1" | sed -e :a -e 's/^.\{1,25\}$/& /;ta'
|
||||
}
|
||||
|
||||
function show_tor_bridges {
|
||||
if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
|
||||
if grep -q "BridgeRelay 1" /etc/tor/torrc; then
|
||||
read_config_param 'TOR_BRIDGE_PORT'
|
||||
read_config_param 'TOR_BRIDGE_NICKNAME'
|
||||
if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
|
||||
W+=($"Your Tor Bridge" "$(get_ipv4_address):${TOR_BRIDGE_PORT} ${TOR_BRIDGE_NICKNAME}")
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
|
||||
if [ ${#bridges_list} -gt 0 ]; then
|
||||
for i in "${bridges_list[@]}"
|
||||
do
|
||||
bridgestr=$(i//Bridge /)
|
||||
W+=($"Tor Bridge" "$bridgestr")
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
function show_domains {
|
||||
read_config_param "DEFAULT_DOMAIN_NAME"
|
||||
|
||||
echo 'Domains'
|
||||
echo '======='
|
||||
echo ''
|
||||
echo -n -e "$(pad_string 'Name')"
|
||||
echo -n -e "$(pad_string 'ICANN')"
|
||||
echo -n -e "$(pad_string 'Tor')"
|
||||
echo ''
|
||||
echo '--------------------------------------------------------------------------'
|
||||
W=()
|
||||
|
||||
W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
|
||||
ipv6_address="$(get_ipv6_address)"
|
||||
if [ ${#ipv6_address} -gt 0 ]; then
|
||||
W+=("IPv6" "${ipv6_address}")
|
||||
fi
|
||||
|
||||
|
||||
if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
|
||||
echo -n -e "$(pad_string 'ssh')"
|
||||
echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")"
|
||||
grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
|
||||
domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
||||
W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
|
||||
fi
|
||||
if grep -q "email onion domain" "$COMPLETION_FILE"; then
|
||||
echo -n -e "$(pad_string 'Email')"
|
||||
echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")"
|
||||
grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
|
||||
domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
||||
W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
|
||||
fi
|
||||
if grep -q "sks onion domain" "$COMPLETION_FILE"; then
|
||||
read_config_param "KEYSERVER_DOMAIN_NAME"
|
||||
echo -n -e "$(pad_string 'SKS')"
|
||||
echo -n -e "$(pad_string "${KEYSERVER_DOMAIN_NAME}")"
|
||||
grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
|
||||
domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
||||
W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
|
||||
fi
|
||||
|
||||
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
|
||||
if [ -f $INTRODUCER_FILENAME ]; then
|
||||
W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
|
||||
fi
|
||||
|
||||
show_tor_bridges
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
for app_name in ${APPS_INSTALLED_NAMES[@]}
|
||||
do
|
||||
|
@ -446,36 +291,43 @@ function show_domains {
|
|||
onion_address="-"
|
||||
fi
|
||||
|
||||
echo -n -e "$(pad_string "${app_name}")"
|
||||
echo -n -e "$(pad_string "${icann_address}")"
|
||||
echo "${onion_address}"
|
||||
if [[ "${icann_address}" != '-' ]]; then
|
||||
if [[ "${onion_address}" != '-' ]]; then
|
||||
W+=("${app_name}" "${icann_address} / ${onion_address}")
|
||||
else
|
||||
W+=("${app_name}" "${icann_address}")
|
||||
fi
|
||||
else
|
||||
W+=("${app_name}" "${onion_address}")
|
||||
fi
|
||||
|
||||
if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
|
||||
onion_address=$(get_app_onion_address "${app_name}" "mobile")
|
||||
echo -n -e "$(pad_string "${app_name} (mobile)")"
|
||||
echo -n -e "$(pad_string "${icann_address}")"
|
||||
echo "${onion_address}"
|
||||
if [[ "${icann_address}" != '-' ]]; then
|
||||
W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
|
||||
else
|
||||
W+=("${app_name} (mobile)" "${onion_address}")
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
if grep -q "rss reader domain" "$COMPLETION_FILE"; then
|
||||
if [ -d /var/lib/tor/hidden_service_ttrss ]; then
|
||||
echo -n -e "$(pad_string 'RSS reader')"
|
||||
RSSDOM='-'
|
||||
echo -n -e "$(pad_string ${RSSDOM})"
|
||||
echo -n "$(cat /var/lib/tor/hidden_service_ttrss/hostname)"
|
||||
echo ''
|
||||
domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
|
||||
W+=("RSS Reader" "${domain_onion}")
|
||||
fi
|
||||
if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
|
||||
echo -n -e "$(pad_string 'RSS mobile')"
|
||||
RSSMOBILEDOM='-'
|
||||
echo -n -e "$(pad_string ${RSSMOBILEDOM})"
|
||||
echo -n "$(cat /var/lib/tor/hidden_service_mobilerss/hostname)"
|
||||
echo ''
|
||||
domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
|
||||
W+=("RSS mobile" "${domain_onion}")
|
||||
fi
|
||||
fi
|
||||
echo ''
|
||||
|
||||
width=$(tput cols)
|
||||
height=$(tput lines)
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3
|
||||
}
|
||||
|
||||
function show_users {
|
||||
|
@ -525,34 +377,6 @@ function show_ip_addresses {
|
|||
echo ''
|
||||
}
|
||||
|
||||
function show_tor_bridges {
|
||||
bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
|
||||
if [ ${#bridges_list} -gt 0 ]; then
|
||||
echo $'Tor Bridges'
|
||||
echo '==========='
|
||||
echo ''
|
||||
echo "${bridges_list}"
|
||||
echo ''
|
||||
echo ''
|
||||
fi
|
||||
if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
|
||||
if grep -q "BridgeRelay 1" /etc/tor/torrc; then
|
||||
read_config_param 'TOR_BRIDGE_PORT'
|
||||
read_config_param 'TOR_BRIDGE_NICKNAME'
|
||||
if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
|
||||
echo "Tor bridge on this system"
|
||||
echo '========================='
|
||||
echo ''
|
||||
echo "IP Address: $(get_ipv4_address)"
|
||||
echo "Port: ${TOR_BRIDGE_PORT}"
|
||||
echo "Nickname: ${TOR_BRIDGE_NICKNAME}"
|
||||
echo ''
|
||||
echo ''
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function show_ssh_public_key {
|
||||
echo $'SSH Public Keys'
|
||||
echo '==============='
|
||||
|
@ -562,33 +386,18 @@ function show_ssh_public_key {
|
|||
echo ''
|
||||
}
|
||||
|
||||
function show_tahoelafs_introducer {
|
||||
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
|
||||
if [ ! -f $INTRODUCER_FILENAME ]; then
|
||||
return
|
||||
fi
|
||||
echo $'Tahoe-LAFS introducer'
|
||||
echo '====================='
|
||||
echo ''
|
||||
cat $INTRODUCER_FILENAME
|
||||
echo ''
|
||||
echo ''
|
||||
}
|
||||
|
||||
function show_about {
|
||||
detect_apps
|
||||
get_apps_installed_names
|
||||
|
||||
clear
|
||||
echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ===="
|
||||
echo ''
|
||||
show_ip_addresses
|
||||
show_tor_bridges
|
||||
show_ssh_public_key
|
||||
#clear
|
||||
#echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ===="
|
||||
#echo ''
|
||||
#show_ip_addresses
|
||||
#show_ssh_public_key
|
||||
show_domains
|
||||
show_tahoelafs
|
||||
show_users
|
||||
any_key
|
||||
#show_users
|
||||
#any_key
|
||||
}
|
||||
|
||||
function select_user {
|
||||
|
@ -1265,30 +1074,6 @@ function restore_data_remote {
|
|||
rm -f "$data"
|
||||
}
|
||||
|
||||
function ping_enable_disable {
|
||||
ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
|
||||
enable_ping="no"
|
||||
dialog --title $"Enable Ping / ICMP" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--defaultno \
|
||||
--yesno "$ping_str" 10 60
|
||||
sel=$?
|
||||
case $sel in
|
||||
0) enable_ping="yes";;
|
||||
255) return;;
|
||||
esac
|
||||
|
||||
if [[ $enable_ping == "yes" ]]; then
|
||||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
else
|
||||
iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
fi
|
||||
}
|
||||
|
||||
function logging_on_off {
|
||||
logging="no"
|
||||
dialog --title $"Logging" \
|
||||
|
@ -1326,82 +1111,6 @@ function restore_gpg_key {
|
|||
|
||||
function security_settings {
|
||||
"${PROJECT_NAME}-sec"
|
||||
any_key
|
||||
}
|
||||
|
||||
function show_tripwire_verification_code {
|
||||
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
return
|
||||
fi
|
||||
clear
|
||||
echo ''
|
||||
echo $'Tripwire Verification Code'
|
||||
echo ''
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
|
||||
echo -n "$DBHASH" | qrencode -t UTF8
|
||||
echo ''
|
||||
echo "$DBHASH"
|
||||
echo ''
|
||||
}
|
||||
|
||||
function reset_tripwire {
|
||||
if [ ! -f /usr/bin/reset-tripwire ]; then
|
||||
echo $'Missing /usr/bin/reset-tripwire'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
|
||||
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
|
||||
else
|
||||
echo $'Error: missing local key'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
fi
|
||||
clear
|
||||
echo $'Turing off logging...'
|
||||
"${PROJECT_NAME}-logging" off
|
||||
echo $'Locking down permissions...'
|
||||
lockdown_permissions
|
||||
echo $'Creating configuration...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
|
||||
echo $'Resetting policy...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
|
||||
echo $'Creating tripwire database'
|
||||
echo '
|
||||
|
||||
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
|
||||
echo $'Resetting the Tripwire...'
|
||||
echo ''
|
||||
echo '
|
||||
|
||||
' | reset-tripwire
|
||||
echo ''
|
||||
|
||||
# Sometimes nginx fails to restart if matrix is installed
|
||||
# Restart matrix first
|
||||
if [ -d /etc/matrix ]; then
|
||||
systemctl restart matrix
|
||||
systemctl restart nginx
|
||||
fi
|
||||
|
||||
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
show_tripwire_verification_code
|
||||
echo $'Tripwire is now reset. Take a note of the above hash, or record'
|
||||
echo $'the QR code using a mobile device. This will enable you to independently'
|
||||
echo $'verify the integrity of the tripwire.'
|
||||
else
|
||||
echo $'ERROR: tripwire database was not created'
|
||||
fi
|
||||
any_key
|
||||
}
|
||||
|
||||
function format_drive {
|
||||
|
@ -1775,19 +1484,6 @@ function reinstall_mariadb {
|
|||
--msgbox $"MariaDB has been reinstalled" 6 40
|
||||
}
|
||||
|
||||
function show_firewall {
|
||||
clear
|
||||
echo $"Firewall Settings"
|
||||
echo ''
|
||||
while read -r line; do
|
||||
firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
|
||||
firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
|
||||
echo -n -e "$(pad_string "${firewall_name}")"
|
||||
echo "${firewall_port}"
|
||||
done < "$FIREWALL_CONFIG"
|
||||
any_key
|
||||
}
|
||||
|
||||
function email_extra_domains {
|
||||
email_hostnames=$(grep "dc_other_hostnames" /etc/exim4/update-exim4.conf.conf | awk -F "'" '{print $2}')
|
||||
|
||||
|
@ -2198,7 +1894,7 @@ function menu_wifi {
|
|||
function menu_app_settings {
|
||||
detect_installable_apps
|
||||
|
||||
applist=""
|
||||
W=()
|
||||
appnames=()
|
||||
n=1
|
||||
app_index=0
|
||||
|
@ -2207,7 +1903,7 @@ function menu_app_settings {
|
|||
do
|
||||
if [[ ${APPS_INSTALLED[$app_index]} != "0" ]]; then
|
||||
if [[ $(function_exists "configure_interactive_${a}") == "1" ]]; then
|
||||
applist="$applist $n $a off"
|
||||
W+=("$n" "$a")
|
||||
n=$((n+1))
|
||||
appnames+=("$a")
|
||||
fi
|
||||
|
@ -2217,53 +1913,43 @@ function menu_app_settings {
|
|||
if [ $n -le 1 ]; then
|
||||
return
|
||||
fi
|
||||
backstr=$'Exit'
|
||||
applist="$applist $n $backstr on"
|
||||
appnames+=("Exit")
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
choice=$(dialog --stdout --backtitle $"Freedombone" \
|
||||
choice=$(dialog --backtitle $"Freedombone" \
|
||||
--title $"Change settings for an App" \
|
||||
--radiolist $'Choose:' \
|
||||
26 40 30 $applist)
|
||||
--menu $'Choose:' \
|
||||
26 40 30 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
|
||||
# shellcheck disable=SC2181
|
||||
if [ $? -eq 0 ]; then
|
||||
if [ "$choice" ]; then
|
||||
app_index=$((choice-1))
|
||||
chosen_app=${appnames[$app_index]}
|
||||
if [[ $chosen_app != "Exit" ]]; then
|
||||
"configure_interactive_${chosen_app}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function menu_top_level {
|
||||
while true
|
||||
do
|
||||
W=(1 $"About this system"
|
||||
2 $"Passwords"
|
||||
3 $"Backup and Restore"
|
||||
4 $"Show Firewall"
|
||||
5 $"Verify Tripwire Code"
|
||||
6 $"Reset Tripwire"
|
||||
7 $"App Settings"
|
||||
8 $"Add/Remove Apps"
|
||||
9 $"Logging on/off"
|
||||
10 $"Ping enable/disable"
|
||||
11 $"Manage Users"
|
||||
12 $"Email Menu"
|
||||
13 $"Domain or User Blocking"
|
||||
14 $"Security Settings"
|
||||
15 $"Change the name of this system"
|
||||
16 $"Set a static local IP address"
|
||||
17 $"Wifi menu"
|
||||
18 $"Add Clacks"
|
||||
19 $"Check for updates"
|
||||
20 $"Power off the system"
|
||||
21 $"Restart the system")
|
||||
2 $"Backup and Restore"
|
||||
3 $"App Settings"
|
||||
4 $"Add/Remove Apps"
|
||||
5 $"Logging on/off"
|
||||
6 $"Manage Users"
|
||||
7 $"Email Menu"
|
||||
8 $"Domain or User Blocking"
|
||||
9 $"Security Settings"
|
||||
10 $"Change the name of this system"
|
||||
11 $"Set a static local IP address"
|
||||
12 $"Wifi menu"
|
||||
13 $"Add Clacks"
|
||||
14 $"Check for updates"
|
||||
15 $"Power off the system"
|
||||
16 $"Restart the system")
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 28 60 28 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 24 60 24 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
|
||||
if [ ! "$selection" ]; then
|
||||
break
|
||||
|
@ -2273,30 +1959,24 @@ function menu_top_level {
|
|||
|
||||
case $selection in
|
||||
1) show_about;;
|
||||
2) view_or_change_passwords;;
|
||||
3) menu_backup_restore;;
|
||||
4) show_firewall;;
|
||||
5) show_tripwire_verification_code
|
||||
any_key_verify;;
|
||||
6) reset_tripwire;;
|
||||
7) menu_app_settings;;
|
||||
8) if ! /usr/local/bin/addremove; then
|
||||
2) menu_backup_restore;;
|
||||
3) menu_app_settings;;
|
||||
4) if ! /usr/local/bin/addremove; then
|
||||
any_key
|
||||
fi
|
||||
;;
|
||||
9) logging_on_off;;
|
||||
10) ping_enable_disable;;
|
||||
11) menu_users;;
|
||||
12) menu_email;;
|
||||
13) domain_blocking;;
|
||||
14) security_settings;;
|
||||
15) change_system_name;;
|
||||
16) set_static_IP;;
|
||||
17) menu_wifi;;
|
||||
18) add_clacks;;
|
||||
19) check_for_updates;;
|
||||
20) shut_down_system;;
|
||||
21) restart_system;;
|
||||
5) logging_on_off;;
|
||||
6) menu_users;;
|
||||
7) menu_email;;
|
||||
8) domain_blocking;;
|
||||
9) security_settings;;
|
||||
10) change_system_name;;
|
||||
11) set_static_IP;;
|
||||
12) menu_wifi;;
|
||||
13) add_clacks;;
|
||||
14) check_for_updates;;
|
||||
15) shut_down_system;;
|
||||
16) restart_system;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
|
|
@ -890,7 +890,6 @@ function menu_top_level {
|
|||
selection=$(dialog --backtitle $"Freedombone User Control Panel" --title $"User Control Panel" --menu $"Choose an operation, or ESC to log out:" 20 60 13 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
if [ ! "$selection" ]; then
|
||||
kill -HUP "$(pgrep -s 0 -o)"
|
||||
break
|
||||
fi
|
||||
|
||||
case $selection in
|
||||
|
|
|
@ -69,6 +69,240 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
|
|||
|
||||
MY_USERNAME=
|
||||
|
||||
function ping_enable_disable {
|
||||
ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
|
||||
enable_ping="no"
|
||||
dialog --title $"Enable Ping / ICMP" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--defaultno \
|
||||
--yesno "$ping_str" 10 60
|
||||
sel=$?
|
||||
case $sel in
|
||||
0) enable_ping="yes";;
|
||||
255) return;;
|
||||
esac
|
||||
|
||||
if [[ $enable_ping == "yes" ]]; then
|
||||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
else
|
||||
iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
fi
|
||||
}
|
||||
|
||||
function any_key_verify {
|
||||
echo ''
|
||||
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
|
||||
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
data=$(mktemp 2>/dev/null)
|
||||
dialog --title $"Check tripwire hash" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
|
||||
sel=$?
|
||||
case $sel in
|
||||
0)
|
||||
GIVEN_HASH=$(<"$data")
|
||||
if [ ${#GIVEN_HASH} -gt 8 ]; then
|
||||
if [[ "$GIVEN_HASH" == *' '* ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nThe hash should not contain any spaces" 10 40
|
||||
else
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
|
||||
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
|
||||
else
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
rm -f "$data"
|
||||
}
|
||||
|
||||
function show_tripwire_verification_code {
|
||||
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
return
|
||||
fi
|
||||
clear
|
||||
echo ''
|
||||
echo $'Tripwire Verification Code'
|
||||
echo ''
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
|
||||
echo -n "$DBHASH" | qrencode -t UTF8
|
||||
echo ''
|
||||
echo "$DBHASH"
|
||||
echo ''
|
||||
}
|
||||
|
||||
function reset_tripwire {
|
||||
if [ ! -f /usr/bin/reset-tripwire ]; then
|
||||
echo $'Missing /usr/bin/reset-tripwire'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
|
||||
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
|
||||
else
|
||||
echo $'Error: missing local key'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
fi
|
||||
clear
|
||||
echo $'Turing off logging...'
|
||||
"${PROJECT_NAME}-logging" off
|
||||
echo $'Locking down permissions...'
|
||||
lockdown_permissions
|
||||
echo $'Creating configuration...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
|
||||
echo $'Resetting policy...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
|
||||
echo $'Creating tripwire database'
|
||||
echo '
|
||||
|
||||
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
|
||||
echo $'Resetting the Tripwire...'
|
||||
echo ''
|
||||
echo '
|
||||
|
||||
' | reset-tripwire
|
||||
echo ''
|
||||
|
||||
# Sometimes nginx fails to restart if matrix is installed
|
||||
# Restart matrix first
|
||||
if [ -d /etc/matrix ]; then
|
||||
systemctl restart matrix
|
||||
systemctl restart nginx
|
||||
fi
|
||||
|
||||
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
show_tripwire_verification_code
|
||||
echo $'Tripwire is now reset. Take a note of the above hash, or record'
|
||||
echo $'the QR code using a mobile device. This will enable you to independently'
|
||||
echo $'verify the integrity of the tripwire.'
|
||||
else
|
||||
echo $'ERROR: tripwire database was not created'
|
||||
fi
|
||||
any_key
|
||||
}
|
||||
|
||||
function passwords_show_apps {
|
||||
SELECTED_APP=
|
||||
i=0
|
||||
W=()
|
||||
name=()
|
||||
# shellcheck disable=SC2068
|
||||
for a in ${APPS_AVAILABLE[@]}
|
||||
do
|
||||
if grep -q "change_password_" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${a}"; then
|
||||
i=$((i+1))
|
||||
W+=("$i" "$a")
|
||||
name+=("$a")
|
||||
fi
|
||||
done
|
||||
i=$((i+1))
|
||||
W+=("$i" "mariadb")
|
||||
name+=("mariadb")
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"User $SELECTED_USERNAME: Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
|
||||
|
||||
# shellcheck disable=SC2181
|
||||
if [ $? -eq 0 ]; then
|
||||
SELECTED_APP="${name[$((selected_app_index-1))]}"
|
||||
fi
|
||||
}
|
||||
|
||||
function view_or_change_passwords {
|
||||
passwords_select_user
|
||||
if [ ! "$SELECTED_USERNAME" ]; then
|
||||
return
|
||||
fi
|
||||
detect_installed_apps
|
||||
passwords_show_apps
|
||||
if [ ! "$SELECTED_APP" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
|
||||
|
||||
icann_address=$(get_app_icann_address "${SELECTED_APP}")
|
||||
onion_address=$(get_app_onion_address "${SELECTED_APP}")
|
||||
|
||||
titlestr=$"View or Change Password"
|
||||
if [ ${#onion_address} -gt 0 ]; then
|
||||
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
|
||||
else
|
||||
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
|
||||
fi
|
||||
|
||||
if [ -f /root/.nostore ]; then
|
||||
titlestr=$"Change Password"
|
||||
if [ ${#onion_address} -gt 0 ]; then
|
||||
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
|
||||
else
|
||||
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
|
||||
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
|
||||
dialog --title $"MariaDB database password" \
|
||||
--msgbox "\\n ${CURR_PASSWORD}" 7 40
|
||||
return
|
||||
fi
|
||||
|
||||
data=$(mktemp 2>/dev/null)
|
||||
dialog --title "$titlestr" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
|
||||
sel=$?
|
||||
case $sel in
|
||||
0)
|
||||
CURR_PASSWORD=$(<"$data")
|
||||
if [ ${#CURR_PASSWORD} -gt 8 ]; then
|
||||
"${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
|
||||
"change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
|
||||
dialog --title $"Change password" \
|
||||
--msgbox $"The password was changed" 6 40
|
||||
else
|
||||
dialog --title $"Change password" \
|
||||
--msgbox $"The password given must be at least 8 characters" 6 40
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
rm -f "$data"
|
||||
}
|
||||
|
||||
function show_firewall {
|
||||
W=()
|
||||
while read -r line; do
|
||||
firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
|
||||
firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
|
||||
W+=("${firewall_name}" "${firewall_port}")
|
||||
done < "$FIREWALL_CONFIG"
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Firewall" --menu $"Press ESC to return to main menu" 28 50 28 "${W[@]}" 3>&2 2>&1 1>&3
|
||||
}
|
||||
|
||||
function export_passwords {
|
||||
detect_usb_drive
|
||||
dialog --title $"Export passwords to USB drive $USB_DRIVE" \
|
||||
|
@ -962,24 +1196,27 @@ function menu_tor_bridges {
|
|||
}
|
||||
|
||||
function menu_security_settings {
|
||||
W=(1 $"Run STIG tests"
|
||||
2 $"Fix STIG test failures"
|
||||
3 $"Show ssh host public key"
|
||||
4 $"Tor bridges"
|
||||
5 $"Password storage"
|
||||
6 $"Export passwords"
|
||||
7 $"Regenerate ssh host keys"
|
||||
8 $"Regenerate Diffie-Hellman keys"
|
||||
9 $"Update cipersuite"
|
||||
10 $"Create a new Let's Encrypt certificate"
|
||||
11 $"Renew Let's Encrypt certificate"
|
||||
12 $"Delete a Let's Encrypt certificate"
|
||||
13 $"Enable GPG based authentication (monkeysphere)"
|
||||
14 $"Register a website with monkeysphere"
|
||||
15 $"Allow ssh login with passwords")
|
||||
W=(1 $"Passwords"
|
||||
2 $"Run STIG tests"
|
||||
3 $"Fix STIG test failures"
|
||||
4 $"Show tripwire verification code"
|
||||
5 $"Reset tripwire"
|
||||
6 $"Enable or disable ping"
|
||||
7 $"Show ssh host public key"
|
||||
8 $"Tor bridges"
|
||||
9 $"Password storage"
|
||||
10 $"Export passwords"
|
||||
11 $"Regenerate ssh host keys"
|
||||
12 $"Regenerate Diffie-Hellman keys"
|
||||
13 $"Update cipersuite"
|
||||
14 $"Create a new Let's Encrypt certificate"
|
||||
15 $"Renew Let's Encrypt certificate"
|
||||
16 $"Delete a Let's Encrypt certificate"
|
||||
17 $"Allow ssh login with passwords"
|
||||
18 $"Show firewall")
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 23 76 23 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 25 76 25 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
|
||||
if [ ! "$selection" ]; then
|
||||
exit 0
|
||||
|
@ -1001,13 +1238,17 @@ function menu_security_settings {
|
|||
|
||||
case $selection in
|
||||
1)
|
||||
view_or_change_passwords
|
||||
exit 0;
|
||||
;;
|
||||
2)
|
||||
clear
|
||||
echo $'Running STIG tests...'
|
||||
echo ''
|
||||
${PROJECT_NAME}-tests --stig showall
|
||||
exit 0
|
||||
;;
|
||||
2)
|
||||
3)
|
||||
clear
|
||||
echo $'Fixing any STIG failures...'
|
||||
echo ''
|
||||
|
@ -1015,53 +1256,65 @@ function menu_security_settings {
|
|||
echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.'
|
||||
exit 0
|
||||
;;
|
||||
3)
|
||||
4)
|
||||
show_tripwire_verification_code
|
||||
any_key_verify
|
||||
exit 0
|
||||
;;
|
||||
5)
|
||||
reset_tripwire
|
||||
exit 0
|
||||
;;
|
||||
|
||||
6)
|
||||
ping_enable_disable
|
||||
exit 0
|
||||
;;
|
||||
7)
|
||||
dialog --title $"SSH host public keys" \
|
||||
--msgbox "\\n$(get_ssh_server_key)" 12 60
|
||||
exit 0
|
||||
;;
|
||||
4)
|
||||
8)
|
||||
menu_tor_bridges
|
||||
exit 0
|
||||
;;
|
||||
5)
|
||||
9)
|
||||
store_passwords
|
||||
exit 0
|
||||
;;
|
||||
6)
|
||||
10)
|
||||
export_passwords
|
||||
exit 0
|
||||
;;
|
||||
7)
|
||||
11)
|
||||
regenerate_ssh_host_keys
|
||||
;;
|
||||
8)
|
||||
12)
|
||||
regenerate_dh_keys
|
||||
;;
|
||||
9)
|
||||
13)
|
||||
interactive_setup
|
||||
update_ciphersuite
|
||||
;;
|
||||
10)
|
||||
14)
|
||||
create_letsencrypt
|
||||
;;
|
||||
11)
|
||||
15)
|
||||
renew_letsencrypt
|
||||
;;
|
||||
12)
|
||||
16)
|
||||
delete_letsencrypt
|
||||
;;
|
||||
13)
|
||||
enable_monkeysphere
|
||||
;;
|
||||
14)
|
||||
register_website
|
||||
;;
|
||||
15)
|
||||
17)
|
||||
allow_ssh_passwords
|
||||
change_ssh_settings
|
||||
exit 0
|
||||
;;
|
||||
18)
|
||||
show_firewall
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
|
||||
change_website_settings
|
||||
|
|
|
@ -95,6 +95,7 @@ if [ -d "$PROJECT_DIR" ]; then
|
|||
apt-get -yq -t stretch-backports install certbot
|
||||
email_install_tls
|
||||
email_disable_chunking
|
||||
rm /etc/exim4/exim4.conf.template.bak*
|
||||
#defrag_filesystem
|
||||
|
||||
# reinstall tor from backports
|
||||
|
|
|
@ -95,6 +95,28 @@ function qvitter_update_background {
|
|||
fi
|
||||
}
|
||||
|
||||
function pleroma_custom_logo {
|
||||
basedir="$1"
|
||||
if [ "$2" ]; then
|
||||
if [[ "$2" == *".png" ]]; then
|
||||
cp "$2" "$basedir/priv/static/static/logo.png"
|
||||
return
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -f "$basedir/priv/static/static/logo.png" ]; then
|
||||
if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
|
||||
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
|
||||
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
|
||||
else
|
||||
if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
|
||||
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
|
||||
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function pleroma_set_background_image_from_url {
|
||||
basedir="$1"
|
||||
domain_name="$2"
|
||||
|
@ -157,22 +179,7 @@ function pleroma_set_background_image_from_url {
|
|||
return
|
||||
fi
|
||||
|
||||
# customise the logo
|
||||
if [ -f "$basedir/static/logo.png" ]; then
|
||||
if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
|
||||
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
|
||||
if [ -d "$basedir/priv/static/static" ]; then
|
||||
cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
|
||||
fi
|
||||
else
|
||||
if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
|
||||
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
|
||||
if [ -d "$basedir/priv/static/static" ]; then
|
||||
cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
pleroma_custom_logo "$basedir"
|
||||
|
||||
# customise the title
|
||||
if [ -f "$basedir/static/config.json" ]; then
|
||||
|
|
|
@ -47,6 +47,24 @@ ROUTER_IP_ADDRESS="192.168.1.254"
|
|||
|
||||
MESH_INSTALL_DIR=/var/lib
|
||||
|
||||
function get_app_icann_address {
|
||||
app_name="$1"
|
||||
if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
|
||||
grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
|
||||
return
|
||||
else
|
||||
app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
|
||||
if [ "$app_name_upper" ]; then
|
||||
param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
|
||||
if [ "${param_value}" ]; then
|
||||
echo "${param_value}"
|
||||
return
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
echo "${DEFAULT_DOMAIN_NAME}"
|
||||
}
|
||||
|
||||
function install_static_network {
|
||||
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
|
||||
return
|
||||
|
|
|
@ -39,6 +39,47 @@ MINIMUM_PASSWORD_LENGTH=10
|
|||
# The default password length used in images
|
||||
DEFAULT_PASSWORD_LENGTH=20
|
||||
|
||||
function passwords_select_user {
|
||||
SELECTED_USERNAME=
|
||||
|
||||
# shellcheck disable=SC2207
|
||||
users_array=($(ls /home))
|
||||
|
||||
delete=(git)
|
||||
# shellcheck disable=SC2068
|
||||
for del in ${delete[@]}
|
||||
do
|
||||
# shellcheck disable=SC2206
|
||||
users_array=(${users_array[@]/$del})
|
||||
done
|
||||
|
||||
i=0
|
||||
W=()
|
||||
name=()
|
||||
# shellcheck disable=SC2068
|
||||
for u in ${users_array[@]}
|
||||
do
|
||||
if [[ $(is_valid_user "$u") == "1" ]]; then
|
||||
i=$((i+1))
|
||||
W+=("$i" "$u")
|
||||
name+=("$u")
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $i -eq 1 ]; then
|
||||
SELECTED_USERNAME="${name[0]}"
|
||||
else
|
||||
# shellcheck disable=SC2068
|
||||
user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
|
||||
|
||||
# shellcheck disable=SC2181
|
||||
if [ $? -eq 0 ]; then
|
||||
# shellcheck disable=SC2034
|
||||
SELECTED_USERNAME="${name[$((user_index-1))]}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function enforce_good_passwords {
|
||||
# because humans are generally bad at choosing passwords
|
||||
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
|
||||
|
|
Loading…
Reference in New Issue