#!/bin/bash # Freedombone install script intended for use with Debian Jessie # # Note on dynamic dns # =================== # # I'm not particularly trying to promote freedns.afraid.org # as a service, it just happens to be a dynamic DNS system which # provides free (as in beer) accounts, and I'm trying to make the # process of setting up a working server as trivial as possible. # Other dynamic DNS systems are available, and if you're using # something different then comment out the section within # argument_checks and the call to dynamic_dns_freedns. # # Prerequisites # ============= # # cd ~/ # wget http://freedombone.uk.to/debian-jessie-console-armhf-2014-08-13.tar.xz # # Verify it. # # sha256sum debian-jessie-console-armhf-2014-08-13.tar.xz # fc225cfb3c2dfad92cccafa97e92c3cd3db9d94f4771af8da364ef59609f43de # # Uncompress it. # # tar xJf debian-jessie-console-armhf-2014-08-13.tar.xz # cd debian-jessie-console-armhf-2014-08-13 # # sudo apt-get install u-boot-tools dosfstools git-core kpartx wget parted # sudo ./setup_sdcard.sh --mmc /dev/sdX --dtb beaglebone # # When finished eject the micrtoSD then reinsert it # # sudo cp /media/$USER/BOOT/bbb-uEnv.txt /media/$USER/BOOT/uEnv.txt # sync # # Eject microSD, insert into BBB, attach USB cable between BBB and laptop. # On Ubuntu wait until you see the "connected" message. # # ssh-keygen -f "/home/$USER/.ssh/known_hosts" -R 192.168.7.2 # ssh debian@192.168.7.2 (password "temppwd") # su (password "root") # passwd # adduser $MY_USERNAME # sed -i '/iface eth0 inet dhcp/a\iface eth0 inet static' /etc/network/interfaces # sed -i '/iface eth0 inet static/a\ dns-nameservers 213.73.91.35 85.214.20.141' /etc/network/interfaces # sed -i "/iface eth0 inet static/a\ gateway $MY_ROUTER_IP" /etc/network/interfaces # sed -i '/iface eth0 inet static/a\ netmask 255.255.255.0' /etc/network/interfaces # sed -i "/iface eth0 inet static/a\ address $MY_BBB_STATIC_IP" /etc/network/interfaces # sed -i '/iface usb0 inet static/,/ gateway 192.168.7.1/ s/^/#/' /etc/network/interfaces # shutdown now # # Connect BBB to router # # scp install-freedombone.sh $MY_USERNAME@$MY_BBB_STATIC_IP:/home/$MY_USERNAME # ssh $MY_USERNAME@$MY_BBB_STATIC_IP # su # ./install-freedombone.sh [DOMAIN_NAME] [MY_USERNAME] DOMAIN_NAME=$1 MY_USERNAME=$2 FREEDNS_SUBDOMAIN_CODE=$3 SYSTEM_TYPE=$4 # Different system variants which may be specified within # the SYSTEM_TYPE option VARIANT_WRITER="writer" VARIANT_CLOUD="cloud" VARIANT_CHAT="chat" VARIANT_MAILBOX="mailbox" VARIANT_SOCIAL="social" SSH_PORT=2222 KERNEL_VERSION="v3.15.10-bone7" USE_HWRNG="yes" INSTALLED_WITHIN_DOCKER="no" # If you want to run an encrypted mailing list specify its name here. # There should be no spaces in the name PRIVATE_MAILING_LIST= # Domain name or freedns subdomain for microblog installation MICROBLOG_DOMAIN_NAME= MICROBLOG_FREEDNS_SUBDOMAIN_CODE= MICROBLOG_REPO="git://gitorious.org/social/mainline.git" MICROBLOG_ADMIN_PASSWORD= # Domain name or redmatrix installation REDMATRIX_DOMAIN_NAME= REDMATRIX_FREEDNS_SUBDOMAIN_CODE= REDMATRIX_REPO="" # Domain name or freedns subdomain for Owncloud installation OWNCLOUD_DOMAIN_NAME= # Freedns dynamic dns code for owncloud OWNCLOUD_FREEDNS_SUBDOMAIN_CODE= OWNCLOUD_ARCHIVE="owncloud-7.0.2.tar.bz2" OWNCLOUD_DOWNLOAD="https://download.owncloud.org/community/$OWNCLOUD_ARCHIVE" OWNCLOUD_HASH="ea07124a1b9632aa5227240d655e4d84967fb6dd49e4a16d3207d6179d031a3a" # Domain name or freedns subdomain for your wiki WIKI_FREEDNS_SUBDOMAIN_CODE= WIKI_DOMAIN_NAME= WIKI_ARCHIVE="dokuwiki-stable.tgz" WIKI_DOWNLOAD="http://download.dokuwiki.org/src/dokuwiki/$WIKI_ARCHIVE" WIKI_HASH="a0e79986b87b2744421ce3c33b43a21f296deadd81b1789c25fa4bb095e8e470" # see https://www.dokuwiki.org/template:mnml-blog # https://andreashaerter.com/tmp/downloads/dokuwiki-template-mnml-blog/CHECKSUMS.asc WIKI_MNML_BLOG_ADDON_ARCHIVE="mnml-blog.tar.gz" WIKI_MNML_BLOG_ADDON="https://andreashaerter.com/downloads/dokuwiki-template-mnml-blog/latest" WIKI_MNML_BLOG_ADDON_HASH="428c280d09ee14326fef5cd6f6772ecfcd532f7b6779cd992ff79a97381cf39f" # see https://www.dokuwiki.org/plugin:blogtng WIKI_BLOGTNG_ADDON_NAME="dokufreaks-plugin-blogtng-93a3fec" WIKI_BLOGTNG_ADDON_ARCHIVE="$WIKI_BLOGTNG_ADDON_NAME.zip" WIKI_BLOGTNG_ADDON="https://github.com/dokufreaks/plugin-blogtng/zipball/master" WIKI_BLOGTNG_ADDON_HASH="212b3ad918fdc92b2d49ef5d36bc9e086eab27532931ba6b87e05f35fd402a27" # see https://www.dokuwiki.org/plugin:sqlite WIKI_SQLITE_ADDON_NAME="cosmocode-sqlite-7be4003" WIKI_SQLITE_ADDON_ARCHIVE="$WIKI_SQLITE_ADDON_NAME.tar.gz" WIKI_SQLITE_ADDON="https://github.com/cosmocode/sqlite/tarball/master" WIKI_SQLITE_ADDON_HASH="930335e647c7e62f3068689c256ee169fad2426b64f8360685d391ecb5eeda0c" GPG_KEYSERVER="hkp://keys.gnupg.net" # optionally you can provide your exported GPG key pair here # Note that the private key file will be deleted after use # If these are unspecified then a new GPG key will be created MY_GPG_PUBLIC_KEY= MY_GPG_PRIVATE_KEY= # If you have existing mail within a Maildir # you can specify the directory here and the files # will be imported IMPORT_MAILDIR= # The Debian package repository to use. DEBIAN_REPO="ftp.de.debian.org" DEBIAN_VERSION="jessie" # Directory where source code is downloaded and compiled INSTALL_DIR=$HOME/build # device name for an attached usb drive USB_DRIVE=/dev/sda1 # memory limit for php in MB MAX_PHP_MEMORY=32 # default MariaDB password MARIADB_PASSWORD= export DEBIAN_FRONTEND=noninteractive # File which keeps track of what has already been installed COMPLETION_FILE=$HOME/freedombone-completed.txt if [ ! -f $COMPLETION_FILE ]; then touch $COMPLETION_FILE fi function show_help { echo '' echo './install-freedombone.sh [domain] [username] [subdomain code] [system type]' echo '' echo 'domain' echo '------' echo 'This is your domain name or freedns subdomain.' echo '' echo 'username' echo '--------' echo '' echo 'This will be your username on the system. It should be all' echo 'lower case and contain no spaces' echo '' echo 'subdomain code' echo '--------------' echo 'This is the freedns dynamic DNS code for your subdomain.' echo "To find it from https://freedns.afraid.org select 'Dynamic DNS'," echo "then 'quick cron example' and copy the code located between " echo "'?' and '=='." echo '' echo 'system type' echo '-----------' echo 'This can either be blank if you wish to install the full system,' echo "or for more specialised variants you can specify '$VARIANT_MAILBOX', '$VARIANT_CLOUD'," echo "'$VARIANT_CHAT', '$VARIANT_SOCIAL' or '$VARIANT_WRITER'" echo '' } function argument_checks { if [ ! -d /home/$MY_USERNAME ]; then echo "There is no user '$MY_USERNAME' on the system. Use 'adduser $MY_USERNAME' to create the user." exit 1 fi if [ ! $DOMAIN_NAME ]; then show_help exit 2 fi if [ ! $MY_USERNAME ]; then show_help exit 3 fi if [ ! $FREEDNS_SUBDOMAIN_CODE ]; then show_help exit 4 fi if [ $SYSTEM_TYPE ]; then if [[ $SYSTEM_TYPE != $VARIANT_WRITER && $SYSTEM_TYPE != $VARIANT_CLOUD && $SYSTEM_TYPE != $VARIANT_CHAT && $SYSTEM_TYPE != $VARIANT_MAILBOX && $SYSTEM_TYPE != $VARIANT_SOCIAL ]]; then echo "'$SYSTEM_TYPE' is an unrecognised Freedombone variant." exit 30 fi fi } function change_login_message { if grep -Fxq "change_login_message" $COMPLETION_FILE; then return fi echo '' > /etc/motd echo ".---. . . " >> /etc/motd echo "| | | " >> /etc/motd echo "|--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. " >> /etc/motd echo "| | (.-' (.-' ( | ( )| | | | )( )| | (.-' " >> /etc/motd echo "' ' --' --' -' - -' ' ' -' -' -' ' - --'" >> /etc/motd if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then echo ' . . . . . ' >> /etc/motd echo ' \ \ / / o _|_ ' >> /etc/motd echo ' \ \ /.--.. | .-. .--.' >> /etc/motd echo " \/ \/ | | | (.-' | " >> /etc/motd echo " ' ' ' -' - -' --'' " >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then echo ' .--.. . ' >> /etc/motd echo ' : | | ' >> /etc/motd echo ' | | .-. . . .-.| ' >> /etc/motd echo ' : |( )| |( | ' >> /etc/motd echo " --' - -' -- - -' -" >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then echo ' .--.. . ' >> /etc/motd echo ' : | _|_ ' >> /etc/motd echo ' | |--. .-. | ' >> /etc/motd echo ' : | |( ) | ' >> /etc/motd echo " --'' - -' - -' " >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then echo ' .-. . ' >> /etc/motd echo ' ( ) o | ' >> /etc/motd echo ' -. .-. .-. . .-. | ' >> /etc/motd echo ' ( )( )( | ( ) | ' >> /etc/motd echo " -' -' -'-' - -' - - " >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then echo ' . . . . ' >> /etc/motd echo ' |\ /| o | | ' >> /etc/motd echo ' | \/ | .-. . | |.-. .-.-. ,- ' >> /etc/motd echo ' | |( ) | | | )( ) : ' >> /etc/motd echo ' ' ' -' --' - -' -' -'-' - ' >> /etc/motd fi echo '' >> /etc/motd echo ' Freedom in the Cloud' >> /etc/motd echo '' >> /etc/motd echo 'change_login_message' >> $COMPLETION_FILE } function search_for_attached_usb_drive { # If a USB drive is attached then search for email, # gpg, ssh keys and emacs configuration if grep -Fxq "search_for_attached_usb_drive" $COMPLETION_FILE; then return fi if [ -b $USB_DRIVE ]; then if [ ! -d /media/usb ]; then echo 'Mounting USB drive' mkdir /media/usb mount $USB_DRIVE /media/usb fi if ! [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then if [ -d /media/usb/Maildir ]; then echo 'Maildir found on USB drive' IMPORT_MAILDIR=/media/usb/Maildir fi if [ -d /media/usb/.gnupg ]; then echo 'Importing GPG keyring' cp -r /media/usb/.gnupg /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg if [ -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then shred -zu /media/usb/.gnupg/secring.gpg shred -zu /media/usb/.gnupg/random_seed shred -zu /media/usb/.gnupg/trustdb.gpg rm -rf /media/usb/.gnupg else echo 'GPG files did not copy' exit 7 fi fi if [ -f /media/usb/private_key.gpg ]; then echo 'GPG private key found on USB drive' MY_GPG_PRIVATE_KEY=/media/usb/private_key.gpg fi if [ -f /media/usb/public_key.gpg ]; then echo 'GPG public key found on USB drive' MY_GPG_PUBLIC_KEY=/media/usb/public_key.gpg fi fi if [ -d /media/usb/.ssh ]; then echo 'Importing ssh keys' cp -r /media/usb/.ssh /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh # for security delete the ssh keys from the usb drive if [ -f /home/$MY_USERNAME/.ssh/id_rsa ]; then shred -zu /media/usb/.ssh/id_rsa shred -zu /media/usb/.ssh/id_rsa.pub shred -zu /media/usb/.ssh/known_hosts rm -rf /media/usb/.ssh else echo 'ssh files did not copy' exit 8 fi fi if [ -f /media/usb/.emacs ]; then echo 'Importing .emacs file' cp -f /media/usb/.emacs /home/$MY_USERNAME/.emacs chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs fi if [ -d /media/usb/.emacs.d ]; then echo 'Importing .emacs.d directory' cp -r /media/usb/.emacs.d /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d fi if [ -d /media/usb/personal ]; then echo 'Importing personal directory' cp -r /media/usb/personal /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal fi else if [ -d /media/usb ]; then umount /media/usb rm -rf /media/usb fi echo 'No USB drive attached' fi echo 'search_for_attached_usb_drive' >> $COMPLETION_FILE } function remove_proprietary_repos { if grep -Fxq "remove_proprietary_repos" $COMPLETION_FILE; then return fi sed -i 's/ non-free//g' /etc/apt/sources.list echo 'remove_proprietary_repos' >> $COMPLETION_FILE } function change_debian_repos { if grep -Fxq "change_debian_repos" $COMPLETION_FILE; then return fi rm -rf /var/lib/apt/lists/* apt-get clean sed -i "s/ftp.us.debian.org/$DEBIAN_REPO/g" /etc/apt/sources.list # ensure that there is a security repo if ! grep -q "security" /etc/apt/sources.list; then if grep -q "jessie" /etc/apt/sources.list; then echo "deb http://security.debian.org/ jessie/updates main contrib" >> /etc/apt/sources.list echo "#deb-src http://security.debian.org/ jessie/updates main contrib" >> /etc/apt/sources.list else if grep -q "wheezy" /etc/apt/sources.list; then echo "deb http://security.debian.org/ wheezy/updates main contrib" >> /etc/apt/sources.list echo "#deb-src http://security.debian.org/ wheezy/updates main contrib" >> /etc/apt/sources.list fi fi fi apt-get update apt-get -y --force-yes install apt-transport-https echo 'change_debian_repos' >> $COMPLETION_FILE } function initial_setup { if grep -Fxq "initial_setup" $COMPLETION_FILE; then return fi apt-get -y remove --purge apache* apt-get -y dist-upgrade apt-get -y install ca-certificates emacs24 echo 'initial_setup' >> $COMPLETION_FILE } function install_editor { if grep -Fxq "install_editor" $COMPLETION_FILE; then return fi update-alternatives --set editor /usr/bin/emacs24 echo 'install_editor' >> $COMPLETION_FILE } function enable_backports { if grep -Fxq "enable_backports" $COMPLETION_FILE; then return fi if ! grep -Fxq "deb http://$DEBIAN_REPO/debian jessie-backports main" /etc/apt/sources.list; then echo "deb http://$DEBIAN_REPO/debian jessie-backports main" >> /etc/apt/sources.list fi echo 'enable_backports' >> $COMPLETION_FILE } function update_the_kernel { if grep -Fxq "update_the_kernel" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then return fi cd /opt/scripts/tools ./update_kernel.sh --kernel $KERNEL_VERSION echo 'update_the_kernel' >> $COMPLETION_FILE } function enable_zram { if grep -Fxq "enable_zram" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then return fi if ! grep -q "options zram num_devices=1" /etc/modprobe.d/zram.conf; then echo 'options zram num_devices=1' >> /etc/modprobe.d/zram.conf fi echo '#!/bin/bash' > /etc/init.d/zram echo '### BEGIN INIT INFO' >> /etc/init.d/zram echo '# Provides: zram' >> /etc/init.d/zram echo '# Required-Start:' >> /etc/init.d/zram echo '# Required-Stop:' >> /etc/init.d/zram echo '# Default-Start: 2 3 4 5' >> /etc/init.d/zram echo '# Default-Stop: 0 1 6' >> /etc/init.d/zram echo '# Short-Description: Increased Performance In Linux With zRam (Virtual Swap Compressed in RAM)' >> /etc/init.d/zram echo '# Description: Adapted from systemd scripts at https://github.com/mystilleef/FedoraZram' >> /etc/init.d/zram echo '### END INIT INFO' >> /etc/init.d/zram echo 'start() {' >> /etc/init.d/zram echo ' # get the number of CPUs' >> /etc/init.d/zram echo ' num_cpus=$(grep -c processor /proc/cpuinfo)' >> /etc/init.d/zram echo ' # if something goes wrong, assume we have 1' >> /etc/init.d/zram echo ' [ "$num_cpus" != 0 ] || num_cpus=1' >> /etc/init.d/zram echo ' # set decremented number of CPUs' >> /etc/init.d/zram echo ' decr_num_cpus=$((num_cpus - 1))' >> /etc/init.d/zram echo ' # get the amount of memory in the machine' >> /etc/init.d/zram echo ' mem_total_kb=$(grep MemTotal /proc/meminfo | grep -E --only-matching "[[:digit:]]+")' >> /etc/init.d/zram echo ' mem_total=$((mem_total_kb * 1024))' >> /etc/init.d/zram echo ' # load dependency modules' >> /etc/init.d/zram echo ' modprobe zram num_devices=$num_cpus' >> /etc/init.d/zram echo ' # initialize the devices' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' echo $((mem_total / num_cpus)) > /sys/block/zram$i/disksize' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo ' # Creating swap filesystems' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' mkswap /dev/zram$i' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo ' # Switch the swaps on' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' swapon -p 100 /dev/zram$i' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo '}' >> /etc/init.d/zram echo 'stop() {' >> /etc/init.d/zram echo ' # get the number of CPUs' >> /etc/init.d/zram echo ' num_cpus=$(grep -c processor /proc/cpuinfo)' >> /etc/init.d/zram echo ' # set decremented number of CPUs' >> /etc/init.d/zram echo ' decr_num_cpus=$((num_cpus - 1))' >> /etc/init.d/zram echo ' # Switching off swap' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' if [ "$(grep /dev/zram$i /proc/swaps)" != "" ]; then' >> /etc/init.d/zram echo ' swapoff /dev/zram$i' >> /etc/init.d/zram echo ' sleep 1' >> /etc/init.d/zram echo ' fi' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo ' sleep 1' >> /etc/init.d/zram echo ' rmmod zram' >> /etc/init.d/zram echo '}' >> /etc/init.d/zram echo 'case "$1" in' >> /etc/init.d/zram echo ' start)' >> /etc/init.d/zram echo ' start' >> /etc/init.d/zram echo ' ;;' >> /etc/init.d/zram echo ' stop)' >> /etc/init.d/zram echo ' stop' >> /etc/init.d/zram echo ' ;;' >> /etc/init.d/zram echo ' restart)' >> /etc/init.d/zram echo ' stop' >> /etc/init.d/zram echo ' sleep 3' >> /etc/init.d/zram echo ' start' >> /etc/init.d/zram echo ' ;;' >> /etc/init.d/zram echo ' *)' >> /etc/init.d/zram echo ' echo "Usage: $0 {start|stop|restart}"' >> /etc/init.d/zram echo ' RETVAL=1' >> /etc/init.d/zram echo 'esac' >> /etc/init.d/zram echo 'exit $RETVAL' >> /etc/init.d/zram chmod +x /etc/init.d/zram update-rc.d zram defaults echo 'enable_zram' >> $COMPLETION_FILE } function random_number_generator { if grep -Fxq "random_number_generator" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # it is assumed that docker uses the random number # generator of the host system return fi if [[ $USE_HWRNG == "yes" ]]; then apt-get -y --force-yes install rng-tools sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools else apt-get -y --force-yes install haveged fi echo 'random_number_generator' >> $COMPLETION_FILE } function configure_ssh { if grep -Fxq "configure_ssh" $COMPLETION_FILE; then return fi sed -i "s/Port 22/Port $SSH_PORT/g" /etc/ssh/sshd_config sed -i 's/PermitRootLogin without-password/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config sed -i 's/ServerKeyBits 1024/ServerKeyBits 4096/g' /etc/ssh/sshd_config sed -i 's/TCPKeepAlive yes/TCPKeepAlive no/g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config echo 'Ciphers aes256-ctr,aes128-ctr' >> /etc/ssh/sshd_config echo 'MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' >> /etc/ssh/sshd_config apt-get -y --force-yes install fail2ban echo 'configure_ssh' >> $COMPLETION_FILE # Don't reboot if installing within docker # random numbers will come from the host system if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then return fi echo '' echo '' echo ' *** Rebooting to initialise ssh settings and random number generator ***' echo '' echo " *** Reconnect via ssh on port $SSH_PORT, then run this script again ***" echo '' reboot } function regenerate_ssh_keys { if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then return fi rm -f /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server service ssh restart echo 'regenerate_ssh_keys' >> $COMPLETION_FILE } function configure_dns { if grep -Fxq "configure_dns" $COMPLETION_FILE; then return fi echo 'domain localdomain' > /etc/resolv.conf echo 'search localdomain' >> /etc/resolv.conf echo 'nameserver 213.73.91.35' >> /etc/resolv.conf echo 'nameserver 85.214.20.141' >> /etc/resolv.conf echo 'configure_dns' >> $COMPLETION_FILE } function set_your_domain_name { if grep -Fxq "set_your_domain_name" $COMPLETION_FILE; then return fi echo "$DOMAIN_NAME" > /etc/hostname hostname $DOMAIN_NAME sed -i "s/127.0.1.1 arm/127.0.1.1 $DOMAIN_NAME/g" /etc/hosts echo "127.0.1.1 $DOMAIN_NAME" >> /etc/hosts echo 'set_your_domain_name' >> $COMPLETION_FILE } function time_synchronisation { if grep -Fxq "time_synchronisation" $COMPLETION_FILE; then return fi apt-get -y --force-yes install tlsdate apt-get -y remove ntpdate echo '#!/bin/bash' > /usr/bin/updatedate echo 'TIMESOURCE=google.com' >> /usr/bin/updatedate echo 'TIMESOURCE2=www.ptb.de' >> /usr/bin/updatedate echo 'LOGFILE=/var/log/tlsdate.log' >> /usr/bin/updatedate echo 'TIMEOUT=5' >> /usr/bin/updatedate echo "EMAIL=$MY_USERNAME@$DOMAIN_NAME" >> /usr/bin/updatedate echo '# File which contains the previous date as a number' >> /usr/bin/updatedate echo 'BEFORE_DATE_FILE=/var/log/tlsdateprevious.txt' >> /usr/bin/updatedate echo '# File which contains the previous date as a string' >> /usr/bin/updatedate echo 'BEFORE_FULLDATE_FILE=/var/log/tlsdate.txt' >> /usr/bin/updatedate echo 'DATE_BEFORE=$(date)' >> /usr/bin/updatedate echo 'BEFORE=$(date -d "$Y-$M-$D" "+%s")' >> /usr/bin/updatedate echo 'BACKWARDS_BETWEEN=0' >> /usr/bin/updatedate echo '# If the date was previously set' >> /usr/bin/updatedate echo 'if [[ -f "$BEFORE_DATE_FILE" ]]; then' >> /usr/bin/updatedate echo ' BEFORE_FILE=$(cat $BEFORE_DATE_FILE)' >> /usr/bin/updatedate echo ' BEFORE_FULLDATE=$(cat $BEFORE_FULLDATE_FILE)' >> /usr/bin/updatedate echo ' # is the date going backwards?' >> /usr/bin/updatedate echo ' if (( BEFORE_FILE > BEFORE )); then' >> /usr/bin/updatedate echo ' echo -n "Date went backwards between tlsdate updates. " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n "$BEFORE_FILE > $BEFORE, " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo "$BEFORE_FULLDATE > $DATE_BEFORE" >> $LOGFILE' >> /usr/bin/updatedate echo ' # Send a warning email' > /usr/bin/updatedate echo ' echo $(tail $LOGFILE -n 2) | mail -s "tlsdate anomaly" $EMAIL' >> /usr/bin/updatedate echo ' # Try another time source' >> /usr/bin/updatedate echo ' TIMESOURCE=$TIMESOURCE2' >> /usr/bin/updatedate echo ' # try running without any parameters' >> /usr/bin/updatedate echo ' tlsdate >> $LOGFILE' >> /usr/bin/updatedate echo ' BACKWARDS_BETWEEN=1' >> /usr/bin/updatedate echo ' fi' >> /usr/bin/updatedate echo 'fi' >> /usr/bin/updatedate echo '# Set the date' >> /usr/bin/updatedate echo '/usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE -p 443 >> $LOGFILE' >> /usr/bin/updatedate echo 'DATE_AFTER=$(date)' >> /usr/bin/updatedate echo 'AFTER=$(date -d "$Y-$M-$D" '+%s')' >> /usr/bin/updatedate echo '# After setting the date did it go backwards?' >> /usr/bin/updatedate echo 'if (( AFTER < BEFORE )); then' >> /usr/bin/updatedate echo ' echo "Incorrect date: $DATE_BEFORE -> $DATE_AFTER" >> $LOGFILE' >> /usr/bin/updatedate echo ' # Send a warning email' >> /usr/bin/updatedate echo ' echo $(tail $LOGFILE -n 2) | mail -s "tlsdate anomaly" $EMAIL' >> /usr/bin/updatedate echo ' # Try resetting the date from another time source' >> /usr/bin/updatedate echo ' /usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE2 -p 443 >> $LOGFILE' >> /usr/bin/updatedate echo ' DATE_AFTER=$(date)' >> /usr/bin/updatedate echo ' AFTER=$(date -d "$Y-$M-$D" "+%s")' >> /usr/bin/updatedate echo 'else' >> /usr/bin/updatedate echo ' echo -n $TIMESOURCE >> $LOGFILE' >> /usr/bin/updatedate echo ' if [[ -f "$BEFORE_DATE_FILE" ]]; then' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n $BEFORE_FILE >> $LOGFILE' >> /usr/bin/updatedate echo ' fi' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n $BEFORE >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n $AFTER >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo $DATE_AFTER >> $LOGFILE' >> /usr/bin/updatedate echo 'fi' >> /usr/bin/updatedate echo '# Log the last date' >> /usr/bin/updatedate echo 'if [ BACKWARDS_BETWEEN == 0 ]; then' >> /usr/bin/updatedate echo ' echo "$AFTER" > $BEFORE_DATE_FILE' >> /usr/bin/updatedate echo ' echo "$DATE_AFTER" > $BEFORE_FULLDATE_FILE' >> /usr/bin/updatedate echo ' exit 0' >> /usr/bin/updatedate echo 'else' >> /usr/bin/updatedate echo ' exit 1' >> /usr/bin/updatedate echo 'fi' >> /usr/bin/updatedate chmod +x /usr/bin/updatedate echo '*/15 * * * * root /usr/bin/updatedate' >> /etc/crontab service cron restart echo '#!/bin/bash' > /etc/init.d/tlsdate echo '# /etc/init.d/tlsdate' >> /etc/init.d/tlsdate echo '### BEGIN INIT INFO' >> /etc/init.d/tlsdate echo '# Provides: tlsdate' >> /etc/init.d/tlsdate echo '# Required-Start: $remote_fs $syslog' >> /etc/init.d/tlsdate echo '# Required-Stop: $remote_fs $syslog' >> /etc/init.d/tlsdate echo '# Default-Start: 2 3 4 5' >> /etc/init.d/tlsdate echo '# Default-Stop: 0 1 6' >> /etc/init.d/tlsdate echo '# Short-Description: Initially calls tlsdate with the timewarp option' >> /etc/init.d/tlsdate echo '# Description: Initially calls tlsdate with the timewarp option' >> /etc/init.d/tlsdate echo '### END INIT INFO' >> /etc/init.d/tlsdate echo '# Author: Bob Mottram ' >> /etc/init.d/tlsdate echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin"' >> /etc/init.d/tlsdate echo 'LOGFILE="/var/log/tlsdate.log"' >> /etc/init.d/tlsdate echo 'TLSDATECOMMAND="tlsdate --timewarp -l -H www.ptb.de -p 443 >> $LOGFILE"' >> /etc/init.d/tlsdate echo '#Start-Stop here' >> /etc/init.d/tlsdate echo 'case "$1" in' >> /etc/init.d/tlsdate echo ' start)' >> /etc/init.d/tlsdate echo ' echo "tlsdate started"' >> /etc/init.d/tlsdate echo ' $TLSDATECOMMAND' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo ' stop)' >> /etc/init.d/tlsdate echo ' echo "tlsdate stopped"' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo ' restart)' >> /etc/init.d/tlsdate echo ' echo "tlsdate restarted"' >> /etc/init.d/tlsdate echo ' $TLSDATECOMMAND' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo ' *)' >> /etc/init.d/tlsdate echo ' echo "Usage: $0 {start|stop|restart}"' >> /etc/init.d/tlsdate echo ' exit 1' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo 'esac' >> /etc/init.d/tlsdate echo 'exit 0' >> /etc/init.d/tlsdate chmod +x /etc/init.d/tlsdate update-rc.d tlsdate defaults echo 'time_synchronisation' >> $COMPLETION_FILE } function configure_firewall { if grep -Fxq "configure_firewall" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -P INPUT ACCEPT ip6tables -P INPUT ACCEPT iptables -F ip6tables -F iptables -X ip6tables -X iptables -P INPUT DROP ip6tables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT echo 'configure_firewall' >> $COMPLETION_FILE } function save_firewall_settings { iptables-save > /etc/firewall.conf ip6tables-save > /etc/firewall6.conf printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables chmod +x /etc/network/if-up.d/iptables } function configure_firewall_for_dns { if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_dns' >> $COMPLETION_FILE } function configure_firewall_for_xmpp { if [ ! -d /etc/prosody ]; then return fi if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 5222:5223 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 5269 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 5280:5281 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE } function configure_firewall_for_irc { if [ ! -d /etc/ngircd ]; then return fi if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 6697 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 9999 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_irc' >> $COMPLETION_FILE } function configure_firewall_for_ftp { if grep -Fxq "configure_firewall_for_ftp" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -I INPUT -i eth0 -p tcp --dport 1024:65535 --sport 20:21 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_ftp' >> $COMPLETION_FILE } function configure_firewall_for_web_access { if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 32768:61000 --sport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 32768:61000 --sport 443 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE } function configure_firewall_for_web_server { if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE } function configure_firewall_for_ssh { if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport $SSH_PORT -j ACCEPT save_firewall_settings echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE } function configure_firewall_for_git { if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 9418 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_git' >> $COMPLETION_FILE } function configure_firewall_for_email { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_email' >> $COMPLETION_FILE } function configure_internet_protocol { if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then return fi sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf echo '# ignore pings' >> /etc/sysctl.conf echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf echo '# disable ipv6' >> /etc/sysctl.conf echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf echo '# keepalive' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf echo 'configure_internet_protocol' >> $COMPLETION_FILE } function script_to_make_self_signed_certificates { if grep -Fxq "script_to_make_self_signed_certificates" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/makecert echo 'HOSTNAME=$1' >> /usr/bin/makecert echo 'COUNTRY_CODE="US"' >> /usr/bin/makecert echo 'AREA="Free Speech Zone"' >> /usr/bin/makecert echo 'LOCATION="Freedomville"' >> /usr/bin/makecert echo 'ORGANISATION="Freedombone"' >> /usr/bin/makecert echo 'UNIT="Freedombone Unit"' >> /usr/bin/makecert echo 'if ! which openssl > /dev/null ;then' >> /usr/bin/makecert echo ' echo "$0: openssl is not installed, exiting" 1>&2' >> /usr/bin/makecert echo ' exit 1' >> /usr/bin/makecert echo 'fi' >> /usr/bin/makecert echo 'openssl req -x509 -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt' >> /usr/bin/makecert echo 'openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam' >> /usr/bin/makecert echo 'chmod 400 /etc/ssl/private/$HOSTNAME.key' >> /usr/bin/makecert echo 'chmod 640 /etc/ssl/certs/$HOSTNAME.crt' >> /usr/bin/makecert echo 'chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam' >> /usr/bin/makecert echo 'if [ -f /etc/init.d/nginx ]; then' >> /usr/bin/makecert echo ' /etc/init.d/nginx reload' >> /usr/bin/makecert echo 'fi' >> /usr/bin/makecert echo '# add the public certificate to a separate directory' >> /usr/bin/makecert echo '# so that we can redistribute it easily' >> /usr/bin/makecert echo 'if [ ! -d /etc/ssl/mycerts ]; then' >> /usr/bin/makecert echo ' mkdir /etc/ssl/mycerts' >> /usr/bin/makecert echo 'fi' >> /usr/bin/makecert echo 'cp /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/mycerts' >> /usr/bin/makecert echo '# Create a bundle of your certificates' >> /usr/bin/makecert echo 'cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt' >> /usr/bin/makecert echo 'tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt' >> /usr/bin/makecert chmod +x /usr/bin/makecert echo 'script_to_make_self_signed_certificates' >> $COMPLETION_FILE } function configure_email { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "configure_email" $COMPLETION_FILE; then return fi apt-get -y remove postfix apt-get -y --force-yes install exim4 sasl2-bin swaks libnet-ssleay-perl procmail echo 'dc_eximconfig_configtype="internet"' > /etc/exim4/update-exim4.conf.conf echo "dc_other_hostnames='$DOMAIN_NAME'" >> /etc/exim4/update-exim4.conf.conf echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf echo "dc_relay_nets='192.168.1.0/24'" >> /etc/exim4/update-exim4.conf.conf echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf update-exim4.conf sed -i "s/START=no/START=yes/g" /etc/default/saslauthd /etc/init.d/saslauthd start # make a tls certificate for email makecert exim mv /etc/ssl/private/exim.key /etc/exim4 mv /etc/ssl/certs/exim.crt /etc/exim4 mv /etc/ssl/certs/exim.dhparam /etc/exim4 chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME = $DOMAIN_NAME\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4 if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template fi adduser $MY_USERNAME sasl addgroup Debian-exim sasl /etc/init.d/exim4 restart if [ ! -d /etc/skel/Maildir ]; then mkdir -m 700 /etc/skel/Maildir mkdir -m 700 /etc/skel/Maildir/Sent mkdir -m 700 /etc/skel/Maildir/Sent/tmp mkdir -m 700 /etc/skel/Maildir/Sent/cur mkdir -m 700 /etc/skel/Maildir/Sent/new mkdir -m 700 /etc/skel/Maildir/.learn-spam mkdir -m 700 /etc/skel/Maildir/.learn-spam/cur mkdir -m 700 /etc/skel/Maildir/.learn-spam/new mkdir -m 700 /etc/skel/Maildir/.learn-spam/tmp mkdir -m 700 /etc/skel/Maildir/.learn-ham mkdir -m 700 /etc/skel/Maildir/.learn-ham/cur mkdir -m 700 /etc/skel/Maildir/.learn-ham/new mkdir -m 700 /etc/skel/Maildir/.learn-ham/tmp ln -s /etc/skel/Maildir/.learn-spam /etc/skel/Maildir/spam ln -s /etc/skel/Maildir/.learn-ham /etc/skel/Maildir/ham fi if [ ! -d /home/$MY_USERNAME/Maildir ]; then mkdir -m 700 /home/$MY_USERNAME/Maildir mkdir -m 700 /home/$MY_USERNAME/Maildir/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/tmp mkdir -m 700 /home/$MY_USERNAME/Maildir/new mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/tmp mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/new mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/new mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/tmp mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/new mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/tmp ln -s /home/$MY_USERNAME/Maildir/.learn-spam /home/$MY_USERNAME/Maildir/spam ln -s /home/$MY_USERNAME/Maildir/.learn-ham /home/$MY_USERNAME/Maildir/ham chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir fi echo 'configure_email' >> $COMPLETION_FILE } function spam_filtering { # NOTE: spamassassin installation currently doesn't work, sa-compile fails with a make error 23/09/2014 if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "spam_filtering" $COMPLETION_FILE; then return fi apt-get -y --force-yes install exim4-daemon-heavy apt-get -y --force-yes install spamassassin sa-update -v sed -i 's/ENABLED=0/ENABLED=1/g' /etc/default/spamassassin sed -i 's/# spamd_address = 127.0.0.1 783/spamd_address = 127.0.0.1 783/g' /etc/exim4/exim4.conf.template # This configuration is based on https://wiki.debian.org/DebianSpamAssassin sed -i 's/local_parts = postmaster/local_parts = postmaster:abuse/g' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt sed -i '/domains = +local_domains : +relay_to_domains/a\ set acl_m0 = rfcnames' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt sed -i 's/accept/accept condition = ${if eq{$acl_m0}{rfcnames} {1}{0}}/g' /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'warn message = X-Spam-Score: $spam_score ($spam_bar)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'warn message = X-Spam-Flag: YES' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'warn message = X-Spam-Report: $spam_report' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo '# reject spam at high scores (> 12)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'deny message = This message scored $spam_score spam points.' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' condition = ${if >{$spam_score_int}{120}{1}{0}}' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data # procmail configuration echo 'MAILDIR=$HOME/Maildir' > /home/$MY_USERNAME/.procmailrc echo 'DEFAULT=$MAILDIR/' >> /home/$MY_USERNAME/.procmailrc echo 'LOGFILE=$HOME/log/procmail.log' >> /home/$MY_USERNAME/.procmailrc echo 'LOGABSTRACT=all' >> /home/$MY_USERNAME/.procmailrc echo '# get spamassassin to check emails' >> /home/$MY_USERNAME/.procmailrc echo ':0fw: .spamassassin.lock' >> /home/$MY_USERNAME/.procmailrc echo ' * < 256000' >> /home/$MY_USERNAME/.procmailrc echo '| spamc' >> /home/$MY_USERNAME/.procmailrc echo '# strong spam are discarded' >> /home/$MY_USERNAME/.procmailrc echo ':0' >> /home/$MY_USERNAME/.procmailrc echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc echo '# weak spam are kept just in case - clear this out every now and then' >> /home/$MY_USERNAME/.procmailrc echo ':0' >> /home/$MY_USERNAME/.procmailrc echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc echo '.0-spam/' >> /home/$MY_USERNAME/.procmailrc echo '# otherwise, marginal spam goes here for revision' >> /home/$MY_USERNAME/.procmailrc echo ':0' >> /home/$MY_USERNAME/.procmailrc echo ' * ^X-Spam-Level: \*\*' >> /home/$MY_USERNAME/.procmailrc echo '.spam/' >> /home/$MY_USERNAME/.procmailrc chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc # filtering scripts echo '#!/bin/bash' > /usr/bin/filterspam echo 'USERNAME=$1' >> /usr/bin/filterspam echo 'MAILDIR=/home/$USERNAME/Maildir/.learn-spam' >> /usr/bin/filterspam echo 'if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterspam echo ' exit' >> /usr/bin/filterspam echo 'fi' >> /usr/bin/filterspam echo 'for f in `ls $MAILDIR/cur`' >> /usr/bin/filterspam echo 'do' >> /usr/bin/filterspam echo ' spamc -L spam < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterspam echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterspam echo 'done' >> /usr/bin/filterspam echo 'for f in `ls $MAILDIR/new`' >> /usr/bin/filterspam echo 'do' >> /usr/bin/filterspam echo ' spamc -L spam < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterspam echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterspam echo 'done' >> /usr/bin/filterspam echo '#!/bin/bash' > /usr/bin/filterham echo 'USERNAME=$1' >> /usr/bin/filterham echo 'MAILDIR=/home/$USERNAME/Maildir/.learn-ham' >> /usr/bin/filterham echo 'if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterham echo ' exit' >> /usr/bin/filterham echo 'fi' >> /usr/bin/filterham echo 'for f in `ls $MAILDIR/cur`' >> /usr/bin/filterham echo 'do' >> /usr/bin/filterham echo ' spamc -L ham < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterham echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterham echo 'done' >> /usr/bin/filterham echo 'for f in `ls $MAILDIR/new`' >> /usr/bin/filterham echo 'do' >> /usr/bin/filterham echo ' spamc -L ham < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterham echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterham echo 'done' >> /usr/bin/filterham if ! grep -q "filterspam" /etc/crontab; then echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterspam $MY_USERNAME" >> /etc/crontab fi if ! grep -q "filterham" /etc/crontab; then echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterham $MY_USERNAME" >> /etc/crontab fi chmod 655 /usr/bin/filterspam /usr/bin/filterham sed -i 's/# use_bayes 1/use_bayes 1/g' /etc/mail/spamassassin/local.cf sed -i 's/# bayes_auto_learn 1/bayes_auto_learn 1/g' /etc/mail/spamassassin/local.cf service spamassassin restart service exim4 restart service cron restart echo 'spam_filtering' >> $COMPLETION_FILE } function configure_imap { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "configure_imap" $COMPLETION_FILE; then return fi apt-get -y --force-yes install dovecot-common dovecot-imapd makecert dovecot chown root:dovecot /etc/ssl/certs/dovecot.crt chown root:dovecot /etc/ssl/private/dovecot.key chown root:dovecot /etc/ssl/private/dovecot.dhparams sed -i 's|#ssl = yes|ssl = yes|g' /etc/dovecot/conf.d/10-ssl.conf sed -i 's|ssl_cert = > /etc/dovecot/conf.d/10-ssl.conf sed -i 's/#listen = *, ::/listen = */g' /etc/dovecot/dovecot.conf sed -i 's/#disable_plaintext_auth = yes/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's/auth_mechanisms = plain/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's|# mail_location = maildir:~/Maildir| mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf echo 'configure_imap' >> $COMPLETION_FILE } function configure_gpg { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "configure_gpg" $COMPLETION_FILE; then return fi apt-get -y --force-yes install gnupg if [ ! -d /home/$MY_USERNAME/.gnupg ]; then mkdir /home/$MY_USERNAME/.gnupg echo 'keyserver hkp://keys.gnupg.net' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'keyserver-options auto-key-retrieve' >> /home/$MY_USERNAME/.gnupg/gpg.conf fi sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" /home/$MY_USERNAME/.gnupg/gpg.conf if ! grep -q "# default preferences" /home/$MY_USERNAME/.gnupg/gpg.conf; then echo '' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo '# default preferences' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'personal-digest-preferences SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'cert-digest-algo SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$MY_USERNAME/.gnupg/gpg.conf fi chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg if [[ $MY_GPG_PUBLIC_KEY && $MY_GPG_PRIVATE_KEY ]]; then # use your existing GPG keys which were exported if [ ! -f $MY_GPG_PUBLIC_KEY ]; then echo "GPG public key file $MY_GPG_PUBLIC_KEY was not found" exit 5 fi if [ ! -f $MY_GPG_PRIVATE_KEY ]; then echo "GPG private key file $MY_GPG_PRIVATE_KEY was not found" exit 6 fi su -c "gpg --import $MY_GPG_PUBLIC_KEY" - $MY_USERNAME su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME # for security ensure that the private key file doesn't linger around shred -zu $MY_GPG_PRIVATE_KEY else # Generate a GPG key echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Real: $MY_USERNAME@$DOMAIN_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Email: $MY_USERNAME@$DOMAIN_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME shred -zu /home/$MY_USERNAME/gpg-genkey.conf MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $DOMAIN_NAME | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}'" - $MY_USERNAME) MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME fi echo 'configure_gpg' >> $COMPLETION_FILE } function email_client { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "email_client" $COMPLETION_FILE; then return fi apt-get -y --force-yes install mutt-patched lynx abook if [ ! -d /home/$MY_USERNAME/.mutt ]; then mkdir /home/$MY_USERNAME/.mutt fi echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > /home/$MY_USERNAME/.mutt/mailcap chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt echo 'set mbox_type=Maildir' >> /etc/Muttrc echo 'set folder="~/Maildir"' >> /etc/Muttrc echo 'set mask="!^\\.[^.]"' >> /etc/Muttrc echo 'set mbox="~/Maildir"' >> /etc/Muttrc echo 'set record="+Sent"' >> /etc/Muttrc echo 'set postponed="+Drafts"' >> /etc/Muttrc echo 'set trash="+Trash"' >> /etc/Muttrc echo 'set spoolfile="~/Maildir"' >> /etc/Muttrc echo 'auto_view text/x-vcard text/html text/enriched' >> /etc/Muttrc echo 'set editor="emacs"' >> /etc/Muttrc echo 'set header_cache="+.cache"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo 'macro index S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc echo 'macro pager S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc echo 'macro index H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc echo 'macro pager H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# set up the sidebar' >> /etc/Muttrc echo 'set sidebar_width=12' >> /etc/Muttrc echo 'set sidebar_visible=yes' >> /etc/Muttrc echo "set sidebar_delim='|'" >> /etc/Muttrc echo 'set sidebar_sort=yes' >> /etc/Muttrc echo '' >> /etc/Muttrc echo 'set rfc2047_parameters' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# Show inbox and sent items' >> /etc/Muttrc echo 'mailboxes = =Sent' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# Alter these colours as needed for maximum bling' >> /etc/Muttrc echo 'color sidebar_new yellow default' >> /etc/Muttrc echo 'color normal white default' >> /etc/Muttrc echo 'color hdrdefault brightcyan default' >> /etc/Muttrc echo 'color signature green default' >> /etc/Muttrc echo 'color attachment brightyellow default' >> /etc/Muttrc echo 'color quoted green default' >> /etc/Muttrc echo 'color quoted1 white default' >> /etc/Muttrc echo 'color tilde blue default' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# ctrl-n, ctrl-p to select next, prev folder' >> /etc/Muttrc echo '# ctrl-o to open selected folder' >> /etc/Muttrc echo 'bind index \Cp sidebar-prev' >> /etc/Muttrc echo 'bind index \Cn sidebar-next' >> /etc/Muttrc echo 'bind index \Co sidebar-open' >> /etc/Muttrc echo 'bind pager \Cp sidebar-prev' >> /etc/Muttrc echo 'bind pager \Cn sidebar-next' >> /etc/Muttrc echo 'bind pager \Co sidebar-open' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# ctrl-b toggles sidebar visibility' >> /etc/Muttrc echo "macro index,pager \Cb 'toggle sidebar_visible' 'toggle sidebar'" >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# esc-m Mark new messages as read' >> /etc/Muttrc echo 'macro index m "T~N;WNT~O;WO\CT~T" "mark all messages read"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# Collapsing threads' >> /etc/Muttrc echo 'macro index [ "" "collapse/uncollapse thread"' >> /etc/Muttrc echo 'macro index ] "" "collapse/uncollapse all threads"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# threads containing new messages' >> /etc/Muttrc echo 'uncolor index "~(~N)"' >> /etc/Muttrc echo 'color index brightblue default "~(~N)"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# new messages themselves' >> /etc/Muttrc echo 'uncolor index "~N"' >> /etc/Muttrc echo 'color index brightyellow default "~N"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# GPG/PGP integration' >> /etc/Muttrc echo '# this set the number of seconds to keep in memory the passphrase used to encrypt/sign' >> /etc/Muttrc echo 'set pgp_timeout=60' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# automatically sign and encrypt with PGP/MIME' >> /etc/Muttrc echo 'set pgp_autosign # autosign all outgoing mails' >> /etc/Muttrc echo 'set pgp_autoencrypt # Try to encrypt automatically' >> /etc/Muttrc echo 'set pgp_replyencrypt # autocrypt replies to crypted' >> /etc/Muttrc echo 'set pgp_replysign # autosign replies to signed' >> /etc/Muttrc echo 'set pgp_auto_decode=yes # decode attachments' >> /etc/Muttrc echo 'set fcc_clear # Keep cleartext copy of sent encrypted mail' >> /etc/Muttrc echo 'unset smime_is_default' >> /etc/Muttrc echo '' >> /etc/Muttrc echo 'set alias_file=~/.mutt-alias' >> /etc/Muttrc echo 'source ~/.mutt-alias' >> /etc/Muttrc echo 'set query_command= "abook --mutt-query \"%s\""' >> /etc/Muttrc echo 'macro index,pager A "abook --add-email-quiet" "add the sender address to abook"' >> /etc/Muttrc cp -f /etc/Muttrc /home/$MY_USERNAME/.muttrc touch /home/$MY_USERNAME/.mutt-alias chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.muttrc chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt-alias echo 'email_client' >> $COMPLETION_FILE } function folders_for_mailing_lists { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "folders_for_mailing_lists" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/mailinglistrule echo 'MYUSERNAME=$1' >> /usr/bin/mailinglistrule echo 'MAILINGLIST=$2' >> /usr/bin/mailinglistrule echo 'SUBJECTTAG=$3' >> /usr/bin/mailinglistrule echo 'MUTTRC=/home/$MYUSERNAME/.muttrc' >> /usr/bin/mailinglistrule echo 'PM=/home/$MYUSERNAME/.procmailrc' >> /usr/bin/mailinglistrule echo 'LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST' >> /usr/bin/mailinglistrule echo 'if ! [[ $MYUSERNAME && $MAILINGLIST && $SUBJECTTAG ]]; then' >> /usr/bin/mailinglistrule echo ' echo "mailinglistsrule [user name] [mailing list name] [subject tag]"' >> /usr/bin/mailinglistrule echo ' exit 1' >> /usr/bin/mailinglistrule echo 'fi' >> /usr/bin/mailinglistrule echo 'if [ ! -d "$LISTDIR" ]; then' >> /usr/bin/mailinglistrule echo ' mkdir -m 700 $LISTDIR' >> /usr/bin/mailinglistrule echo ' mkdir -m 700 $LISTDIR/tmp' >> /usr/bin/mailinglistrule echo ' mkdir -m 700 $LISTDIR/new' >> /usr/bin/mailinglistrule echo ' mkdir -m 700 $LISTDIR/cur' >> /usr/bin/mailinglistrule echo 'fi' >> /usr/bin/mailinglistrule echo 'chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR' >> /usr/bin/mailinglistrule echo 'echo "" >> $PM' >> /usr/bin/mailinglistrule echo 'echo ":0" >> $PM' >> /usr/bin/mailinglistrule echo 'echo " * ^Subject:.*()\[$SUBJECTTAG\]" >> $PM' >> /usr/bin/mailinglistrule echo 'echo "$LISTDIR/new" >> $PM' >> /usr/bin/mailinglistrule echo 'chown $MYUSERNAME:$MYUSERNAME $PM' >> /usr/bin/mailinglistrule echo 'if [ ! -f "$MUTTRC" ]; then' >> /usr/bin/mailinglistrule echo ' cp /etc/Muttrc $MUTTRC' >> /usr/bin/mailinglistrule echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/mailinglistrule echo 'fi' >> /usr/bin/mailinglistrule echo 'PROCMAILLOG=/home/$MYUSERNAME/log' >> /usr/bin/mailinglistrule echo 'if [ ! -d $PROCMAILLOG ]; then' >> /usr/bin/mailinglistrule echo ' mkdir $PROCMAILLOG' >> /usr/bin/mailinglistrule echo ' chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG' >> /usr/bin/mailinglistrule echo 'fi' >> /usr/bin/mailinglistrule echo 'MUTT_MAILBOXES=$(grep "mailboxes =" $MUTTRC)' >> /usr/bin/mailinglistrule echo 'if [[ $MUTT_MAILBOXES != *$MAILINGLIST* ]]; then' >> /usr/bin/mailinglistrule echo ' sed -i "s|$MUTT_MAILBOXES|$MUTT_MAILBOXES =$MAILINGLIST|g" $MUTTRC' >> /usr/bin/mailinglistrule echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/mailinglistrule echo 'fi' >> /usr/bin/mailinglistrule chmod +x /usr/bin/mailinglistrule echo 'folders_for_mailing_lists' >> $COMPLETION_FILE } function folders_for_email_addresses { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "folders_for_email_addresses" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/emailrule echo 'MYUSERNAME=$1' >> /usr/bin/emailrule echo 'EMAILADDRESS=$2' >> /usr/bin/emailrule echo 'MAILINGLIST=$3' >> /usr/bin/emailrule echo 'MUTTRC=/home/$MYUSERNAME/.muttrc' >> /usr/bin/emailrule echo 'PM=/home/$MYUSERNAME/.procmailrc' >> /usr/bin/emailrule echo 'LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST' >> /usr/bin/emailrule echo 'if ! [[ $MYUSERNAME && $EMAILADDRESS && $MAILINGLIST ]]; then' >> /usr/bin/emailrule echo ' echo "emailrule [user name] [email address] [mailing list name]"' >> /usr/bin/emailrule echo ' exit 1' >> /usr/bin/emailrule echo 'fi' >> /usr/bin/emailrule echo 'if [ ! -d "$LISTDIR" ]; then' >> /usr/bin/emailrule echo ' mkdir -m 700 $LISTDIR' >> /usr/bin/emailrule echo ' mkdir -m 700 $LISTDIR/tmp' >> /usr/bin/emailrule echo ' mkdir -m 700 $LISTDIR/new' >> /usr/bin/emailrule echo ' mkdir -m 700 $LISTDIR/cur' >> /usr/bin/emailrule echo 'fi' >> /usr/bin/emailrule echo 'chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR' >> /usr/bin/emailrule echo 'echo "" >> $PM' >> /usr/bin/emailrule echo 'echo ":0" >> $PM' >> /usr/bin/emailrule echo 'echo " * ^From: $EMAILADDRESS" >> $PM' >> /usr/bin/emailrule echo 'echo "$LISTDIR/new" >> $PM' >> /usr/bin/emailrule echo 'chown $MYUSERNAME:$MYUSERNAME $PM' >> /usr/bin/emailrule echo 'if [ ! -f "$MUTTRC" ]; then' >> /usr/bin/emailrule echo ' cp /etc/Muttrc $MUTTRC' >> /usr/bin/emailrule echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/emailrule echo 'fi' >> /usr/bin/emailrule echo 'PROCMAILLOG=/home/$MYUSERNAME/log' >> /usr/bin/emailrule echo 'if [ ! -d $PROCMAILLOG ]; then' >> /usr/bin/emailrule echo ' mkdir $PROCMAILLOG' >> /usr/bin/emailrule echo ' chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG' >> /usr/bin/emailrule echo 'fi' >> /usr/bin/emailrule echo 'MUTT_MAILBOXES=$(grep "mailboxes =" $MUTTRC)' >> /usr/bin/emailrule echo 'if [[ $MUTT_MAILBOXES != *$MAILINGLIST* ]]; then' >> /usr/bin/emailrule echo ' sed -i "s|$MUTT_MAILBOXES|$MUTT_MAILBOXES =$MAILINGLIST|g" $MUTTRC' >> /usr/bin/emailrule echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/emailrule echo 'fi' >> /usr/bin/emailrule chmod +x /usr/bin/emailrule echo 'folders_for_email_addresses' >> $COMPLETION_FILE } function dynamic_dns_freedns { if grep -Fxq "dynamic_dns_freedns" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/dynamicdns echo '# subdomain name 1' >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns echo '# add any other subdomains below' >> /usr/bin/dynamicdns chmod 600 /usr/bin/dynamicdns chmod +x /usr/bin/dynamicdns if ! grep -q "dynamicdns" /etc/crontab; then sed -i '/# m h dom mon dow user command/a\*/5 * * * * root /usr/bin/timeout 240 /usr/bin/dynamicdns' /etc/crontab fi service cron restart echo 'dynamic_dns_freedns' >> $COMPLETION_FILE } function create_private_mailing_list { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi # This installation doesn't work, results in ruby errors # There is currently no schleuder package for Debian jessie if grep -Fxq "create_private_mailing_list" $COMPLETION_FILE; then return fi if [ ! $PRIVATE_MAILING_LIST ]; then return fi if [ $PRIVATE_MAILING_LIST == $MY_USERNAME ]; then echo 'The name of the private mailing list should not be the' echo 'same as your username' exit 10 fi if [ ! $MY_GPG_PUBLIC_KEY ]; then echo 'To create a private mailing list you need to specify a file' echo 'containing your exported GPG key within MY_GPG_PUBLIC_KEY at' echo 'the top of the script' exit 11 fi apt-get -y --force-yes install ruby ruby-dev ruby-gpgme libgpgme11-dev libmagic-dev gem install schleuder schleuder-fix-gem-dependencies schleuder-init-setup --gem # NOTE: this is version number sensitive and so might need changing ln -s /var/lib/gems/2.1.0/gems/schleuder-2.2.4 /var/lib/schleuder sed -i 's/#smtp_port: 25/smtp_port: 465/g' /etc/schleuder/schleuder.conf sed -i 's/#superadminaddr: root@localhost/superadminaddr: root@localhost' /etc/schleuder/schleuder.conf schleuder-newlist $PRIVATE_MAILING_LIST@$DOMAIN_NAME -realname "$PRIVATE_MAILING_LIST" -adminaddress $MY_USERNAME@$DOMAIN_NAME -initmember $MY_USERNAME@$DOMAIN_NAME -initmemberkey $MY_GPG_PUBLIC_KEY -nointeractive emailrule $MY_USERNAME $PRIVATE_MAILING_LIST@$DOMAIN_NAME $PRIVATE_MAILING_LIST echo 'schleuder:' > /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' debug_print = "R: schleuder for $local_part@$domain"' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' driver = accept' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' local_part_suffix = +* : -bounce : -sendkey' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' domains = +local_domains' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' user = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' group = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' require_files = schleuder:+/var/lib/schleuder/$domain/${local_part}' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' transport = schleuder_transport' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo 'schleuder_transport:' > /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' debug_print = "T: schleuder_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' driver = pipe' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' home_directory = "/var/lib/schleuder/$domain/$local_part"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' command = "/usr/bin/schleuder $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder chown -R schleuder:schleuder /var/lib/schleuder update-exim4.conf.template -r update-exim4.conf service exim4 restart useradd -d /var/schleuderlists -s /bin/false schleuder adduser Debian-exim schleuder usermod -a -G mail schleuder #exim -d -bt $PRIVATE_MAILING_LIST@$DOMAIN_NAME echo 'create_private_mailing_list' >> $COMPLETION_FILE } function import_email { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi EMAIL_COMPLETE_MSG=' *** Freedombone mailbox installation is complete ***' if grep -Fxq "import_email" $COMPLETION_FILE; then if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then echo $EMAIL_COMPLETE_MSG if [ -d /media/usb ]; then umount /media/usb rm -rf /media/usb echo ' You can now remove the USB drive' fi exit 0 fi return fi if [ $IMPORT_MAILDIR ]; then if [ -d $IMPORT_MAILDIR ]; then echo 'Transfering email files' cp -r $IMPORT_MAILDIR /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir else echo "Email import directory $IMPORT_MAILDIR not found" exit 9 fi fi echo 'import_email' >> $COMPLETION_FILE if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then apt-get -y --force-yes autoremove # unmount any attached usb drive echo '' echo $EMAIL_COMPLETE_MSG echo '' if [ -d /media/usb ]; then umount /media/usb rm -rf /media/usb echo ' You can now remove the USB drive' fi exit 0 fi } function install_web_server { if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then return fi if grep -Fxq "install_web_server" $COMPLETION_FILE; then return fi # remove apache apt-get -y remove --purge apache2 if [ -d /etc/apache2 ]; then rm -rf /etc/apache2 fi # install nginx apt-get -y --force-yes install nginx php5-fpm git # install a script to easily enable and disable nginx virtual hosts if [ ! -d $INSTALL_DIR ]; then mkdir $INSTALL_DIR fi cd $INSTALL_DIR git clone https://github.com/perusio/nginx_ensite cd $INSTALL_DIR/nginx_ensite cp nginx_* /usr/sbin nginx_dissite default echo 'install_web_server' >> $COMPLETION_FILE } function configure_php { sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini } function install_owncloud { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi OWNCLOUD_COMPLETION_MSG1=" *** Freedombone $SYSTEM_TYPE is now installed ***" OWNCLOUD_COMPLETION_MSG2="Open $OWNCLOUD_DOMAIN_NAME in a web browser to complete the setup" if grep -Fxq "install_owncloud" $COMPLETION_FILE; then if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then # unmount any attached usb drive if [ -d /media/usb ]; then umount /media/usb rm -rf /media/usb fi echo '' echo $OWNCLOUD_COMPLETION_MSG1 echo $OWNCLOUD_COMPLETION_MSG2 exit 0 fi return fi # if this is exclusively a cloud setup if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then OWNCLOUD_DOMAIN_NAME=$DOMAIN_NAME OWNCLOUD_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $OWNCLOUD_DOMAIN_NAME ]; then return fi if ! [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then if [ ! $SYSTEM_TYPE ]; then return fi fi apt-get -y --force-yes install php5 php5-gd php-xml-parser php5-intl wget apt-get -y --force-yes install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl bzip2 if [ ! -d /var/www/$OWNCLOUD_DOMAIN_NAME ]; then mkdir /var/www/$OWNCLOUD_DOMAIN_NAME mkdir /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs fi echo 'server {' > /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_dhparam /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' ssl_session_timeout 5m;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' client_max_body_size 10G; # set max upload size' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' log_not_found off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ~ ^/(data|config|\.ht|db_structure\.xml|README) {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # The following 2 rules are only needed with webfinger' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/host-meta /public.php?service=host-meta last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' try_files $uri $uri/ index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ~ ^(.+?\.php)(/.*)?$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' try_files $1 =404;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_param SCRIPT_FILENAME $document_root$1;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_param PATH_INFO $2;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_param HTTPS on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # Optional: set long EXPIRES header on static assets' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' expires 30d;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " # Optional: Don't log access to assets" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME configure_php if [ ! -f /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key ]; then makecert $OWNCLOUD_DOMAIN_NAME fi # download owncloud cd $INSTALL_DIR if [ ! -f $INSTALL_DIR/$OWNCLOUD_ARCHIVE ]; then wget $OWNCLOUD_DOWNLOAD fi if [ ! -f $INSTALL_DIR/$OWNCLOUD_ARCHIVE ]; then echo 'Owncloud could not be downloaded. Check that it exists at ' echo $OWNCLOUD_DOWNLOAD echo 'And if neccessary update the version number and hash within this script' exit 18 fi # Check that the hash is correct CHECKSUM=$(sha256sum $OWNCLOUD_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $OWNCLOUD_HASH ]]; then echo 'The sha256 hash of the owncloud download is incorrect. Possibly the file may have been tampered with. Check the hash on the Owncloud web site.' echo $CHECKSUM echo $OWNCLOUD_HASH exit 19 fi tar -xjf $OWNCLOUD_ARCHIVE echo 'Copying files...' cp -r owncloud/* /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/apps chown -R www-data:www-data /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/config chown www-data:www-data /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs nginx_ensite $OWNCLOUD_DOMAIN_NAME service php5-fpm restart service nginx restart # update the dynamic DNS if [[ $OWNCLOUD_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$OWNCLOUD_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $OWNCLOUD_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$OWNCLOUD_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi echo 'install_owncloud' >> $COMPLETION_FILE if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then # unmount any attached usb drive if [ -d /media/usb ]; then umount /media/usb rm -rf /media/usb fi echo '' echo $OWNCLOUD_COMPLETION_MSG1 echo $OWNCLOUD_COMPLETION_MSG2 exit 0 fi } function install_xmpp { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "install_xmpp" $COMPLETION_FILE; then return fi apt-get -y --force-yes install prosody if [ ! -f "/etc/ssl/private/xmpp.key" ]; then makecert xmpp fi chown prosody:prosody /etc/ssl/private/xmpp.key chown prosody:prosody /etc/ssl/certs/xmpp.* cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua sed -i 's|/etc/prosody/certs/example.com.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/conf.avail/xmpp.cfg.lua sed -i 's|/etc/prosody/certs/example.com.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/conf.avail/xmpp.cfg.lua if ! grep -q "xmpp.dhparam" /etc/prosody/conf.avail/xmpp.cfg.lua; then sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/conf.avail/xmpp.cfg.lua fi sed -i "s/example.com/$DOMAIN_NAME/g" /etc/prosody/conf.avail/xmpp.cfg.lua sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/conf.avail/xmpp.cfg.lua if ! grep -q "modules_enabled" /etc/prosody/conf.avail/xmpp.cfg.lua; then echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 'modules_enabled = {' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo ' "bosh"; -- Enable mod_bosh' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo ' "tls"; -- Enable mod_tls' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo ' "saslauth"; -- Enable mod_saslauth' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo '}' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 'c2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 's2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua fi ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua sed -i 's|/etc/prosody/certs/localhost.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/prosody.cfg.lua sed -i 's|/etc/prosody/certs/localhost.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/prosody.cfg.lua if ! grep -q "xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/prosody.cfg.lua fi sed -i 's/c2s_require_encryption = false/c2s_require_encryption = true/g' /etc/prosody/prosody.cfg.lua if ! grep -q "s2s_require_encryption" /etc/prosody/prosody.cfg.lua; then sed -i '/c2s_require_encryption/a\s2s_require_encryption = true' /etc/prosody/prosody.cfg.lua fi if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/prosody.cfg.lua; then echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua fi sed -i 's/--"bosh";/"bosh";/g' /etc/prosody/prosody.cfg.lua sed -i 's/authentication = "internal_plain"/authentication = "internal_hashed"/g' /etc/prosody/prosody.cfg.lua sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/prosody.cfg.lua sed -i 's/example.com/$DOMAIN_NAME/g' /etc/prosody/prosody.cfg.lua service prosody restart touch /home/$MY_USERNAME/README if ! grep -q "Your XMPP password is" /home/$MY_USERNAME/README; then XMPP_PASSWORD=$(openssl rand -base64 8) prosodyctl register $MY_USERNAME $DOMAIN_NAME $XMPP_PASSWORD echo "Your XMPP password is: $XMPP_PASSWORD" >> /home/$MY_USERNAME/README echo 'You can change it with: ' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo " prosodyctl passwd $MY_USERNAME@$DOMAIN_NAME" >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi echo 'install_xmpp' >> $COMPLETION_FILE } function install_irc_server { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "install_irc_server" $COMPLETION_FILE; then return fi apt-get -y --force-yes install ngircd if [ ! "/etc/ssl/private/ngircd.key" ]; then makecert ngircd fi echo '**************************************************' > /etc/ngircd/motd echo '* F R E E D O M B O N E I R C *' >> /etc/ngircd/motd echo '* *' >> /etc/ngircd/motd echo '* Freedom in the Cloud *' >> /etc/ngircd/motd echo '**************************************************' >> /etc/ngircd/motd sed -i 's|MotdFile = /etc/ngircd/ngircd.motd|MotdFile = /etc/ngircd/motd|g' /etc/ngircd/ngircd.conf sed -i "s/irc@irc.example.com/$MY_USERNAME@$DOMAIN_NAME/g" /etc/ngircd/ngircd.conf sed -i "s/irc.example.net/$DOMAIN_NAME/g" /etc/ngircd/ngircd.conf sed -i "s|Yet another IRC Server running on Debian GNU/Linux|IRC Server of $DOMAIN_NAME|g" /etc/ngircd/ngircd.conf sed -i 's/;Password = wealllikedebian/Password =/g' /etc/ngircd/ngircd.conf sed -i 's|;CertFile = /etc/ssl/certs/server.crt|CertFile = /etc/ssl/certs/ngircd.crt|g' /etc/ngircd/ngircd.conf sed -i 's|;DHFile = /etc/ngircd/dhparams.pem|DHFile = /etc/ssl/certs/ngircd.dhparam|g' /etc/ngircd/ngircd.conf sed -i 's|;KeyFile = /etc/ssl/private/server.key|KeyFile = /etc/ssl/private/ngircd.key|g' /etc/ngircd/ngircd.conf sed -i 's/;Ports = 6697, 9999/Ports = 6697, 9999/g' /etc/ngircd/ngircd.conf sed -i 's/;Name = #ngircd/Name = #freedombone/g' /etc/ngircd/ngircd.conf sed -i 's/;Topic = Our ngircd testing channel/Topic = Freedombone chat channel/g' /etc/ngircd/ngircd.conf sed -i 's/;MaxUsers = 23/MaxUsers = 23/g' /etc/ngircd/ngircd.conf sed -i 's|;KeyFile = /etc/ngircd/#chan.key|KeyFile = /etc/ngircd/#freedombone.key|g' /etc/ngircd/ngircd.conf sed -i 's/;CloakHost = cloaked.host/CloakHost = cloaked.host/g' /etc/ngircd/ngircd.conf IRC_SALT=$(openssl rand -base64 32) IRC_OPERATOR_PASSWORD=$(openssl rand -base64 8) sed -i "s|;CloakHostSalt = abcdefghijklmnopqrstuvwxyz|CloakHostSalt = $IRC_SALT|g" /etc/ngircd/ngircd.conf sed -i 's/;ConnectIPv4 = yes/ConnectIPv4 = yes/g' /etc/ngircd/ngircd.conf sed -i 's/;MorePrivacy = no/MorePrivacy = yes/g' /etc/ngircd/ngircd.conf sed -i 's/;RequireAuthPing = no/RequireAuthPing = no/g' /etc/ngircd/ngircd.conf sed -i "s/;Name = TheOper/Name = $MY_USERNAME/g" /etc/ngircd/ngircd.conf sed -i "s/;Password = ThePwd/Password = $IRC_OPERATOR_PASSWORD/g" /etc/ngircd/ngircd.conf service ngircd restart echo 'install_irc_server' >> $COMPLETION_FILE } function install_wiki { if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "install_wiki" $COMPLETION_FILE; then return fi # if this is exclusively a writer setup if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then WIKI_DOMAIN_NAME=$DOMAIN_NAME WIKI_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $WIKI_DOMAIN_NAME ]; then return fi if ! [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then if [ ! $SYSTEM_TYPE ]; then return fi fi apt-get -y --force-yes install php5 php5-gd php-xml-parser php5-intl wget apt-get -y --force-yes install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl bzip2 if [ ! -d /var/www/$WIKI_DOMAIN_NAME ]; then mkdir /var/www/$WIKI_DOMAIN_NAME fi if [ ! -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then mkdir /var/www/$WIKI_DOMAIN_NAME/htdocs fi if [ ! -f /etc/ssl/private/$WIKI_DOMAIN_NAME.key ]; then makecert $WIKI_DOMAIN_NAME fi # download the archive cd $INSTALL_DIR if [ ! -f $INSTALL_DIR/$WIKI_ARCHIVE ]; then wget $WIKI_DOWNLOAD fi if [ ! -f $INSTALL_DIR/$WIKI_ARCHIVE ]; then echo 'Dokuwiki could not be downloaded. Check that it exists at ' echo $WIKI_DOWNLOAD echo 'And if neccessary update the version number and hash within this script' exit 18 fi # Check that the hash is correct CHECKSUM=$(sha256sum $WIKI_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_HASH ]]; then echo 'The sha256 hash of the Dokuwiki download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki web site.' echo $CHECKSUM echo $WIKI_HASH exit 21 fi tar -xzvf $WIKI_ARCHIVE cd dokuwiki-* mv * /var/www/$WIKI_DOMAIN_NAME/htdocs/ chmod -R 755 /var/www/$WIKI_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$WIKI_DOMAIN_NAME/htdocs if ! grep -q "video/ogg" /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf; then echo 'ogv video/ogg' >> /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf echo 'mp4 video/mp4' >> /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf echo 'webm video/webm' >> /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf fi echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " error_log /var/www/$WIKI_DOMAIN_NAME/error.log;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # Uncomment this if you need to redirect HTTP to HTTPS' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' #rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " error_log /var/www/$WIKI_DOMAIN_NAME/error_ssl.log;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_dhparam /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl_session_timeout 5m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME configure_php nginx_ensite $WIKI_DOMAIN_NAME service php5-fpm restart service nginx restart # update the dynamic DNS if [[ $WIKI_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$WIKI_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $WIKI_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$WIKI_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi # add some post-install instructions if ! grep -q "Once you have set up the wiki" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo 'Once you have set up the wiki then remove the install file:' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo " rm /var/www/$WIKI_DOMAIN_NAME/htdocs/install.php" >> /home/$MY_USERNAME/README fi echo 'install_wiki' >> $COMPLETION_FILE } function install_blog { if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi if grep -Fxq "install_blog" $COMPLETION_FILE; then return fi # if this is exclusively a writer setup if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then WIKI_DOMAIN_NAME=$DOMAIN_NAME WIKI_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $WIKI_DOMAIN_NAME ]; then return fi apt-get -y --force-yes install unzip # download mnml-blog cd $INSTALL_DIR rm -f latest wget $WIKI_MNML_BLOG_ADDON if [ ! -f "$INSTALL_DIR/latest" ]; then echo 'Dokuwiki mnml-blog addon could not be downloaded. Check the Dokuwiki web site and alter WIKI_MNML_BLOG_ADDON at the top of this script as needed.' exit 21 fi mv latest $WIKI_MNML_BLOG_ADDON_ARCHIVE # Check that the mnml-blog download hash is correct CHECKSUM=$(sha256sum $WIKI_MNML_BLOG_ADDON_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_MNML_BLOG_ADDON_HASH ]]; then echo 'The sha256 hash of the mnml-blog download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki mnmlblog web site and alter WIKI_MNML_BLOG_ADDON_HASH if needed.' echo $CHECKSUM echo $WIKI_MNML_BLOG_ADDON_HASH exit 22 fi # download blogTNG wget $WIKI_BLOGTNG_ADDON if [ ! -f "$INSTALL_DIR/master" ]; then echo 'Dokuwiki blogTNG addon could not be downloaded. Check the Dokuwiki web site and alter WIKI_BLOGTNG_ADDON at the top of this script as needed.' exit 23 fi mv master $WIKI_BLOGTNG_ADDON_ARCHIVE # Check that the blogTNG hash is correct CHECKSUM=$(sha256sum $WIKI_BLOGTNG_ADDON_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_BLOGTNG_ADDON_HASH ]]; then echo 'The sha256 hash of the blogTNG download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki blogTNG web site and alter WIKI_BLOGTNG_ADDON_HASH if needed.' echo $CHECKSUM echo $WIKI_BLOGTNG_ADDON_HASH exit 24 fi # download dokuwiki sqlite plugin wget $WIKI_SQLITE_ADDON if [ ! -f "$INSTALL_DIR/master" ]; then echo 'Dokuwiki sqlite addon could not be downloaded. Check the Dokuwiki web site and alter WIKI_SQLITE_ADDON at the top of this script as needed.' exit 25 fi mv master $WIKI_SQLITE_ADDON_ARCHIVE # Check that the sqlite plugin hash is correct CHECKSUM=$(sha256sum $WIKI_SQLITE_ADDON_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_SQLITE_ADDON_HASH ]]; then echo 'The sha256 hash of the Dokuwiki sqlite download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki sqlite plugin web site and alter WIKI_SQLITE_ADDON_HASH if needed.' echo $CHECKSUM echo $WIKI_SQLITE_ADDON_HASH exit 26 fi # install dokuwiki sqlite plugin tar -xzvf $WIKI_SQLITE_ADDON_ARCHIVE if [ -d "$INSTALL_DIR/sqlite" ]; then rm -rf $INSTALL_DIR/sqlite fi mv $WIKI_SQLITE_ADDON_NAME sqlite cp -r sqlite /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/ # install blogTNG if [ -d "$INSTALL_DIR/$WIKI_BLOGTNG_ADDON_NAME" ]; then rm -rf $INSTALL_DIR/$WIKI_BLOGTNG_ADDON_NAME fi unzip $WIKI_BLOGTNG_ADDON_ARCHIVE if [ -d "$INSTALL_DIR/blogtng" ]; then rm -rf $INSTALL_DIR/blogtng fi mv $WIKI_BLOGTNG_ADDON_NAME blogtng cp -r blogtng /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/ # install mnml-blog tar -xzvf $WIKI_MNML_BLOG_ADDON_ARCHIVE cp -r mnml-blog /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/tpl cp -r /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/tpl/mnml-blog/blogtng-tpl/* /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/blogtng/tpl/default/ # make a "freedombone" template so that if the default template gets # changed after an upgrade to blogTNG this doesn't necessarily change the appearance cp -r /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/blogtng/tpl/default /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/blogtng/tpl/freedombone if ! grep -q "To set up your blog" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo "To set up your blog go to" >> /home/$MY_USERNAME/README echo "https://$WIKI_DOMAIN_NAME/doku.php?id=start&do=admin&page=config" >> /home/$MY_USERNAME/README echo 'and set the template to mnml-blog' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'To edit things on the right hand sidebar (links, blogroll, etc) go to' >> /home/$MY_USERNAME/README echo "https://$WIKI_DOMAIN_NAME/doku.php?id=wiki:navigation_sidebar" >> /home/$MY_USERNAME/README echo 'and edit the page' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'To edit things to a header bar (home, contacts, etc) go to' >> /home/$MY_USERNAME/README echo "https://$WIKI_DOMAIN_NAME/doku.php?id=wiki:navigation_header" >> /home/$MY_USERNAME/README echo 'and select the "create this page" at the bottom.' >> /home/$MY_USERNAME/README echo 'You can then add somethething like:' >> /home/$MY_USERNAME/README echo ' * [[:start|Home]]' >> /home/$MY_USERNAME/README echo ' * [[:wiki|Wiki]]' >> /home/$MY_USERNAME/README echo ' * [[:contact|Contact]]' >> /home/$MY_USERNAME/README echo "Go to https://$WIKI_DOMAIN_NAME/doku.php?id=start&do=admin&page=config" >> /home/$MY_USERNAME/README echo 'and check "Show header navigation" to ensure that the header shows' >> /home/$MY_USERNAME/README fi echo 'install_blog' >> $COMPLETION_FILE } function get_mariadb_password { if [ -f /home/$MY_USERNAME/README ]; then if grep -q "MariaDB password" /home/$MY_USERNAME/README; then MARIADB_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB password" | awk -F ':' '{print $2}' | sed 's/^ *//') fi fi } function get_mariadb_gnusocial_admin_password { if [ -f /home/$MY_USERNAME/README ]; then if grep -q "MariaDB gnusocial admin password" /home/$MY_USERNAME/README; then MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB gnusocial admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') fi fi } function install_mariadb { if grep -Fxq "install_mariadb" $COMPLETION_FILE; then return fi apt-get -y --force-yes install python-software-properties debconf-utils apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db add-apt-repository 'deb http://mariadb.biz.net.id//repo/10.1/debian sid main' apt-get -y --force-yes install software-properties-common apt-get -y update get_mariadb_password if [ ! $MARIADB_PASSWORD ]; then MARIADB_PASSWORD=$(openssl rand -base64 32) echo '' >> /home/$MY_USERNAME/README echo "Your MariaDB password is: $MARIADB_PASSWORD" >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD" debconf-set-selections <<< "mariadb-server mariadb-server/root_password_again password $MARIADB_PASSWORD" apt-get -y --force-yes install mariadb-server mysqladmin -u root password "$MARIADB_PASSWORD" echo 'install_mariadb' >> $COMPLETION_FILE } function install_gnu_social { if grep -Fxq "install_gnu_social" $COMPLETION_FILE; then return fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then return fi if [ ! $MICROBLOG_DOMAIN_NAME ]; then return fi install_mariadb get_mariadb_password apt-get -y --force-yes install php-gettext php5-curl php5-gd php5-mysql git if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME ]; then mkdir /var/www/$MICROBLOG_DOMAIN_NAME fi if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then mkdir /var/www/$MICROBLOG_DOMAIN_NAME/htdocs fi if [ ! -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/index.php ]; then cd $INSTALL_DIR git clone $MICROBLOG_REPO gnusocial rm -rf /var/www/$MICROBLOG_DOMAIN_NAME/htdocs mv gnusocial /var/www/$MICROBLOG_DOMAIN_NAME/htdocs chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs chown www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/avatar chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/background chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/file chmod +x /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php fi get_mariadb_gnusocial_admin_password if [ ! $MICROBLOG_ADMIN_PASSWORD ]; then MICROBLOG_ADMIN_PASSWORD=$(openssl rand -base64 32) echo '' >> /home/$MY_USERNAME/README echo "Your MariaDB gnusocial admin password is: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi echo "create database gnusocial; CREATE USER 'gnusocialadmin'@'localhost' IDENTIFIED BY '$MICROBLOG_ADMIN_PASSWORD'; GRANT ALL PRIVILEGES ON gnusocial.* TO 'gnusocialadmin'@'localhost'; quit" > $INSTALL_DIR/batch.sql chmod 600 $INSTALL_DIR/batch.sql mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql shred -zu $INSTALL_DIR/batch.sql if [ ! -f "/etc/aliases" ]; then touch /etc/aliases fi if grep -q "www-data: root" /etc/aliases; then echo 'www-data: root' >> /etc/aliases fi if grep -q "/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" /etc/aliases; then echo "*: /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" >> /etc/aliases fi newaliases # update the dynamic DNS if [[ $MICROBLOG_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$MICROBLOG_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $MICROBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$MICROBLOG_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi echo 'server {' > /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " error_log /var/www/$MICROBLOG_DOMAIN_NAME/error.log;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " error_log /var/www/$MICROBLOG_DOMAIN_NAME/error_ssl.log;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' charset utf-8;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' client_max_body_size 20m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_certificate /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_certificate_key /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_dhparam /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl_session_timeout 5m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=15768000;";' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' expires 30d;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # block these file types' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # or a unix socket' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~ /\. {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME configure_php if [ ! -f /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key ]; then makecert $MICROBLOG_DOMAIN_NAME fi nginx_ensite $MICROBLOG_DOMAIN_NAME service php5-fpm restart service nginx restart # some post-install instructions for the user if ! grep -q "To set up your microblog" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo "To set up your microblog go to" >> /home/$MY_USERNAME/README echo "https://$MICROBLOG_DOMAIN_NAME/install.php" >> /home/$MY_USERNAME/README echo 'and enter the following settings:' >> /home/$MY_USERNAME/README echo ' - Set a name for the site' >> /home/$MY_USERNAME/README echo ' - Server SSL: enable' >> /home/$MY_USERNAME/README echo ' - Hostname: localhost' >> /home/$MY_USERNAME/README echo ' - Type: MySql' >> /home/$MY_USERNAME/README echo ' - Name: gnusocial' >> /home/$MY_USERNAME/README echo ' - DB username: gnusocialadmin' >> /home/$MY_USERNAME/README echo " - DB Password; $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README echo " - Administrator nickname: $MY_USERNAME" >> /home/$MY_USERNAME/README echo " - Administrator password: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README echo ' - Subscribe to announcements: ticked' >> /home/$MY_USERNAME/README echo ' - Site profile: Community' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo "Navigate to https://$MICROBLOG_DOMAIN_NAME and you can then " >> /home/$MY_USERNAME/README echo 'complete the configuration via the *Admin* section on the header' >> /home/$MY_USERNAME/README echo 'bar. Some recommended admin settings are:' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Under the *Site* settings:' >> /home/$MY_USERNAME/README echo ' Text limit: 140' >> /home/$MY_USERNAME/README echo ' Dupe Limit: 60000' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Under the *User* settings:' >> /home/$MY_USERNAME/README echo ' Bio limit: 1000' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Under the *Access* settings:' >> /home/$MY_USERNAME/README echo ' /Invite only/ ticked' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README fi echo 'install_gnu_social' >> $COMPLETION_FILE } function install_redmatrix { if grep -Fxq "install_redmatrix" $COMPLETION_FILE; then return fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then return fi # if this is exclusively a writer setup if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then REDMATRIX_DOMAIN_NAME=$DOMAIN_NAME REDMATRIX_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi install_mariadb apt-get -y --force-yes install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git if [ ! -d /var/www/$REDMATRIX_DOMAIN_NAME ]; then mkdir /var/www/$REDMATRIX_DOMAIN_NAME fi if [ ! -d /var/www/$REDMATRIX_DOMAIN_NAME/htdocs ]; then mkdir /var/www/$REDMATRIX_DOMAIN_NAME/htdocs fi cd $INSTALL_DIR # update the dynamic DNS if [[ $REDMATRIX_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$REDMATRIX_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $REDMATRIX_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$REDMATRIX_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi echo 'install_redmatrix' >> $COMPLETION_FILE } function install_final { if grep -Fxq "install_final" $COMPLETION_FILE; then return fi # unmount any attached usb drive if [ -d /media/usb ]; then umount /media/usb rm -rf /media/usb fi apt-get -y --force-yes autoremove echo 'install_final' >> $COMPLETION_FILE echo '' echo ' *** Freedombone installation is complete. Rebooting... ***' echo '' if [ -f "/home/$MY_USERNAME/README" ]; then echo "See /home/$MY_USERNAME/README for post-installation instructions." echo '' fi reboot } argument_checks configure_firewall configure_firewall_for_ssh configure_firewall_for_dns configure_firewall_for_ftp configure_firewall_for_web_access remove_proprietary_repos change_debian_repos enable_backports configure_dns initial_setup install_editor change_login_message update_the_kernel enable_zram random_number_generator set_your_domain_name time_synchronisation configure_internet_protocol configure_ssh search_for_attached_usb_drive regenerate_ssh_keys script_to_make_self_signed_certificates configure_email #spam_filtering configure_imap configure_gpg email_client configure_firewall_for_email folders_for_mailing_lists folders_for_email_addresses dynamic_dns_freedns #create_private_mailing_list import_email install_web_server configure_firewall_for_web_server install_owncloud install_xmpp configure_firewall_for_xmpp install_irc_server configure_firewall_for_irc install_wiki install_blog install_gnu_social install_redmatrix install_final echo 'Freedombone installation is complete' exit 0