freedomboneeee/src/freedombone-app-xmpp

1272 lines
49 KiB
Bash
Executable File

#!/bin/bash
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
# Freedom in the Cloud
#
# XMPP functions
#
# The two directories for prosody modules seem necessary.
# Trying to remove /usr/lib/prosody/modules causes problems, and that's
# part of the package install.
#
# License
# =======
#
# Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
VARIANTS='full full-vim chat'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1
# Directory where XMPP settings are stored
XMPP_DIRECTORY="/var/lib/prosody"
XMPP_PASSWORD=
XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"'
XMPP_ECC_CURVE='"secp384r1"'
prosody_latest_version='0.10'
prosody_nightly=485
prosody_nightly_hash='1b1b6a0daf9fdd3a88c8762751f01f561714c0bd5d907af631d7d036c9e19d39'
prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
# From https://hg.prosody.im/prosody-modules
prosody_modules_filename='prosody-modules-20180602.tar.gz'
prosody_modules_hash='c8ea99a3c9ed25e6471cd7de991a58715f1478e3bf3c5866b9f34a9ef8a863dd'
xmpp_encryption_warning=$"For security reasons, OMEMO or PGP encryption is required for conversations on this server."
XMPP_SHORT_DESCRIPTION=$'Chat system'
XMPP_DESCRIPTION=$'Chat system'
XMPP_MOBILE_APP_URL='https://f-droid.org/packages/eu.siacs.conversations'
xmpp_variables=(ONION_ONLY
INSTALLED_WITHIN_DOCKER
XMPP_CIPHERS
XMPP_ECC_CURVE
XMPP_ECC_CURVE
MY_USERNAME
MY_EMAIL_ADDRESS
DEFAULT_DOMAIN_NAME
XMPP_DOMAIN_CODE)
function xmpp_update_e2e_policy {
filename="$1"
read_config_param DEFAULT_DOMAIN_NAME
read_config_param ONION_ONLY
if ! grep -q "e2e_policy_muc" "$filename"; then
echo "e2e_policy_muc = \"none\"" >> "$filename"
else
sed -i 's|e2e_policy_muc.*|e2e_policy_muc = "none"|g' "$filename"
fi
if ! grep -q "e2e_policy_chat" "$filename"; then
echo "e2e_policy_chat = \"required\"" >> "$filename"
else
sed -i 's|e2e_policy_chat.*|e2e_policy_chat = "required"|g' "$filename"
fi
if ! grep -q "e2e_policy_message_required_chat" "$filename"; then
echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"" >> "$filename"
else
sed -i "s|e2e_policy_message_required_chat.*|e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"|g" "$filename"
fi
if [[ "$ONION_ONLY" != 'no' ]]; then
XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
sed -i "s|VirtualHost \".*.onion.*|VirtualHost \"${XMPP_ONION_HOSTNAME}\"|g" "$filename"
# TLS is not strictly needed for onion transport security
sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' "$filename"
sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' "$filename"
fi
}
function logging_on_xmpp {
if [ -d /etc/prosody ]; then
if [ ! -d /var/log/prosody ]; then
mkdir /var/log/prosody
chown root:adm /var/log/prosody
fi
if ! grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then
sed -i 's|info = "/dev/null";|info = "/var/log/prosody/prosody.log";|g' /etc/prosody/prosody.cfg.lua
sed -i 's|error = "/dev/null";|error = "/var/log/prosody/prosody.err";|g' /etc/prosody/prosody.cfg.lua
sed -i 's|levels = { "error" }; to = "/dev/null";|levels = { "error" }; to = "syslog";|g' /etc/prosody/prosody.cfg.lua
fi
fi
}
function logging_off_xmpp {
if [ -d /etc/prosody ]; then
if grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then
sed -i 's|info = "/var/log/prosody/prosody.log";|info = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
sed -i 's|error = "/var/log/prosody/prosody.err";|error = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
sed -i 's|levels = { "error" }; to = "syslog";|levels = { "error" }; to = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
$REMOVE_FILES_COMMAND /var/log/prosody/*
rm -rf /var/log/prosody
fi
fi
}
function xmpp_add_onion_address {
domain_name="$1"
onion_address="$2"
if [ ${#domain_name} -eq 0 ]; then
return
fi
if [ ${#onion_address} -eq 0 ]; then
return
fi
if ! grep "${onion_address}" /etc/prosody/prosody.cfg.lua; then
if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then
sed -i "s|[\"${domain_name}\"].*|[\"${domain_name}\"] = \"${onion_address}\";|g" /etc/prosody/prosody.cfg.lua
else
sed -i "/onions_map = {/a [\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua
fi
systemctl restart prosody
fi
}
function xmpp_add_onion_address_interactive {
data=$(mktemp 2>/dev/null)
dialog --backtitle $"Freedombone Control Panel" \
--title $"Add an ICANN to Onion domain mapping" \
--form $"Sepecify an ICANN domain name and its equivalent onion address\\n" 9 50 2 \
$"Domain:" 1 1 "" 1 18 26 25 \
$"Onion address:" 2 1 "" 2 18 26 25 \
2> "$data"
sel=$?
case $sel in
1) rm -f "$data"
return;;
255) rm -f "$data"
return;;
esac
domain_name=$(sed -n 1p < "$data")
onion_address=$(sed -n 2p < "$data")
rm -f "$data"
if [[ "$onion_address" != *".onion" ]]; then
return
fi
if [[ "$domain_name" != *"."* ]]; then
return
fi
xmpp_add_onion_address "$domain_name" "$onion_address"
dialog --title $"Add an ICANN to Onion domain mapping" \
--msgbox $"${domain_name} -> ${onion_address} added" 6 70
}
function xmpp_remove_onion_address {
domain_name="$1"
if [ ${#domain_name} -eq 0 ]; then
return
fi
xmpp_changed=
if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then
sed -i "/[\"${domain_name}\"]/d" /etc/prosody/prosody.cfg.lua
xmpp_changed=1
fi
if grep -q "= \"${domain_name}\";" /etc/prosody/prosody.cfg.lua; then
sed -i "/= \"${domain_name}\";/d" /etc/prosody/prosody.cfg.lua
xmpp_changed=1
fi
if [ $xmpp_changed ]; then
systemctl restart prosody
fi
}
function xmpp_remove_onion_address_interactive {
data=$(mktemp 2>/dev/null)
dialog --title $"Remove ICANN to Onion domain mapping" \
--backtitle $"Freedombone Control Panel" \
--inputbox $'Enter the domain name or onion address to be removed' 8 60 2>"$data"
sel=$?
case $sel in
0) domain_name=$(<"$data")
if [[ "$domain_name" != *"."* ]]; then
rm -f "$data"
return
fi
xmpp_remove_onion_address "$domain_name"
dialog --title $"Remove an ICANN to Onion domain mapping" \
--msgbox $"${domain_name} removed" 6 70
;;
esac
rm -f "$data"
}
function configure_interactive_xmpp {
W=(1 $"Add an ICANN to onion domain mapping"
2 $"Remove an ICANN to onion domain mapping")
while true
do
# shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"XMPP" --menu $"Choose an operation, or ESC to exit:" 10 60 2 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then
break
fi
case $selection in
1) xmpp_add_onion_address_interactive;;
2) xmpp_remove_onion_address_interactive;;
esac
done
}
function remove_user_xmpp {
remove_username="$1"
"${PROJECT_NAME}-pass" -u "$remove_username" --rmapp xmpp
if [[ "$ONION_ONLY" != "no" ]]; then
DOMAIN=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
else
DOMAIN=${HOSTNAME}
fi
prosodyctl deluser "${remove_username}@${DOMAIN}"
}
function add_user_xmpp_client {
new_username="$1"
new_user_password="$2"
if [ -f /usr/local/bin/profanity ]; then
XMPP_CLIENT_DIR=/home/$new_username/.local/share/profanity
XMPP_CLIENT_ACCOUNTS=$XMPP_CLIENT_DIR/accounts
if [ ! -d "$XMPP_CLIENT_DIR" ]; then
mkdir -p "$XMPP_CLIENT_DIR"
fi
if [ ! -d "/home/$new_username/.config/profanity" ]; then
mkdir -p "/home/$new_username/.config/profanity"
fi
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$new_username" "$new_username@$HOSTNAME")
{ echo "[${new_username}@${HOSTNAME}]";
echo 'enabled=true';
echo "jid=${new_username}@${HOSTNAME}";
echo "server=$XMPP_ONION_HOSTNAME";
echo "pgp.keyid=$MY_GPG_PUBLIC_KEY_ID";
echo 'resource=profanity';
echo "muc.service=conference.${HOSTNAME}";
echo "muc.nick=${new_username}";
echo 'presence.last=online';
echo 'presence.login=online';
echo 'priority.online=0';
echo 'priority.chat=0';
echo 'priority.away=0';
echo 'priority.xa=0';
echo 'priority.dnd=0'; } > "$XMPP_CLIENT_ACCOUNTS"
echo '[connection]' > "/home/$new_username/.config/profanity/profrc"
if [[ $ONION_ONLY != "no" ]]; then
echo "account=${new_username}@${XMPP_ONION_HOSTNAME}" >> "/home/$new_username/.config/profanity/profrc"
else
echo "account=${new_username}@${HOSTNAME}" >> "/home/$new_username/.config/profanity/profrc"
fi
{ echo '';
echo '[plugins]';
echo 'load=prof_omemo_plugin.py;';
echo '';
echo '[otr]';
echo 'policy=opportunistic';
echo 'log=off';
echo '';
echo '[pgp]';
echo 'log=off';
echo '';
echo '[ui]';
echo 'enc.warn=true'; } >> "/home/$new_username/.config/profanity/profrc"
chown -R "$new_username":"$new_username" "/home/$new_username/.local"
chown -R "$new_username":"$new_username" "/home/$new_username/.config"
fi
}
function add_user_xmpp {
new_username="$1"
new_user_password="$2"
XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
"${PROJECT_NAME}-pass" -u "$new_username" -a xmpp -p "$new_user_password"
if [[ "$ONION_ONLY" != "no" ]]; then
DOMAIN_NAME=$XMPP_ONION_HOSTNAME
else
DOMAIN_NAME=$HOSTNAME
fi
EMAIL_ADDRESS="$new_username@$DOMAIN_NAME"
if [ ${#new_user_password} -eq 0 ]; then
prosodyctl adduser "$EMAIL_ADDRESS"
else
if ! prosodyctl register "$new_username" "$DOMAIN_NAME" "$new_user_password"; then
exit 653456375
fi
fi
# add the xmpp address to email headers
if [ -f "/home/$new_username/.muttrc" ]; then
if ! grep -q "Jabber-ID" "/home/$new_username/.muttrc"; then
echo "my_hdr Jabber-ID: $EMAIL_ADDRESS" >> "/home/$new_username/.muttrc"
else
sed -i "s|my_hdr Jabber-ID.*|my_hdr Jabber-ID: $EMAIL_ADDRESS|g" "/home/$new_username/.muttrc"
fi
fi
add_user_xmpp_client "$new_username" "$new_user_password"
echo '0'
}
function install_interactive_xmpp {
echo -n ''
APP_INSTALLED=1
}
function change_password_xmpp {
curr_username="$1"
new_user_password="$2"
read_config_param DEFAULT_DOMAIN_NAME
"${PROJECT_NAME}-pass" -u "$curr_username" -a xmpp -p "$new_user_password"
# TODO: this is currently interactive. Really there needs to be a
# non-interactive password change option for prosodyctl
clear
echo ''
echo $'Currently Prosody requires password changes to be done interactively'
prosodyctl passwd "${curr_username}@${DEFAULT_DOMAIN_NAME}"
if [ -f /usr/local/bin/profanity ]; then
XMPP_CLIENT_DIR=/home/$curr_username/.local/share/profanity
XMPP_CLIENT_ACCOUNTS=$XMPP_CLIENT_DIR/accounts
if [ -f "$XMPP_CLIENT_ACCOUNTS" ]; then
sed -i "s|password=.*|password=$new_user_password|g" "$XMPP_CLIENT_ACCOUNTS"
fi
fi
}
function reconfigure_xmpp {
echo -n ''
}
function update_prosody_modules {
if [ ! "$1" ]; then
if [ ! -d /var/lib/prosody/prosody-modules ]; then
return
fi
fi
if [ ! -d /usr/lib/prosody ]; then
return
fi
if [ ! -f "$INSTALL_DIR/$prosody_modules_filename" ]; then
# Obtain the modules
if [ -f "$HOME/${PROJECT_NAME}/image_build/$prosody_modules_filename" ]; then
cp "$HOME/${PROJECT_NAME}/image_build/$prosody_modules_filename" "$INSTALL_DIR"
else
if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/$prosody_modules_filename" ]; then
cp "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/$prosody_modules_filename" "$INSTALL_DIR"
fi
fi
if [ -f "$INSTALL_DIR/$prosody_modules_filename" ]; then
cd "$INSTALL_DIR" || exit 246824684
# Check the hash
curr_hash=$(sha256sum "$INSTALL_DIR/$prosody_modules_filename" | awk -F ' ' '{print $1}')
if [[ "$curr_hash" != "$prosody_modules_hash" ]]; then
echo $'Prosody modules hash does not match'
exit 83562
else
# Extract the modules
if [ -d "$INSTALL_DIR/prosody-modules" ]; then
rm -rf "$INSTALL_DIR/prosody-modules"
fi
tar -xzvf $prosody_modules_filename
if [ -d "$INSTALL_DIR/prosody-modules" ]; then
systemctl stop prosody
if [ ! -d /var/lib/prosody/prosody-modules ]; then
mkdir -p /var/lib/prosody/prosody-modules
fi
cp -r "$INSTALL_DIR/prosody-modules/"* /var/lib/prosody/prosody-modules/
cp -r "$INSTALL_DIR/prosody-modules/"* /usr/lib/prosody/modules/
chown -R prosody:prosody /var/lib/prosody/prosody-modules
chown -R prosody:prosody /usr/lib/prosody/modules
systemctl start prosody
else
echo $'Prosody modules not extracted'
exit 72524
fi
fi
fi
fi
if ! grep -q '"vcard"' /etc/prosody/prosody.cfg.lua; then
systemctl stop prosody
sed -i '/"pep"/a "vcard";' /etc/prosody/prosody.cfg.lua
systemctl start prosody
fi
if ! grep -q "omemo_all_access" /etc/prosody/prosody.cfg.lua; then
sed -i '/"pep";/a "omemo_all_access"; -- Fix for PEP with OMEMO' /etc/prosody/prosody.cfg.lua
sed -i 's|"omemo_all_access";| "omemo_all_access";|g' /etc/prosody/prosody.cfg.lua
fi
if ! grep -q "omemo_all_access" /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/"pep";/a "omemo_all_access"; -- Fix for PEP with OMEMO' /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's|"omemo_all_access";| "omemo_all_access";|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q "block_strangers" /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/"pep";/a "block_strangers"; -- Dont allow messages from strangers' /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's|"block_strangers";| "block_strangers";|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q "block_strangers" /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/"pep";/a "block_strangers"; -- Dont allow messages from strangers' /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's|"block_strangers";| "block_strangers";|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
}
function prosody_daemon_restart_script {
# On rare occasions the daemon appears to get stuck
# i.e. still active, but not accepting connections
# This ensures that it will unstick itself at least once per day
if [ -f /etc/cron.daily/prosody ]; then
rm /etc/cron.daily/prosody
fi
if [ ! -f /etc/cron.hourly/prosody ]; then
{ echo '#!/bin/bash';
echo "is_active=\$(systemctl is-active prosody)";
echo "if [[ \"\$is_active\" != 'active' ]]; then";
echo ' systemctl restart prosody'
echo 'fi'; } > /etc/cron.hourly/prosody
chmod +x /etc/cron.hourly/prosody
fi
}
function upgrade_xmpp {
if [ -d /etc/letsencrypt ]; then
prosody_groups=$(groups prosody)
if [[ "$prosody_groups" != *'ssl-cert'* ]]; then
usermod -a -G ssl-cert prosody
fi
fi
xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
xmpp_update_e2e_policy /etc/prosody/prosody.cfg.lua
prosody_daemon_restart_script
function_check update_prosody_modules
update_prosody_modules
xmpp_onion_addresses /etc/prosody/prosody.cfg.lua
xmpp_contact_info /etc/prosody/prosody.cfg.lua
if grep -q "/etc/ssl/certs/xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then
cp /etc/ssl/certs/xmpp.dhparam /etc/prosody/xmpp.dhparam
chown prosody:prosody /etc/prosody/xmpp.dhparam
sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/prosody.cfg.lua
sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if grep -q "/etc/ssl/private/xmpp.key" /etc/prosody/prosody.cfg.lua; then
if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" ]; then
sed -i "s|/etc/ssl/private/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua
fi
fi
if grep -q "/etc/ssl/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then
if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then
sed -i "s|/etc/ssl/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua
fi
fi
curr_prosody_filename=$(grep "prosody_filename" "$COMPLETION_FILE" | awk -F ':' '{print $2}')
if [[ "$curr_prosody_filename" != "$prosody_filename" ]]; then
if [ -d "${INSTALL_DIR}/${prosody_filename}" ]; then
# ensure that the binaries have not been overwritten
# by an operating system upgrade
cd "${INSTALL_DIR}/${prosody_filename}" || exit 462846284
make prefix=/usr install
else
cd "$INSTALL_DIR" || exit 23681468
# Try to get the source from the project repo
if [ -f "/root/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" ]; then
cp "/root/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" .
else
if [ -f "/home/${MY_USERNAME}/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" ]; then
cp "/home/${MY_USERNAME}/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" .
else
wget $prosody_nightly_url
fi
fi
if [ ! -f "${INSTALL_DIR}/${prosody_filename}.tar.gz" ]; then
echo $"Failed to download prosody nightly $prosody_nightly_url"
return
fi
hash_value=$(sha256sum "${INSTALL_DIR}/${prosody_filename}.tar.gz" | awk -F ' ' '{print $1}')
if [[ "$hash_value" != "$prosody_nightly_hash" ]]; then
rm "${INSTALL_DIR}/${prosody_filename}.tar.gz"
echo $'Unexpected hash value for prosody nightly download'
return
fi
tar -xzvf "${INSTALL_DIR}/${prosody_filename}.tar.gz"
cd "${INSTALL_DIR}/${prosody_filename}" || exit 246872468246
./configure --ostype=debian --prefix=/usr
make prefix=/usr
make prefix=/usr install
if [ -f /usr/local/bin/prosody ]; then
echo $'Failed to build prosody nightly to /usr/bin'
rm "${INSTALL_DIR}/${prosody_filename}.tar.gz"
rm -rf "${INSTALL_DIR:?}/${prosody_filename}"
return
fi
rm "${INSTALL_DIR:?}/${prosody_filename}.tar.gz"
fi
# add onion addresses for known servers
if ! grep -q "onions_map =" /etc/prosody/prosody.cfg.lua; then
echo '' >> /etc/prosody/prosody.cfg.lua
xmpp_onion_addresses /etc/prosody/prosody.cfg.lua
fi
set_completion_param "prosody_filename" "${prosody_filename}"
fi
cp -r "$INSTALL_DIR/prosody-modules/"* /var/lib/prosody/prosody-modules/
chown -R prosody:prosody /var/lib/prosody/prosody-modules
systemctl restart prosody
}
function backup_local_xmpp {
source_directory=/var/lib/prosody
if [ -d $source_directory ]; then
dest_directory=xmpp
function_check backup_directory_to_usb
backup_directory_to_usb $source_directory $dest_directory
fi
}
function restore_local_xmpp {
if [ -d /var/lib/prosody ]; then
echo $"Restoring xmpp settings"
temp_restore_dir=/root/tempxmpp
function_check restore_directory_from_usb
restore_directory_from_usb $temp_restore_dir xmpp
if [ -d $temp_restore_dir/var/lib/prosody ]; then
cp -r $temp_restore_dir/var/lib/prosody/* /var/lib/prosody
else
cp -r $temp_restore_dir/* /var/lib/prosody/
fi
# shellcheck disable=SC2181
if [ ! "$?" = "0" ]; then
function_check set_user_permissions
set_user_permissions
function_check backup_unmount_drive
backup_unmount_drive
exit 725
fi
rm -rf $temp_restore_dir
systemctl restart prosody
chown -R prosody:prosody /var/lib/prosody/*
echo $"Restore of xmpp settings complete"
fi
}
function backup_remote_xmpp {
if [ -d /var/lib/prosody ]; then
echo $"Backing up the xmpp settings"
backup_directory_to_friend /var/lib/prosody xmpp
echo $"Backup of xmpp settings complete"
fi
}
function restore_remote_xmpp {
if [ -d /var/lib/prosody ]; then
echo $"Restoring xmpp settings"
temp_restore_dir=/root/tempxmpp
function_check restore_directory_from_friend
restore_directory_from_friend $temp_restore_dir xmpp
if [ -d $temp_restore_dir/var/lib/prosody ]; then
cp -r $temp_restore_dir/var/lib/prosody/* /var/lib/prosody
else
cp -r $temp_restore_dir/* /var/lib/prosody/
fi
# shellcheck disable=SC2181
if [ ! "$?" = "0" ]; then
exit 725
fi
rm -rf $temp_restore_dir
systemctl restart prosody
chown -R prosody:prosody /var/lib/prosody/*
echo $"Restore of xmpp settings complete"
fi
}
function configure_firewall_for_xmpp {
if [ ! -d /etc/prosody ]; then
return
fi
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
firewall_add XMPP 5222 tcp
firewall_add XMPP 5223 tcp
firewall_add XMPP 5269 tcp
firewall_add XMPP 5280 tcp
firewall_add XMPP 5281 tcp
mark_completed "${FUNCNAME[0]}"
}
function remove_xmpp {
remove_profanity
remove_movim
firewall_remove 5222 tcp
firewall_remove 5223 tcp
firewall_remove 5269 tcp
firewall_remove 5280 tcp
firewall_remove 5281 tcp
function_check remove_onion_service
remove_onion_service xmpp 5222 5223 5269
apt-mark -q unhold prosody
apt-get -yq remove --purge prosody
rm /etc/cron.daily/prosody
if [ -f "$INSTALL_DIR/$prosody_modules_filename" ]; then
rm "$INSTALL_DIR/$prosody_modules_filename"
fi
if [ -d "$INSTALL_DIR/prosody-modules" ]; then
rm -rf "$INSTALL_DIR/prosody-modules"
fi
if [ -d /etc/prosody ]; then
rm -rf /etc/prosody
fi
if [ -d /var/lib/prosody ]; then
rm -rf /var/lib/prosody
fi
if [ -d /usr/lib/prosody ]; then
rm -rf /usr/lib/prosody
fi
if [ -f /usr/local/bin/prosody ]; then
rm /usr/local/bin/prosody
fi
if [ -f /usr/local/bin/prosodyctl ]; then
rm /usr/local/bin/prosodyctl
fi
groupdel prosody
remove_completion_param install_xmpp
sed -i '/xmpp/d' "$COMPLETION_FILE"
sed -i '/prosody/d' "$COMPLETION_FILE"
rm /etc/avahi/services/xmpp.service
rm /etc/avahi/services/xmpp-server.service
systemctl restart avahi-daemon
}
function xmpp_email_headers {
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
if [ -f "/home/$USERNAME/.muttrc" ]; then
if ! grep -q "Jabber-ID" "/home/$USERNAME/.muttrc"; then
echo "my_hdr Jabber-ID: ${USERNAME}@${HOSTNAME}" >> "/home/$USERNAME/.muttrc"
fi
fi
fi
done
}
function xmpp_contact_info {
filename="$1"
if grep -q "contact_info =" "$filename"; then
return
fi
{ echo 'contact_info = {';
echo "abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
echo "admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
echo "feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
echo "security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
echo "support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
echo '};'; } >> "$filename"
}
function xmpp_modules {
filename="$1"
{ echo 'modules_enabled = {';
echo ' "server_contact_info";';
echo ' "pubsub";';
echo ' "pubsub_hub";';
echo ' "dialback"; -- s2s dialback support';
echo ' "disco"; -- Service discovery';
echo ' "private"; -- Private XML storage (for room bookmarks, etc.)';
echo ' "version"; -- Replies to server version requests';
echo ' "uptime"; -- Report how long server has been running';
echo ' "time"; -- Let others know the time here on this server';
echo ' "ping"; -- Replies to XMPP pings with pongs';
echo ' "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands';
echo ' "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.';
echo ' "bosh"; -- Enable mod_bosh';
echo ' "tls"; -- Enable mod_tls';
echo ' "saslauth"; -- Enable mod_saslauth';
echo ' "onions"; -- Enable chat via onion service';
echo ' "mam"; -- Message archive management';
echo ' "csi"; -- Client state indication';
echo ' "carbons"; -- Message carbons';
echo ' "carbons_adhoc"; -- Message carbons';
echo ' "carbons_copies"; -- Message carbons';
echo ' "smacks"; -- Stream management';
echo ' "smacks_offline"; -- Stream management';
echo ' "pep"; -- Personal Eventing Protocol (to support OMEMO)';
echo ' "omemo_all_access"; -- Fix for PEP with OMEMO';
echo ' "vcard"; -- Personal Eventing Protocol (to support OMEMO)';
echo ' "e2e_policy"; -- To support OMEMO';
echo ' "pep_vcard_avatar"; -- Personal Eventing Protocol (to support OMEMO)';
echo ' "blocklist"; -- Privacy lists';
echo ' "privacy_lists"; -- Privacy lists';
echo ' "blocking"; -- Blocking command';
echo ' "block_strangers"; -- Dont allow messages from strangers';
echo ' "roster"; -- Roster versioning';
echo ' "offline_email"; -- If offline send to email';
echo ' "offline"; -- Store offline messages';
echo ' "http";';
echo ' "http_upload";';
echo ' "websocket";';
echo ' "throttle_presence"; -- Reduce battery and bandwidth usage';
echo ' "filter_chatstates"; -- Reduce battery and bandwidth usage';
echo '};'; } >> "$filename"
}
function xmpp_onion_addresses {
filename="$1"
sed -i '/onions_map = {/,/};/d' "$filename"
{ echo 'onions_map = {';
echo ' ["anonymitaet-im-inter.net"] = "rwf5skuv5vqzcdit.onion";';
echo ' ["autistici.org"] = "wi7qkxyrdpu5cmvr.onion";';
echo ' ["jabber.calyxinstitute.org"] = "ijeeynrc6x2uy5ob.onion";';
echo ' ["jabber.ccc.de"] = "okj7xc6j2szr2y75.onion";';
echo ' ["cloak.dk"] = "m2dsl4banuimpm6c.onion";';
echo ' ["jabber.cryptoparty.is"] = "cryjabkbdljzohnp.onion";';
echo ' ["daemons.cf"] = "daemon4jidu2oig6.onion";';
echo ' ["dukgo.com"] = "wlcpmruglhxp6quz.onion";';
echo ' ["evil.im"] = "evilxro6nvjuvxqo.onion";';
echo ' ["xmpp.evil.im"] = "evilxro6nvjuvxqo.onion";';
echo ' ["inventati.org"] = "wi7qkxyrdpu5cmvr.onion";';
echo ' ["jabber.ipredator.se"] = "3iffdebkzzkpgipa.onion";';
echo ' ["jabber-germany.de"] = "dbbrphko5tqcpar3.onion";';
echo ' ["kode.im"] = "ihkw7qy3tok45dun.onion";';
echo ' ["im.koderoot.net"] = "ihkw7qy3tok45dun.onion";';
echo ' ["adb-centralen.se"] = "qai7jjjnhbrdiexf.onion";';
echo ' ["joelpurra.se"] = "37x6i3wgr2jyublb.onion";';
echo ' ["nordberg.se"] = "qai7jjjnhbrdiexf.onion";';
echo ' ["jabber.lqdn.fr"] = "jabber63t4r2qi57.onion";';
echo ' ["jabber.otr.im"] = "5rgdtlawqkcplz75.onion";';
echo ' ["otromundo.cf"] = "arauemwe2utqqzye.onion";';
echo ' ["patchcord.be"] = "xsydhi3dnbjuatpz.onion";';
echo ' ["riseup.net"] = "4cjw6cwpeaeppfqz.onion";';
echo ' ["xmpp.riseup.net"] = "4cjw6cwpeaeppfqz.onion";';
echo ' ["rows.io"] = "yz6yiv2hxyagvwy6.onion";';
echo ' ["xmpp.rows.io"] = "yz6yiv2hxyagvwy6.onion";';
echo ' ["securejabber.me"] = "giyvshdnojeivkom.onion";';
echo ' ["so36.net"] = "s4fgy24e2b5weqdb.onion";';
echo ' ["jabber.so36.net"] = "s4fgy24e2b5weqdb.onion";';
echo ' ["jabber.systemli.org"] = "x5tno6mwkncu5m3h.onion";';
echo ' ["taolo.ga"] = "l3ybpw4vs6ie5rv2.onion";';
echo ' ["tchncs.de"] = "duvfmyqmdlyvc3mi.onion";';
echo ' ["wtfismyip.com"] = "ofkztxcohimx34la.onion";';
echo ' ["prosody.xmpp.is"] = "y2qmqomqpszzryei.onion";';
echo ' ["xndr.de"] = "trcubpttd6zkc3tf.onion";';
echo ' ["jabber.cat"] = "sybzodlxacch7st7.onion";';
echo ' ["trashserver.net"] = "m4c722bvc2r7brnn.onion";';
echo '};'; } >> "$filename"
}
function xmpp_create_config {
echo "admins = { \"$MY_USERNAME@$DEFAULT_DOMAIN_NAME\" }" > /etc/prosody/prosody.cfg.lua
echo 'plugin_paths = { "/var/lib/prosody/prosody-modules" }' >> /etc/prosody/prosody.cfg.lua
echo '' >> /etc/prosody/prosody.cfg.lua
xmpp_modules /etc/prosody/prosody.cfg.lua
echo '' >> /etc/prosody/prosody.cfg.lua
xmpp_onion_addresses /etc/prosody/prosody.cfg.lua
xmpp_contact_info /etc/prosody/prosody.cfg.lua
{ echo '';
echo 'allow_registration = false;';
echo '';
echo 'daemonize = true;';
echo '';
echo 'pidfile = "/var/run/prosody/prosody.pid";';
echo '';
echo 'https_ports = { 5281 }';
echo 'https_interfaces = { "*" }';
echo 'https_ssl = {'; } >> /etc/prosody/prosody.cfg.lua
if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
echo " certificate = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem\";" >> /etc/prosody/prosody.cfg.lua
echo " key = \"/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key\";" >> /etc/prosody/prosody.cfg.lua
else
echo " certificate = \"/etc/ssl/certs/xmpp.crt\";" >> /etc/prosody/prosody.cfg.lua
echo " key = \"/etc/ssl/private/xmpp.key\";" >> /etc/prosody/prosody.cfg.lua
fi
{ echo " curve = $XMPP_ECC_CURVE;";
echo " ciphers = $XMPP_CIPHERS;";
echo ' options = {"no_sslv2", "no_sslv3" };'; } >> /etc/prosody/prosody.cfg.lua
if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
echo " dhparam = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam\";" >> /etc/prosody/prosody.cfg.lua
else
echo " dhparam = \"/etc/ssl/certs/xmpp.dhparam\";" >> /etc/prosody/prosody.cfg.lua
fi
{ echo "}";
echo '';
echo 'ssl = {'; } >> /etc/prosody/prosody.cfg.lua
if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
echo " certificate = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem\";" >> /etc/prosody/prosody.cfg.lua
echo " key = \"/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key\";" >> /etc/prosody/prosody.cfg.lua
else
echo " certificate = \"/etc/ssl/certs/xmpp.crt\";" >> /etc/prosody/prosody.cfg.lua
echo " key = \"/etc/ssl/private/xmpp.key\";" >> /etc/prosody/prosody.cfg.lua
fi
{ echo " curve = $XMPP_ECC_CURVE;";
echo ' depth = "2";';
echo " ciphers = $XMPP_CIPHERS;";
echo ' options = {"no_sslv2", "no_sslv3" };'; } >> /etc/prosody/prosody.cfg.lua
if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
echo " dhparam = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam\";" >> /etc/prosody/prosody.cfg.lua
else
echo " dhparam = \"/etc/ssl/certs/xmpp.dhparam\";" >> /etc/prosody/prosody.cfg.lua
fi
{ echo '}';
echo '';
echo 'c2s_require_encryption = true';
echo 's2s_require_encryption = true';
echo '';
echo 'e2e_policy_muc = "none"';
echo 'e2e_policy_chat = "required"';
echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"";
echo '';
echo 's2s_secure_auth = false';
echo '';
echo 'authentication = "internal_hashed"';
echo '';
echo 'storage = "sql"';
echo 'sql = { driver = "SQLite3", database = "prosody.sqlite" }';
echo '';
echo 'log = {';
echo ' info = "/dev/null";';
echo ' error = "/dev/null";';
echo ' { levels = { "error" }; to = "/dev/null"; };';
echo '}';
echo ''; } >> /etc/prosody/prosody.cfg.lua
if [[ "$ONION_ONLY" != 'no' ]]; then
echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/prosody.cfg.lua
# TLS is not needed for onion transport security
sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
else
echo "VirtualHost \"${DEFAULT_DOMAIN_NAME}\"" >> /etc/prosody/prosody.cfg.lua
fi
echo ' ssl = {' >> /etc/prosody/prosody.cfg.lua
if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
echo " certificate = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem\";" >> /etc/prosody/prosody.cfg.lua
echo " key = \"/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key\";" >> /etc/prosody/prosody.cfg.lua
else
echo " certificate = \"/etc/ssl/certs/xmpp.crt\";" >> /etc/prosody/prosody.cfg.lua
echo " key = \"/etc/ssl/private/xmpp.key\";" >> /etc/prosody/prosody.cfg.lua
fi
{ echo " curve = $XMPP_ECC_CURVE;";
echo ' depth = "2";';
echo " ciphers = $XMPP_CIPHERS;";
echo ' options = {"no_sslv2", "no_sslv3" };'; } >> /etc/prosody/prosody.cfg.lua
if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
echo " dhparam = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam\";" >> /etc/prosody/prosody.cfg.lua
else
echo " dhparam = \"/etc/ssl/certs/xmpp.dhparam\";" >> /etc/prosody/prosody.cfg.lua
fi
{ echo ' }';
echo '';
echo 'Include "conf.d/*.cfg.lua"';
echo 'http_upload_path = "/var/lib/prosody/http_uploads"';
echo 'http_upload_file_size_limit = 307200';
echo '';
echo "Component \"chat.${DEFAULT_DOMAIN_NAME}\" \"muc\"";
echo ' restrict_room_creation = true';
echo ' name = "Chatrooms"';
echo ' modules_enabled = {';
echo ' "muc_limits";';
echo ' "muc_log";';
echo ' "mam_muc";';
echo ' "muc_log_http";';
echo ' }';
echo 'storage = { muc_log = "sql"; }';
echo 'sql = { driver = "SQLite3", database = "prosody.sqlite" }';
echo 'muc_event_rate = 0.5;';
echo 'muc_burst_factor = 10;';
echo 'muc_log_by_default = false;';
echo 'muc_log_all_rooms = false;';
echo 'max_archive_query_results = 10;';
echo 'max_history_messages = 10;'; } >> /etc/prosody/prosody.cfg.lua
}
function install_xmpp_nightly {
if [ ! -d "$INSTALL_DIR" ]; then
mkdir -p "$INSTALL_DIR"
fi
cd "$INSTALL_DIR" || exit 2468274
# Try to get the source from the project repo
if [ -f "/root/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" ]; then
cp "/root/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" .
else
if [ -f "/home/${MY_USERNAME}/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" ]; then
cp "/home/${MY_USERNAME}/${PROJECT_NAME}/image_build/${prosody_filename}.tar.gz" .
else
wget "$prosody_nightly_url"
fi
fi
if [ ! -f "${INSTALL_DIR}/${prosody_filename}.tar.gz" ]; then
echo $"Failed to download prosody nightly $prosody_nightly_url"
exit 78352
fi
hash_value=$(sha256sum "${INSTALL_DIR}/${prosody_filename}.tar.gz" | awk -F ' ' '{print $1}')
if [[ "$hash_value" != "$prosody_nightly_hash" ]]; then
rm "${INSTALL_DIR}/${prosody_filename}.tar.gz"
echo $'Unexpected hash value for prosody nightly download'
exit 68224283
fi
tar -xzvf "${INSTALL_DIR}/${prosody_filename}.tar.gz"
cd "${INSTALL_DIR}/${prosody_filename}" || exit 7246284245
./configure --ostype=debian --prefix=/usr
make prefix=/usr
make prefix=/usr install
if [ -f /usr/local/bin/prosody ]; then
echo $'Failed to build prosody nightly to /usr/bin'
rm "${INSTALL_DIR}/${prosody_filename}.tar.gz"
rm -rf "${INSTALL_DIR:?}/${prosody_filename}"
exit 628732
fi
rm "${INSTALL_DIR}/${prosody_filename}.tar.gz"
set_completion_param "prosody_filename" "${prosody_filename}"
}
function install_xmpp {
if [ ! -d "$INSTALL_DIR" ]; then
mkdir -p "$INSTALL_DIR"
fi
# remove any existing install attempt
if [ -f "$INSTALL_DIR/$prosody_modules_filename" ]; then
rm "$INSTALL_DIR/$prosody_modules_filename"
fi
if [ -d "$INSTALL_DIR/prosody-modules" ]; then
rm -rf "$INSTALL_DIR/prosody-modules"
fi
update_prosody_modules
# obtain a cert for the default domain
if [[ "$(cert_exists "${DEFAULT_DOMAIN_NAME}" pem)" == "0" ]]; then
create_site_certificate "${DEFAULT_DOMAIN_NAME}" 'yes'
if [[ "$ONION_ONLY" == 'no' ]]; then
if [[ "$(cert_exists "${DEFAULT_DOMAIN_NAME}" pem)" == "0" ]]; then
echo $'LetsEncrypt cert could not be obtained for xmpp'
exit 72342
fi
fi
fi
apt-get -yq install lua-sec lua-bitop lua5.1 liblua5.1-dev
apt-get -yq install libidn11-dev libssl-dev lua-dbi-sqlite3
apt-get -yq install mercurial
apt-get -yq install prosody
if [ ! -f /usr/bin/hg ]; then
echo $"Couldn't install mercurial"
exit 52825
fi
if [ ! -d /etc/prosody ]; then
echo $"ERROR: prosody does not appear to have installed. $CHECK_MESSAGE"
exit 52367
fi
groupadd prosody
if [ ! -d /var/lib/prosody/http_uploads ]; then
mkdir -p /var/lib/prosody/http_uploads
fi
if [ ! -d /etc/prosody/conf.d ]; then
mkdir -p /etc/prosody/conf.d
fi
chmod -R 700 /etc/prosody/conf.d
chown -R prosody /var/lib/prosody
chown -R prosody /etc/prosody/conf.d
# install modules
update_prosody_modules initial
if [ ! -d /var/lib/prosody/prosody-modules ]; then
echo $'No prosody modules available'
exit 82634
fi
# create a certificate
if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
if [ ! -f /etc/ssl/certs/xmpp.crt ]; then
"${PROJECT_NAME}-addcert" -h xmpp --dhkey "${DH_KEYLENGTH}"
CHECK_HOSTNAME=xmpp
check_certificates xmpp
if [ ! -f /etc/ssl/certs/xmpp.crt ]; then
echo $'Failed to create xmpp certificate'
exit 72352
fi
if [ ! -f /etc/ssl/private/xmpp.key ]; then
echo $'Failed to create xmpp private certificate'
exit 36829
fi
chmod g=rX /etc/ssl/private/xmpp.key
chmod g=rX /etc/ssl/certs/xmpp.*
fi
fi
groupadd default
chmod 600 /etc/shadow
chmod 600 /etc/gshadow
usermod -g default prosody
chmod 0000 /etc/shadow
chmod 0000 /etc/gshadow
chown root:default /etc/ssl/private/xmpp.*
chown root:default /etc/ssl/certs/xmpp.*
chown root:default "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.*"
chown root:default "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.*"
cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua
if [[ "$(cert_exists "${DEFAULT_DOMAIN_NAME}" pem)" == "1" ]]; then
sed -i "s|key =.*|key = \"/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key\";|g" /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i "s|certificate =.*|certificate = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem\";|g" /etc/prosody/conf.avail/xmpp.cfg.lua
else
sed -i "s|key =.*|key = \"/etc/ssl/private/xmpp.key\";|g" /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i "s|certificate =.*|certificate = \"/etc/ssl/certs/xmpp.crt\";|g" /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q "xmpp.dhparam" /etc/prosody/conf.avail/xmpp.cfg.lua; then
if [[ "$(cert_exists "${DEFAULT_DOMAIN_NAME}")" == "1" ]]; then
sed -i "/certificate =/a\\ dhparam = \"/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam\";" /etc/prosody/conf.avail/xmpp.cfg.lua
else
sed -i '/certificate =/a\\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
fi
if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/certificate =/a\ options = {"no_sslv2", "no_sslv3" };' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q 'ciphers =' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i "/certificate =/a\\ ciphers = $XMPP_CIPHERS;" /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q 'depth = "2";' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/certificate =/a\ depth = "2";' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q 'curve =' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i "/certificate =/a\\ curve = $XMPP_ECC_CURVE;" /etc/prosody/conf.avail/xmpp.cfg.lua
fi
sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/conf.avail/xmpp.cfg.lua
if ! grep -q "modules_enabled" /etc/prosody/conf.avail/xmpp.cfg.lua; then
echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
xmpp_modules /etc/prosody/conf.avail/xmpp.cfg.lua
fi
echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
if ! grep -q "c2s_require_encryption" /etc/prosody/conf.avail/xmpp.cfg.lua; then
echo 'c2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua
else
sed -i 's|c2s_require_encryption.*|c2s_require_encryption = true|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q "s2s_require_encryption" /etc/prosody/conf.avail/xmpp.cfg.lua; then
echo 's2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua
else
sed -i 's|s2s_require_encryption.*|s2s_require_encryption = true|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if [[ "$ONION_ONLY" != 'no' ]]; then
sed -i 's|c2s_require_encryption.*|c2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's|s2s_require_encryption.*|s2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/conf.avail/xmpp.cfg.lua; then
echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
else
sed -i 's|allow_unencrypted_plain_auth.*|allow_unencrypted_plain_auth = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua
if [ ! -d /var/lib/tor ]; then
echo $'No Tor installation found. xmpp onion site cannot be configured.'
exit 877367
fi
if ! grep -q "hidden_service_xmpp" "$ONION_SERVICES_FILE"; then
{ echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/';
echo 'HiddenServiceVersion 3';
echo "HiddenServicePort 5222 127.0.0.1:5222";
echo "HiddenServicePort 5269 127.0.0.1:5269"; } >> "$ONION_SERVICES_FILE"
echo $'Added onion site for xmpp chat'
fi
onion_update
wait_for_onion_service 'xmpp'
if [ ! -f /var/lib/tor/hidden_service_xmpp/hostname ]; then
echo $'xmpp onion site hostname not found'
exit 65349
fi
XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
if ! grep -q "${XMPP_ONION_HOSTNAME}" /etc/prosody/conf.avail/xmpp.cfg.lua; then
{ echo '';
echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"";
echo ' modules_enabled = { "onions" };'; } >> /etc/prosody/conf.avail/xmpp.cfg.lua
fi
set_completion_param "xmpp onion domain" "${XMPP_ONION_HOSTNAME}"
if [ -f "$IMAGE_PASSWORD_FILE" ]; then
XMPP_PASSWORD="$(printf "%s" "$(cat "$IMAGE_PASSWORD_FILE")")"
else
if [ ${#XMPP_PASSWORD} -lt 8 ]; then
XMPP_PASSWORD="$(create_password "${MINIMUM_PASSWORD_LENGTH}")"
fi
fi
function_check configure_firewall_for_xmpp
configure_firewall_for_xmpp
xmpp_email_headers
update_default_domain
xmpp_create_config
# TODO comment this out after debian supports prosody 0.10 or later
install_xmpp_nightly
chown -R prosody /etc/prosody
chown -R prosody /var/lib/prosody
chown -R prosody /usr/lib/prosody
chmod -R 700 /etc/prosody/conf.d
usermod -a -G www-data prosody
# Avoid STIG failures
if [ -f /usr/lib/ssl/private/xmpp.key ]; then
chown root:root /usr/lib/ssl/private/xmpp.key
fi
if [ -f /usr/lib/ssl/certs/xmpp.crt ]; then
chown root:root /usr/lib/ssl/certs/xmpp.crt
fi
if [ -f /usr/lib/ssl/certs/xmpp.dhparam ]; then
chown root:root /usr/lib/ssl/certs/xmpp.dhparam
fi
if [ -d /etc/letsencrypt ]; then
usermod -a -G ssl-cert prosody
fi
if [ -f /etc/ssl/certs/xmpp.dhparam ]; then
cp /etc/ssl/certs/xmpp.dhparam /etc/prosody/xmpp.dhparam
chown prosody:prosody /etc/prosody/xmpp.dhparam
sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/prosody.cfg.lua
sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
apt-mark -q hold prosody
systemctl restart prosody
if [[ $ONION_ONLY != 'no' ]]; then
prosodyctl register "$MY_USERNAME" "$XMPP_ONION_HOSTNAME" "$XMPP_PASSWORD"
else
prosodyctl register "$MY_USERNAME" "$DEFAULT_DOMAIN_NAME" "$XMPP_PASSWORD"
fi
# shellcheck disable=SC2181
if [ ! "$?" = "0" ]; then
echo ''
echo ''
systemctl status prosody -l
echo ''
echo ''
which prosody
which prosodyctl
echo ''
echo ''
cat /etc/prosody/prosody.cfg.lua
echo ''
echo ''
cat /etc/prosody/conf.avail/xmpp.cfg.lua
echo ''
echo ''
#remove_xmpp
echo $'Unable to register prosody user'
exit 347682
fi
prosody_daemon_restart_script
"${PROJECT_NAME}-pass" -u "$MY_USERNAME" -a xmpp -p "$XMPP_PASSWORD"
# Add avahi services
{ echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->';
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">';
echo '<service-group>';
echo ' <name replace-wildcards="yes">%h XMPP</name>';
echo ' <service>';
echo ' <type>_xmpp._tcp</type>';
echo " <port>5222</port>";
echo ' </service>';
echo ' <service>';
echo ' <type>_xmpp-server._tcp</type>';
echo " <port>5269</port>";
echo ' </service>';
echo '</service-group>'; } > /etc/avahi/services/xmpp.service
systemctl restart avahi-daemon
APP_INSTALLED=1
}
# NOTE: deliberately no exit 0