free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
freedomboneeee/src/freedombone-utils-setup

995 lines
28 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# Setup functions
#
# License
# =======
#
# Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if [ ! $PROJECT_NAME ]; then
PROJECT_NAME='freedombone'
fi
DEFAULT_DOMAIN_NAME=
DEFAULT_DOMAIN_CODE=
MY_USERNAME=
if [ ! $SYSTEM_TYPE ]; then
SYSTEM_TYPE="full"
fi
# An optional configuration file which overrides some of these variables
if [ ! $CONFIGURATION_FILE ]; then
CONFIGURATION_FILE="$HOME/${PROJECT_NAME}.cfg"
fi
# Directory where source code is downloaded and compiled
INSTALL_DIR=$HOME/build
# device name for an attached usb drive
USB_DRIVE=/dev/sda1
# Location where the USB drive is mounted to
USB_MOUNT=/mnt/usb
# Number of days to keep backups for
BACKUP_MAX_DAYS=30
# file containing a list of remote locations to backup to
# Format: [username@friendsdomain//home/username] [ssh_password]
# With the only space character being between the server and the password
FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
export DEBIAN_FRONTEND=noninteractive
# used to limit CPU usage
CPULIMIT='/usr/bin/cpulimit -l 20 -e'
# command to create a git repository
CREATE_GIT_PROJECT_COMMAND='create-project'
# File which keeps track of what has already been installed
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
# log file where details of remote backups are stored
REMOTE_BACKUPS_LOG=/var/log/remotebackups.log
# message if something fails to install
CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."
# Default diffie-hellman key length in bits
DH_KEYLENGTH=2048
function detect_usb_drive {
# sets to the highest available drive letter
# which is likely to be the last drive connected
read_config_param USB_DRIVE
partition_number='1'
if [[ "$1" == "nopath" ]]; then
partition_number=''
fi
if [ -b /dev/sdb${partition_number} ]; then
USB_DRIVE=/dev/sdb${partition_number}
fi
if [ -b /dev/sdc${partition_number} ]; then
USB_DRIVE=/dev/sdc${partition_number}
fi
if [ -b /dev/sdd${partition_number} ]; then
USB_DRIVE=/dev/sdd${partition_number}
fi
if [ -b /dev/sde${partition_number} ]; then
USB_DRIVE=/dev/sde${partition_number}
fi
if [ -b /dev/sdf${partition_number} ]; then
USB_DRIVE=/dev/sdf${partition_number}
fi
if [ -b /dev/sdg${partition_number} ]; then
USB_DRIVE=/dev/sdg${partition_number}
fi
if [ -b /dev/sdh${partition_number} ]; then
USB_DRIVE=/dev/sdh${partition_number}
fi
write_config_param USB_DRIVE "$USB_DRIVE"
}
function separate_tmp_filesystem {
tmp_filesystem_size_mb=$1
if [ ! -d /tmp ]; then
mkdir -p /tmp
fi
if ! grep -q '/tmp' /etc/fstab; then
mount -t tmpfs -o size=${tmp_filesystem_size_mb}m tmpfs /tmp
echo "tmpfs /tmp tmpfs nodev,nosuid,noexec,nodiratime,size=${tmp_filesystem_size_mb}M 0 0" >> /etc/fstab
fi
}
function remove_bluetooth {
rmmod -f bnep
rmmod -f bluetooth
if [ -f /etc/default/bluetooth ]; then
if grep "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then
sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth
else
echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth
fi
fi
if ! grep 'blacklist bnep' /etc/modprobe.d/bluetooth.conf; then
echo 'blacklist bnep' >> /etc/modprobe.d/bluetooth.conf
fi
if ! grep 'blacklist btusb' /etc/modprobe.d/bluetooth.conf; then
echo 'blacklist btusb' >> /etc/modprobe.d/bluetooth.conf
fi
if ! grep 'blacklist bluetooth' /etc/modprobe.d/bluetooth.conf; then
echo 'blacklist bluetooth' >> /etc/modprobe.d/bluetooth.conf
fi
update-initramfs -u -k `uname -r` -v
update-rc.d bluetooth remove
}
function running_as_root {
if [[ $EUID != 0 ]] ; then
echo "0"
else
echo "1"
fi
}
function reset_usb_devices {
for xhci in /sys/bus/pci/drivers/?hci-pci ; do
if ! cd $xhci ; then
return
fi
echo "Resetting devices from $xhci..."
for i in ????:??:??.? ; do
echo -n "$i" > unbind
echo -n "$i" > bind
done
done
udevadm control --reload-rules
}
function install_backports_kernel {
# install backports kernel if possible
architecture_type=$(uname -a)
if [[ "$architecture_type" == *"amd64"* ]]; then
apt-get -yq install linux-image-amd64 -t jessie-backports
fi
}
function turn_off_rsys_logging {
sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf
sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf
sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf
sed -i 's|mail.warn.*|mail.warn /dev/null|g' /etc/rsyslog.conf
sed -i 's|mail.err.*|mail.err /dev/null|g' /etc/rsyslog.conf
sed -i 's|daemon.\*.*|daemon.\* /dev/null|g' /etc/rsyslog.conf
sed -i 's|mail.\*.*|mail.\* /dev/null|g' /etc/rsyslog.conf
sed -i 's|user.\*.*|user.\* /dev/null|g' /etc/rsyslog.conf
sed -i 's|news.none;mail.none.*|news.none;mail.none /dev/null|g' /etc/rsyslog.conf
sed -i 's|\*.\*;auth,authpriv.none.*|\*.\*;auth,authpriv.none /dev/null|g' /etc/rsyslog.conf
sed -i 's|#cron.\*|cron.\*|g' /etc/rsyslog.conf
sed -i 's|cron.\*.*|cron.\* /dev/null|g' /etc/rsyslog.conf
shred -zu /var/log/wtmp*
shred -zu /var/log/debug*
shred -zu /var/log/cron.*
shred -zu /var/log/auth.*
shred -zu /var/log/mail.*
shred -zu /var/log/daemon.*
shred -zu /var/log/user.*
shred -zu /var/log/messages*
}
function initial_setup {
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
return
fi
apt-get -yq remove --purge apache*
apt-get -yq dist-upgrade
apt-get -yq install ca-certificates
apt-get -yq install apt-utils
apt-get -yq install cryptsetup libgfshare-bin obnam sshpass wget avahi-daemon
apt-get -yq install avahi-utils avahi-discover connect-proxy openssh-server
apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
apt-get -yq install pinentry-curses eatmydata iotop bc hostapd haveged
apt-get -yq install cpulimit screen
if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
apt-get -yq install grub2
fi
if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR
fi
mark_completed $FUNCNAME
}
function admin_user_sudo {
if ! grep -q "$MY_USERNAME ALL=(ALL) ALL" $rootdir/etc/sudoers; then
echo "$MY_USERNAME ALL=(ALL) ALL" >> $rootdir/etc/sudoers
fi
}
function search_for_attached_usb_drive {
# If a USB drive is attached then search for email,
# gpg, ssh keys and emacs configuration
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
return
fi
detect_usb_drive
if [ -b $USB_DRIVE ]; then
if [ ! -d $USB_MOUNT ]; then
echo $'Mounting USB drive'
mkdir $USB_MOUNT
mount $USB_DRIVE $USB_MOUNT
fi
if [ -d $USB_MOUNT/.gnupg ]; then
echo $'Importing GPG keyring'
cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
GPG_KEYS_IMPORTED="yes"
if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then
echo $'GPG files did not copy'
exit 73529
fi
fi
if [ -f $USB_MOUNT/private_key.gpg ]; then
echo $'GPG private key found on USB drive'
MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg
fi
if [ -f $USB_MOUNT/public_key.gpg ]; then
echo $'GPG public key found on USB drive'
MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg
fi
if [ -f $USB_MOUNT/letsencrypt ]; then
echo $'Copying letsencrypt keys"'
cp -r $USB_MOUNT/letsencrypt /etc
fi
if [ -d $USB_MOUNT/.ssh ]; then
echo $'Importing ssh keys'
cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
# for security delete the ssh keys from the usb drive
if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then
echo $'ssh files did not copy'
exit 8
fi
fi
if [ -f $USB_MOUNT/.emacs ]; then
echo $'Importing .emacs file'
cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
fi
if [ -d $USB_MOUNT/.emacs.d ]; then
echo $'Importing .emacs.d directory'
cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d
fi
if [ -d $USB_MOUNT/ssl ]; then
echo $'Importing SSL certificates'
cp -r $USB_MOUNT/ssl/* /etc/ssl
chmod 640 /etc/ssl/certs/*
chmod 400 /etc/ssl/private/*
# change ownership of some certificates
if [ -d /etc/prosody ]; then
chown prosody:prosody /etc/ssl/private/xmpp.*
chown prosody:prosody /etc/ssl/certs/xmpp.*
fi
if [ -d /etc/dovecot ]; then
chown root:dovecot /etc/ssl/certs/dovecot.*
chown root:dovecot /etc/ssl/private/dovecot.*
fi
if [ -f /etc/ssl/private/exim.key ]; then
cp /etc/ssl/private/exim.key /etc/exim4
cp /etc/ssl/certs/exim.crt /etc/exim4
cp /etc/ssl/certs/exim.dhparam /etc/exim4
chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
fi
fi
if [ -d $USB_MOUNT/personal ]; then
echo $'Importing personal directory'
cp -r $USB_MOUNT/personal /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal
fi
else
if [ -d $USB_MOUNT ]; then
umount $USB_MOUNT
rm -rf $USB_MOUNT
fi
echo $'No USB drive attached'
fi
mark_completed $FUNCNAME
}
function mark_admin_user_account {
set_completion_param "Admin user" "$MY_USERNAME"
}
function remove_instructions_from_motd {
sed -i '/## /d' /etc/motd
}
function remove_default_user {
# make sure you don't use the default user account
if [[ $MY_USERNAME == "debian" ]]; then
echo 'Do not use the default debian user account. Create a different user with: adduser [username]'
exit 68
fi
# remove the default debian user to prevent it from becoming an attack vector
if [ -d /home/debian ]; then
userdel -r debian
echo 'Default debian user account removed'
fi
}
function create_completion_file {
if [ ! -f $COMPLETION_FILE ]; then
touch $COMPLETION_FILE
fi
}
function disable_nfs_insecure_locks {
apt-get -yq install nfs-kernel-server
if grep 'insecure_locks' /etc/exports; then
sed -i 's|,insecure_locks||g' /etc/exports
sed -i 's|insecure_locks,||g' /etc/exports
exportfs -a
fi
}
function remove_management_engine_interface {
# see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
# Disabling this interface doesn't cure the problems of ME, but it
# might stop an adversary in control of AMT from using the command
# interface to control the operating system.
if [ -f /dev/mei0 ]; then
rmmod mei_me
rmmod mei0
fi
blacklist_changed=
if [ ! -f /etc/modprobe.d/blacklist.conf ]; then
touch /etc/modprobe.d/blacklist.conf
blacklist_changed=1
fi
if ! grep -q "blacklist mei" /etc/modprobe.d/blacklist.conf; then
echo "blacklist mei" >> /etc/modprobe.d/blacklist.conf
blacklist_changed=1
fi
if ! grep -q "blacklist mei_me" /etc/modprobe.d/blacklist.conf; then
echo "blacklist mei_me" >> /etc/modprobe.d/blacklist.conf
blacklist_changed=1
fi
if [ $blacklist_changed ]; then
depmod -ae -E
update-initramfs -u
fi
}
function set_login_umask {
sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
}
function disable_deferred_execution {
systemctl stop atd
systemctl disable atd
}
function set_shadow_permissions {
chown root:root /etc/shadow
chmod 0000 /etc/shadow
chown root:root /etc/gshadow
chmod 0000 /etc/gshadow
}
function set_max_login_tries {
max_tries=$1
if ! grep ' deny=' /etc/pam.d/common-auth; then
sed -i "/pam_deny.so/a auth required\t\t\tpam_tally.so onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
else
sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
fi
if ! grep ' deny=' /etc/pam.d/common-account; then
sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account
else
sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-account
fi
}
function limit_user_logins {
# overall max logins
if ! grep '* hard maxsyslogins' /etc/security/limits.conf; then
echo '* hard maxsyslogins 10' >> /etc/security/limits.conf
else
sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
fi
# Max logins for each user
if ! grep '* hard maxlogins' /etc/security/limits.conf; then
echo '* hard maxlogins 2' >> /etc/security/limits.conf
else
sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
fi
}
function remove_serial_logins {
if grep 'ttyS' /etc/securetty; then
cp /etc/securetty /etc/securetty_old
sed -i '/ttyS/d' /etc/securetty
fi
}
function set_sticky_bits {
world_writable=$(find / -xdev -type d -perm -002 \! -perm -1000)
for w in $world_writable; do
echo "Setting sticky bit on $w"
chmod +t $w
done
}
function disable_ctrl_alt_del {
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
}
function lockdown_permissions {
# All commands owned by root
if [ -d /root/.cache/yarn ]; then
rm -rf /root/.cache/yarn
fi
if [ -d /usr/local/share/.cache/yarn ]; then
rm -rf /usr/local/share/.cache/yarn
fi
if [ -f /usr/lib/ssl/certs/ssl-cert-snakeoil.pem ]; then
chown root:root /usr/lib/ssl/certs/ssl-cert-snake*
fi
if [ -d /bin ]; then
chown root:root /bin/*
fi
if [ -d /usr/bin ]; then
chown root:root /usr/bin/*
fi
if [ -d /usr/local/bin ]; then
chown root:root /usr/local/bin/*
fi
if [ -d /sbin ]; then
chown root:root /sbin/*
fi
if [ -d /usr/sbin ]; then
chown root:root /usr/sbin/*
fi
if [ -d /usr/local/sbin ]; then
chown root:root /usr/local/sbin/*
fi
if [ -d /usr/share/${PROJECT_NAME} ]; then
chown -R root:root /usr/share/${PROJECT_NAME}
chmod -R +r /usr/share/${PROJECT_NAME}
fi
# All libraries owned by root
if [ -d /lib ]; then
chown -R root:root /lib/*
fi
if [ -d /lib64 ]; then
chown -R root:root /lib64/*
fi
if [ -d /usr/lib ]; then
chown -R root:root /usr/lib/*
fi
if [ -d /usr/lib64 ]; then
chown -R root:root /usr/lib64/*
fi
# sudo permissions
chmod 4755 /usr/bin/sudo
chmod 4755 /usr/lib/sudo/sudoers.so
chown root:root /etc/sudoers
# permissions on email commands
if [ -f /usr/bin/procmail ]; then
chmod 6755 /usr/bin/procmail
fi
if [ -f /usr/sbin/exim ]; then
chmod u+s /usr/sbin/exim
fi
if [ -f /usr/sbin/exim4 ]; then
chmod u+s /usr/sbin/exim4
fi
set_sticky_bits
# Create some directories to correspond with users in passwords file
if [ ! -d /var/spool/lpd ]; then
mkdir /var/spool/lpd
fi
if [ ! -d /var/spool/news ]; then
mkdir /var/spool/news
fi
if [ ! -d /var/spool/uucp ]; then
mkdir /var/spool/uucp
fi
if [ ! -d /var/list ]; then
mkdir /var/list
fi
if [ ! -d /var/lib/gnats ]; then
mkdir /var/lib/gnats
fi
if [ ! -d /var/lib/saned ]; then
mkdir /var/lib/saned
fi
if [ -d /etc/prosody ]; then
chown -R prosody /etc/prosody
chmod -R 700 /etc/prosody/conf.d
fi
if [ -d /var/lib/prosody ]; then
chown -R prosody /var/lib/prosody
fi
}
function disable_core_dumps {
if ! grep '* hard core 0' /etc/security/limits.conf; then
echo '* hard core 0' >> /etc/security/limits.conf
else
sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
fi
}
function dummy_nologin_command {
if [ ! -f /sbin/nologin ]; then
echo '#!/bin/bash' > /sbin/nologin
chmod +x /sbin/nologin
fi
}
function disable_null_passwords {
sed -i 's| nullok_secure||g' /etc/pam.d/common-auth
}
function create_usb_canary {
if [[ $SYSTEM_TYPE == "mesh"* ]]; then
return
fi
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
return
fi
echo "ACTION==\"add\", KERNEL==\"sd*[!0-9]\", RUN+=\"/usr/local/bin/${PROJECT_NAME}-usb-canary\"" > /etc/udev/rules.d/00-usb-canary.rules
udevadm control --reload-rules
mark_completed $FUNCNAME
}
function setup_firewall {
function_check create_completion_file
create_completion_file
function_check configure_firewall
configure_firewall
function_check configure_firewall_ping
configure_firewall_ping
function_check firewall_drop_telnet
firewall_drop_telnet
function_check firewall_drop_spoofed_packets
firewall_drop_spoofed_packets
function_check firewall_rate_limits
firewall_rate_limits
function_check configure_firewall_for_dns
configure_firewall_for_dns
function_check configure_firewall_for_avahi
configure_firewall_for_avahi
function_check global_rate_limit
global_rate_limit
function_check firewall_block_bad_ip_ranges
firewall_block_bad_ip_ranges
}
function setup_utils {
read_config_param "PROJECT_REPO"
write_config_param "PROJECT_REPO" "$PROJECT_REPO"
function_check remove_management_engine_interface
remove_management_engine_interface
function_check separate_tmp_filesystem
separate_tmp_filesystem 150
function_check disable_null_passwords
disable_null_passwords
function_check disable_ctrl_alt_del
disable_ctrl_alt_del
function_check dummy_nologin_command
dummy_nologin_command
function_check disable_core_dumps
disable_core_dumps
function_check remove_serial_logins
remove_serial_logins
function_check set_max_login_tries
set_max_login_tries 10
function_check set_shadow_permissions
set_shadow_permissions
function_check remove_bluetooth
remove_bluetooth
function_check disable_nfs_insecure_locks
disable_nfs_insecure_locks
function_check set_login_umask
set_login_umask
function_check disable_deferred_execution
disable_deferred_execution
function_check turn_off_rsys_logging
turn_off_rsys_logging
function_check install_backports_kernel
install_backports_kernel
function_check create_completion_file
create_completion_file
function_check read_configuration
read_configuration
function_check check_system_type
check_system_type
function_check set_default_onion_domains
set_default_onion_domains
function_check locale_setup
locale_setup
function_check parse_args
parse_args
function_check check_domains
check_domains
function_check install_static_network
install_static_network
function_check remove_default_user
remove_default_user
function_check setup_firewall
setup_firewall
function_check create_repo_sources
create_repo_sources
function_check configure_dns
configure_dns
function_check initial_setup
initial_setup
function_check install_tor
install_tor
#function_check resolve_dns_via_tor
#resolve_dns_via_tor
function_check install_command_line_browser
install_command_line_browser
function_check enable_ssh_via_onion
enable_ssh_via_onion
function_check check_date
check_date
function_check install_dynamicdns
install_dynamicdns
function_check randomize_cron
randomize_cron
function_check create_freedns_updater
create_freedns_updater
function_check mark_admin_user_account
mark_admin_user_account
function_check enforce_good_passwords
enforce_good_passwords
function_check change_login_message
change_login_message
function_check enable_zram
enable_zram
function_check random_number_generator
random_number_generator
function_check set_your_domain_name
set_your_domain_name
function_check configure_internet_protocol
configure_internet_protocol
function_check create_git_project
create_git_project
function_check setup_wifi
setup_wifi
function_check configure_ssh
configure_ssh
function_check configure_ssh_onion
configure_ssh_onion
function_check allow_ssh_to_onion_address
allow_ssh_to_onion_address
function_check remove_instructions_from_motd
remove_instructions_from_motd
function_check check_hwrng
check_hwrng
function_check search_for_attached_usb_drive
search_for_attached_usb_drive
function_check regenerate_ssh_keys
regenerate_ssh_keys
function_check create_mirrors
create_mirrors
function_check create_upgrade_script
create_upgrade_script
function_check letsencrypt_renewals
letsencrypt_renewals
function_check install_watchdog_script
install_watchdog_script
function_check install_avahi
install_avahi
function_check create_avahi_onion_domains
create_avahi_onion_domains
#function_check install_atheros_wifi
#install_atheros_wifi
function_check route_outgoing_traffic_through_tor
route_outgoing_traffic_through_tor
function_check upgrade_golang
upgrade_golang
function_check install_tomb
install_tomb
function_check admin_user_sudo
admin_user_sudo
function_check limit_user_logins
limit_user_logins
function_check schedule_stig_tests
schedule_stig_tests
function_check create_usb_canary
create_usb_canary
}
function setup_email {
function_check create_completion_file
create_completion_file
function_check install_email
install_email
function_check create_procmail
create_procmail
function_check handle_admin_emails
handle_admin_emails
function_check spam_filtering
spam_filtering
function_check configure_imap
configure_imap
#function_check configure_imap_client_certs
#configure_imap_client_certs
function_check configure_gpg
configure_gpg
function_check refresh_gpg_keys
refresh_gpg_keys
function_check configure_backup_key
configure_backup_key
function_check install_monkeysphere
install_monkeysphere
function_check encrypt_incoming_email
encrypt_incoming_email
function_check encrypt_outgoing_email
encrypt_outgoing_email
function_check email_client
email_client
function_check email_archiving
email_archiving
function_check email_from_address
email_from_address
function_check create_public_mailing_list
#create_public_mailing_list
#function check create_private_mailing_list
#create_private_mailing_list
function_check encrypt_all_email
encrypt_all_email
function_check import_email
import_email
}
function setup_web {
function_check create_completion_file
create_completion_file
function_check install_web_server
install_web_server
function_check install_web_server_access_control
install_web_server_access_control
}
function upgrade_apps {
function_check create_completion_file
create_completion_file
APPS_COMPLETED=()
FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
# for all the app scripts
for filename in $FILES
do
app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
item_in_array "${app_name}" "${APPS_COMPLETED[@]}"
if [[ $? != 0 ]]; then
function_check app_is_installed
if [[ "$(app_is_installed $a)" == "1" ]]; then
echo ''
echo ''
echo $"Upgrading $a"
app_load_variables ${app_name}
APPS_COMPLETED+=("${app_name}")
function_check upgrade_${app_name}
upgrade_${app_name}
fi
fi
done
}
function setup_apps {
is_interactive=$1
function_check create_completion_file
create_completion_file
function_check detect_installable_apps
detect_installable_apps
function_check choose_apps_for_variant
choose_apps_for_variant "$SYSTEM_TYPE"
echo $"System variant: $SYSTEM_TYPE"
echo $'The following apps have been selected'
echo ''
function_check list_chosen_apps
list_chosen_apps
echo ''
function_check upgrade_apps
upgrade_apps
if [[ $is_interactive == "noninteractive" || $is_interactive == "headless" ]]; then
function_check install_apps
install_apps
if [ ! $APP_INSTALLED_SUCCESS ]; then
echo $'One or more apps failed to install'
fi
fi
}
function combine_all_scripts {
combined_filename=$1
# initial variables
cp $PROJECT_INSTALL_DIR/${PROJECT_NAME}-vars $combined_filename
# utilities
UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
for f in $UTILS_FILES
do
# this removes the first line, which is #!/bin/bash
tail -n +2 "$f" >> $combined_filename
done
# base system
BASE_SYSTEM_FILES=/usr/share/${PROJECT_NAME}/base/${PROJECT_NAME}-base-*
for f in $BASE_SYSTEM_FILES
do
tail -n +2 "$f" >> $combined_filename
done
# apps
APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
for f in $APP_FILES
do
tail -n +2 "$f" >> $combined_filename
done
}
# NOTE: deliberately no exit 0
Reference in New Issue View Git Blame Copy Permalink