free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
freedomboneeee/src/freedombone

11491 lines
495 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# This install script is intended for use with Debian Jessie
#
# License
# =======
#
# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
NO_OF_ARGS=$#
PROJECT_NAME='freedombone'
export TEXTDOMAIN=$PROJECT_NAME
export TEXTDOMAINDIR="/usr/share/locale"
DEFAULT_LANGUAGE=$(echo $LANG)
# username created by default within a debian image
GENERIC_IMAGE_USERNAME='fbone'
# Web site
PROJECT_WEBSITE="http://${PROJECT_NAME}.uk.to"
# Repo
PROJECT_REPO="https://github.com/bashrc/${PROJECT_NAME}"
# default search engine for command line browser
DEFAULT_SEARCH='https://searx.laquadrature.net'
# Are we installing on a Beaglebone Black (BBB) or some other system?
INSTALLING_ON_BBB="no"
# Version number of this script
VERSION="1.01"
# if yes then this minimises the number of descisions presented during install
MINIMAL_INSTALL="yes"
# Whether web sites will be .onion addresses only
ONION_ONLY="no"
# Different system variants which may be specified within
# the SYSTEM_TYPE option
VARIANT_FULL="full"
VARIANT_WRITER="writer"
VARIANT_CLOUD="cloud"
VARIANT_CHAT="chat"
VARIANT_MAILBOX="mailbox"
VARIANT_NONMAILBOX="nonmailbox"
VARIANT_SOCIAL="social"
VARIANT_MEDIA="media"
VARIANT_DEVELOPER="developer"
VARIANT_MESH="mesh"
DEFAULT_DOMAIN_NAME=
DEFAULT_DOMAIN_CODE=
MY_USERNAME=
SYSTEM_TYPE=$VARIANT_FULL
# whether the system is being installed from a pre-created configuration file
INSTALLING_FROM_CONFIGURATION_FILE="no"
# An optional configuration file which overrides some of these variables
CONFIGURATION_FILE="${PROJECT_NAME}.cfg"
SSH_PORT=2222
IRC_PORT=6697
IRC_ONION_PORT=6697
GO_VERSION=1.5
# password used for accessing your repo mirrors
MY_MIRRORS_PASSWORD=
# friend's repo mirrors
FRIENDS_MIRRORS_PASSWORD=
FRIENDS_MIRRORS_SERVER=
FRIENDS_MIRRORS_SSH_PORT=2222
# This isn't used here, but is included for mirrors creation purposes
LETSENCRYPT_REPO="https://github.com/letsencrypt/letsencrypt"
# An optional password to log into IRC. This applies to all users
IRC_PASSWORD=
# If this file exists it contains a global password used with
# disk image installs. This simplifies password management for
# deployment at scale
IMAGE_PASSWORD_FILE=/root/login.txt
# parameters used when adding a new domain
DDNS_PROVIDER="default@freedns.afraid.org"
DDNS_USERNAME=
DDNS_PASSWORD=
EXIM_ONION_REPO="https://github.com/petterreinholdtsen/exim4-smtorp"
NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir"
CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86'
INADYN_REPO="https://github.com/bashrc/inadyn"
INADYN_COMMIT='fadbe17f520d337dfb8d69ee4bf1fcaa23fce0d6'
# Minimum number of characters in a password
MINIMUM_PASSWORD_LENGTH=10
# number of CPU cores
CPU_CORES=1
# If the system is on an IPv6 network
IPV6_NETWORK='2001:470:26:307'
# The static IP address of the system within the local network
# By default the IP address is dynamic within your LAN
LOCAL_NETWORK_STATIC_IP_ADDRESS=
# IP address of the router (gateway)
ROUTER_IP_ADDRESS="192.168.1.254"
# DNS
NAMESERVER1='213.73.91.35'
NAMESERVER2='85.214.20.141'
# whether to route outgoing traffic through Tor
ROUTE_THROUGH_TOR="no"
# Why use Google as a time source?
# The thinking here is that it's likely to be reliable and fast.
# The ping doesn't reveal any information other than that the server
# is running, and if anyone maliciously alters the time on Google's
# servers then that would certainly be newsworthy and they'd be
# likely to do something about it quickly.
# If you have better time sources then change them here.
TLS_TIME_SOURCE1="google.com"
TLS_TIME_SOURCE2="www.ptb.de"
# The type of hardware random number generator being used
# This can be empty, "beaglebone" or "onerng"
HWRNG_TYPE=
# Download location for OneRNG driver
ONERNG_PACKAGE="onerng_3.4-1_all.deb"
ONERNG_PACKAGE_DOWNLOAD="https://github.com/OneRNG/onerng.github.io/blob/master/sw/$ONERNG_PACKAGE?raw=true"
# Hash for OneRNG driver
ONERNG_PACKAGE_HASH='78f1c2f52ae573e3b398a695ece7ab9f41868252657ea269f0d5cf0bd4f2eb59'
# device name for OneRNG
ONERNG_DEVICE='ttyACM0'
# Whether this system is being installed within a docker container
INSTALLED_WITHIN_DOCKER="no"
# If you want to run a public mailing list specify its name here.
# There should be no spaces in the name
PUBLIC_MAILING_LIST=
# Optional different domain name for the public mailing list
PUBLIC_MAILING_LIST_DOMAIN_NAME=
# Directory where the public mailing list data is stored
PUBLIC_MAILING_LIST_DIRECTORY="/var/spool/mlmmj"
# If you want to run an encrypted mailing list specify its name here.
# There should be no spaces in the name
PRIVATE_MAILING_LIST=
# Domain name for mediagoblin installation
MEDIAGOBLIN_DOMAIN_NAME=
MEDIAGOBLIN_CODE=
MEDIAGOBLIN_REPO="git://git.savannah.gnu.org/mediagoblin.git"
MEDIAGOBLIN_COMMIT='d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba'
MEDIAGOBLIN_ADMIN_PASSWORD=
MEDIAGOBLIN_ONION_PORT=8096
#mediadrop
MEDIA_SERVER_DOMAIN_NAME=
MEDIA_SERVER_CODE=
MEDIA_SERVER_BASE_DIRECTORY=/var/www/media
MEDIA_SERVER_WORKING_DIRECTORY=${MEDIA_SERVER_BASE_DIRECTORY}/mediadrop
MEDIA_SERVER_REPO="https://github.com/mediadrop/mediadrop"
MEDIA_SERVER_COMMIT='ad44f47d99b5d57d3396a3afb80d68a4a182dadd'
MEDIA_SERVER_ONION_PORT=8098
MEDIA_SERVER_ADMIN_PASSWORD=
# Domain name for microblog installation
MICROBLOG_DOMAIN_NAME=
MICROBLOG_CODE=
MICROBLOG_ONION_PORT=8087
MICROBLOG_REPO="https://git.gnu.io/gnu/gnu-social.git"
MICROBLOG_COMMIT='c67b89e56bf0f90730a9e22beca7e1bd41fc26c3'
MICROBLOG_ADMIN_PASSWORD=
MICROBLOG_THEME_REPO="https://git.gnu.io/h2p/Qvitter.git"
MICROBLOG_THEME_COMMIT='34510bcf37c727f91afad789fb0a531a45171ccf'
MICROBLOG_WELCOME_MESSAGE=$'<h1>Welcome to GNU Social a federated microblog</h1><p>Another Freedombone site</p>'
MICROBLOG_BACKGROUND_IMAGE_URL=
MICROBLOG_MARKDOWN_REPO="https://git.gnu.io/chimo/markdown.git"
MICROBLOG_MARKDOWN_COMMIT='03c53942f94b3376f0946e6e1fe566cc21ccf232'
# Sharings plugin for the microblog
SHARINGS_REPO="http://git.lasindias.club/bashrc/Sharings"
SHARINGS_COMMIT='d5c6c7f855d9afff9086c09ea706f38c859bc0d4'
SHARINGS_THEME_REPO="http://git.lasindias.club/manuel/SharingsTheme"
SHARINGS_THEME_COMMIT='7106c7ef03'
# Domain name for hubzilla installation
HUBZILLA_DOMAIN_NAME=
HUBZILLA_CODE=
HUBZILLA_ONION_PORT=8085
HUBZILLA_REPO="https://github.com/redmatrix/hubzilla.git"
HUBZILLA_THEMES_REPO="https://github.com/DeadSuperHero/redmatrix-themes"
HUBZILLA_ADDONS_REPO="https://github.com/redmatrix/hubzilla-addons.git"
HUBZILLA_ADMIN_PASSWORD=
HUBZILLA_COMMIT='2d79e75788aa71664a379c4cea0b6bfe3ab87ad0'
HUBZILLA_ADDONS_COMMIT='67b40c7a40f328a93ee030eb15e9e1261f3cba64'
# roundcube webmail
WEBMAIL_REPO="https://github.com/roundcube/roundcubemail"
WEBMAIL_COMMIT='78cf9c2e5cff2d78cd8beb647d60570f195a2a9c'
WEBMAIL_ONION_HOSTNAME=
WEBMAIL_ONION_PORT=8097
WEBMAIL_ADMIN_PASSWORD=
# Domain name for git hosting installation
GIT_DOMAIN_NAME=
GIT_CODE=
GIT_ONION_PORT=8090
GIT_DOMAIN_REPO="https://github.com/gogits/gogs"
GIT_ADMIN_PASSWORD=
GOGS_COMMIT='3fb4f7f4980b4339fd9ef6a3ba5b0acab83d264d'
GO_PACKAGE_MANAGER_REPO="https://github.com/gpmgo/gopm"
GVM_HOME=/home/git/gvm
GVM_REPO="https://github.com/moovweb/gvm"
GVM_COMMIT='25ea8ae158e2861c92e2b22c458e60840157832f'
# Syncthing
SYNCTHING_ID=
SYNCTHING_CONFIG_PATH=/root/.config/syncthing
SYNCTHING_CONFIG_FILE=$SYNCTHING_CONFIG_PATH/config.xml
SYNCTHING_RELAY_SERVER='https://relays.syncthing.net/endpoint'
SYNCTHING_RELEASES='https://api.github.com/repos/syncthing/syncthing/releases?per_page=30'
SYNCTHING_PORT=22000
SYNCTHING_SHARED_DATA=/var/lib/syncthing/SyncShared
SYNCTHING_USER_IDS_FILE='.syncthingids'
# Domain name for your wiki
WIKI_DOMAIN_NAME=
WIKI_ADMIN_PASSWORD=
WIKI_TITLE="${PROJECT_NAME} Wiki"
WIKI_CODE=
WIKI_ONION_PORT=8089
# Domain name for your blog
FULLBLOG_DOMAIN_NAME=
FULLBLOG_CODE=
FULLBLOG_ONION_PORT=8086
FULLBLOG_REPO="https://github.com/danpros/htmly"
FULLBLOG_COMMIT='bf5fe9486160be4da86d8987d3e5c977e1dc6d32'
MY_BLOG_TITLE="My Blog"
MY_BLOG_SUBTITLE="Another ${PROJECT_NAME} Blog"
# search engine
SEARCH_ENGINE_REPO="https://github.com/asciimoo/searx"
SEARCH_ENGINE_COMMIT='fee556c9904637051a9ba874ba7e71cd9f10789f'
SEARCH_ENGINE_PATH=/etc
SEARCH_ENGINE_ONION_PORT=8094
SEARCH_ENGINE_ONION_HOSTNAME=
SEARCH_ENGINE_LOGIN_TEXT=$"Search engine login"
SEARCH_ENGINE_PASSWORD=
GPG_KEYSERVER="hkp://keys.gnupg.net"
# whether to encrypt all incoming email with your public key
GPG_ENCRYPT_STORED_EMAIL="yes"
# gets set to yes if gpg keys are imported from usb
GPG_KEYS_IMPORTED="no"
# optionally you can provide your exported GPG key pair here
# Note that the private key file will be deleted after use
# If these are unspecified then a new GPG key will be created
MY_GPG_PUBLIC_KEY=
MY_GPG_PRIVATE_KEY=
# optionally specify your public key ID
MY_GPG_PUBLIC_KEY_ID=
# If you have existing mail within a Maildir
# you can specify the directory here and the files
# will be imported
IMPORT_MAILDIR=
# The Debian package repository to use.
DEBIAN_REPO="ftp.us.debian.org"
DEBIAN_VERSION="jessie"
# Directory where source code is downloaded and compiled
INSTALL_DIR=$HOME/build
# device name for an attached usb drive
USB_DRIVE=/dev/sda1
# Location where the USB drive is mounted to
USB_MOUNT=/mnt/usb
# name of a script used to upgrade the system
UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade"
# name of a script which keeps running processes going even if they crash
WATCHDOG_SCRIPT_NAME="keepon"
# Number of days to keep backups for
BACKUP_MAX_DAYS=30
# memory limit for php in MB
MAX_PHP_MEMORY=64
# default MariaDB password
MARIADB_PASSWORD=
# Directory where XMPP settings are stored
XMPP_DIRECTORY="/var/lib/prosody"
XMPP_PASSWORD=
# file containing a list of remote locations to backup to
# Format: [username@friendsdomain//home/username] [ssh_password]
# With the only space character being between the server and the password
FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
# list of encryption protocols
SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
# list of ciphers to use. See bettercrypto.org recommendations
SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
# ssh (from https://stribika.github.io/2015/01/04/secure-secure-shell.html)
SSH_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com"
SSH_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
SSH_HOST_KEY_ALGORITHMS="ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa"
# xmpp ciphers and curve
XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"'
XMPP_ECC_CURVE='"secp384r1"'
# the default email address
MY_EMAIL_ADDRESS=$MY_USERNAME@$DEFAULT_DOMAIN_NAME
# optionally specify your name to appear on the blog
MY_NAME=$DEFAULT_DOMAIN_NAME
export DEBIAN_FRONTEND=noninteractive
# logging level for Nginx
WEBSERVER_LOG_LEVEL='warn'
# used to limit CPU usage
CPULIMIT='/usr/bin/cpulimit -l 20 -e'
# command to create a git repository
CREATE_GIT_PROJECT_COMMAND='create-project'
# File which keeps track of what has already been installed
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
# Used to indicate whether the backup contains MariaDB databases or not
BACKUP_INCLUDES_DATABASES="no"
# contains the mysql root password which
# is used for backups and repair
DATABASE_PASSWORD_FILE=/root/dbpass
# log file where details of remote backups are stored
REMOTE_BACKUPS_LOG=/var/log/remotebackups.log
# message if something fails to install
CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."
# web site used to obtain the external IP address of the system
GET_IP_ADDRESS_URL="checkip.two-dns.de"
# Password used for VoIP server
VOIP_SERVER_PASSWORD=
# Port on which VoIP server listens
VOIP_PORT=64738
SIP_SERVER_PASSWORD=
SIP_PORT=5060
SIP_TLS_PORT=5061
VOIP_TURN_PORT=3478
VOIP_TURN_TLS_PORT=5349
VOIP_TURN_NONCE=
# Location of VoIP database and configuration
VOIP_DATABASE="mumble-server.sqlite"
VOIP_CONFIG_FILE="mumble-server.ini"
# other possible services to obtain the external IP address
EXTERNAL_IP_SERVICES=( \
'https://check.torproject.org/' \
'https://www.whatsmydns.net/whats-my-ip-address.html' \
'https://www.privateinternetaccess.com/pages/whats-my-ip/' \
'http://checkip.two-dns.de' \
'http://ip.dnsexit.com' \
'http://ifconfig.me/ip' \
'http://ipecho.net/plain' \
'http://checkip.dyndns.org/plain' \
'http://ipogre.com/linux.php' \
'http://whatismyipaddress.com/' \
'http://ip.my-proxy.com/' \
'http://websiteipaddress.com/WhatIsMyIp' \
'http://getmyipaddress.org/' \
'http://www.my-ip-address.net/' \
'http://myexternalip.com/raw' \
'http://www.canyouseeme.org/' \
'http://www.trackip.net/' \
'http://icanhazip.com/' \
'http://www.iplocation.net/' \
'http://www.howtofindmyipaddress.com/' \
'http://www.ipchicken.com/' \
'http://whatsmyip.net/' \
'http://www.ip-adress.com/' \
'http://checkmyip.com/' \
'http://www.tracemyip.org/' \
'http://checkmyip.net/' \
'http://www.lawrencegoetz.com/programs/ipinfo/' \
'http://www.findmyip.co/' \
'http://ip-lookup.net/' \
'http://www.dslreports.com/whois' \
'http://www.mon-ip.com/en/my-ip/' \
'http://www.myip.ru' \
'http://ipgoat.com/' \
'http://www.myipnumber.com/my-ip-address.asp' \
'http://www.whatsmyipaddress.net/' \
'http://formyip.com/' \
'http://www.displaymyip.com/' \
'http://www.bobborst.com/tools/whatsmyip/' \
'http://www.geoiptool.com/' \
'http://checkip.dyndns.com/' \
'http://myexternalip.com/' \
'http://www.ip-adress.eu/' \
'http://www.infosniper.net/' \
'http://wtfismyip.com/' \
'http://ipinfo.io/' \
'http://httpbin.org/ip')
WIFI_CHANNEL=2
WIFI_INTERFACE=wlan0
WIFI_TYPE='wpa2-psk'
WIFI_SSID=
WIFI_PASSPHRASE=
WIFI_HOTSPOT='no'
WIFI_NETWORKS_FILE=~/${PROJECT_NAME}-wifi.cfg
# cjdns settings
ENABLE_CJDNS="no"
CJDNS_PRIVATE_KEY=
CJDNS_PUBLIC_KEY=
CJDNS_IPV6=
CJDNS_PASSWORD=
CJDNS_PORT=
CJDNS_REPO="https://github.com/cjdelisle/cjdns.git"
CJDNS_COMMIT='13189fde111d0500427a7a0ce06a970753527bca'
CJDCMD_REPO="https://github.com/inhies/cjdcmd"
CJDCMD_COMMIT='973cca6ed0eecf9041c3403a40193c0b1291b808'
# B.A.T.M.A.N settings
ENABLE_BATMAN="no"
BATMAN_CELLID='any'
# Babel mesh
ENABLE_BABEL="no"
BABEL_PORT=6696
# social key management
ENABLE_SOCIAL_KEY_MANAGEMENT="no"
TOX_PORT=33445
TOXCORE_REPO="git://github.com/irungentoo/toxcore.git"
TOXCORE_COMMIT='532629d486e3361c7d8d95b38293cc7d61dc4ee5'
TOXID_REPO="https://github.com/bashrc/toxid"
TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt
# These are some default nodes, but you can replace them with trusted nodes
# as you prefer. See https://wiki.tox.im/Nodes
TOX_NODES=
#TOX_NODES=(
# '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US'
# '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE'
#)
TOXIC_REPO="https://github.com/Tox/toxic"
TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2'
TOXIC_FILE=/usr/local/bin/toxic
ZERONET_REPO="https://github.com/HelloZeroNet/ZeroNet.git"
ZERONET_COMMIT='675bd462556c541d65e2d95f91f899146a373aad'
ZERONET_BLOG_REPO="https://github.com/HelloZeroNet/ZeroBlog"
ZERONET_BLOG_COMMIT='bbb0d6c36465fed2e6df71f1aab45fcc9c6ad609'
ZERONET_MAIL_REPO="https://github.com/HelloZeroNet/ZeroMail"
ZERONET_MAIL_COMMIT='955af09d643c72b02e4983d71eca5c0c93a6c131'
ZERONET_FORUM_REPO="https://github.com/HelloZeroNet/ZeroTalk"
ZERONET_FORUM_COMMIT='e2d2c9cb1cfbfef91b244935efb5c14c2ad95faa'
ZERONET_URL=http://127.0.0.1:43110
ZERONET_PORT=15441
TRACKER_PORT=6969
ZERONET_DEFAULT_BLOG_TAGLINE="Blogging on the Mesh"
ZERONET_DEFAULT_FORUM_TAGLINE="A decentralized discussion group"
ZERONET_DEFAULT_MAIL_TAGLINE="Mail for the Mesh"
# https://github.com/ipfs/go-ipfs
IPFS_GO_REPO="https://github.com/ipfs/go-ipfs"
IPFS_COMMIT='20b06a4cbce8884f5b194da6e98cb11f2c77f166'
IPFS_PORT=4001
GPGIT_REPO="https://github.com/mikecardwell/gpgit"
GPGIT_COMMIT='583dc76119f19420f8a33f606744faa7c8922738'
# Default diffie-hellman key length in bits
DH_KEYLENGTH=2048
# repo for atheros AR9271 wifi driver
ATHEROS_WIFI_REPO="https://github.com/qca/open-ath9k-htc-firmware.git"
# Whether Let's Encrypt is enabled for all sites
LETSENCRYPT_ENABLED="no"
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
RSS_READER_REPO="https://tt-rss.org/git/tt-rss.git"
RSS_READER_COMMIT='9e84bab449f9ed55e02e60378b0af1521026f3b8'
RSS_READER_ADMIN_PASSWORD=
RSS_READER_ONION_PORT=8092
RSS_MOBILE_READER_ONION_PORT=8095
RSS_READER_DOMAIN_NAME=ttrss
RSS_MOBILE_READER_REPO="https://github.com/mboinet/ttrss-mobile"
RSS_MOBILE_READER_COMMIT='d5242e1c269e9480ab3b66b7a38da3c892dfb326'
RSS_READER_PATH=/etc/share/tt-rss
RSS_READER_GNUSOCIAL_REPO="https://github.com/bashrc/ttrss-gnusocial"
RSS_READER_GNUSOCIAL_COMMIT='8b92b8f5db7b0d12459c7bd86a50f48815efe642'
# refresh gpg keys every few hours
REFRESH_GPG_KEYS_HOURS=2
function show_help {
echo ''
echo $"${PROJECT_NAME} -c [configuration file]"
echo ''
echo $' -h --help Show help'
echo $' menuconfig Easy interactive installation'
echo $' menuconfig-full Full interactive installation'
echo $' menuconfig-onion Interactive installation for onion-only sites'
echo $' -c --config Installing from a configuration file'
echo $' --bbb Installing on Beaglebone Black'
echo $' -u --user User to install the system as'
echo $' -d --domain Default domain name'
echo $' -s --system System type'
echo $' --ip Static LAN IP address of the system'
echo $' --iprouter LAN IP address of the internet router'
echo $' --ddns Dynamic DNS provider domain'
echo $' --ddnsuser Dynamic DNS provider username'
echo $' --ddnspass Dynamic DNS provider password'
echo ''
echo $' --microblogdomain Microblog domain name'
echo $' --wikidomain Wiki domain name'
echo $' --blogdomain Blog domain name'
echo $' --hubzilladomain Hubzilla domain name'
echo $' --gitdomain Git hosting domain name'
echo $' -t --time Domain used as a TLS time source'
echo $' --ssh ssh port number'
echo $' --list Public mailing list name'
echo $' --cores Number of CPU cores'
echo $' --name Your name'
echo $' --email Your email address'
echo $' --usb Path for the USB drive (eg. /dev/sdb1)'
echo $' --cjdns Enable CJDNS'
echo $' --vpass VoIP server password'
echo $' --vport VoIP server port'
echo $' --ns1 First DNS nameserver'
echo $' --ns2 Second DNS nameserver'
echo $' --repo Debian repository'
echo ''
echo $'system types'
echo '------------'
echo $'This can either be blank if you wish to install the full system,'
echo $"or for more specialised variants you can specify '$VARIANT_MAILBOX', '$VARIANT_CLOUD',"
echo $"'$VARIANT_CHAT', '$VARIANT_SOCIAL', '$VARIANT_MEDIA', '$VARIANT_WRITER', '$VARIANT_DEVELOPER'"
echo $"or '$VARIANT_MESH'."
echo ''
echo $"If you wish to install everything except email then use the '$VARIANT_NONMAILBOX' variaint."
echo ''
exit 0
}
function git_clone {
repo_url="$1"
destination_dir="$2"
if [[ "$repo_url" == "ssh:"* ]]; then
if [ "${FRIENDS_MIRRORS_SERVER}" ]; then
if [ ${#FRIENDS_MIRRORS_SERVER} -gt 2 ]; then
if [ "$FRIENDS_MIRRORS_PASSWORD" ]; then
if [ ${#FRIENDS_MIRRORS_PASSWORD} -gt 2 ]; then
echo "sshpass -p \"$FRIENDS_MIRRORS_PASSWORD\" git clone $repo_url $destination_dir"
sshpass -p "$FRIENDS_MIRRORS_PASSWORD" git clone "$repo_url" "$destination_dir"
return
fi
fi
fi
fi
fi
echo "git clone $repo_url $destination_dir"
git clone "$repo_url" "$destination_dir"
}
function git_pull {
if [ ! $1 ]; then
echo $'git_pull no repo specified'
fi
git stash
git remote set-url origin $1
git checkout master
if [ "${FRIENDS_MIRRORS_SERVER}" ]; then
if [ ${#FRIENDS_MIRRORS_SERVER} -gt 2 ]; then
if [ "$FRIENDS_MIRRORS_PASSWORD" ]; then
if [ ${#FRIENDS_MIRRORS_PASSWORD} -gt 2 ]; then
sshpass -p "$FRIENDS_MIRRORS_PASSWORD" git pull
if [ $2 ]; then
git checkout $2 -b $2
fi
return
fi
fi
fi
fi
git pull
if [ $2 ]; then
# delete any existing branch
git branch -D $2
# check out the new branch
git checkout $2 -b $2
if [ ! "$?" = "0" ]; then
echo $"Unable to checkout $1 $2"
exit 72357
fi
fi
}
function remove_database {
app_name="$1"
if [ ! -d $INSTALL_DIR ]; then
mkdir $INSTALL_DIR
fi
echo "drop database ${app_name};
quit" > $INSTALL_DIR/batch.sql
chmod 600 $INSTALL_DIR/batch.sql
mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql
shred -zu $INSTALL_DIR/batch.sql
}
function create_database {
app_name="$1"
app_admin_password="$2"
app_admin_username=$3
if [ ! -d $INSTALL_DIR ]; then
mkdir $INSTALL_DIR
fi
if [ ! $app_admin_username ]; then
app_admin_username=${app_name}admin
fi
echo "create database ${app_name};
CREATE USER '$app_admin_username@localhost' IDENTIFIED BY '${app_admin_password}';
GRANT ALL PRIVILEGES ON ${app_name}.* TO '$app_admin_username@localhost';
quit" > $INSTALL_DIR/batch.sql
chmod 600 $INSTALL_DIR/batch.sql
mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql
shred -zu $INSTALL_DIR/batch.sql
}
function locale_setup {
if grep -Fxq "locale_setup" $COMPLETION_FILE; then
return
fi
apt-get -y install locales locales-all debconf
if [ ! "$DEFAULT_LANGUAGE" ]; then
DEFAULT_LANGUAGE='en_GB.UTF-8'
fi
if [ ${#DEFAULT_LANGUAGE} -lt 2 ]; then
DEFAULT_LANGUAGE='en_GB.UTF-8'
fi
update-locale LANG=${DEFAULT_LANGUAGE}
update-locale LANGUAGE=${DEFAULT_LANGUAGE}
update-locale LC_MESSAGES=${DEFAULT_LANGUAGE}
update-locale LC_ALL=${DEFAULT_LANGUAGE}
update-locale LC_CTYPE=${DEFAULT_LANGUAGE}
echo 'locale_setup' >> $COMPLETION_FILE
}
function interactive_configuration_remote_backups {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! -f /usr/local/bin/${PROJECT_NAME}-remote ]; then
if [ ! -f /usr/bin/${PROJECT_NAME}-remote ]; then
echo $"The command ${PROJECT_NAME}-remote was not found"
exit 87354
fi
fi
${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes
if [ ! "$?" = "0" ]; then
echo $'Command failed:'
echo ''
echo $" ${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes"
echo ''
exit 65892
fi
}
# test a domain name to see if it's valid
function validate_domain_name {
# count the number of dots in the domain name
dots=${TEST_DOMAIN_NAME//[^.]}
no_of_dots=${#dots}
if (( $no_of_dots > 3 )); then
TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"
fi
if (( $no_of_dots == 0 )); then
TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"
fi
}
function interactive_configuration {
if [ ! -f /usr/local/bin/${PROJECT_NAME}-config ]; then
if [ ! -f /usr/bin/${PROJECT_NAME}-config ]; then
echo $"The command ${PROJECT_NAME}-config was not found"
exit 63935
fi
fi
if [ -f /tmp/meshuserdevice ]; then
rm -f /tmp/meshuserdevice
fi
if [[ $ONION_ONLY == "no" ]]; then
if [[ $MINIMAL_INSTALL == "no" ]]; then
${PROJECT_NAME}-config \
-f $CONFIGURATION_FILE \
-w $PROJECT_WEBSITE \
-m $MINIMUM_PASSWORD_LENGTH
else
${PROJECT_NAME}-config \
-f $CONFIGURATION_FILE \
-w $PROJECT_WEBSITE \
-m $MINIMUM_PASSWORD_LENGTH \
--minimal "yes"
fi
else
${PROJECT_NAME}-config \
-f $CONFIGURATION_FILE \
-w $PROJECT_WEBSITE \
-m $MINIMUM_PASSWORD_LENGTH \
--onion "yes"
fi
if [ -f /tmp/meshuserdevice ]; then
# mesh network user device installation
rm -f /tmp/meshuserdevice
exit 0
fi
if [ ! "$?" = "0" ]; then
echo $'Command failed:'
echo ''
echo $" ${PROJECT_NAME}-config -u $MY_USERNAME -f $CONFIGURATION_FILE -w $PROJECT_WEBSITE -b $PROJECT_BITMESSAGE -m $MINIMUM_PASSWORD_LENGTH --minimal [yes|no]"
echo ''
exit 73594
fi
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
dialog --title $"Encrypted backup to other servers" \
--backtitle $"${PROJECT_NAME} Configuration" \
--defaultno \
--yesno $"\nDo you wish to configure some remote backup locations?" 7 60
sel=$?
case $sel in
0) interactive_configuration_remote_backups;;
esac
fi
}
command_options=$1
if [[ $command_options == "menuconfig-full" ]]; then
MINIMAL_INSTALL="no"
command_options="menuconfig"
fi
if [[ $command_options == "menuconfig-onion" ]]; then
MINIMAL_INSTALL="yes"
ONION_ONLY="yes"
command_options="menuconfig"
fi
if [[ $command_options == "menuconfig" ]]; then
interactive_configuration
else
while [[ $# > 1 ]]
do
key="$1"
case $key in
-h|--help)
show_help
;;
# load a configuration file
-c|--config)
shift
CONFIGURATION_FILE="$1"
INSTALLING_FROM_CONFIGURATION_FILE="yes"
break
;;
# username within /home
-u|--user)
shift
MY_USERNAME="$1"
;;
# microblog domain name
--microblogdomain)
shift
MICROBLOG_DOMAIN_NAME="$1"
;;
# wiki domain name
--wikidomain)
shift
WIKI_DOMAIN_NAME="$1"
;;
# blog domain name
--blogdomain)
shift
FULLBLOG_DOMAIN_NAME="$1"
;;
# hubzilla domain name
--hubzilladomain)
shift
HUBZILLA_DOMAIN_NAME="$1"
;;
# git hosting domain name
--gitdomain)
shift
GIT_DOMAIN_NAME="$1"
;;
# default domain name
-d|--domain)
shift
DEFAULT_DOMAIN_NAME="$1"
;;
# The type of system
-s|--system)
shift
SYSTEM_TYPE="$1"
;;
# The dynamic DNS provider
--ddns)
shift
DDNS_PROVIDER="$1"
;;
# Username for the synamic DNS provider
--ddnsuser)
shift
DDNS_USERNAME="$1"
;;
# Password for the synamic DNS provider
--ddnspass)
shift
DDNS_PASSWORD="$1"
;;
# Whether this installation is on a Beaglebone Black
--bbb)
INSTALLING_ON_BBB="yes"
;;
# Domain name to use as a TLS time source
-t|--time)
shift
TLS_TIME_SOURCE1="$1"
;;
# Static IP address for the system
--ip)
shift
LOCAL_NETWORK_STATIC_IP_ADDRESS=$1
;;
# IP address for the internet router
--iprouter)
shift
ROUTER_IP_ADDRESS=$1
;;
# ssh port
--ssh)
shift
SSH_PORT=$1
;;
# public mailing list name
--list)
shift
PUBLIC_MAILING_LIST="$1"
;;
# Number of CPU cores
--cores)
shift
CPU_CORES=$1
;;
# my name
--name)
shift
MY_NAME="$1"
;;
# my email address
--email)
shift
MY_EMAIL_ADDRESS="$1"
;;
# USB drive
--usb)
shift
USB_DRIVE=$1
;;
# Enable CJDNS
--cjdns)
shift
ENABLE_CJDNS="yes"
;;
# Enable B.A.T.M.A.N
--batman)
shift
ENABLE_BATMAN="yes"
;;
# Enable Babel
--babel)
shift
ENABLE_BABEL="yes"
;;
# VoIP server password
--vpass)
shift
VOIP_SERVER_PASSWORD=$1
;;
# VoIP server port
--vport)
shift
VOIP_PORT=$1
;;
# DNS Nameserver 1
--ns1)
shift
NAMESERVER1=$1
;;
# DNS Nameserver 2
--ns2)
shift
NAMESERVER2=$1
;;
# Debian repository
--repo)
shift
DEBIAN_REPO=$1
;;
# minimal install
--minimal)
shift
MINIMAL_INSTALL=$1
;;
*)
# unknown option
;;
esac
shift
done
fi
function parse_args {
if [[ $NO_OF_ARGS == 0 ]]; then
echo 'no_of_args = 0'
show_help
exit 0
fi
if [ ! -d /home/$MY_USERNAME ]; then
echo $"There is no user '$MY_USERNAME' on the system. Use 'adduser $MY_USERNAME' to create the user."
exit 1
fi
if [ ! "$DEFAULT_DOMAIN_NAME" ]; then
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
echo 'No default domain specified'
show_help
exit 2
fi
fi
if [ ! $MY_USERNAME ]; then
echo 'No username specified'
show_help
exit 3
fi
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
if [[ $ONION_ONLY == "no" ]]; then
if [ ! $DDNS_USERNAME ]; then
echo $'Please provide the username for your dynamic DNS provider with the --ddnsuser option'
exit 7823
fi
if [ ! $DDNS_PASSWORD ]; then
echo $'Please provide the password for your dynamic DNS provider with the --ddnspass option'
exit 6382
fi
fi
fi
if [ ! $SYSTEM_TYPE ]; then
SYSTEM_TYPE=$VARIANT_FULL
fi
if [[ $SYSTEM_TYPE != $VARIANT_WRITER && $SYSTEM_TYPE != $VARIANT_CLOUD && $SYSTEM_TYPE != $VARIANT_CHAT && $SYSTEM_TYPE != $VARIANT_MAILBOX && $SYSTEM_TYPE != $VARIANT_NONMAILBOX && $SYSTEM_TYPE != $VARIANT_SOCIAL && $SYSTEM_TYPE != $VARIANT_MEDIA && $SYSTEM_TYPE != $VARIANT_DEVELOPER && $SYSTEM_TYPE != $VARIANT_MESH && $SYSTEM_TYPE != $VARIANT_FULL ]]; then
echo $"'$SYSTEM_TYPE' is an unrecognised ${PROJECT_NAME} variant."
exit 30
fi
}
function read_repo_servers {
if [ -f $CONFIGURATION_FILE ]; then
if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
fi
if [ ! $FRIENDS_MIRRORS_SERVER ]; then
return
fi
if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then
return
fi
MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME}
if [ ! -f $MAIN_COMMAND ]; then
MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
fi
REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g'))
for line in "${REPOS[@]}"
do
repo_name=$(echo "$line" | awk -F '=' '{print $1}')
mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
${repo_name}="${friends_repo_url}"
done
}
function read_configuration {
# if not installing on a Beaglebone then use sdb as the USB drive by default
if [ ! $INSTALLING_ON_BBB ]; then
if [[ $USB_DRIVE == /dev/sda1 ]]; then
USB_DRIVE=/dev/sdb1
fi
fi
if [[ $INSTALLING_FROM_CONFIGURATION_FILE == "yes" ]]; then
if [ ! -f $CONFIGURATION_FILE ]; then
echo $"The configuration file $CONFIGURATION_FILE was not found"
exit 8935
fi
fi
if [ -f $CONFIGURATION_FILE ]; then
read_repo_servers
# Ensure that a copy of the config exists for upgrade purposes
if [[ $CONFIGURATION_FILE != "/root/${PROJECT_NAME}.cfg" ]]; then
cp $CONFIGURATION_FILE /root/${PROJECT_NAME}.cfg
fi
if grep -q "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE; then
REFRESH_GPG_KEYS_HOURS=$(grep "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WEBMAIL_REPO" $CONFIGURATION_FILE; then
WEBMAIL_REPO=$(grep "WEBMAIL_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WEBMAIL_COMMIT" $CONFIGURATION_FILE; then
WEBMAIL_COMMIT=$(grep "WEBMAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then
WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_SSID" $CONFIGURATION_FILE; then
WIFI_SSID=$(grep "WIFI_SSID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_TYPE" $CONFIGURATION_FILE; then
WIFI_TYPE=$(grep "WIFI_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_PASSPHRASE" $CONFIGURATION_FILE; then
WIFI_PASSPHRASE=$(grep "WIFI_PASSPHRASE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_HOTSPOT" $CONFIGURATION_FILE; then
WIFI_HOTSPOT=$(grep "WIFI_HOTSPOT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE; then
WIFI_NETWORKS_FILE=$(grep "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYNCTHING_ID" $CONFIGURATION_FILE; then
SYNCTHING_ID=$(grep "SYNCTHING_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE; then
SYNCTHING_CONFIG_PATH=$(grep "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE; then
SYNCTHING_CONFIG_FILE=$(grep "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE; then
SYNCTHING_RELAY_SERVER=$(grep "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYNCTHING_RELEASES" $CONFIGURATION_FILE; then
SYNCTHING_RELEASES=$(grep "SYNCTHING_RELEASES" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYNCTHING_PORT" $CONFIGURATION_FILE; then
SYNCTHING_PORT=$(grep "SYNCTHING_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE; then
SYNCTHING_SHARED_DATA=$(grep "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "VOIP_TURN_PORT" $CONFIGURATION_FILE; then
VOIP_TURN_PORT=$(grep "VOIP_TURN_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE; then
VOIP_TURN_TLS_PORT=$(grep "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "VOIP_TURN_NONCE" $CONFIGURATION_FILE; then
VOIP_TURN_NONCE=$(grep "VOIP_TURN_NONCE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DEFAULT_SEARCH" $CONFIGURATION_FILE; then
DEFAULT_SEARCH=$(grep "DEFAULT_SEARCH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE; then
SEARCH_ENGINE_PASSWORD=$(grep "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "XMPP_PASSWORD" $CONFIGURATION_FILE; then
XMPP_PASSWORD=$(grep "XMPP_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "RSS_READER_REPO" $CONFIGURATION_FILE; then
RSS_READER_REPO=$(grep "RSS_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE; then
RSS_MOBILE_READER_REPO=$(grep "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "RSS_READER_COMMIT" $CONFIGURATION_FILE; then
RSS_READER_COMMIT=$(grep "RSS_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE; then
RSS_MOBILE_READER_COMMIT=$(grep "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE; then
RSS_READER_ADMIN_PASSWORD=$(grep "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE; then
RSS_READER_DOMAIN_NAME=$(grep "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE; then
MICROBLOG_BACKGROUND_IMAGE_URL=$(grep "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE; then
MICROBLOG_WELCOME_MESSAGE=$(grep "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "PROJECT_WEBSITE" $CONFIGURATION_FILE; then
PROJECT_WEBSITE=$(grep "PROJECT_WEBSITE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "PROJECT_REPO" $CONFIGURATION_FILE; then
PROJECT_REPO=$(grep "PROJECT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ONION_ONLY" $CONFIGURATION_FILE; then
ONION_ONLY=$(grep "ONION_ONLY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "IRC_PASSWORD" $CONFIGURATION_FILE; then
IRC_PASSWORD=$(grep "IRC_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DEFAULT_LANGUAGE" $CONFIGURATION_FILE; then
DEFAULT_LANGUAGE=$(grep "DEFAULT_LANGUAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MINIMAL_INSTALL" $CONFIGURATION_FILE; then
MINIMAL_INSTALL=$(grep "MINIMAL_INSTALL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then
LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FULLBLOG_REPO" $CONFIGURATION_FILE; then
FULLBLOG_REPO=$(grep "FULLBLOG_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FULLBLOG_COMMIT" $CONFIGURATION_FILE; then
FULLBLOG_COMMIT=$(grep "FULLBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GOGS_COMMIT" $CONFIGURATION_FILE; then
GOGS_COMMIT=$(grep "GOGS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TOXCORE_COMMIT" $CONFIGURATION_FILE; then
TOXCORE_COMMIT=$(grep "TOXCORE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TOXIC_COMMIT" $CONFIGURATION_FILE; then
TOXIC_COMMIT=$(grep "TOXIC_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GPGIT_REPO" $CONFIGURATION_FILE; then
GPGIT_REPO=$(grep "GPGIT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GPGIT_COMMIT" $CONFIGURATION_FILE; then
GPGIT_COMMIT=$(grep "GPGIT_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "HUBZILLA_REPO" $CONFIGURATION_FILE; then
HUBZILLA_REPO=$(grep "HUBZILLA_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then
HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "IPFS_COMMIT" $CONFIGURATION_FILE; then
IPFS_COMMIT=$(grep "IPFS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE; then
ZERONET_BLOG_COMMIT=$(grep "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE; then
ZERONET_MAIL_COMMIT=$(grep "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE; then
ZERONET_FORUM_COMMIT=$(grep "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MICROBLOG_COMMIT" $CONFIGURATION_FILE; then
MICROBLOG_COMMIT=$(grep "MICROBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "NGINX_ENSITE_REPO" $CONFIGURATION_FILE; then
NGINX_ENSITE_REPO=$(grep "NGINX_ENSITE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE; then
NGINX_ENSITE_COMMIT=$(grep "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE; then
CLEANUP_MAILDIR_COMMIT=$(grep "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE; then
CLEANUP_MAILDIR_REPO=$(grep "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ZERONET_COMMIT" $CONFIGURATION_FILE; then
ZERONET_COMMIT=$(grep "ZERONET_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "INADYN_REPO" $CONFIGURATION_FILE; then
INADYN_REPO=$(grep "INADYN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "INADYN_COMMIT" $CONFIGURATION_FILE; then
INADYN_COMMIT=$(grep "INADYN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GPG_KEYSERVER" $CONFIGURATION_FILE; then
GPG_KEYSERVER=$(grep "GPG_KEYSERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "IPFS_PORT" $CONFIGURATION_FILE; then
IPFS_PORT=$(grep "IPFS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TRACKER_PORT" $CONFIGURATION_FILE; then
TRACKER_PORT=$(grep "TRACKER_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ZERONET_PORT" $CONFIGURATION_FILE; then
ZERONET_PORT=$(grep "ZERONET_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DH_KEYLENGTH" $CONFIGURATION_FILE; then
DH_KEYLENGTH=$(grep "DH_KEYLENGTH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "IRC_PORT" $CONFIGURATION_FILE; then
IRC_PORT=$(grep "IRC_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_CHANNEL" $CONFIGURATION_FILE; then
WIFI_CHANNEL=$(grep "WIFI_CHANNEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "BATMAN_CELLID" $CONFIGURATION_FILE; then
BATMAN_CELLID=$(grep "BATMAN_CELLID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TOX_PORT" $CONFIGURATION_FILE; then
TOX_PORT=$(grep "TOX_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TOX_NODES" $CONFIGURATION_FILE; then
TOX_NODES=$(grep "TOX_NODES" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TOXCORE_REPO" $CONFIGURATION_FILE; then
TOXCORE_REPO=$(grep "TOXCORE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE; then
ENABLE_SOCIAL_KEY_MANAGEMENT=$(grep "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "IPV6_NETWORK" $CONFIGURATION_FILE; then
IPV6_NETWORK=$(grep "IPV6_NETWORK" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "HWRNG_TYPE" $CONFIGURATION_FILE; then
HWRNG_TYPE=$(grep "HWRNG_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIA_SERVER_ADMIN_PASSWORD" $CONFIGURATION_FILE; then
MEDIA_SERVER_ADMIN_PASSWORD=$(grep "MEDIA_SERVER_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIA_SERVER_DOMAIN_NAME" $CONFIGURATION_FILE; then
MEDIA_SERVER_DOMAIN_NAME=$(grep "MEDIA_SERVER_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIA_SERVER_CODE" $CONFIGURATION_FILE; then
MEDIA_SERVER_CODE=$(grep "MEDIA_SERVER_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIA_SERVER_REPO" $CONFIGURATION_FILE; then
MEDIA_SERVER_REPO=$(grep "MEDIA_SERVER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIA_SERVER_COMMIT" $CONFIGURATION_FILE; then
MEDIA_SERVER_COMMIT=$(grep "MEDIA_SERVER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE; then
MEDIAGOBLIN_DOMAIN_NAME=$(grep "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE; then
MEDIAGOBLIN_CODE=$(grep "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE; then
MEDIAGOBLIN_REPO=$(grep "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE; then
MEDIAGOBLIN_COMMIT=$(grep "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE; then
GIT_ADMIN_PASSWORD=$(grep "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GIT_DOMAIN_NAME" $CONFIGURATION_FILE; then
GIT_DOMAIN_NAME=$(grep "GIT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GIT_CODE" $CONFIGURATION_FILE; then
GIT_CODE=$(grep "GIT_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SYSTEM_TYPE" $CONFIGURATION_FILE; then
SYSTEM_TYPE=$(grep "SYSTEM_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSL_PROTOCOLS" $CONFIGURATION_FILE; then
SSL_PROTOCOLS=$(grep "SSL_PROTOCOLS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSL_CIPHERS" $CONFIGURATION_FILE; then
SSL_CIPHERS=$(grep "SSL_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSH_CIPHERS" $CONFIGURATION_FILE; then
SSH_CIPHERS=$(grep "SSH_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSH_MACS" $CONFIGURATION_FILE; then
SSH_MACS=$(grep "SSH_MACS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSH_KEX" $CONFIGURATION_FILE; then
SSH_KEX=$(grep "SSH_KEX" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE; then
SSH_HOST_KEY_ALGORITHMS=$(grep "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSH_PASSWORDS" $CONFIGURATION_FILE; then
SSH_PASSWORDS=$(grep "SSH_PASSWORDS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "XMPP_CIPHERS" $CONFIGURATION_FILE; then
XMPP_CIPHERS=$(grep "XMPP_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "XMPP_ECC_CURVE" $CONFIGURATION_FILE; then
XMPP_ECC_CURVE=$(grep "XMPP_ECC_CURVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then
MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DOMAIN_NAME" $CONFIGURATION_FILE; then
# for backwards compatability
DEFAULT_DOMAIN_NAME=$(grep "DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE; then
DEFAULT_DOMAIN_CODE=$(grep "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "NAMESERVER1" $CONFIGURATION_FILE; then
NAMESERVER1=$(grep "NAMESERVER1" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "NAMESERVER2" $CONFIGURATION_FILE; then
NAMESERVER2=$(grep "NAMESERVER2" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DEBIAN_REPO" $CONFIGURATION_FILE; then
DEBIAN_REPO=$(grep "DEBIAN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
CHECK_MESSAGE=$"Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."
fi
if grep -q "VOIP_PORT" $CONFIGURATION_FILE; then
VOIP_PORT=$(grep "VOIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then
VOIP_SERVER_PASSWORD=$(grep "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SIP_PORT" $CONFIGURATION_FILE; then
SIP_PORT=$(grep "SIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SIP_TLS_PORT" $CONFIGURATION_FILE; then
SIP_TLS_PORT=$(grep "SIP_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then
SIP_SERVER_PASSWORD=$(grep "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE; then
GET_IP_ADDRESS_URL=$(grep "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DDNS_PROVIDER" $CONFIGURATION_FILE; then
DDNS_PROVIDER=$(grep "DDNS_PROVIDER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DDNS_USERNAME" $CONFIGURATION_FILE; then
DDNS_USERNAME=$(grep "DDNS_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "DDNS_PASSWORD" $CONFIGURATION_FILE; then
DDNS_PASSWORD=$(grep "DDNS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE; then
LOCAL_NETWORK_STATIC_IP_ADDRESS=$(grep "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ENABLE_BABEL" $CONFIGURATION_FILE; then
ENABLE_BABEL=$(grep "ENABLE_BABEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ENABLE_BATMAN" $CONFIGURATION_FILE; then
ENABLE_BATMAN=$(grep "ENABLE_BATMAN" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ENABLE_CJDNS" $CONFIGURATION_FILE; then
ENABLE_CJDNS=$(grep "ENABLE_CJDNS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "CJDNS_COMMIT" $CONFIGURATION_FILE; then
CJDNS_COMMIT=$(grep "CJDNS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "CJDNS_IPV6" $CONFIGURATION_FILE; then
CJDNS_IPV6=$(grep "CJDNS_IPV6" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE; then
CJDNS_PUBLIC_KEY=$(grep "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE; then
CJDNS_PRIVATE_KEY=$(grep "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE; then
ROUTER_IP_ADDRESS=$(grep "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "CPU_CORES" $CONFIGURATION_FILE; then
CPU_CORES=$(grep "CPU_CORES" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE; then
WEBSERVER_LOG_LEVEL=$(grep "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE; then
ROUTE_THROUGH_TOR=$(grep "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIKI_TITLE" $CONFIGURATION_FILE; then
WIKI_TITLE=$(grep "WIKI_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_NAME" $CONFIGURATION_FILE; then
MY_NAME=$(grep "MY_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE; then
MY_EMAIL_ADDRESS=$(grep "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "INSTALLING_ON_BBB" $CONFIGURATION_FILE; then
INSTALLING_ON_BBB=$(grep "INSTALLING_ON_BBB" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "SSH_PORT" $CONFIGURATION_FILE; then
SSH_PORT=$(grep "SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE; then
INSTALLED_WITHIN_DOCKER=$(grep "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE; then
PUBLIC_MAILING_LIST=$(grep "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then
MICROBLOG_DOMAIN_NAME=$(grep "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MICROBLOG_CODE" $CONFIGURATION_FILE; then
MICROBLOG_CODE=$(grep "MICROBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE; then
HUBZILLA_DOMAIN_NAME=$(grep "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "HUBZILLA_CODE" $CONFIGURATION_FILE; then
HUBZILLA_CODE=$(grep "HUBZILLA_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE; then
WIKI_DOMAIN_NAME=$(grep "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIKI_CODE" $CONFIGURATION_FILE; then
WIKI_CODE=$(grep "WIKI_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then
FULLBLOG_DOMAIN_NAME=$(grep "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FULLBLOG_CODE" $CONFIGURATION_FILE; then
FULLBLOG_CODE=$(grep "FULLBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_BLOG_TITLE" $CONFIGURATION_FILE; then
MY_BLOG_TITLE=$(grep "MY_BLOG_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE; then
MY_BLOG_SUBTITLE=$(grep "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE; then
GPG_ENCRYPT_STORED_EMAIL=$(grep "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE; then
MY_GPG_PUBLIC_KEY=$(grep "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE; then
MY_GPG_PRIVATE_KEY=$(grep "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE; then
MY_GPG_PUBLIC_KEY_ID=$(grep "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "USB_DRIVE" $CONFIGURATION_FILE; then
USB_DRIVE=$(grep "USB_DRIVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MAX_PHP_MEMORY" $CONFIGURATION_FILE; then
MAX_PHP_MEMORY=$(grep "MAX_PHP_MEMORY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TLS_TIME_SOURCE1" $CONFIGURATION_FILE; then
TLS_TIME_SOURCE1=$(grep "TLS_TIME_SOURCE1" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "TLS_TIME_SOURCE2" $CONFIGURATION_FILE; then
TLS_TIME_SOURCE2=$(grep "TLS_TIME_SOURCE2" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
fi
echo "System type: $SYSTEM_TYPE"
}
function set_default_onion_domains {
# If sites are only visible via Tor then for installation
# purposes assign them some default domain names
if [[ $ONION_ONLY == "no" ]]; then
return
fi
if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then
MICROBLOG_DOMAIN_NAME='microblog.local'
fi
if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then
FULLBLOG_DOMAIN_NAME='blog.local'
fi
if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then
WIKI_DOMAIN_NAME='wiki.local'
fi
if [ ${#DEFAULT_DOMAIN_NAME} -gt 1 ]; then
DEFAULT_DOMAIN_NAME="${PROJECT_NAME}.local"
fi
if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
GIT_DOMAIN_NAME='git.local'
fi
if [ ${#MEDIAGOBLIN_DOMAIN_NAME} -gt 1 ]; then
MEDIAGOBLIN_DOMAIN_NAME='media.local'
fi
}
function nginx_disable_sniffing {
domain_name=$1
filename=/etc/nginx/sites-available/$domain_name
echo ' add_header X-Frame-Options DENY;' >> $filename
echo ' add_header X-Content-Type-Options nosniff;' >> $filename
echo '' >> $filename
}
function nginx_limits {
domain_name=$1
max_body='20m'
if [ $2 ]; then
max_body=$2
fi
filename=/etc/nginx/sites-available/$domain_name
echo " client_max_body_size ${max_body};" >> $filename
echo ' client_body_buffer_size 128k;' >> $filename
echo '' >> $filename
echo ' limit_conn conn_limit_per_ip 10;' >> $filename
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename
echo '' >> $filename
}
function nginx_http_redirect {
# redirect port 80 to https
domain_name=$1
filename=/etc/nginx/sites-available/$domain_name
echo 'server {' > $filename
echo ' listen 80;' >> $filename
echo ' listen [::]:80;' >> $filename
echo " server_name ${domain_name};" >> $filename
echo " root /var/www/${domain_name}/htdocs;" >> $filename
echo ' access_log off;' >> $filename
echo " error_log /var/log/nginx/${domain_name}_error.log $WEBSERVER_LOG_LEVEL;" >> $filename
nginx_limits $domain_name
echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> $filename
echo '}' >> $filename
echo '' >> $filename
}
function nginx_ssl {
# creates the SSL/TLS section for a website
domain_name=$1
filename=/etc/nginx/sites-available/$domain_name
echo ' ssl on;' >> $filename
echo " ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename
echo " ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename
echo " ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
echo '' >> $filename
echo ' ssl_session_timeout 60m;' >> $filename
echo ' ssl_prefer_server_ciphers on;' >> $filename
echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename
echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename
}
function rss_reader_modifications {
# modify the rss reader to use a socks5 proxy rather than a http proxy
if [ ! -d $RSS_READER_PATH ]; then
return
fi
# ensure that socks5 proxy is used
if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/plugins/af_unburn/init.php; then
sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/plugins/af_unburn/init.php
fi
if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/include/functions.php; then
sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/include/functions.php
fi
chown -R www-data:www-data $RSS_READER_PATH
chmod a+x $RSS_READER_PATH
}
function set_repo_commit {
repo_dir=$1
repo_commit_name=$2
repo_commit=$3
repo_url=$4
if [ -d $repo_dir ]; then
if grep -q "$repo_commit_name" $COMPLETION_FILE; then
CURRENT_REPO_COMMIT=$(grep "$repo_commit_name" $COMPLETION_FILE | awk -F ':' '{print $2}')
if [[ "$CURRENT_REPO_COMMIT" != "$repo_commit" ]]; then
cd $repo_dir
git_pull $repo_url $repo_commit
sed -i "s/${repo_commit_name}.*/${repo_commit_name}:$repo_commit/g" $COMPLETION_FILE
# application specific stuff after updating the repo
if [[ $repo_dir == *"www"* ]]; then
chown -R www-data:www-data $repo_dir
fi
if [[ $repo_dir == *"cjdns" ]]; then
./do
fi
if [[ $repo_dir == *"gpgit" ]]; then
cp gpgit.pl /usr/bin/gpgit.pl
fi
if [[ $repo_dir == *"cleanup-maildir" ]]; then
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
fi
if [[ $repo_dir == *"nginx_ensite" ]]; then
make install
fi
if [[ $repo_dir == *"gogs" ]]; then
git checkout master
go get -u ./...
if [ ! "$?" = "0" ]; then
echo $'Failed to get gogs'
exit 52792
fi
git checkout $repo_commit
go build
if [ ! "$?" = "0" ]; then
echo $'Failed to build gogs'
exit 36226
fi
systemctl restart gogs
fi
if [[ $repo_dir == *"toxcore" ]]; then
sed -i 's|ExecStart=.*|ExecStart=/usr/local/bin/tox-bootstrapd --config /etc/tox-bootstrapd.conf|g' $rootdir/etc/systemd/system/tox-bootstrapd.service
autoreconf -i
./configure --enable-daemon
make
make install
systemctl daemon-reload
systemctl restart tox-bootstrapd.service
fi
if [[ $repo_dir == *"toxic" ]]; then
make
make install
fi
if [[ $repo_dir == $RSS_READER_PATH ]]; then
rss_reader_modifications
fi
if [[ $repo_dir == *"inadyn" ]]; then
./configure
USE_OPENSSL=1 make
make install
systemctl restart inadyn
fi
if [[ $repo_dir == *"ipfs" ]]; then
chown -R git:git /home/git
systemctl restart ipfs
systemctl daemon-reload
fi
fi
else
echo "${repo_commit_name}:${repo_commit}" >> $COMPLETION_FILE
fi
fi
}
function wait_for_onion_service {
onion_service_name="$1"
sleep_ctr=0
while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do
sleep 1
sleep_ctr=$((sleep_ctr + 1))
if [ $sleep_ctr -gt 10 ]; then
break
fi
done
if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
# restart and try a second time
systemctl restart tor
sleep_ctr=0
while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do
sleep 1
sleep_ctr=$((sleep_ctr + 1))
if [ $sleep_ctr -gt 10 ]; then
break
fi
done
fi
}
function add_onion_service {
onion_service_name="$1"
onion_service_port_from=$2
onion_service_port_to=$3
if [ -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname)
return
fi
if [ ! -d /var/lib/tor ]; then
echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured."
exit 877367
fi
if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then
echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc
echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> /etc/tor/torrc
fi
systemctl restart tor
wait_for_onion_service ${onion_service_name}
if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
echo $"${onion_service_name} onion site hostname not found"
exit 76362
fi
echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname)
}
function setup_wifi {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $WIFI_SSID ]; then
return
fi
if [ ${#WIFI_SSID} -lt 2 ]; then
return
fi
if grep -Fxq "setup_wifi" $COMPLETION_FILE; then
return
fi
HOTSPOT='no'
if [[ $WIFI_HOTSPOT != 'no' ]]; then
HOTSPOT='yes'
fi
if [ -f $WIFI_NETWORKS_FILE ]; then
${PROJECT_NAME}-wifi -i $WIFI_INTERFACE --networks $WIFI_NETWORKS_FILE
echo 'setup_wifi' >> $COMPLETION_FILE
return
fi
if [[ $WIFI_TYPE != 'none' ]]; then
if [ ! $WIFI_PASSPHRASE ]; then
echo $'No wifi passphrase was given'
return
fi
if [ ${#WIFI_PASSPHRASE} -lt 2 ]; then
echo $'Wifi passphrase was too short'
return
fi
${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE -p $WIFI_PASSPHRASE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE
else
${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE
fi
echo 'setup_wifi' >> $COMPLETION_FILE
}
function create_avahi_onion_domains {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! -d /etc/avahi/services ]; then
return
fi
if [ $MICROBLOG_DOMAIN_NAME ]; then
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /etc/avahi/services/microblog.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /etc/avahi/services/microblog.service
echo '<service-group>' >> /etc/avahi/services/microblog.service
echo ' <name replace-wildcards="yes">%h HTTP</name>' >> /etc/avahi/services/microblog.service
echo ' <service>' >> /etc/avahi/services/microblog.service
echo ' <type>_http._tcp</type>' >> /etc/avahi/services/microblog.service
echo " <port>$MICROBLOG_ONION_PORT</port>" >> /etc/avahi/services/microblog.service
echo ' </service>' >> /etc/avahi/services/microblog.service
echo '</service-group>' >> /etc/avahi/services/microblog.service
fi
if [ $FULLBLOG_DOMAIN_NAME ]; then
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /etc/avahi/services/blog.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /etc/avahi/services/blog.service
echo '<service-group>' >> /etc/avahi/services/blog.service
echo ' <name replace-wildcards="yes">%h HTTP</name>' >> /etc/avahi/services/blog.service
echo ' <service>' >> /etc/avahi/services/blog.service
echo ' <type>_http._tcp</type>' >> /etc/avahi/services/blog.service
echo " <port>$BLOG_ONION_PORT</port>" >> /etc/avahi/services/blog.service
echo ' </service>' >> /etc/avahi/services/blog.service
echo '</service-group>' >> /etc/avahi/services/blog.service
fi
if [ $GIT_DOMAIN_NAME ]; then
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /etc/avahi/services/git.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /etc/avahi/services/git.service
echo '<service-group>' >> /etc/avahi/services/git.service
echo ' <name replace-wildcards="yes">%h HTTP</name>' >> /etc/avahi/services/git.service
echo ' <service>' >> /etc/avahi/services/git.service
echo ' <type>_http._tcp</type>' >> /etc/avahi/services/git.service
echo " <port>$GIT_ONION_PORT</port>" >> /etc/avahi/services/git.service
echo ' </service>' >> /etc/avahi/services/git.service
echo '</service-group>' >> /etc/avahi/services/git.service
fi
if [ $WIKI_DOMAIN_NAME ]; then
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /etc/avahi/services/wiki.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /etc/avahi/services/wiki.service
echo '<service-group>' >> /etc/avahi/services/wiki.service
echo ' <name replace-wildcards="yes">%h HTTP</name>' >> /etc/avahi/services/wiki.service
echo ' <service>' >> /etc/avahi/services/wiki.service
echo ' <type>_http._tcp</type>' >> /etc/avahi/services/wiki.service
echo " <port>$WIKI_ONION_PORT</port>" >> /etc/avahi/services/wiki.service
echo ' </service>' >> /etc/avahi/services/wiki.service
echo '</service-group>' >> /etc/avahi/services/wiki.service
fi
}
# check an individual domain name
function test_domain_name {
if [ $1 ]; then
TEST_DOMAIN_NAME=$1
validate_domain_name
if [[ $TEST_DOMAIN_NAME != $1 ]]; then
echo $TEST_DOMAIN_NAME
exit 8528
fi
fi
}
# check that domain names are sensible
function check_domains {
if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then
test_domain_name "$WIKI_DOMAIN_NAME"
if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
echo $'Wiki domain name is the same as blog domain name. They must be different'
exit 97326
fi
if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
echo $'Wiki domain name is the same as microblog domain name. They must be different'
exit 36827
fi
if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
echo $'Wiki domain name is the same as hubzilla domain name. They must be different'
exit 65848
fi
if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
echo $'Wiki domain name is the same as Gogs domain name. They must be different'
exit 73529
fi
fi
fi
if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then
test_domain_name "$FULLBLOG_DOMAIN_NAME"
if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
echo $'Blog domain name is the same as wiki domain name. They must be different'
exit 62348
fi
if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
echo $'Blog domain name is the same as microblog domain name. They must be different'
exit 38236
fi
if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
echo $'Blog domain name is the same as hubzilla domain name. They must be different'
exit 35483
fi
if [ $GIT_DOMAIN_NAME ]; then
if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
echo $'Blog domain name is the same as Gogs domain name. They must be different'
exit 84695
fi
fi
fi
if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then
test_domain_name "$MICROBLOG_DOMAIN_NAME"
if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
echo $'Microblog domain name is the same as wiki domain name. They must be different'
exit 73924
fi
if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
echo $'Microblog domain name is the same as blog domain name. They must be different'
exit 26832
fi
if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
echo $'Microblog domain name is the same as hubzilla domain name. They must be different'
exit 678382
fi
if [ $GIT_DOMAIN_NAME ]; then
if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
echo $'Microblog domain name is the same as Gogs domain name. They must be different'
exit 684325
fi
fi
fi
if [ $HUBZILLA_DOMAIN_NAME ]; then
test_domain_name "$HUBZILLA_DOMAIN_NAME"
if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
echo $'Hubzilla domain name is the same as wiki domain name. They must be different'
exit 83682
fi
if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
echo $'Hubzilla domain name is the same as blog domain name. They must be different'
exit 74817
fi
if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
echo $'Hubzilla domain name is the same as microblog domain name. They must be different'
exit 83683
fi
if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
echo $'Hubzilla domain name is the same as Gogs domain name. They must be different'
exit 135523
fi
fi
fi
if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
test_domain_name "$GIT_DOMAIN_NAME"
if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
echo $'Hubzilla domain name is the same as wiki domain name. They must be different'
exit 83682
fi
if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
echo $'Hubzilla domain name is the same as blog domain name. They must be different'
exit 74817
fi
if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
echo $'Hubzilla domain name is the same as microblog domain name. They must be different'
exit 83683
fi
if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
echo $'Microblog domain name is the same as hubzilla domain name. They must be different'
exit 678382
fi
fi
}
# Checks whether certificates were generated for the given hostname
function check_certificates {
if [ ! $1 ]; then
return
fi
USE_LETSENCRYPT='no'
if [ $2 ]; then
USE_LETSENCRYPT=$2
fi
if [[ $USE_LETSENCRYPT == 'no' ]]; then
if [ ! -f /etc/ssl/private/$1.key ]; then
echo $"Private certificate for $CHECK_HOSTNAME was not created"
exit 63959
fi
if [ ! -f /etc/ssl/certs/$1.crt ]; then
echo $"Public certificate for $CHECK_HOSTNAME was not created"
exit 7679
fi
else
if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
echo $"Private certificate for $CHECK_HOSTNAME was not created"
exit 6282
fi
if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
echo $"Public certificate for $CHECK_HOSTNAME was not created"
exit 5328
fi
fi
if [ ! -f /etc/ssl/certs/$1.dhparam ]; then
echo $"DiffieHellman parameters for $CHECK_HOSTNAME were not created"
exit 5989
fi
}
function create_site_certificate {
SITE_DOMAIN_NAME="$1"
# if yes then only "valid" certs are allowed, not self-signed
NO_SELF_SIGNED='no'
if [ $2 ]; then
NO_SELF_SIGNED="$2"
fi
if [[ $ONION_ONLY == "no" ]]; then
if [ ! -f /etc/ssl/certs/$SITE_DOMAIN_NAME.dhparam ]; then
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $SITE_DOMAIN_NAME
else
${PROJECT_NAME}-addcert -e $SITE_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS
if [ ! "$?" = "0" ]; then
if [[ $NO_SELF_SIGNED == 'no' ]]; then
echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME, so try making a self-signed cert"
${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $SITE_DOMAIN_NAME
else
echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
exit 682529
fi
else
check_certificates $SITE_DOMAIN_NAME 'yes'
fi
fi
fi
fi
}
function backup_database_local {
# Makes local backups of databases which can then be automatically rolled
# back if corruption is detected
database_name=$1
backup_databases_script=/usr/bin/backupdatabases
echo '' >> $backup_databases_script
echo "# Backup the ${database_name} database" >> $backup_databases_script
echo "TEMPFILE=/root/${database_name}.sql" >> $backup_databases_script
echo 'DAILYFILE=/var/backups/${database_name}_daily.sql' >> $backup_databases_script
echo "mysqldump --password=\"\$MYSQL_PASSWORD\" ${database_name} > \$TEMPFILE" >> $backup_databases_script
echo 'FILESIZE=$(stat -c%s $TEMPFILE)' >> $backup_databases_script
echo 'if [ "$FILESIZE" -eq "0" ]; then' >> $backup_databases_script
echo ' if [ -f $DAILYFILE ]; then' >> $backup_databases_script
echo ' cp $DAILYFILE $TEMPFILE' >> $backup_databases_script
echo '' >> $backup_databases_script
echo ' # try to restore yesterdays database' >> $backup_databases_script
echo " mysql -u root --password=\"\$MYSQL_PASSWORD\" ${database_name} -o < \$DAILYFILE" >> $backup_databases_script
echo '' >> $backup_databases_script
echo ' # Send a warning email' >> $backup_databases_script
echo " echo \"Unable to create a backup of the ${database_name} database. Attempted to restore from yesterdays backup\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script
echo ' else' >> $backup_databases_script
echo ' # Send a warning email' >> $backup_databases_script
echo " echo \"Unable to create a backup of the ${database_name} database.\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script
echo ' fi' >> $backup_databases_script
echo 'else' >> $backup_databases_script
echo ' chmod 600 $TEMPFILE' >> $backup_databases_script
echo ' mv $TEMPFILE $DAILYFILE' >> $backup_databases_script
echo '' >> $backup_databases_script
echo ' # Make the backup readable only by root' >> $backup_databases_script
echo ' chmod 600 $DAILYFILE' >> $backup_databases_script
echo 'fi' >> $backup_databases_script
weekly_backup_script=/etc/cron.weekly/backupdatabasesweekly
if ! grep -q "${database_name}" ${weekly_backup_script}; then
echo '' >> ${weekly_backup_script}
echo "# ${database_name}" >> ${weekly_backup_script}
echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${weekly_backup_script}
echo " cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_2weekly.sql" >> ${weekly_backup_script}
echo 'fi' >> ${weekly_backup_script}
echo "if [ -f /var/backups/${database_name}_daily.sql ]; then" >> ${weekly_backup_script}
echo " cp -f /var/backups/${database_name}_daily.sql /var/backups/${database_name}_weekly.sql" >> ${weekly_backup_script}
echo 'fi' >> ${weekly_backup_script}
fi
monthly_backup_script=/etc/cron.monthly/backupdatabasesmonthly
if ! grep -q "${database_name}" ${monthly_backup_script}; then
echo '' >> ${monthly_backup_script}
echo "# ${database_name}" >> ${monthly_backup_script}
echo "if [ -f /var/backups/${database_name}_monthly.sql ]; then" >> ${monthly_backup_script}
echo " cp -f /var/backups/${database_name}_monthly.sql /var/backups/${database_name}_2monthly.sql" >> ${monthly_backup_script}
echo 'fi' >> ${monthly_backup_script}
echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${monthly_backup_script}
echo " cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_monthly.sql" >> ${monthly_backup_script}
echo 'fi' >> ${monthly_backup_script}
fi
if ! grep -q "${database_name}" /etc/cron.hourly/repair; then
echo "${PROJECT_NAME}-repair-database ${database_name}" >> /etc/cron.hourly/repair
# remove legacy stuff
sed -i 's|/usr/bin/repairdatabase redmatrix||g' /etc/cron.hourly/repair
fi
}
function install_not_on_BBB {
if grep -Fxq "install_not_on_BBB" $COMPLETION_FILE; then
return
fi
if [[ INSTALLING_ON_BBB == "yes" ]]; then
return
fi
if [ ! $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then
return
fi
echo '# The loopback network interface' > /etc/network/interfaces
echo 'auto lo' >> /etc/network/interfaces
echo 'iface lo inet loopback' >> /etc/network/interfaces
echo '' >> /etc/network/interfaces
echo '# The primary network interface' >> /etc/network/interfaces
echo 'auto eth0' >> /etc/network/interfaces
echo 'iface eth0 inet static' >> /etc/network/interfaces
echo " address $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/network/interfaces
echo ' netmask 255.255.255.0' >> /etc/network/interfaces
echo " gateway $ROUTER_IP_ADDRESS" >> /etc/network/interfaces
echo " dns-nameservers $NAMESERVER1 $NAMESERVER2" >> /etc/network/interfaces
echo '# Example to keep MAC address between reboots' >> /etc/network/interfaces
echo '#hwaddress ether DE:AD:BE:EF:CA:FE' >> /etc/network/interfaces
echo '' >> /etc/network/interfaces
echo '# The secondary network interface' >> /etc/network/interfaces
echo '#auto eth1' >> /etc/network/interfaces
echo '#iface eth1 inet dhcp' >> /etc/network/interfaces
echo '' >> /etc/network/interfaces
echo '# WiFi Example' >> /etc/network/interfaces
echo "#auto $WIFI_INTERFACE" >> /etc/network/interfaces
echo "#iface $WIFI_INTERFACE inet dhcp" >> /etc/network/interfaces
echo '# wpa-ssid "essid"' >> /etc/network/interfaces
echo '# wpa-psk "password"' >> /etc/network/interfaces
echo '' >> /etc/network/interfaces
echo '# Ethernet/RNDIS gadget (g_ether)' >> /etc/network/interfaces
echo '# ... or on host side, usbnet and random hwaddr' >> /etc/network/interfaces
echo '# Note on some boards, usb0 is automaticly setup with an init script' >> /etc/network/interfaces
echo '#iface usb0 inet static' >> /etc/network/interfaces
echo '# address 192.168.7.2' >> /etc/network/interfaces
echo '# netmask 255.255.255.0' >> /etc/network/interfaces
echo '# network 192.168.7.0' >> /etc/network/interfaces
echo '# gateway 192.168.7.1' >> /etc/network/interfaces
echo 'install_not_on_BBB' >> $COMPLETION_FILE
}
function mark_admin_user_account {
if ! grep -q "Admin user:" $COMPLETION_FILE; then
echo "Admin user:$MY_USERNAME" >> $COMPLETION_FILE
fi
}
function mark_blog_domain {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if ! grep -q "Blog domain:" $COMPLETION_FILE; then
echo "Blog domain:$FULLBLOG_DOMAIN_NAME" >> $COMPLETION_FILE
fi
}
function randomize_cron {
# The predictable default timing of Debian cron jobs might
# be exploitable knowledge. Avoid too much predictability
# by randomizing the times when cron jobs run
if grep -Fxq "randomize_cron" $COMPLETION_FILE; then
return
fi
# randomize the day on which the weekly cron job runs
randdow=$(($RANDOM%6+1))
sed -i "s|\* \* 7|* * $randdow|g" /etc/crontab
# randomize the time when the weekly cron job runs
randmin=$(($RANDOM%60))
randhr=$(($RANDOM%3+1))
sed -i "s|47 6|$randmin $randhr|g" /etc/crontab
# randomize the time when the daily cron job runs
randmin=$(($RANDOM%60))
randhr=$(($RANDOM%3+4))
sed -i "s|25 6\t\* \* \*|$randmin $randhr\t* * *|g" /etc/crontab
# randomize the time when the hourly cron job runs
randmin=$(($RANDOM%60))
sed -i "s|17 \*\t|$randmin *\t|g" /etc/crontab
# randomize monthly cron job time and day
randmin=$(($RANDOM%60))
randhr=$(($RANDOM%22+1))
randdom=$(($RANDOM%27+1))
sed -i "s|52 6\t|$randmin $randhr\t|g" /etc/crontab
sed -i "s|\t1 \* \*|\t$randdom * *|g" /etc/crontab
systemctl restart cron
echo 'randomize_cron' >> $COMPLETION_FILE
}
function get_cjdns_public_key {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "cjdns public key" /home/$MY_USERNAME/README; then
if [ ! $CJDNS_PUBLIC_KEY ]; then
CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
fi
}
function get_cjdns_private_key {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "cjdns private key" /home/$MY_USERNAME/README; then
if [ ! $CJDNS_PRIVATE_KEY ]; then
CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
fi
}
function get_cjdns_ipv6_address {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then
if [ ! $CJDNS_IPV6 ]; then
CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
fi
}
function get_cjdns_port {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "cjdns port" /home/$MY_USERNAME/README; then
if [ ! $CJDNS_PORT ]; then
CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
fi
}
function get_cjdns_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "cjdns password" /home/$MY_USERNAME/README; then
if [ ! $CJDNS_PASSWORD ]; then
CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
fi
}
# script to automatically renew any Let's Encrypt certificates
function letsencrypt_renewals {
if [[ $ONION_ONLY != "no" ]]; then
return
fi
renewals_script=/etc/cron.monthly/letsencrypt
renewals_retry_script=/etc/cron.daily/letsencrypt
renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'
renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
# the main script tries to renew once per month
echo '#!/bin/bash' > $renewals_script
echo '' >> $renewals_script
echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script
echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script
echo '' >> $renewals_script
echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script
echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script
echo ' rm ~/letsencrypt_failed' >> $renewals_script
echo ' fi' >> $renewals_script
echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script
echo -n "awk -F ':' '{print " >> $renewals_script
echo -n '$2' >> $renewals_script
echo "}')" >> $renewals_script
echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script
echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script
echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script
echo -n "awk -F '/' '{print " >> $renewals_script
echo -n '$5' >> $renewals_script
echo "}')" >> $renewals_script
echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script
echo ' if [ ! "$?" = "0" ]; then' >> $renewals_script
echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script
echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script
echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script
echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script
echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_script
echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script
echo ' touch ~/letsencrypt_failed' >> $renewals_script
echo ' fi' >> $renewals_script
echo ' fi' >> $renewals_script
echo ' fi' >> $renewals_script
echo ' done' >> $renewals_script
echo 'fi' >> $renewals_script
chmod +x $renewals_script
# a secondary script keeps trying to renew after a failure
echo '#!/bin/bash' > $renewals_retry_script
echo '' >> $renewals_retry_script
echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script
echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script
echo '' >> $renewals_retry_script
echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script
echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
echo ' rm ~/letsencrypt_failed' >> $renewals_retry_script
echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script
echo -n "awk -F ':' '{print " >> $renewals_retry_script
echo -n '$2' >> $renewals_retry_script
echo "}')" >> $renewals_retry_script
echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script
echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script
echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script
echo -n "awk -F '/' '{print " >> $renewals_retry_script
echo -n '$5' >> $renewals_retry_script
echo "}')" >> $renewals_retry_script
echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script
echo ' if [ ! "$?" = "0" ]; then' >> $renewals_retry_script
echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script
echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script
echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script
echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
echo ' touch ~/letsencrypt_failed' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo ' done' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo 'fi' >> $renewals_retry_script
chmod +x $renewals_retry_script
}
function save_firewall_settings {
iptables-save > /etc/firewall.conf
ip6tables-save > /etc/firewall6.conf
printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables
}
function enable_ipv6 {
# endure that ipv6 is enabled and can route
sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
#sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
#sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
}
function mesh_cjdns {
if [[ $ENABLE_CJDNS != "yes" ]]; then
return
fi
# update to the next commit
set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO
if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then
return
fi
apt-get -y install nodejs git build-essential nmap
# if a README exists then obtain the cjdns parameters
get_cjdns_ipv6_address
get_cjdns_public_key
get_cjdns_private_key
get_cjdns_port
get_cjdns_password
# special compile settings for running ./do on the Beaglebone Black
if [[ $INSTALLING_ON_BBB == "yes" ]]; then
CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized"
export LDFLAGS="$CFLAGS"
fi
if [ ! -d /etc/cjdns ]; then
git_clone $CJDNS_REPO /etc/cjdns
cd /etc/cjdns
git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT
if ! grep -q "cjdns commit" $COMPLETION_FILE; then
echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE
fi
./do
if [ ! "$?" = "0" ]; then
exit 7439
fi
# create a configuration
if [ ! -f /etc/cjdns/cjdroute.conf ]; then
./cjdroute --genconf > /etc/cjdns/cjdroute.conf
if [ ! "$?" = "0" ]; then
exit 5922
fi
fi
# create a user to run as
useradd cjdns
else
cd /etc/cjdns
git_pull $CJDNS_REPO
./do
if [ ! "$?" = "0" ]; then
exit 9926
fi
fi
# set permissions
chown -R cjdns:cjdns /etc/cjdns
chmod 600 /etc/cjdns/cjdroute.conf
/sbin/ip tuntap add mode tun user cjdns dev cjdroute0
# insert values into the configuration file
if [ $CJDNS_PRIVATE_KEY ]; then
sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf
else
CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p)
fi
if [ $CJDNS_PUBLIC_KEY ]; then
sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf
else
CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p)
fi
if [ $CJDNS_IPV6 ]; then
sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf
else
CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p)
fi
if [ $CJDNS_PASSWORD ]; then
sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf
else
CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p)
fi
if [ $CJDNS_PORT ]; then
sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf
else
CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p)
fi
enable_ipv6
echo '#!/bin/sh -e' > /etc/init.d/cjdns
echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns
echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns
echo '# Provides: cjdroute' >> /etc/init.d/cjdns
echo '# Required-Start: $remote_fs $network' >> /etc/init.d/cjdns
echo '# Required-Stop: $remote_fs $network' >> /etc/init.d/cjdns
echo '# Default-Start: 2 3 4 5' >> /etc/init.d/cjdns
echo '# Default-Stop: 0 1 6' >> /etc/init.d/cjdns
echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns
echo '# Description: A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns
echo '# cjdns git repo: https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns
echo '### END INIT INFO' >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo 'PROG="cjdroute"' >> /etc/init.d/cjdns
echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns
echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns
echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo 'start() {' >> /etc/init.d/cjdns
echo ' # Start it up with the user cjdns' >> /etc/init.d/cjdns
echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
echo ' then' >> /etc/init.d/cjdns
echo ' echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns
echo ' else' >> /etc/init.d/cjdns
echo ' echo " * Starting cjdroute"' >> /etc/init.d/cjdns
echo ' su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns
echo ' /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns
echo ' /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns
echo ' /sbin/ip link set tun0 up' >> /etc/init.d/cjdns
echo ' /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns
echo ' fi' >> /etc/init.d/cjdns
echo '}' >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo 'stop() {' >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo ' if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns
echo ' then' >> /etc/init.d/cjdns
echo ' echo "cjdns isnt running."' >> /etc/init.d/cjdns
echo ' else' >> /etc/init.d/cjdns
echo ' echo "Killing cjdroute"' >> /etc/init.d/cjdns
echo ' killall cjdroute' >> /etc/init.d/cjdns
echo ' fi' >> /etc/init.d/cjdns
echo '}' >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo 'status() {' >> /etc/init.d/cjdns
echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
echo ' then' >> /etc/init.d/cjdns
echo ' echo "Cjdns is running"' >> /etc/init.d/cjdns
echo ' else' >> /etc/init.d/cjdns
echo ' echo "Cjdns is not running"' >> /etc/init.d/cjdns
echo ' fi' >> /etc/init.d/cjdns
echo '}' >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo ' update() {' >> /etc/init.d/cjdns
echo ' cd $GIT_PATH' >> /etc/init.d/cjdns
echo ' echo "Updating..."' >> /etc/init.d/cjdns
echo ' git pull' >> /etc/init.d/cjdns
echo ' ./do' >> /etc/init.d/cjdns
echo '}' >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns
echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns
echo ' echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns
echo ' exit 1' >> /etc/init.d/cjdns
echo 'fi' >> /etc/init.d/cjdns
echo '' >> /etc/init.d/cjdns
echo 'case $1 in' >> /etc/init.d/cjdns
echo ' start)' >> /etc/init.d/cjdns
echo ' start' >> /etc/init.d/cjdns
echo ' exit 0' >> /etc/init.d/cjdns
echo ' ;;' >> /etc/init.d/cjdns
echo ' stop)' >> /etc/init.d/cjdns
echo ' stop' >> /etc/init.d/cjdns
echo ' exit 0' >> /etc/init.d/cjdns
echo ' ;;' >> /etc/init.d/cjdns
echo ' reload|restart|force-reload)' >> /etc/init.d/cjdns
echo ' stop' >> /etc/init.d/cjdns
echo ' sleep 1' >> /etc/init.d/cjdns
echo ' start' >> /etc/init.d/cjdns
echo ' exit 0' >> /etc/init.d/cjdns
echo ' ;;' >> /etc/init.d/cjdns
echo ' status)' >> /etc/init.d/cjdns
echo ' status' >> /etc/init.d/cjdns
echo ' exit 0' >> /etc/init.d/cjdns
echo ' ;;' >> /etc/init.d/cjdns
echo ' update|upgrade)' >> /etc/init.d/cjdns
echo ' update' >> /etc/init.d/cjdns
echo ' stop' >> /etc/init.d/cjdns
echo ' sleep 2' >> /etc/init.d/cjdns
echo ' start' >> /etc/init.d/cjdns
echo ' exit 0' >> /etc/init.d/cjdns
echo ' ;;' >> /etc/init.d/cjdns
echo ' **)' >> /etc/init.d/cjdns
echo ' echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns
echo ' exit 1' >> /etc/init.d/cjdns
echo ' ;;' >> /etc/init.d/cjdns
echo 'esac' >> /etc/init.d/cjdns
chmod +x /etc/init.d/cjdns
update-rc.d cjdns defaults
service cjdns start
if [ ! "$?" = "0" ]; then
systemctl status cjdns.service
exit 8260
fi
apt-get -y install radvd
echo 'interface eth0' > /etc/radvd.conf
echo '{' >> /etc/radvd.conf
echo ' AdvSendAdvert on;' >> /etc/radvd.conf
echo ' prefix fdfc::1/64' >> /etc/radvd.conf
echo ' {' >> /etc/radvd.conf
echo ' AdvRouterAddr on;' >> /etc/radvd.conf
echo ' };' >> /etc/radvd.conf
echo '};' >> /etc/radvd.conf
systemctl restart radvd
if [ ! "$?" = "0" ]; then
systemctl status radvd.service
exit 4395
fi
if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then
echo '' >> /etc/network/interfaces
echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces
echo 'iface eth0 inet6 static' >> /etc/network/interfaces
echo ' pre-up modprobe ipv6' >> /etc/network/interfaces
echo ' address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces
echo ' netmask 64' >> /etc/network/interfaces
service network-manager restart
if [ ! "$?" = "0" ]; then
systemctl status networking.service
exit 6949
fi
fi
ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT
ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT
save_firewall_settings
if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then
CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}')
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README
echo '=======================' >> /home/$MY_USERNAME/README
echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README
echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README
echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README
echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README
echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README
echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README
echo $'to you using your default password' >> /home/$MY_USERNAME/README
echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README
echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README
echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README
echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README
echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README
echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README
echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README
echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README
echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README
echo $'each password is for.' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README
echo ' http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README
echo ' http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'mesh_cjdns' >> $COMPLETION_FILE
}
function create_mirrors {
if [ -d /home/trove ]; then
userdel -r trove
fi
if grep -Fxq "create_mirrors" $COMPLETION_FILE; then
return
fi
${PROJECT_NAME}-mirrors
echo 'create_mirrors' >> $COMPLETION_FILE
}
function select_go_version {
if [ ! -d $GVM_HOME/bin ]; then
echo $'GVM was not installed'
exit 629532
fi
export GVM_ROOT=$GVM_HOME
if ! grep -q "GVM_ROOT=" ~/.bashrc; then
echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc
else
sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc
fi
cd $GVM_ROOT/bin
[[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm"
gvm use go${GO_VERSION} --default
systemctl set-environment GOPATH=$GOPATH
if [ ${#GOPATH} -lt 2 ]; then
echo $'GOPATH was not set'
exit 629825
fi
}
function mesh_cjdns_tools {
if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then
return
fi
if [[ $ENABLE_CJDNS != "yes" ]]; then
return
fi
if [ ! -d /etc/cjdns ]; then
mesh_cjdns
fi
select_go_version
apt-get -y install golang mercurial
if [ ! -f ~/.bashrc ]; then
touch ~/.bashrc
fi
if [ ! -d /home/git ]; then
# add a gogs user account
adduser --disabled-login --gecos 'Gogs' git
# install Go
if ! grep -q "export GOPATH=" ~/.bashrc; then
echo "export GOPATH=$GOPATH" >> ~/.bashrc
fi
systemctl set-environment GOPATH=$GOPATH
if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
fi
if [ ! -d $GOPATH ]; then
mkdir -p $GOPATH
fi
fi
if ! grep -q "export GOPATH=" ~/.bashrc; then
echo "export GOPATH=$GOPATH" >> ~/.bashrc
fi
expected_go_path='export PATH=$PATH:'${GOPATH}'/bin'
export PATH=$PATH:${GOPATH}/bin
if ! grep -q "$expected_go_path" ~/.bashrc; then
echo "$expected_go_path" >> ~/.bashrc
fi
export PATH=$PATH:$GOPATH/bin
CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g')
go get $CJDCMD_REPO2
if [ ! -f $GOPATH/bin/cjdcmd ]; then
echo $'cjdcmd was not compiled. Check your golang installation'
exit 7439
fi
cp $GOPATH/bin/cjdcmd /usr/bin
# initialise from the cjdns config
/usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf
echo 'mesh_cjdns_tools' >> $COMPLETION_FILE
}
function install_zeronet_blog {
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
return
fi
set_repo_commit /opt/zeronet/ZeroBlog "ZeroNet Blog commit" "$ZERONET_BLOG_COMMIT" $ZERONET_BLOG_REPO
if grep -Fxq "install_zeronet_blog" $COMPLETION_FILE; then
return
fi
if [ ! -f /home/$MY_USERNAME/README ]; then
touch /home/$MY_USERNAME/README
fi
if grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then
return
fi
if [ ! -d /etc/avahi ]; then
echo $'Avahi is not installed'
exit 736
fi
ZERONET_DEFAULT_BLOG_TITLE="${MY_USERNAME}'s Blog"
cd /opt/zeronet
python zeronet.py --batch siteCreate 2> /opt/zeronet/blog.txt
if [ ! -f /opt/zeronet/blog.txt ]; then
echo $'Unable to create blog'
exit 479
fi
blog_address=$(cat blog.txt | grep "Site address" | awk -F ':' '{print $2}')
blog_private_key=$(cat blog.txt | grep "Site private key" | awk -F ':' '{print $2}')
ZERONET_BLOG_ADDRESS=${blog_address//[[:blank:]]/}
ZERONET_BLOG_PRIVATE_KEY=${blog_private_key//[[:blank:]]/}
if [ ${#ZERONET_BLOG_ADDRESS} -lt 20 ]; then
echo $"Address: $ZERONET_BLOG_ADDRESS"
echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY"
echo $'Unable to create zeronet blog address'
exit 7358
fi
if [ ${#ZERONET_BLOG_PRIVATE_KEY} -lt 20 ]; then
echo $"Address: $ZERONET_BLOG_ADDRESS"
echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY"
echo $'Unable to create zeronet blog private key'
exit 1639
fi
if [ ! -d "/opt/zeronet/data/$ZERONET_BLOG_ADDRESS" ]; then
echo $"Unable to find site directory: /opt/zeronet/data/$ZERONET_BLOG_ADDRESS"
exit 7638
fi
git_clone $ZERONET_BLOG_REPO ZeroBlog
if [ ! -d /opt/zeronet/ZeroBlog ]; then
echo $'ZeroBlog repo could not be cloned'
exit 6739
fi
cd /opt/zeronet/ZeroBlog
git checkout $ZERONET_BLOG_COMMIT -b $ZERONET_BLOG_COMMIT
if ! grep -q "ZeroNet Blog commit" $COMPLETION_FILE; then
echo "ZeroNet Blog commit:$ZERONET_BLOG_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/ZeroNet Blog commit.*/ZeroNet Blog commit:$ZERONET_BLOG_COMMIT/g" $COMPLETION_FILE
fi
echo $"ZeroNet Blog address: $ZERONET_BLOG_ADDRESS"
echo $"ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY"
cp -r /opt/zeronet/ZeroBlog/* /opt/zeronet/data/$ZERONET_BLOG_ADDRESS
if [ ! -d /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/data ]; then
mkdir /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/data
fi
cp /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/data-default/data.json /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/data
sed -i "s/MyZeroBlog/$ZERONET_DEFAULT_BLOG_TITLE/g" /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json
sed -i "s/My ZeroBlog./$ZERONET_DEFAULT_BLOG_TAGLINE/g" /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json
sed -i "s/ZeroBlog Demo/$ZERONET_DEFAULT_BLOG_TITLE/g" /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html
sed -i "s|<h3 class=\"description\">.*|<h3 class=\"description\">$ZERONET_DEFAULT_BLOG_TAGLINE</h3>|g" /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html
sed -i "s/Blogging platform Demo/Blogging platform/g" /opt/zeronet/data/$ZERONET_BLOG_ADDRESS/content.json
python zeronet.py siteSign $ZERONET_BLOG_ADDRESS $ZERONET_BLOG_PRIVATE_KEY
# Add an avahi service
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /tmp/zeronet-blog.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /tmp/zeronet-blog.service
echo '<service-group>' >> /tmp/zeronet-blog.service
echo ' <name replace-wildcards="yes">%h ZeroNet Blog</name>' >> /tmp/zeronet-blog.service
echo ' <service>' >> /tmp/zeronet-blog.service
echo ' <type>_zeronet._udp</type>' >> /tmp/zeronet-blog.service
echo " <port>$ZERONET_PORT</port>" >> /tmp/zeronet-blog.service
echo " <txt-record>$ZERONET_URL/$ZERONET_BLOG_ADDRESS</txt-record>" >> /tmp/zeronet-blog.service
echo ' </service>' >> /tmp/zeronet-blog.service
echo '</service-group>' >> /tmp/zeronet-blog.service
cp /tmp/zeronet-blog.service /etc/avahi/services/zeronet-blog.service
if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then
mkdir -p /home/$MY_USERNAME/.config/zeronet
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
fi
echo "$ZERONET_URL/$ZERONET_BLOG_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myblog
if ! grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo "ZeroNet Blog address: $ZERONET_BLOG_ADDRESS" >> /home/$MY_USERNAME/README
echo "ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY" >> /home/$MY_USERNAME/README
fi
echo 'install_zeronet_blog' >> $COMPLETION_FILE
}
function install_zeronet_mail {
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
return
fi
set_repo_commit /opt/zeronet/ZeroMail "ZeroNet Mail commit" "$ZERONET_MAIL_COMMIT" $ZERONET_MAIL_REPO
if grep -Fxq "install_zeronet_mail" $COMPLETION_FILE; then
return
fi
if [ ! -f /home/$MY_USERNAME/README ]; then
touch /home/$MY_USERNAME/README
fi
if grep -q "ZeroNet Mail address" /home/$MY_USERNAME/README; then
return
fi
if [ ! -d /etc/avahi ]; then
echo 'Avahi is not installed'
exit 736
fi
ZERONET_DEFAULT_MAIL_TITLE="${MY_USERNAME}'s Mail"
cd /opt/zeronet
python zeronet.py --batch siteCreate 2> /opt/zeronet/mail.txt
if [ ! -f /opt/zeronet/mail.txt ]; then
echo $'Unable to create mail'
exit 479
fi
mail_address=$(cat mail.txt | grep "Site address" | awk -F ':' '{print $2}')
mail_private_key=$(cat mail.txt | grep "Site private key" | awk -F ':' '{print $2}')
ZERONET_MAIL_ADDRESS=${mail_address//[[:blank:]]/}
ZERONET_MAIL_PRIVATE_KEY=${mail_private_key//[[:blank:]]/}
if [ ${#ZERONET_MAIL_ADDRESS} -lt 20 ]; then
echo $"Address: $ZERONET_MAIL_ADDRESS"
echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY"
echo $'Unable to create zeronet mail address'
exit 7358
fi
if [ ${#ZERONET_MAIL_PRIVATE_KEY} -lt 20 ]; then
echo $"Address: $ZERONET_MAIL_ADDRESS"
echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY"
echo $'Unable to create zeronet mail private key'
exit 1639
fi
if [ ! -d "/opt/zeronet/data/$ZERONET_MAIL_ADDRESS" ]; then
echo $"Unable to find site directory: /opt/zeronet/data/$ZERONET_MAIL_ADDRESS"
exit 7638
fi
git_clone $ZERONET_MAIL_REPO ZeroMail
if [ ! -d /opt/zeronet/ZeroMail ]; then
echo $'ZeroMail repo could not be cloned'
exit 6739
fi
cd /opt/zeronet/ZeroMail
git checkout $ZERONET_MAIL_COMMIT -b $ZERONET_MAIL_COMMIT
if ! grep -q "ZeroNet Mail commit" $COMPLETION_FILE; then
echo "ZeroNet Mail commit:$ZERONET_MAIL_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/ZeroNet Mail commit.*/ZeroNet Mail commit:$ZERONET_MAIL_COMMIT/g" $COMPLETION_FILE
fi
echo $"ZeroNet Mail address: $ZERONET_MAIL_ADDRESS"
echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY"
cp -r /opt/zeronet/ZeroMail/* /opt/zeronet/data/$ZERONET_MAIL_ADDRESS
if [ ! -d /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/data ]; then
mkdir /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/data
fi
cp /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/data-default/data.json /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/data
sed -i "s/MyZeroMail/$ZERONET_DEFAULT_MAIL_TITLE/g" /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json
sed -i "s/My ZeroMail./$ZERONET_DEFAULT_MAIL_TAGLINE/g" /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json
sed -i "s/ZeroMail Demo/$ZERONET_DEFAULT_MAIL_TITLE/g" /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html
sed -i "s|<h3 class=\"description\">.*|<h3 class=\"description\">$ZERONET_DEFAULT_MAIL_TAGLINE</h3>|g" /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html
sed -i "s/Mailging platform Demo/Mailging platform/g" /opt/zeronet/data/$ZERONET_MAIL_ADDRESS/content.json
python zeronet.py siteSign $ZERONET_MAIL_ADDRESS $ZERONET_MAIL_PRIVATE_KEY
# Add an avahi service
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /tmp/zeronet-mail.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /tmp/zeronet-mail.service
echo '<service-group>' >> /tmp/zeronet-mail.service
echo ' <name replace-wildcards="yes">%h ZeroNet Mail</name>' >> /tmp/zeronet-mail.service
echo ' <service>' >> /tmp/zeronet-mail.service
echo ' <type>_zeronet._udp</type>' >> /tmp/zeronet-mail.service
echo " <port>$ZERONET_PORT</port>" >> /tmp/zeronet-mail.service
echo " <txt-record>$ZERONET_URL/$ZERONET_MAIL_ADDRESS</txt-record>" >> /tmp/zeronet-mail.service
echo ' </service>' >> /tmp/zeronet-mail.service
echo '</service-group>' >> /tmp/zeronet-mail.service
cp /tmp/zeronet-mail.service /etc/avahi/services/zeronet-mail.service
if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then
mkdir -p /home/$MY_USERNAME/.config/zeronet
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
fi
echo "$ZERONET_URL/$ZERONET_MAIL_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/mymail
if ! grep -q $"ZeroNet Mail address" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo $"ZeroNet Mail address: $ZERONET_MAIL_ADDRESS" >> /home/$MY_USERNAME/README
echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY" >> /home/$MY_USERNAME/README
fi
echo 'install_zeronet_mail' >> $COMPLETION_FILE
}
function install_zeronet_forum {
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
return
fi
# update to the next commit
set_repo_commit /opt/zeronet/ZeroTalk "ZeroNet Forum commit" "$ZERONET_FORUM_COMMIT" $ZERONET_FORUM_REPO
if grep -Fxq "install_zeronet_forum" $COMPLETION_FILE; then
return
fi
if [ ! -f /home/$MY_USERNAME/README ]; then
touch /home/$MY_USERNAME/README
fi
if grep -q "ZeroNet Forum address" /home/$MY_USERNAME/README; then
return
fi
if [ ! -d /etc/avahi ]; then
echo $'Avahi is not installed'
exit 736
fi
ZERONET_DEFAULT_FORUM_TITLE=$"${MY_USERNAME}'s Forum"
cd /opt/zeronet
python zeronet.py --batch siteCreate 2> /opt/zeronet/forum.txt
if [ ! -f /opt/zeronet/forum.txt ]; then
echo $'Unable to create forum'
exit 479
fi
forum_address=$(cat forum.txt | grep "Site address" | awk -F ':' '{print $2}')
forum_private_key=$(cat forum.txt | grep "Site private key" | awk -F ':' '{print $2}')
ZERONET_FORUM_ADDRESS=${forum_address//[[:blank:]]/}
ZERONET_FORUM_PRIVATE_KEY=${forum_private_key//[[:blank:]]/}
if [ ${#ZERONET_FORUM_ADDRESS} -lt 20 ]; then
echo $"Address: $ZERONET_FORUM_ADDRESS"
echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY"
echo $'Unable to create zeronet forum address'
exit 76352
fi
if [ ${#ZERONET_FORUM_PRIVATE_KEY} -lt 20 ]; then
echo $"Address: $ZERONET_FORUM_ADDRESS"
echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY"
echo $'Unable to create zeronet forum private key'
exit 87356
fi
if [ ! -d "/opt/zeronet/data/$ZERONET_FORUM_ADDRESS" ]; then
echo $"Unable to find site directory: /opt/zeronet/data/$ZERONET_FORUM_ADDRESS"
exit 7638
fi
git_clone $ZERONET_FORUM_REPO ZeroTalk
if [ ! -d /opt/zeronet/ZeroTalk ]; then
echo $'ZeroTalk repo could not be cloned'
exit 6739
fi
git checkout $ZERONET_FORUM_COMMIT -b $ZERONET_FORUM_COMMIT
if ! grep -q "ZeroNet Forum commit" $COMPLETION_FILE; then
echo "ZeroNet Forum commit:$ZERONET_FORUM_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/ZeroNet Forum commit.*/ZeroNet Forum commit:$ZERONET_FORUM_COMMIT/g" $COMPLETION_FILE
fi
echo $"Forum address: $ZERONET_FORUM_ADDRESS"
echo $"Forum private key: $ZERONET_FORUM_PRIVATE_KEY"
cp -r /opt/zeronet/ZeroTalk/* /opt/zeronet/data/$ZERONET_FORUM_ADDRESS
sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" /opt/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html
sed -i "s/ZeroTalk/$ZERONET_DEFAULT_FORUM_TITLE/g" /opt/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html
sed -i "s|Demo for dynamic, decentralized content publishing.|$ZERONET_DEFAULT_FORUM_TAGLINE|g" /opt/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html
sed -i 's/Messaging Board Demo/Messaging Board/g' /opt/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json
sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" /opt/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json
python zeronet.py siteSign $ZERONET_FORUM_ADDRESS $ZERONET_FORUM_PRIVATE_KEY --inner_path data/users/content.json
# Add an avahi service
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /tmp/zeronet-forum.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /tmp/zeronet-forum.service
echo '<service-group>' >> /tmp/zeronet-forum.service
echo ' <name replace-wildcards="yes">%h ZeroNet Forum</name>' >> /tmp/zeronet-forum.service
echo ' <service>' >> /tmp/zeronet-forum.service
echo ' <type>_zeronet._udp</type>' >> /tmp/zeronet-forum.service
echo " <port>$ZERONET_PORT</port>" >> /tmp/zeronet-forum.service
echo " <txt-record>$ZERONET_URL/$ZERONET_FORUM_ADDRESS</txt-record>" >> /tmp/zeronet-forum.service
echo ' </service>' >> /tmp/zeronet-forum.service
echo '</service-group>' >> /tmp/zeronet-forum.service
sudo cp /tmp/zeronet-forum.service /etc/avahi/services/zeronet-forum.service
if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then
mkdir -p /home/$MY_USERNAME/.config/zeronet
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
fi
echo "$ZERONET_URL/$ZERONET_FORUM_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myforum
if ! grep -q $"ZeroNet Forum address" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo $"ZeroNet Forum address: $ZERONET_FORUM_ADDRESS" >> /home/$MY_USERNAME/README
echo $"ZeroNet Forum private key: $ZERONET_FORUM_PRIVATE_KEY" >> /home/$MY_USERNAME/README
fi
echo 'install_zeronet_forum' >> $COMPLETION_FILE
}
function install_zeronet {
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
return
fi
# update to the next commit
set_repo_commit /opt/zeronet "ZeroNet commit" "$ZERONET_COMMIT" $ZERONET_REPO
if grep -Fxq "install_zeronet" $COMPLETION_FILE; then
return
fi
${PROJECT_NAME}-mesh-install -f zeronet
systemctl daemon-reload
systemctl start tracker.service
systemctl start zeronet.service
echo 'mesh_zeronet' >> $COMPLETION_FILE
}
function install_vpn_tunnel {
if ! grep -q "repo.universe-factory.net" /etc/apt/sources.list; then
echo 'deb http://repo.universe-factory.net/debian/ sid main' >> /etc/apt/sources.list
gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C
if [ ! "$?" = "0" ]; then
exit 76272
fi
gpg -a --export 16EF3F64CB201D9C | sudo apt-key add -
apt-get update
apt-get -y install fastd
if [ ! "$?" = "0" ]; then
exit 52026
fi
fi
}
# ath9k_htc driver
function install_atheros_wifi {
if grep -Fxq "install_atheros_wifi" $COMPLETION_FILE; then
return
fi
if [ $INSTALLING_ON_BBB != "yes" ]; then
return
fi
if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then
return
fi
if [ -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then
return
fi
# have drivers already been installed ?
if [ -f /lib/firmware/htc_9271.fw ]; then
return
fi
apt-get -y install build-essential cmake git m4 texinfo
if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR
fi
cd $INSTALL_DIR
if [ ! -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then
git_clone $ATHEROS_WIFI_REPO $INSTALL_DIR/open-ath9k-htc-firmware
if [ ! "$?" = "0" ]; then
rm -rf $INSTALL_DIR/open-ath9k-htc-firmware
exit 74283
fi
fi
cd $INSTALL_DIR/open-ath9k-htc-firmware
git checkout 1.4.0
make toolchain
if [ ! "$?" = "0" ]; then
rm -rf $INSTALL_DIR/open-ath9k-htc-firmware
exit 24820
fi
make firmware
if [ ! "$?" = "0" ]; then
rm -rf $INSTALL_DIR/open-ath9k-htc-firmware
exit 63412
fi
cp target_firmware/*.fw /lib/firmware/
if [ ! "$?" = "0" ]; then
exit 74681
fi
echo 'install_atheros_wifi' >> $COMPLETION_FILE
}
function configure_avahi {
if grep -Fxq "configure_avahi" $COMPLETION_FILE; then
return
fi
# only enable avahi if we're doing mesh networking
if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then
return
fi
${PROJECT_NAME}-mesh-install -f avahi
if [ ! "$?" = "0" ]; then
echo $'Failed to install avahi'
exit 68442
fi
if [ $DEFAULT_DOMAIN_NAME ]; then
sed -i "s|#host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf
sed -i "s|host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf
else
decarray=( 1 2 3 4 5 6 7 8 9 0 )
PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf
sed -i "s|host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf
fi
echo 'configure_avahi' >> $COMPLETION_FILE
}
function mesh_babel {
if grep -Fxq "mesh_babel" $COMPLETION_FILE; then
return
fi
if [[ $ENABLE_BABEL != "yes" ]]; then
return
fi
${PROJECT_NAME}-mesh-install -f babel
if [ ! "$?" = "0" ]; then
echo $'Failed to install babel'
exit 67242
fi
echo 'mesh_babel' >> $COMPLETION_FILE
}
function mesh_batman {
if grep -Fxq "mesh_batman" $COMPLETION_FILE; then
return
fi
if [[ $ENABLE_BATMAN != "yes" ]]; then
return
fi
${PROJECT_NAME}-mesh-install -f batman
if [ ! "$?" = "0" ]; then
echo $'Failed to install batman'
exit 72524
fi
if ! grep -q "Mesh Networking (B.A.T.M.A.N)" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo 'Mesh Networking (B.A.T.M.A.N)' >> /home/$MY_USERNAME/README
echo '=============================' >> /home/$MY_USERNAME/README
echo "Mesh ESSID: $WIFI_SSID" >> /home/$MY_USERNAME/README
echo "Mesh cell ID: $BATMAN_CELLID" >> /home/$MY_USERNAME/README
echo "Mesh wifi channel: $WIFI_CHANNEL" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'mesh_batman' >> $COMPLETION_FILE
}
function remove_instructions_from_motd {
sed -i '/## /d' /etc/motd
}
function check_hwrng {
if [[ $HWRNG_TYPE == "beaglebone" ]]; then
# If hardware random number generation was enabled then make sure that the device exists.
# if /dev/hwrng is not found then any subsequent cryptographic key generation would
# suffer from low entropy and might be insecure
if [ ! -e /dev/hwrng ]; then
ls /dev/hw*
echo $'The hardware random number generator is enabled but could not be detected on'
echo $'/dev/hwrng. There may be a problem with the installation or the Beaglebone hardware.'
exit 75
fi
fi
# If a OneRNG device was installed then verify its firmware
#check_onerng_verification
}
function get_mariadb_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "MariaDB password" /home/$MY_USERNAME/README; then
if [ -f $DATABASE_PASSWORD_FILE ]; then
MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE)
else
MARIADB_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB password" | awk -F ':' '{print $2}' | sed 's/^ *//')
echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
chmod 600 $DATABASE_PASSWORD_FILE
fi
fi
fi
}
function get_mariadb_media_server_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "Media server administrator password" /home/$MY_USERNAME/README; then
MEDIA_SERVER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Media server administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function get_mariadb_gnusocial_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "MariaDB gnusocial admin password" /home/$MY_USERNAME/README; then
MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB gnusocial admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
if grep -q "Microblog administrator password" /home/$MY_USERNAME/README; then
MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Microblog administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function get_mariadb_webmail_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "MariaDB webmail admin password" /home/$MY_USERNAME/README; then
WEBMAIL_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB webmail admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function get_mariadb_rss_reader_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "RSS reader admin password" /home/$MY_USERNAME/README; then
RSS_READER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "RSS reader admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function get_mariadb_git_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "Gogs admin user password" /home/$MY_USERNAME/README; then
GIT_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Gogs admin user password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function get_mariadb_hubzilla_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "MariaDB Hubzilla admin password" /home/$MY_USERNAME/README; then
HUBZILLA_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB Hubzilla admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function create_freedns_updater {
if [[ $ONION_ONLY != "no" ]]; then
return
fi
# currently inadyn doesn't work as expected with freeDNS, so this is a workaround
if grep -Fxq "create_freedns_updater" $COMPLETION_FILE; then
return
fi
if [[ $DDNS_PROVIDER != "default@freedns.afraid.org" ]]; then
return
fi
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
FREEDNS_WGET='wget -q --read-timeout=0.0 --waitretry=5 --tries=4 https://freedns.afraid.org/dynamic/update.php?'
echo '#!/bin/bash' > /usr/bin/dynamicdns
echo 'cd /tmp' >> /usr/bin/dynamicdns
if [ $DEFAULT_DOMAIN_CODE ]; then
echo "# $DEFAULT_DOMAIN_NAME" >> /usr/bin/dynamicdns
echo "$FREEDNS_WGET$DEFAULT_DOMAIN_CODE=" >> /usr/bin/dynamicdns
fi
if [ $WIKI_CODE ]; then
if [[ $WIKI_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
echo "# $WIKI_DOMAIN_NAME" >> /usr/bin/dynamicdns
echo "$FREEDNS_WGET$WIKI_CODE=" >> /usr/bin/dynamicdns
fi
fi
if [ $FULLBLOG_CODE ]; then
if [[ $FULLBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
echo "# $FULLBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns
echo "$FREEDNS_WGET$FULLBLOG_CODE=" >> /usr/bin/dynamicdns
fi
fi
if [ $HUBZILLA_CODE ]; then
if [[ $HUBZILLA_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
echo "# $HUBZILLA_DOMAIN_NAME" >> /usr/bin/dynamicdns
echo "$FREEDNS_WGET$HUBZILLA_CODE=" >> /usr/bin/dynamicdns
fi
fi
if [ $MICROBLOG_CODE ]; then
if [[ $MICROBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
echo "# $MICROBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns
echo "$FREEDNS_WGET$MICROBLOG_CODE=" >> /usr/bin/dynamicdns
fi
fi
if [ $GIT_CODE ]; then
if [[ $GIT_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
echo "# $GIT_DOMAIN_NAME" >> /usr/bin/dynamicdns
echo "$FREEDNS_WGET$GIT_CODE=" >> /usr/bin/dynamicdns
fi
fi
if [ $MEDIAGOBLIN_CODE ]; then
if [[ $MEDIAGOBLIN_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
echo "# $MEDIAGOBLIN_DOMAIN_NAME" >> /usr/bin/dynamicdns
echo "$FREEDNS_WGET$MEDIAGOBLIN_CODE=" >> /usr/bin/dynamicdns
fi
fi
echo 'exit 0' >> /usr/bin/dynamicdns
chmod 600 /usr/bin/dynamicdns
chmod +x /usr/bin/dynamicdns
if ! grep -q "/usr/bin/dynamicdns" /etc/crontab; then
echo '*/3 * * * * root /usr/bin/dynamicdns' >> /etc/crontab
systemctl restart cron
fi
echo 'create_freedns_updater' >> $COMPLETION_FILE
}
function backup_to_friends_servers {
# update crontab
echo '#!/bin/bash' > /etc/cron.daily/backuptofriends
echo "if [ -f /usr/local/bin/${PROJECT_NAME}-backup-remote ]; then" >> /etc/cron.daily/backuptofriends
echo " /usr/local/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends
echo 'else' >> /etc/cron.daily/backuptofriends
echo " /usr/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends
echo 'fi' >> /etc/cron.daily/backuptofriends
chmod +x /etc/cron.daily/backuptofriends
}
function remove_default_user {
# make sure you don't use the default user account
if [[ $MY_USERNAME == "debian" ]]; then
echo 'Do not use the default debian user account. Create a different user with: adduser [username]'
exit 68
fi
# remove the default debian user to prevent it from becoming an attack vector
if [ -d /home/debian ]; then
userdel -r debian
echo 'Default debian user account removed'
fi
}
function enforce_good_passwords {
# because humans are generally bad at choosing passwords
if grep -Fxq "enforce_good_passwords" $COMPLETION_FILE; then
return
fi
apt-get -y install libpam-cracklib
sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password
echo 'enforce_good_passwords' >> $COMPLETION_FILE
}
function change_login_message {
if grep -Fxq "change_login_message" $COMPLETION_FILE; then
return
fi
# remove automatic motd creator if it exists
if [ -f /etc/init.d/motd ]; then
rm -f /etc/init.d/motd
fi
echo '' > /etc/motd
echo ".---. . . " >> /etc/motd
echo "| | | " >> /etc/motd
echo "|--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. " >> /etc/motd
echo "| | (.-' (.-' ( | ( )| | | | )( )| | (.-' " >> /etc/motd
echo "' ' --' --' -' - -' ' ' -' -' -' ' - --'" >> /etc/motd
if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
echo $' M A I L B O X E D I T I O N' >> /etc/motd
fi
if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
echo $' S O C I A L E D I T I O N' >> /etc/motd
fi
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
echo $' C H A T E D I T I O N' >> /etc/motd
fi
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then
echo $' C L O U D E D I T I O N' >> /etc/motd
fi
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then
echo $' W R I T E R E D I T I O N ' >> /etc/motd
fi
if [[ $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then
echo $' M E D I A E D I T I O N' >> /etc/motd
fi
if [[ $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
echo $' D E V E L O P E R E D I T I O N' >> /etc/motd
fi
echo '' >> /etc/motd
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
echo $' Freedom in the Cloud' >> /etc/motd
else
echo $' Freedom in the Mesh' >> /etc/motd
fi
echo '' >> /etc/motd
echo 'change_login_message' >> $COMPLETION_FILE
}
function search_for_attached_usb_drive {
# If a USB drive is attached then search for email,
# gpg, ssh keys and emacs configuration
if grep -Fxq "search_for_attached_usb_drive" $COMPLETION_FILE; then
return
fi
if [ -b $USB_DRIVE ]; then
if [ ! -d $USB_MOUNT ]; then
echo $'Mounting USB drive'
mkdir $USB_MOUNT
mount $USB_DRIVE $USB_MOUNT
fi
if ! [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
if [ -d $USB_MOUNT/Maildir ]; then
echo $'Maildir found on USB drive'
IMPORT_MAILDIR=$USB_MOUNT/Maildir
fi
if [ -d $USB_MOUNT/.gnupg ]; then
echo $'Importing GPG keyring'
cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
GPG_KEYS_IMPORTED="yes"
if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then
echo $'GPG files did not copy'
exit 73529
fi
fi
if [ -f $USB_MOUNT/.procmailrc ]; then
echo $'Importing procmail settings'
cp $USB_MOUNT/.procmailrc /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc
fi
if [ -f $USB_MOUNT/private_key.gpg ]; then
echo $'GPG private key found on USB drive'
MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg
fi
if [ -f $USB_MOUNT/public_key.gpg ]; then
echo $'GPG public key found on USB drive'
MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg
fi
fi
if [ -d $USB_MOUNT/prosody ]; then
if [ ! -d $XMPP_DIRECTORY ]; then
mkdir $XMPP_DIRECTORY
fi
cp -r $USB_MOUNT/prosody/* $XMPP_DIRECTORY
chown -R prosody:prosody $XMPP_DIRECTORY
fi
if [ -d $USB_MOUNT/.ssh ]; then
echo $'Importing ssh keys'
cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
# for security delete the ssh keys from the usb drive
if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then
echo $'ssh files did not copy'
exit 8
fi
fi
if [ -f $USB_MOUNT/.emacs ]; then
echo $'Importing .emacs file'
cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
fi
if [ -d $USB_MOUNT/.emacs.d ]; then
echo $'Importing .emacs.d directory'
cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d
fi
if [ -d $USB_MOUNT/ssl ]; then
echo $'Importing SSL certificates'
cp -r $USB_MOUNT/ssl/* /etc/ssl
chmod 640 /etc/ssl/certs/*
chmod 400 /etc/ssl/private/*
# change ownership of some certificates
if [ -d /etc/prosody ]; then
chown prosody:prosody /etc/ssl/private/xmpp.*
chown prosody:prosody /etc/ssl/certs/xmpp.*
fi
if [ -d /etc/dovecot ]; then
chown root:dovecot /etc/ssl/certs/dovecot.*
chown root:dovecot /etc/ssl/private/dovecot.*
fi
if [ -f /etc/ssl/private/exim.key ]; then
cp /etc/ssl/private/exim.key /etc/exim4
cp /etc/ssl/certs/exim.crt /etc/exim4
cp /etc/ssl/certs/exim.dhparam /etc/exim4
chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
fi
fi
if [ -d $USB_MOUNT/personal ]; then
echo $'Importing personal directory'
cp -r $USB_MOUNT/personal /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal
fi
else
if [ -d $USB_MOUNT ]; then
umount $USB_MOUNT
rm -rf $USB_MOUNT
fi
echo $'No USB drive attached'
fi
echo 'search_for_attached_usb_drive' >> $COMPLETION_FILE
}
function create_repo_sources {
if grep -Fxq "create_repo_sources" $COMPLETION_FILE; then
return
fi
rm -rf /var/lib/apt/lists/*
apt-get clean
echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" > /etc/apt/sources.list
echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" >> /etc/apt/sources.list
echo '' >> /etc/apt/sources.list
echo "deb http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list
echo "deb-src http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list
echo '' >> /etc/apt/sources.list
echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list
echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list
echo '' >> /etc/apt/sources.list
echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list
echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list
apt-get update
apt-get -y install apt-transport-https
echo 'create_repo_sources' >> $COMPLETION_FILE
}
function initial_setup {
if grep -Fxq "initial_setup" $COMPLETION_FILE; then
return
fi
apt-get -y remove --purge apache*
apt-get -y dist-upgrade
apt-get -y install ca-certificates emacs24 cpulimit
apt-get -y install cryptsetup libgfshare-bin obnam sshpass wget
apt-get -y install avahi-daemon avahi-utils avahi-discover
apt-get -y install connect-proxy
if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR
fi
echo 'initial_setup' >> $COMPLETION_FILE
}
function allow_ssh_to_onion_address {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! -d /home/$MY_USERNAME/.ssh ]; then
mkdir /home/$MY_USERNAME/.ssh
fi
if [ ! -d /etc/tor ]; then
echo $'Tor not found when updating ssh'
exit 528257
fi
if ! grep -q "onion" /home/$MY_USERNAME/.ssh/config; then
echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config
echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config
fi
}
function install_tor {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "install_tor" $COMPLETION_FILE; then
return
fi
apt-get -y install tor
if [ ! -f /etc/tor/torrc ]; then
echo 'Tor failed to install'
exit 38259
fi
echo 'install_tor' >> $COMPLETION_FILE
}
function resolve_dns_via_tor {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "resolve_dns_via_tor" $COMPLETION_FILE; then
return
fi
if [ ! -f /etc/tor/torrc ]; then
echo $'tor was not installed'
exit 52952
fi
# resolve DNS via tor
if ! grep 'DNSPort 53' /etc/tor/torrc; then
echo 'DNSPort 53' >> /etc/tor/torrc
echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
echo 'AutomapHostsSuffixes .exit,.onion' >> /etc/tor/torrc
systemctl restart tor
fi
# don't change resolv.conf
sed -i 's|, domain-name-servers||g' /etc/dhcp/dhclient.conf
# point resolv.conf to tor
echo 'nameserver 127.0.0.1:53' > /etc/resolv.conf
# prevent resolv.conf from changing
chattr +i /etc/resolv.conf
echo 'resolve_dns_via_tor' >> $COMPLETION_FILE
}
function enable_ssh_via_onion {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "enable_ssh_via_onion" $COMPLETION_FILE; then
return
fi
apt-get -y install tor connect-proxy
if ! grep -q 'Host *.onion' /home/$MY_USERNAME/.ssh/config; then
if [ ! -d /home/$MY_USERNAME/.ssh ]; then
mkdir /home/$MY_USERNAME/.ssh
fi
echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config
echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh/config
fi
if ! grep -q 'Host *.onion' /root/.ssh/config; then
if [ ! -d /root/.ssh ]; then
mkdir /root/.ssh
fi
echo 'Host *.onion' >> /root/.ssh/config
echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /root/.ssh/config
fi
echo 'enable_ssh_via_onion' >> $COMPLETION_FILE
}
function install_editor {
if grep -Fxq "install_editor" $COMPLETION_FILE; then
return
fi
update-alternatives --set editor /usr/bin/emacs24
# A minimal emacs configuration
#echo -n "(add-to-list 'load-path " > /home/$MY_USERNAME/.emacs
#echo '"~/.emacs.d/")' >> /home/$MY_USERNAME/.emacs
#echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Remove trailing whitepace ======================================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo ";;(add-hook 'before-save-hook 'delete-trailing-whitespace)" >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo ';; Goto a line number with CTRL-l' >> /home/$MY_USERNAME/.emacs
echo -n '(global-set-key "\C-l" ' >> /home/$MY_USERNAME/.emacs
echo "'goto-line)" >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Show line numbers ==============================================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo "(add-hook 'find-file-hook (lambda () (linum-mode 1)))" >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Enable line wrapping in org-mode ===============================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo " (add-hook 'org-mode-hook" >> /home/$MY_USERNAME/.emacs
echo " '(lambda ()" >> /home/$MY_USERNAME/.emacs
echo " (visual-line-mode 1)))" >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Enable shift select in org mode ================================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo '(setq org-support-shift-select t)' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Set standard indent to 4 rather that 4 =========================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo '(setq standard-indent 4)' >> /home/$MY_USERNAME/.emacs
echo '(setq-default tab-width 4)' >> /home/$MY_USERNAME/.emacs
echo '(setq c-basic-offset 4)' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Support Wheel Mouse Scrolling ==================================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo '(mouse-wheel-mode t)' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Place Backup Files in Specific Directory =======================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo '(setq make-backup-files t)' >> /home/$MY_USERNAME/.emacs
echo '(setq version-control t)' >> /home/$MY_USERNAME/.emacs
echo '(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/"))))' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Make Text mode the default mode for new buffers ================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo "(setq default-major-mode 'text-mode)" >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Line length ====================================================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo '(setq-default fill-column 72)' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Enable Line and Column Numbering ===============================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo '(line-number-mode 1)' >> /home/$MY_USERNAME/.emacs
echo '(column-number-mode 1)' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Turn on Auto Fill mode automatically in all modes ==============' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo ';; Auto-fill-mode the the automatic wrapping of lines and insertion of' >> /home/$MY_USERNAME/.emacs
echo ';; newlines when the cursor goes over the column limit.' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo ';; This should actually turn on auto-fill-mode by default in all major' >> /home/$MY_USERNAME/.emacs
echo ';; modes. The other way to do this is to turn on the fill for specific modes' >> /home/$MY_USERNAME/.emacs
echo ';; via hooks.' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo '(setq auto-fill-mode 1)' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo $';; ===== Enable GPG encryption =========================================' >> /home/$MY_USERNAME/.emacs
echo '' >> /home/$MY_USERNAME/.emacs
echo "(require 'epa)" >> /home/$MY_USERNAME/.emacs
echo '(epa-file-enable)' >> /home/$MY_USERNAME/.emacs
cp /home/$MY_USERNAME/.emacs /root/.emacs
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
echo 'install_editor' >> $COMPLETION_FILE
}
function enable_zram {
if grep -Fxq "enable_zram" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then
${PROJECT_NAME}-zram off
return
fi
${PROJECT_NAME}-zram on
echo 'enable_zram' >> $COMPLETION_FILE
}
function check_onerng_verification {
if grep -Fxq "check_onerng_verification" $COMPLETION_FILE; then
return
fi
if [[ $HWRNG_TYPE != "onerng" ]]; then
return
fi
echo $'Checking OneRNG firmware verification'
last_onerng_validation=$(cat /var/log/syslog.1 | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
if [[ $last_onerng_validation != *"passed OK"* ]]; then
last_onerng_validation=$(cat /var/log/syslog | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
if [[ $last_onerng_validation != *"passed OK"* ]]; then
echo $last_onerng_validation
echo $'OneRNG firmware verification failed'
exit 735026
fi
fi
echo $'OneRNG firmware verification passed'
# if haveged was previously installed then remove it
apt-get -y remove haveged
echo 'check_onerng_verification' >> $COMPLETION_FILE
}
function install_onerng {
apt-get -y install rng-tools at python-gnupg
# Move to the installation directory
if [ ! -d $INSTALL_DIR ]; then
mkdir $INSTALL_DIR
fi
cd $INSTALL_DIR
# Download the package
if [ ! -f $ONERNG_PACKAGE ]; then
wget $ONERNG_PACKAGE_DOWNLOAD
mv "$ONERNG_PACKAGE?raw=true" $ONERNG_PACKAGE
fi
if [ ! -f $ONERNG_PACKAGE ]; then
echo $"OneRNG package could not be downloaded"
exit 59249
fi
# Check the hash
hash=$(sha256sum $ONERNG_PACKAGE | awk -F ' ' '{print $1}')
if [[ $hash != $ONERNG_PACKAGE_HASH ]]; then
echo $"OneRNG package: $ONERNG_PACKAGE"
echo $"Hash does not match. This could indicate that the package has been tampered with."
echo $"OneRNG expected package hash: $ONERNG_PACKAGE_HASH"
echo $"OneRNG actual hash: $hash"
exit 25934
fi
# install the package
dpkg -i $ONERNG_PACKAGE
# Check that the install worked
if [ ! -f /etc/onerng.conf ]; then
echo $'OneRNG configuration file not found. The package may not have installed successfully.'
exit 42904
fi
dialog --title $"OneRNG Device" \
--msgbox $"Please plug in the OneRNG device" 6 40
# check rng-tools configuration
if ! grep -q "/dev/$ONERNG_DEVICE" /etc/default/rng-tools; then
echo "HRNGDEVICE=/dev/$ONERNG_DEVICE" >> /etc/default/rng-tools
fi
systemctl restart rng-tools
}
function random_number_generator {
if grep -Fxq "random_number_generator" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# it is assumed that docker uses the random number
# generator of the host system
return
fi
# if the hrng type has not been set but /dev/hwrng is detected
if [[ $HWRNG_TYPE != "beaglebone" ]]; then
if [ -e /dev/hwrng ]; then
HWRNG_TYPE="beaglebone"
fi
fi
case $HWRNG_TYPE in
beaglebone)
apt-get -y install rng-tools
sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools
;;
onerng)
install_onerng
;;
*)
apt-get -y install haveged
;;
esac
echo 'random_number_generator' >> $COMPLETION_FILE
}
function configure_ssh {
if grep -Fxq "configure_ssh" $COMPLETION_FILE; then
return
fi
sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config
sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
echo 'DebianBanner no' >> /etc/ssh/sshd_config
else
sed -i 's|DebianBanner.*|DebianBanner no|g' /etc/ssh/sshd_config
fi
if grep -q 'ClientAliveInterval' /etc/ssh/sshd_config; then
sed -i 's/ClientAliveInterval.*/ClientAliveInterval 60/g' /etc/ssh/sshd_config
else
echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config
fi
if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then
sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
else
echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config
fi
if grep -q 'Ciphers' /etc/ssh/sshd_config; then
sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config
else
echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config
fi
if grep -q 'MACs' /etc/ssh/sshd_config; then
sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config
else
echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config
fi
if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then
sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config
else
echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config
fi
apt-get -y install fail2ban
echo 'configure_ssh' >> $COMPLETION_FILE
}
function configure_ssh_onion {
if grep -Fxq "configure_ssh_onion" $COMPLETION_FILE; then
return
fi
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
SSH_ONION_HOSTNAME=$(add_onion_service ssh ${SSH_PORT} ${SSH_PORT})
if ! grep -q "ssh onion domain" $COMPLETION_FILE; then
echo "ssh onion domain:${SSH_ONION_HOSTNAME}" >> $COMPLETION_FILE
else
sed -i "s|ssh onion domain.*|ssh onion domain:${SSH_ONION_HOSTNAME}|g" $COMPLETION_FILE
fi
echo 'configure_ssh_onion' >> $COMPLETION_FILE
}
# see https://stribika.github.io/2015/01/04/secure-secure-shell.html
function ssh_remove_small_moduli {
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
mv ~/moduli /etc/ssh/moduli
}
function configure_ssh_client {
if grep -Fxq "configure_ssh_client" $COMPLETION_FILE; then
return
fi
#sed -i 's/# PasswordAuthentication.*/ PasswordAuthentication no/g' /etc/ssh/ssh_config
#sed -i 's/# ChallengeResponseAuthentication.*/ ChallengeResponseAuthentication no/g' /etc/ssh/ssh_config
sed -i "s/# HostKeyAlgorithms.*/ HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config
sed -i "s/# Ciphers.*/ Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
sed -i "s/# MACs.*/ MACs $SSH_MACS/g" /etc/ssh/ssh_config
if ! grep -q "HostKeyAlgorithms" /etc/ssh/ssh_config; then
echo " HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS" >> /etc/ssh/ssh_config
fi
sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
if ! grep -q "Ciphers " /etc/ssh/ssh_config; then
echo " Ciphers $SSH_CIPHERS" >> /etc/ssh/ssh_config
fi
sed -i "s/MACs.*/MACs $SSH_MACS/g" /etc/ssh/ssh_config
if ! grep -q "MACs " /etc/ssh/ssh_config; then
echo " MACs $SSH_MACS" >> /etc/ssh/ssh_config
fi
# Create ssh keys
if [ ! -f ~/.ssh/id_ed25519 ]; then
ssh-keygen -t ed25519 -o -a 100
fi
if [ ! -f ~/.ssh/id_rsa ]; then
ssh-keygen -t rsa -b 4096 -o -a 100
fi
ssh_remove_small_moduli
echo 'configure_ssh_client' >> $COMPLETION_FILE
}
function regenerate_ssh_keys {
if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then
return
fi
rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
ssh_remove_small_moduli
systemctl restart ssh
echo 'regenerate_ssh_keys' >> $COMPLETION_FILE
}
function configure_dns {
if grep -Fxq "configure_dns" $COMPLETION_FILE; then
return
fi
echo 'domain localdomain' > /etc/resolv.conf
echo 'search localdomain' >> /etc/resolv.conf
echo "nameserver $NAMESERVER1" >> /etc/resolv.conf
echo "nameserver $NAMESERVER2" >> /etc/resolv.conf
# prevent resolv.conf from changing
chattr +i /etc/resolv.conf
echo 'configure_dns' >> $COMPLETION_FILE
}
function set_hostname {
DEFAULT_DOMAIN_NAME="$1"
echo "$DEFAULT_DOMAIN_NAME" > /etc/hostname
hostname $DEFAULT_DOMAIN_NAME
if grep -q "127.0.1.1" /etc/hosts; then
sed -i "s/127.0.1.1.*/127.0.1.1 $DEFAULT_DOMAIN_NAME/g" /etc/hosts
else
echo "127.0.1.1 $DEFAULT_DOMAIN_NAME" >> /etc/hosts
fi
}
function set_your_domain_name {
if grep -Fxq "set_your_domain_name" $COMPLETION_FILE; then
return
fi
set_hostname $DEFAULT_DOMAIN_NAME
echo 'set_your_domain_name' >> $COMPLETION_FILE
}
function time_synchronisation {
# mesh peers typically don't sync over the internet
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ -f /usr/local/bin/${PROJECT_NAME}-update-date ]; then
cp /usr/local/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate
else
cp /usr/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate
fi
chmod +x /usr/bin/updatedate
if grep -Fxq "time_synchronisation" $COMPLETION_FILE; then
return
fi
apt-get -y install tlsdate
apt-get -y remove ntpdate
echo '*/15 * * * * root /usr/bin/updatedate' >> /etc/crontab
systemctl restart cron
echo 'time_synchronisation' >> $COMPLETION_FILE
}
function configure_firewall {
if grep -q "RELATED" /etc/firewall.conf; then
# recreate the firewall to remove RELATED
sed -i "/firewall/d" $COMPLETION_FILE
fi
if grep -Fxq "configure_firewall" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -X
ip6tables -X
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Make sure incoming tcp connections are SYN packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop packets with incoming fragments
iptables -A INPUT -f -j DROP
# Drop bogons
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Incoming malformed NULL packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
echo 'configure_firewall' >> $COMPLETION_FILE
}
function configure_firewall_ping {
if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then
return
fi
# Only allow ping for mesh installs
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
return
fi
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
save_firewall_settings
echo 'configure_firewall_ping' >> $COMPLETION_FILE
}
function configure_firewall_for_voip {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
}
function configure_firewall_for_syncthing {
if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
return
fi
iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
}
function configure_firewall_for_voip_turn {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
}
function configure_firewall_for_sip4 {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
}
function configure_firewall_for_ipfs {
if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
return
fi
if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
}
function configure_firewall_for_avahi {
if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
return
fi
iptables -A INPUT -p tcp --dport 548 -j ACCEPT
iptables -A INPUT -p udp --dport 548 -j ACCEPT
iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
iptables -A INPUT -p udp --dport 5354 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
}
function configure_firewall_for_cjdns {
if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then
return
fi
if [[ $ENABLE_CJDNS != "yes" ]]; then
return
fi
ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE
}
function configure_firewall_for_batman {
if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then
return
fi
if [[ $ENABLE_BATMAN != "yes" ]]; then
return
fi
save_firewall_settings
echo 'configure_firewall_for_batman' >> $COMPLETION_FILE
}
function configure_firewall_for_babel {
if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then
return
fi
if [[ $ENABLE_BABEL != "yes" ]]; then
return
fi
iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_babel' >> $COMPLETION_FILE
}
function configure_firewall_for_zeronet {
if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
return
fi
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
return
fi
iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
}
function configure_firewall_for_dlna {
if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
return
fi
iptables -A INPUT -p udp --dport 1900 -j ACCEPT
iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
}
function configure_firewall_for_dns {
if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
}
function configure_firewall_for_xmpp {
if [ ! -d /etc/prosody ]; then
return
fi
if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
}
function configure_firewall_for_irc {
if [ ! -d /etc/ngircd ]; then
return
fi
if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport $IRC_PORT -j ACCEPT
iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
}
function configure_firewall_for_ftp {
if grep -Fxq "configure_firewall_for_ftp" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -I INPUT -p tcp --dport 1024:65535 --sport 20:21 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_ftp' >> $COMPLETION_FILE
}
function configure_firewall_for_web_access {
if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE
}
function configure_firewall_for_web_server {
if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
}
function configure_firewall_for_tox {
if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
}
function configure_firewall_for_ssh {
if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE
}
function configure_firewall_for_git {
if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport 9418 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_git' >> $COMPLETION_FILE
}
function configure_firewall_for_email {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
return
fi
if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
save_firewall_settings
echo 'configure_firewall_for_email' >> $COMPLETION_FILE
}
function configure_internet_protocol {
if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
return
fi
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
if ! grep -q "ignore pings" /etc/sysctl.conf; then
echo '# ignore pings' >> /etc/sysctl.conf
echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
fi
if ! grep -q "disable ipv6" /etc/sysctl.conf; then
echo '# disable ipv6' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
fi
if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
fi
if ! grep -q "keepalive" /etc/sysctl.conf; then
echo '# keepalive' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
fi
echo 'configure_internet_protocol' >> $COMPLETION_FILE
}
function install_command_line_browser {
if grep -Fxq "install_command_line_browser" $COMPLETION_FILE; then
return
fi
apt-get -y install elinks
# set the home page
if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then
if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then
echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc
else
sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc
fi
fi
echo 'install_command_line_browser' >> $COMPLETION_FILE
}
function configure_email {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "configure_email" $COMPLETION_FILE; then
return
fi
apt-get -y remove postfix
apt-get -y install exim4 sasl2-bin swaks libnet-ssleay-perl procmail xinetd
if [ ! -d /etc/exim4 ]; then
echo $"ERROR: Exim does not appear to have installed. $CHECK_MESSAGE"
exit 48
fi
onion_service_name='email'
if [ ! -d /var/lib/tor ]; then
echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured."
exit 877367
fi
if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then
echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc
echo 'HiddenServicePort 25 127.0.0.1:25' >> /etc/tor/torrc
echo 'HiddenServicePort 587 127.0.0.1:587' >> /etc/tor/torrc
echo 'HiddenServicePort 465 127.0.0.1:465' >> /etc/tor/torrc
echo 'HiddenServicePort 993 127.0.0.1:993' >> /etc/tor/torrc
echo $"Added onion site for ${onion_service_name}"
fi
systemctl restart tor
wait_for_onion_service ${onion_service_name}
if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
echo $"${onion_service_name} onion site hostname not found"
exit 76362
fi
EMAIL_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname)
if [[ $ONION_ONLY != "no" ]]; then
set_hostname ${EMAIL_ONION_HOSTNAME}
MY_EMAIL_ADDRESS=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}
fi
if ! grep -q "Email onion domain" $COMPLETION_FILE; then
echo "Email onion domain:${EMAIL_ONION_HOSTNAME}" >> $COMPLETION_FILE
else
sed -i "s|Email onion domain.*|Email onion domain:${EMAIL_ONION_HOSTNAME}|g" $COMPLETION_FILE
fi
# see https://github.com/petterreinholdtsen/exim4-smtorp
echo '# tor stuff first' > /etc/exim4/conf.d/router/100_exim4-smtorp
echo '#' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '# if were submitting mail *from* a .tor/.onion address,' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '# make sure any header lines that may give us away is' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '# stripped out, and add a new, cryptic Message-ID.' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '# In address_data we store the name we should HELO as.' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo 'tor_to_any:' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' debug_print = "R: manualroute from .onion to $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' driver = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' domains = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' condition = ${if match {$sender_address_domain}{\N.*\.(onion|tor)$\N}}' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' address_data = $sender_address_domain' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' transport = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' self = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' route_list = * localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' headers_remove = Received:Message-ID:X-Mailer:User-Agent' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' headers_add = Message-ID: <${lc:${sha1:$message_id}}@$sender_address_domain>' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '# this catches the case where were submitting mail' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '# from a regular email address where we dont need to' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo '# rewrite any headers' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo 'any_to_tor:' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' debug_print = "R: manualroute for $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' driver = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' domains = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' transport = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' self = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' route_list = *.onion localhost ; *.tor localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo ' address_data = $smtp_active_hostname' >> /etc/exim4/conf.d/router/100_exim4-smtorp
echo 'remote_smtp_onion:' > /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' debug_print = "T: remote_smtp_onion for $local_part@$original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' driver = smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' # set helo_data to where we want to connect to,' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' # for the proxy program tor-smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' helo_data = "$address_data $original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' # wherever we configured our script at' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' port = 12668' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' # cannot use TLS otherwise it will EHLO again!!' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
echo ' hosts_avoid_tls = *' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR
fi
cd $INSTALL_DIR
git_clone $EXIM_ONION_REPO $INSTALL_DIR/exim4-smtorp
cd $INSTALL_DIR/exim4-smtorp/tor-smtp
make
if [ ! -f $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp ]; then
echo $'Unable to make tor smtp transport'
exit 52629
fi
if [ ! -d /usr/lib/exim4-smtorp ]; then
mkdir /usr/lib/exim4-smtorp
fi
cp $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp /usr/lib/exim4-smtorp/tor-smtp
if [ ! -f /usr/lib/exim4-smtorp/tor-smtp ]; then
echo $'Unable to copy tor-smtp'
exit 83503
fi
cp $INSTALL_DIR/exim4-smtorp/xinetd /etc/xinetd.d/tor-smtp
if [ ! -f /etc/xinetd.d/tor-smtp ]; then
echo $'Unable to copy to xinetd.d'
exit 835954
fi
systemctl restart xinetd
# configure for Maildir format
sed -i 's/MAIL_DIR/#MAIL_DIR/g' /etc/login.defs
sed -i 's|#MAIL_FILE.*|MAIL_FILE Maildir/|g' /etc/login.defs
if ! grep -q "export MAIL" /etc/profile; then
echo 'export MAIL=~/Maildir' >> /etc/profile
fi
sed -i 's|pam_mail.so standard|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/login
sed -i 's|pam_mail.so standard noenv|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/sshd
sed -i 's|pam_mail.so nopen|pam_mail.so dir=~/Maildir nopen|g' /etc/pam.d/su
echo 'dc_eximconfig_configtype="internet"' > /etc/exim4/update-exim4.conf.conf
if [[ $ONION_ONLY == "no" ]]; then
# both ICANN and onion domains
echo "dc_other_hostnames='${DEFAULT_DOMAIN_NAME};${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf
else
echo "dc_other_hostnames='${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf
fi
echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf
echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf
echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf
echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf
RELAY_NETS='192.168.1.0/24'
if [ $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then
RELAY_NETS=$(echo $LOCAL_NETWORK_STATIC_IP_ADDRESS | awk -F '.' '{print $1 "." $2 "." $3 ".0/24"}')
fi
echo "dc_relay_nets='$RELAY_NETS'" >> /etc/exim4/update-exim4.conf.conf
echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf
echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf
echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf
echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf
echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf
echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf
update-exim4.conf
sed -i "s/START=no/START=yes/g" /etc/default/saslauthd
systemctl start saslauthd
# make a tls certificate for email
if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH
check_certificates exim
fi
cp /etc/ssl/private/exim.key /etc/exim4
cp /etc/ssl/certs/exim.crt /etc/exim4
cp /etc/ssl/certs/exim.dhparam /etc/exim4
chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template
sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME = $DEFAULT_DOMAIN_NAME\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template
sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4
if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then
sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template
fi
adduser $MY_USERNAME sasl
addgroup Debian-exim sasl
systemctl restart exim4
if [ ! -d /etc/skel/Maildir ]; then
mkdir -m 700 /etc/skel/.mutt
mkdir -m 700 /etc/skel/Maildir
mkdir -m 700 /etc/skel/Maildir/new
mkdir -m 700 /etc/skel/Maildir/cur
mkdir -m 700 /etc/skel/Maildir/Sent
mkdir -m 700 /etc/skel/Maildir/Sent/tmp
mkdir -m 700 /etc/skel/Maildir/Sent/cur
mkdir -m 700 /etc/skel/Maildir/Sent/new
mkdir -m 700 /etc/skel/Maildir/.learn-spam
mkdir -m 700 /etc/skel/Maildir/.learn-spam/cur
mkdir -m 700 /etc/skel/Maildir/.learn-spam/new
mkdir -m 700 /etc/skel/Maildir/.learn-spam/tmp
mkdir -m 700 /etc/skel/Maildir/.learn-ham
mkdir -m 700 /etc/skel/Maildir/.learn-ham/cur
mkdir -m 700 /etc/skel/Maildir/.learn-ham/new
mkdir -m 700 /etc/skel/Maildir/.learn-ham/tmp
ln -s /etc/skel/Maildir/.learn-spam /etc/skel/Maildir/spam
ln -s /etc/skel/Maildir/.learn-ham /etc/skel/Maildir/ham
fi
if [ ! -d /home/$MY_USERNAME/Maildir ]; then
mkdir -m 700 /home/$MY_USERNAME/.mutt
mkdir -m 700 /home/$MY_USERNAME/Maildir
mkdir -m 700 /home/$MY_USERNAME/Maildir/cur
mkdir -m 700 /home/$MY_USERNAME/Maildir/tmp
mkdir -m 700 /home/$MY_USERNAME/Maildir/new
mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent
mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/cur
mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/tmp
mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/new
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/cur
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/new
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/tmp
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/cur
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/new
mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/tmp
ln -s /home/$MY_USERNAME/Maildir/.learn-spam /home/$MY_USERNAME/Maildir/spam
ln -s /home/$MY_USERNAME/Maildir/.learn-ham /home/$MY_USERNAME/Maildir/ham
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir
fi
echo 'configure_email' >> $COMPLETION_FILE
}
function create_procmail {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "create_procmail" $COMPLETION_FILE; then
return
fi
if [ ! -f /home/$MY_USERNAME/.procmailrc ]; then
echo 'MAILDIR=$HOME/Maildir' > /home/$MY_USERNAME/.procmailrc
echo 'DEFAULT=$MAILDIR/' >> /home/$MY_USERNAME/.procmailrc
echo 'LOGFILE=$HOME/log/procmail.log' >> /home/$MY_USERNAME/.procmailrc
echo 'LOGABSTRACT=all' >> /home/$MY_USERNAME/.procmailrc
echo '' >> /home/$MY_USERNAME/.procmailrc
echo $"# Tripwire reports which have no violations don't need to be logged" >> /home/$MY_USERNAME/.procmailrc
echo ':0 BD:' >> /home/$MY_USERNAME/.procmailrc
TRIPWIRE_VIOLATIONS_STR=$'Total violations found: 0'
echo " * .*$TRIPWIRE_VIOLATIONS_STR" >> /home/$MY_USERNAME/.procmailrc
echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc
echo '' >> /home/$MY_USERNAME/.procmailrc
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc
fi
mkdir -p /home/$MY_USERNAME/Maildir/admin/new
mkdir -p /home/$MY_USERNAME/Maildir/admin/cur
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir/admin
if [ ! -f /etc/skel/.procmailrc ]; then
cp /home/$MY_USERNAME/.procmailrc /etc/skel/.procmailrc
chown root:root /etc/skel/.procmailrc
fi
echo 'create_procmail' >> $COMPLETION_FILE
}
function handle_admin_emails {
# keep emails for root in a separate folder
if [ -d /home/$MY_USERNAME/Maildir/admin ]; then
return
fi
freedombone-addemail -u $MY_USERNAME -e "root@$DEFAULT_DOMAIN_NAME" -g admin --public no
}
function spam_filtering {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "spam_filtering" $COMPLETION_FILE; then
return
fi
apt-get -y install exim4-daemon-heavy
apt-get -y install spamassassin
if [ ! -f /etc/default/spamassassin ]; then
echo 'Spamassassin was not installed'
exit 72570
fi
sa-update -v
sed -i 's/ENABLED=0/ENABLED=1/g' /etc/default/spamassassin
sed -i 's/# spamd_address = 127.0.0.1 783/spamd_address = 127.0.0.1 783/g' /etc/exim4/exim4.conf.template
# This configuration is based on https://wiki.debian.org/DebianSpamAssassin
sed -i 's/local_parts = postmaster/local_parts = postmaster:abuse/g' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
sed -i '/domains = +local_domains : +relay_to_domains/a\ set acl_m0 = rfcnames' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
sed -i 's/accept/accept condition = ${if eq{$acl_m0}{rfcnames} {1}{0}}/g' /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo 'warn message = X-Spam-Score: $spam_score ($spam_bar)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo 'warn message = X-Spam-Flag: YES' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo 'warn message = X-Spam-Report: $spam_report' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo '# reject spam at high scores (> 12)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo 'deny message = This message scored $spam_score spam points.' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
echo ' condition = ${if >{$spam_score_int}{120}{1}{0}}' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data
# procmail configuration
echo '# get spamassassin to check emails' >> /home/$MY_USERNAME/.procmailrc
echo ':0fw: .spamassassin.lock' >> /home/$MY_USERNAME/.procmailrc
echo ' * < 256000' >> /home/$MY_USERNAME/.procmailrc
echo '| spamc' >> /home/$MY_USERNAME/.procmailrc
echo '# strong spam are discarded' >> /home/$MY_USERNAME/.procmailrc
echo ':0' >> /home/$MY_USERNAME/.procmailrc
echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc
echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc
echo '# weak spam are kept just in case - clear this out every now and then' >> /home/$MY_USERNAME/.procmailrc
echo ':0' >> /home/$MY_USERNAME/.procmailrc
echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc
echo 'maybe-spam/' >> /home/$MY_USERNAME/.procmailrc
echo '# otherwise, marginal spam goes here for revision' >> /home/$MY_USERNAME/.procmailrc
echo ':0' >> /home/$MY_USERNAME/.procmailrc
echo ' * ^X-Spam-Level: \*\*' >> /home/$MY_USERNAME/.procmailrc
echo 'spam/' >> /home/$MY_USERNAME/.procmailrc
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc
echo '# get spamassassin to check emails' >> /etc/skel/.procmailrc
echo ':0fw: .spamassassin.lock' >> /etc/skel/.procmailrc
echo ' * < 256000' >> /etc/skel/.procmailrc
echo '| spamc' >> /etc/skel/.procmailrc
echo '# strong spam are discarded' >> /etc/skel/.procmailrc
echo ':0' >> /etc/skel/.procmailrc
echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /etc/skel/.procmailrc
echo '/dev/null' >> /etc/skel/.procmailrc
echo '# weak spam are kept just in case - clear this out every now and then' >> /etc/skel/.procmailrc
echo ':0' >> /etc/skel/.procmailrc
echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /etc/skel/.procmailrc
echo 'maybe-spam/' >> /etc/skel/.procmailrc
echo '# otherwise, marginal spam goes here for revision' >> /etc/skel/.procmailrc
echo ':0' >> /etc/skel/.procmailrc
echo ' * ^X-Spam-Level: \*\*' >> /etc/skel/.procmailrc
echo 'spam/' >> /etc/skel/.procmailrc
# filtering scripts
echo '#!/bin/bash' > /usr/bin/filterspam
echo 'for d in /home/*/ ; do' >> /usr/bin/filterspam
echo ' USERNAME=$(echo "$d" | awk -F '"'"'/'"'"' '"'"'{print $3}'"'"')' >> /usr/bin/filterspam
echo ' if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then' >> /usr/bin/filterspam
echo ' MAILDIR=/home/$USERNAME/Maildir/.learn-spam' >> /usr/bin/filterspam
echo ' if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterspam
echo ' exit' >> /usr/bin/filterspam
echo ' fi' >> /usr/bin/filterspam
echo ' for f in `ls $MAILDIR/cur`' >> /usr/bin/filterspam
echo ' do' >> /usr/bin/filterspam
echo ' spamc -L spam < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterspam
echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterspam
echo ' done' >> /usr/bin/filterspam
echo ' for f in `ls $MAILDIR/new`' >> /usr/bin/filterspam
echo ' do' >> /usr/bin/filterspam
echo ' spamc -L spam < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterspam
echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterspam
echo ' done' >> /usr/bin/filterspam
echo ' fi' >> /usr/bin/filterspam
echo 'done' >> /usr/bin/filterspam
echo 'exit 0' >> /usr/bin/filterspam
echo '#!/bin/bash' > /usr/bin/filterham
echo 'for d in /home/*/ ; do' >> /usr/bin/filterham
echo ' USERNAME=$(echo "$d" | awk -F '"'"'/'"'"' '"'"'{print $3}'"'"')' >> /usr/bin/filterham
echo ' if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then' >> /usr/bin/filterham
echo ' MAILDIR=/home/$USERNAME/Maildir/.learn-ham' >> /usr/bin/filterham
echo ' if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterham
echo ' exit' >> /usr/bin/filterham
echo ' fi' >> /usr/bin/filterham
echo ' for f in `ls $MAILDIR/cur`' >> /usr/bin/filterham
echo ' do' >> /usr/bin/filterham
echo ' spamc -L ham < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterham
echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterham
echo ' done' >> /usr/bin/filterham
echo ' for f in `ls $MAILDIR/new`' >> /usr/bin/filterham
echo ' do' >> /usr/bin/filterham
echo ' spamc -L ham < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterham
echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterham
echo ' done' >> /usr/bin/filterham
echo ' fi' >> /usr/bin/filterham
echo 'done' >> /usr/bin/filterham
echo 'exit 0' >> /usr/bin/filterham
if ! grep -q "filterspam" /etc/crontab; then
echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterspam" >> /etc/crontab
fi
if ! grep -q "filterham" /etc/crontab; then
echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterham" >> /etc/crontab
fi
chmod 655 /usr/bin/filterspam /usr/bin/filterham
sed -i 's/# use_bayes 1/use_bayes 1/g' /etc/mail/spamassassin/local.cf
sed -i 's/# bayes_auto_learn 1/bayes_auto_learn 1/g' /etc/mail/spamassassin/local.cf
# user preferences
if [ ! -d /home/$MY_USERNAME/.spamassassin ]; then
mkdir /home/$MY_USERNAME/.spamassassin
echo $'# How many points before a mail is considered spam.' > /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# required_score 5' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# Whitelist and blacklist addresses are now file-glob-style patterns, so' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# whitelist_from someone@somewhere.com' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# Add your own customised scores for some tests below. The default scores are' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# read from the installed spamassassin rules files, but you can override them' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# here. To see the list of tests and their default scores, go to' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# http://spamassassin.apache.org/tests.html .' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '#' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# score SYMBOLIC_TEST_NAME n.nn' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# definitely want to uncomment the following lines. They will switch off some' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# rules that detect 8-bit characters, which commonly trigger on mails using CJK' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# character sets, or that assume a western-style charset is in use. ' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# ' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# score HTML_COMMENT_8BITS 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# score UPPERCASE_25_50 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# score UPPERCASE_50_75 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# score UPPERCASE_75_100 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# score OBSCURED_EMAIL 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# Speakers of any language that uses non-English, accented characters may wish' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# to uncomment the following lines. They turn off rules that fire on' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# misformatted messages generated by common mail apps in contravention of the' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo $'# email RFCs.' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs
echo '# score SUBJ_ILLEGAL_CHARS 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs
fi
# this must be accessible by root
chown -R $MY_USERNAME:root /home/$MY_USERNAME/.spamassassin
systemctl restart spamassassin
systemctl restart exim4
systemctl restart cron
echo 'spam_filtering' >> $COMPLETION_FILE
}
function configure_imap {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "configure_imap" $COMPLETION_FILE; then
return
fi
dpkg -P dovecot-imapd
dpkg -P dovecot-core
apt-get -y install dovecot-imapd
if [ ! -d /etc/dovecot ]; then
echo $"ERROR: Dovecot does not appear to have installed. $CHECK_MESSAGE"
exit 48
fi
if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then
${PROJECT_NAME}-addcert -h dovecot --dhkey $DH_KEYLENGTH
check_certificates dovecot
fi
chown root:dovecot /etc/ssl/certs/dovecot.*
chown root:dovecot /etc/ssl/private/dovecot.*
if [ ! -f /etc/dovecot/conf.d/10-ssl.conf ]; then
echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf'
exit 83629
fi
sed -i 's|#ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|ssl = no|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|ssl = yes|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|#ssl_key =.*|ssl_key = </etc/ssl/private/dovecot.key|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|ssl_key =.*|ssl_key = </etc/ssl/private/dovecot.key|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|#ssl_dh_parameters_length.*|ssl_dh_parameters_length = 2048|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's/#ssl_prefer_server_ciphers.*/ssl_prefer_server_ciphers = yes/g' /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|#ssl_protocols =.*|ssl_protocols = '$SSL_PROTOCOLS'|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|ssl_protocols =.*|ssl_protocols = '$SSL_PROTOCOLS'|g" /etc/dovecot/conf.d/10-ssl.conf
echo "ssl_cipher_list = '$SSL_CIPHERS'" >> /etc/dovecot/conf.d/10-ssl.conf
if [ ! -f /etc/dovecot/conf.d/10-master.conf ]; then
echo $'Unable to find /etc/dovecot/conf.d/10-master.conf'
exit 49259
fi
sed -i 's/#process_limit =.*/process_limit = 100/g' /etc/dovecot/conf.d/10-master.conf
sed -i 's/#default_client_limit.*/default_client_limit = 100/g' /etc/dovecot/conf.d/10-master.conf
sed -i 's|#default_process_limit =.*|default_process_limit = 100|g' /etc/dovecot/conf.d/10-master.conf
if [ ! -f /etc/dovecot/conf.d/10-logging.conf ]; then
echo $'Unable to find /etc/dovecot/conf.d/10-logging.conf'
exit 48936
fi
sed -i 's/#auth_verbose.*/auth_verbose = yes/g' /etc/dovecot/conf.d/10-logging.conf
if [ ! -f /etc/dovecot/dovecot.conf ]; then
echo $'Unable to find /etc/dovecot/dovecot.conf'
exit 43890
fi
sed -i 's/#listen =.*/listen = */g' /etc/dovecot/dovecot.conf
if [ ! -f /etc/dovecot/conf.d/10-auth.conf ]; then
echo $'Unable to find /etc/dovecot/conf.d/10-auth.conf'
exit 843256
fi
sed -i 's/#disable_plaintext_auth =.*/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
if [ ! -f /etc/dovecot/conf.d/10-mail.conf ]; then
echo $'Unable to find /etc/dovecot/conf.d/10-mail.conf'
exit 42036
fi
sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
# This long notify interval makes the system more suited for use with
# battery powered mobile devices
sed -i 's|#imap_idle_notify_interval =.*|imap_idle_notify_interval = 29|g' /etc/dovecot/conf.d/20-imap.conf
if [ -f /var/lib/dovecot/ssl-parameters.dat ]; then
rm /var/lib/dovecot/ssl-parameters.dat
fi
systemctl restart dovecot
echo 'configure_imap' >> $COMPLETION_FILE
}
function configure_imap_client_certs {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then
return
fi
# http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
sed -i 's|#default_process_limit =.*|default_process_limit = 100|g' /etc/dovecot/conf.d/10-master.conf
sed -i 's/disable_plaintext_auth =.*/disable_plaintext_auth = yes/g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|#ssl_verify_client_cert =.*|ssl_verify_client_cert = yes|g' /etc/dovecot/conf.d/10-ssl.conf
if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
echo '' >> /etc/dovecot/conf.d/10-auth.conf
echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf
echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf
echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf
echo '}' >> /etc/dovecot/conf.d/10-auth.conf
fi
if [[ $ONION_ONLY == "no" ]]; then
# make a CA cert
if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
else
${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS
fi
fi
fi
# CA configuration
echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
echo "default_ca = dovecot-ca" >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf
echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf
echo 'new_certs_dir = .' >> /etc/ssl/dovecot-ca.cnf
echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf
echo "certificate = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt" >> /etc/ssl/dovecot-ca.cnf
echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf
echo "private_key = /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key" >> /etc/ssl/dovecot-ca.cnf
echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
echo 'default_bits = 4096' >> /etc/ssl/dovecot-ca.cnf
echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf
echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf
echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf
echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf
echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf
echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf
echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf
echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf
if [ -f /etc/ssl/ssldb ]; then
rm /etc/ssl/ssldb
fi
if [ -f /etc/ssl/sslserial ]; then
rm /etc/ssl/sslserial
fi
touch /etc/ssl/ssldb
echo 0001 > /etc/ssl/sslserial
#${PROJECT_NAME}-clientcert -u $MY_USERNAME
systemctl restart dovecot
echo 'configure_imap_client_certs' >> $COMPLETION_FILE
}
function create_gpg_subkey {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "create_gpg_subkey" $COMPLETION_FILE; then
return
fi
apt-get -y install gnupg
GPG_KEY_USAGE=$1
if [[ $GPG_KEY_USAGE != "sign" && $GPG_KEY_USAGE != "auth" && $GPG_KEY_USAGE != "encrypt" ]]; then
echo $"Unknown subkey usage: $GPG_KEY_USAGE"
echo $'Available types: sign|auth|encrypt'
exit 14783
fi
KEYGRIP=$(gpg --fingerprint --fingerprint $MY_EMAIL_ADDRESS | grep fingerprint | tail -1 | cut -d= -f2 | sed -e 's/ //g')
# Generate a GPG subkey
# Here a 2048bit length is used to be compatible with yubikey
echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
echo "Key-Grip: $KEYGRIP" > /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Length: 2048' >> /home/$MY_USERNAME/gpg-genkey.conf
echo "subkey-Usage: $GPG_KEY_USAGE" > /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Comment: $GPG_KEY_USAGE" >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
shred -zu /home/$MY_USERNAME/gpg-genkey.conf
MY_GPG_SUBKEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
echo 'create_gpg_subkey' >> $COMPLETION_FILE
}
function gpg_key_exists {
key_owner_username=$1
key_search_text=$2
if [[ $key_owner_username != "root" ]]; then
KEY_EXISTS=$(su -c "gpg --list-keys \"${key_search_text}\"" - $key_owner_username)
else
KEY_EXISTS=$(gpg --list-keys "${key_search_text}")
fi
if [ ! "$KEY_EXISTS" ]; then
echo "no"
return
fi
if [ "$KEY_EXISTS" == *"error"* ]; then
echo "no"
return
fi
echo "yes"
}
function gpg_pubkey_from_email {
key_owner_username=$1
key_email_address=$2
key_id=
if [[ $key_owner_username != "root" ]]; then
key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
else
key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
fi
echo $key_id
}
function configure_gpg {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "configure_gpg" $COMPLETION_FILE; then
return
fi
apt-get -y install gnupg
gpg_dir=/home/$MY_USERNAME/.gnupg
# if gpg keys directory was previously imported from usb
if [[ $GPG_KEYS_IMPORTED == "yes" && -d $gpg_dir ]]; then
echo $'GPG keys were imported'
sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
echo $'GPG public key ID could not be obtained'
fi
chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir
chmod 700 $gpg_dir
chmod 600 $gpg_dir/*
echo 'configure_gpg' >> $COMPLETION_FILE
return
fi
if [ ! -d $gpg_dir ]; then
mkdir $gpg_dir
echo "keyserver $GPG_KEYSERVER" >> $gpg_dir/gpg.conf
echo 'keyserver-options auto-key-retrieve' >> $gpg_dir/gpg.conf
fi
sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf
if ! grep -q "# default preferences" $gpg_dir/gpg.conf; then
echo '' >> $gpg_dir/gpg.conf
echo '# default preferences' >> $gpg_dir/gpg.conf
echo 'personal-digest-preferences SHA256' >> $gpg_dir/gpg.conf
echo 'cert-digest-algo SHA256' >> $gpg_dir/gpg.conf
echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> $gpg_dir/gpg.conf
fi
chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir
chmod 700 $gpg_dir
chmod 600 $gpg_dir/*
if [[ $MY_GPG_PUBLIC_KEY && $MY_GPG_PRIVATE_KEY ]]; then
echo $'Importing GPG keys from file'
echo $"Public key: $MY_GPG_PUBLIC_KEY"
echo $"Private key: $MY_GPG_PRIVATE_KEY"
# use your existing GPG keys which were exported
if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
echo $"GPG public key file $MY_GPG_PUBLIC_KEY was not found"
exit 2483
fi
if [ ! -f $MY_GPG_PRIVATE_KEY ]; then
echo $"GPG private key file $MY_GPG_PRIVATE_KEY was not found"
exit 5383
fi
su -c "gpg --import $MY_GPG_PUBLIC_KEY" - $MY_USERNAME
su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME
KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [[ $KEY_EXISTS == "no" ]]; then
echo $"The GPG key for $MY_EMAIL_ADDRESS could not be imported"
exit 13821
fi
# for security ensure that the private key file doesn't linger around
shred -zu $MY_GPG_PRIVATE_KEY
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
echo $'GPG public key ID could not be obtained'
fi
else
# Generate a GPG key
echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
echo $'Generating a new GPG key'
su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [[ $KEY_EXISTS == "no" ]]; then
echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created"
exit 6362
fi
shred -zu /home/$MY_USERNAME/gpg-genkey.conf
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
echo $'GPG public key ID could not be obtained'
fi
MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg
su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
if grep -q "configure_email" $COMPLETION_FILE; then
if ! grep -q $"Change your GPG password" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Change your GPG password' >> /home/$MY_USERNAME/README
echo '========================' >> /home/$MY_USERNAME/README
echo $"It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README
echo $"if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README
echo $'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README
echo $'You can change the it with:' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
echo ' passwd' >> /home/$MY_USERNAME/README
echo ' save' >> /home/$MY_USERNAME/README
echo ' quit' >> /home/$MY_USERNAME/README
fi
if ! grep -q $"Publish your GPG public key" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Publish your GPG public key' >> /home/$MY_USERNAME/README
echo '===========================' >> /home/$MY_USERNAME/README
echo $'So that others can send emails to you securely you should' >> /home/$MY_USERNAME/README
echo $'publish your GPG public key with the command:' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo " gpg --send-keys $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
fi
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
fi
echo 'configure_gpg' >> $COMPLETION_FILE
}
function refresh_gpg_keys {
REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys
echo '#!/bin/bash' > $REFRESH_GPG_KEYS_SCRIPT
echo "if [ -f /usr/local/bin/${PROJECT_NAME}-sec ]; then" >> $REFRESH_GPG_KEYS_SCRIPT
echo " /usr/bin/timeout 600 /usr/local/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT
echo 'else' >> $REFRESH_GPG_KEYS_SCRIPT
echo " /usr/bin/timeout 600 /usr/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT
echo 'fi' >> $REFRESH_GPG_KEYS_SCRIPT
chmod +x $REFRESH_GPG_KEYS_SCRIPT
if grep -q "${PROJECT_NAME}-sec" /etc/crontab; then
sed -i "/${PROJECT_NAME}-sec /d" /etc/crontab
fi
if ! grep -q "$REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then
GPG_REFRESH_TIME=$(( RANDOM % 60 ))
echo "$GPG_REFRESH_TIME */$REFRESH_GPG_KEYS_HOURS * * * root cronic $REFRESH_GPG_KEYS_SCRIPT" >> /etc/crontab
systemctl restart cron
else
sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab
fi
}
function configure_backup_key {
if grep -Fxq "configure_backup_key" $COMPLETION_FILE; then
return
fi
apt-get -y install gnupg
BACKUP_KEY_EXISTS=$(gpg_key_exists "root" "$MY_NAME (backup key)")
if [[ $BACKUP_KEY_EXISTS == "yes" ]]; then
return
fi
# Generate a GPG key for backups
BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
echo $'Backup key does not exist. Creating it.'
su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
shred -zu /home/$MY_USERNAME/gpg-genkey.conf
echo $'Checking that the Backup key was created'
BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
echo $'Backup key could not be created'
exit 43382
fi
fi
MY_BACKUP_KEY_ID=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\" | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
echo "Backup key: $MY_BACKUP_KEY_ID"
MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key
su -c "gpg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME
su -c "gpg --output ${MY_BACKUP_KEY}_private.asc --armor --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then
echo 'Public backup key could not be exported'
exit 36829
fi
if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then
echo 'Private backup key could not be exported'
exit 29235
fi
# import backup key to root user
gpg --import --import ${MY_BACKUP_KEY}_public.asc
gpg --allow-secret-key-import --import ${MY_BACKUP_KEY}_private.asc
shred -zu ${MY_BACKUP_KEY}_public.asc
shred -zu ${MY_BACKUP_KEY}_private.asc
echo 'configure_backup_key' >> $COMPLETION_FILE
}
function install_monkeysphere {
if grep -Fxq "install_monkeysphere" $COMPLETION_FILE; then
return
fi
apt-get -y install monkeysphere msva-perl
#su -c "monkeysphere gen-subkey $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
mkdir /home/$MY_USERNAME/.monkeysphere
chmod 755 /home/$MY_USERNAME/.monkeysphere
echo "$MY_NAME <${MY_EMAIL_ADDRESS}>" > /home/$MY_USERNAME/.monkeysphere/authorized_user_ids
chmod 644 /home/$MY_USERNAME/.monkeysphere/authorized_user_ids
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.monkeysphere
monkeysphere-authentication update-users
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
echo $'monkeysphere import: ssh host key not found'
exit 76295
fi
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
exit 52825
fi
fi
# The admin user is the identity certifier
fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
monkeysphere-authentication add-identity-certifier $fpr
echo 'install_monkeysphere' >> $COMPLETION_FILE
}
function encrypt_incoming_email {
# encrypts incoming mail using your GPG public key
# so even if an attacker gains access to the data at rest they still need
# to know your GPG key password to be able to read anything
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
# update to the next commit
set_repo_commit $INSTALL_DIR/gpgit "gpgit commit" "$GPGIT_COMMIT" $GPGIT_REPO
if grep -Fxq "encrypt_incoming_email" $COMPLETION_FILE; then
return
fi
if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then
return
fi
if [ ! -f /usr/bin/gpgit.pl ]; then
apt-get -y install git libmail-gnupg-perl
cd $INSTALL_DIR
git_clone $GPGIT_REPO $INSTALL_DIR/gpgit
cd $INSTALL_DIR/gpgit
git checkout $GPGIT_COMMIT -b $GPGIT_COMMIT
if ! grep -q "gpgit commit" $COMPLETION_FILE; then
echo "gpgit commit:$GPGIT_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/gpgit commit.*/gpgit commit:$GPGIT_COMMIT/g" $COMPLETION_FILE
fi
cp gpgit.pl /usr/bin
fi
# add a procmail rule
if ! grep -q "/usr/bin/gpgit.pl" /home/$MY_USERNAME/.procmailrc; then
echo '' >> /home/$MY_USERNAME/.procmailrc
echo ':0 f' >> /home/$MY_USERNAME/.procmailrc
echo "| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/.procmailrc
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc
echo '' >> /etc/skel/.procmailrc
echo ':0 f' >> /etc/skel/.procmailrc
echo -n '| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten $USER@' >> /etc/skel/.procmailrc
echo "$DEFAULT_DOMAIN_NAME" >> /etc/skel/.procmailrc
fi
echo 'encrypt_incoming_email' >> $COMPLETION_FILE
}
function encrypt_outgoing_email {
# encrypts outgoing mail using your GPG public key
# so even if an attacker gains access to the data at rest they still need
# to know your GPG key password to be able to read sent mail
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "encrypt_outgoing_email" $COMPLETION_FILE; then
return
fi
if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then
return
fi
if [ ! -d /home/$MY_USERNAME/.gnupg ]; then
return
fi
if [ ! -f /home/$MY_USERNAME/.muttrc ]; then
return
fi
# obtain your public key ID
if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [ ! "$MY_GPG_PUBLIC_KEY_ID" ]; then
return
fi
if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
return
fi
fi
if ! grep -q "pgp_encrypt_only_command" /home/$MY_USERNAME/.muttrc; then
echo '' >> /home/$MY_USERNAME/.muttrc
echo $'# Encrypt items in the Sent folder' >> /home/$MY_USERNAME/.muttrc
echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc
else
sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc
fi
if ! grep -q "pgp_encrypt_sign_command" /home/$MY_USERNAME/.muttrc; then
echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc
else
sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc
fi
echo 'encrypt_outgoing_email' >> $COMPLETION_FILE
}
function encrypt_all_email {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then
return
fi
if [ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ]; then
cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
else
cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
fi
chmod +x /usr/bin/encmaildir
if grep -Fxq "encrypt_all_email" $COMPLETION_FILE; then
return
fi
if [ ! /home/$MY_USERNAME/README ]; then
touch /home/$MY_USERNAME/README
fi
if ! grep -q $"If you have imported legacy email which is not encrypted" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Encrypting legacy email' >> /home/$MY_USERNAME/README
echo '=======================' >> /home/$MY_USERNAME/README
echo $'If you have imported legacy email which is not encrypted' >> /home/$MY_USERNAME/README
echo $'then it can be encrypted with the command:' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo ' encmaildir' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'But be warned that depending upon how much email you have' >> /home/$MY_USERNAME/README
echo $'this could take a seriously LONG time on the Beaglebone' >> /home/$MY_USERNAME/README
echo $'and may be better done on a faster machine.' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'encrypt_all_email' >> $COMPLETION_FILE
}
function email_client {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "email_client" $COMPLETION_FILE; then
return
fi
apt-get -y install mutt-patched lynx abook
if [ ! -f /etc/Muttrc ]; then
echo $"ERROR: Mutt does not appear to have installed. $CHECK_MESSAGE"
exit 49
fi
if [ ! -d /home/$MY_USERNAME/.mutt ]; then
mkdir /home/$MY_USERNAME/.mutt
fi
echo "text/html; lynx -dump -width=78 -nolist %s | sed s/^ //; copiousoutput; needsterminal; nametemplate=%s.html" > /home/$MY_USERNAME/.mutt/mailcap
cp /home/$MY_USERNAME/.mutt/mailcap /etc/skel/.mutt
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt
chown -R root:root /etc/skel/.mutt
echo 'set mbox_type=Maildir' >> /etc/Muttrc
echo 'set folder="~/Maildir"' >> /etc/Muttrc
echo 'set mask="!^\\.[^.]"' >> /etc/Muttrc
echo 'set mbox="~/Maildir"' >> /etc/Muttrc
echo 'set record="+Sent"' >> /etc/Muttrc
echo 'set postponed="+Drafts"' >> /etc/Muttrc
echo 'set trash="+Trash"' >> /etc/Muttrc
echo 'set spoolfile="~/Maildir"' >> /etc/Muttrc
echo 'auto_view text/x-vcard text/html text/enriched' >> /etc/Muttrc
echo 'set editor="emacs -q --load ~/.emacs-mutt"' >> /etc/Muttrc
echo 'set header_cache="+.cache"' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo 'macro index S "<tag-prefix><decode-save>=.learn-spam<enter>" "move to learn-spam"' >> /etc/Muttrc
echo 'macro pager S "<decode-save>=.learn-spam<enter>" "move to learn-spam"' >> /etc/Muttrc
echo 'macro index H "<tag-prefix><decode-copy>=.learn-ham<enter>" "copy to learn-ham"' >> /etc/Muttrc
echo 'macro pager H "<decode-copy>=.learn-ham<enter>" "copy to learn-ham"' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# set up the sidebar' >> /etc/Muttrc
echo 'set sidebar_width=22' >> /etc/Muttrc
echo 'set sidebar_visible=yes' >> /etc/Muttrc
echo "set sidebar_delim='|'" >> /etc/Muttrc
echo 'set sidebar_sort=yes' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo 'set rfc2047_parameters' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# Show inbox and sent items' >> /etc/Muttrc
echo 'mailboxes = =Sent =maybe-spam =spam' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# Alter these colours as needed for maximum bling' >> /etc/Muttrc
echo 'color sidebar_new yellow default' >> /etc/Muttrc
echo 'color normal white default' >> /etc/Muttrc
echo 'color hdrdefault brightcyan default' >> /etc/Muttrc
echo 'color signature green default' >> /etc/Muttrc
echo 'color attachment brightyellow default' >> /etc/Muttrc
echo 'color quoted green default' >> /etc/Muttrc
echo 'color quoted1 white default' >> /etc/Muttrc
echo 'color tilde blue default' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# ctrl-n, ctrl-p to select next, prev folder' >> /etc/Muttrc
echo '# ctrl-o to open selected folder' >> /etc/Muttrc
echo 'bind index \Cp sidebar-prev' >> /etc/Muttrc
echo 'bind index \Cn sidebar-next' >> /etc/Muttrc
echo 'bind index \Co sidebar-open' >> /etc/Muttrc
echo 'bind pager \Cp sidebar-prev' >> /etc/Muttrc
echo 'bind pager \Cn sidebar-next' >> /etc/Muttrc
echo 'bind pager \Co sidebar-open' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# ctrl-b toggles sidebar visibility' >> /etc/Muttrc
echo "macro index,pager \Cb '<enter-command>toggle sidebar_visible<enter><redraw-screen>' 'toggle sidebar'" >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# esc-m Mark new messages as read' >> /etc/Muttrc
echo 'macro index <esc>m "T~N<enter>;WNT~O<enter>;WO\CT~T<enter>" "mark all messages read"' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# Collapsing threads' >> /etc/Muttrc
echo 'macro index [ "<collapse-thread>" "collapse/uncollapse thread"' >> /etc/Muttrc
echo 'macro index ] "<collapse-all>" "collapse/uncollapse all threads"' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# threads containing new messages' >> /etc/Muttrc
echo 'uncolor index "~(~N)"' >> /etc/Muttrc
echo 'color index brightblue default "~(~N)"' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# new messages themselves' >> /etc/Muttrc
echo 'uncolor index "~N"' >> /etc/Muttrc
echo 'color index brightyellow default "~N"' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# GPG/PGP integration' >> /etc/Muttrc
echo '# this set the number of seconds to keep in memory the passphrase used to encrypt/sign' >> /etc/Muttrc
echo 'set pgp_timeout=1800' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# automatically sign and encrypt with PGP/MIME' >> /etc/Muttrc
echo 'set pgp_autosign # autosign all outgoing mails' >> /etc/Muttrc
echo 'set pgp_autoencrypt # Try to encrypt automatically' >> /etc/Muttrc
echo 'set pgp_replyencrypt # autocrypt replies to crypted' >> /etc/Muttrc
echo 'set pgp_replysign # autosign replies to signed' >> /etc/Muttrc
echo 'set pgp_auto_decode=yes # decode attachments' >> /etc/Muttrc
echo 'set fcc_clear=no # Keep encrypted copy of sent encrypted mail' >> /etc/Muttrc
echo 'unset smime_is_default' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo 'set alias_file=~/.mutt-alias' >> /etc/Muttrc
echo 'source ~/.mutt-alias' >> /etc/Muttrc
echo 'set query_command= "abook --mutt-query \"%s\""' >> /etc/Muttrc
echo 'macro index,pager A "<pipe-message>abook --add-email-quiet<return>" "add the sender address to abook"' >> /etc/Muttrc
echo '' >> /etc/Muttrc
echo '# Optional relay of SMTP via ISP' >> /etc/Muttrc
echo '#set smtp_url="smtps://username:password@isp_mail_domain:465/"' >> /etc/Muttrc
# create an Emacs configuration specifically for use with Mutt, which
# has word wrap and spell checking on by default
echo "(add-hook 'before-save-hook 'delete-trailing-whitespace)" > /home/$MY_USERNAME/.emacs-mutt
echo '(setq org-support-shift-select t)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq standard-indent 4)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq-default tab-width 4)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq c-basic-offset 4)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(mouse-wheel-mode t)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq make-backup-files t)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq version-control t)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/"))))' >> /home/$MY_USERNAME/.emacs-mutt
echo "(setq default-major-mode 'text-mode)" >> /home/$MY_USERNAME/.emacs-mutt
echo "(dolist (hook '(text-mode-hook))" >> /home/$MY_USERNAME/.emacs-mutt
echo ' (add-hook hook (lambda () (flyspell-mode 1))))' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq-default fill-column 72)' >> /home/$MY_USERNAME/.emacs-mutt
echo '(setq auto-fill-mode 0)' >> /home/$MY_USERNAME/.emacs-mutt
echo "(add-hook 'text-mode-hook 'turn-on-auto-fill)" >> /home/$MY_USERNAME/.emacs-mutt
echo "(setq-default auto-fill-function 'do-auto-fill)" >> /home/$MY_USERNAME/.emacs-mutt
# add the emacs mutt configuration to the user profile skeleton
if [ ! -f /etc/skel/.emacs-mutt ]; then
cp /home/$MY_USERNAME/.emacs-mutt /etc/skel/.emacs-mutt
chown root:root /etc/skel/.emacs-mutt
fi
cp -f /etc/Muttrc /home/$MY_USERNAME/.muttrc
cp -f /etc/Muttrc /etc/skel/.muttrc
touch /home/$MY_USERNAME/.mutt-alias
cp /home/$MY_USERNAME/.mutt-alias /etc/skel/.mutt-alias
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs-mutt
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.muttrc
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt-alias
# default user on generic images
if [ -d /home/${GENERIC_IMAGE_USERNAME} ]; then
cp -f /etc/Muttrc /home/${GENERIC_IMAGE_USERNAME}/.muttrc
chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.muttrc
touch /home/${GENERIC_IMAGE_USERNAME}/.mutt-alias
chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.mutt-alias
cp /etc/skel/.emacs-mutt /home/${GENERIC_IMAGE_USERNAME}/.emacs-mutt
chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.emacs-mutt
fi
echo 'email_client' >> $COMPLETION_FILE
}
function email_archiving {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
# ensure that the mail archive script is up to date
if [ -f /usr/local/bin/${PROJECT_NAME}-archive-mail ]; then
cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
else
if [ -f /usr/bin/${PROJECT_NAME}-archive-mail ]; then
cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
else
echo "/usr/bin/${PROJECT_NAME}-archive-mail was not found. ${PROJECT_NAME} might not have fully installed."
exit 62379
fi
fi
chmod +x /etc/cron.daily/archivemail
# update to the next commit
set_repo_commit $INSTALL_DIR/cleanup-maildir "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT" $CLEANUP_MAILDIR_REPO
if grep -Fxq "email_archiving" $COMPLETION_FILE; then
return
fi
if [ ! -d $INSTALL_DIR ]; then
mkdir $INSTALL_DIR
fi
cd $INSTALL_DIR
git_clone $CLEANUP_MAILDIR_REPO $INSTALL_DIR/cleanup-maildir
cd $INSTALL_DIR/cleanup-maildir
git checkout $CLEANUP_MAILDIR_COMMIT -b $CLEANUP_MAILDIR_COMMIT
if ! grep -q "cleanup-maildir commit" $COMPLETION_FILE; then
echo "cleanup-maildir commit:$CLEANUP_MAILDIR_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/cleanup-maildir commit.*/cleanup-maildir commit:$CLEANUP_MAILDIR_COMMIT/g" $COMPLETION_FILE
fi
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
echo 'email_archiving' >> $COMPLETION_FILE
}
# Ensure that the from field is correct when sending email from Mutt
function email_from_address {
if grep -Fxq "email_from_address" $COMPLETION_FILE; then
return
fi
if [ ! -f /home/$MY_USERNAME/.muttrc ]; then
return
fi
if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then
sed -i "s|set from=.*|set from='$MY_NAME <$MY_EMAIL_ADDRESS>'|g" /home/$MY_USERNAME/.muttrc
else
echo "set from='$MY_NAME <$MY_EMAIL_ADDRESS>'" >> /home/$MY_USERNAME/.muttrc
fi
echo 'email_from_address' >> $COMPLETION_FILE
}
function create_public_mailing_list {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "create_public_mailing_list" $COMPLETION_FILE; then
return
fi
if [ ! $PUBLIC_MAILING_LIST ]; then
return
fi
# does the mailing list have a separate domain name?
if [ ! $PUBLIC_MAILING_LIST_DOMAIN_NAME ]; then
PUBLIC_MAILING_LIST_DOMAIN_NAME=$DEFAULT_DOMAIN_NAME
fi
PUBLIC_MAILING_LIST_USER="mlmmj"
apt-get -y install mlmmj
adduser --system $PUBLIC_MAILING_LIST_USER
addgroup $PUBLIC_MAILING_LIST_USER
adduser $PUBLIC_MAILING_LIST_USER $PUBLIC_MAILING_LIST_USER
echo ''
echo $"Creating the $PUBLIC_MAILING_LIST mailing list"
echo ''
# create the list
mlmmj-make-ml -a -L "$PUBLIC_MAILING_LIST" -c $PUBLIC_MAILING_LIST_USER
echo 'SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe' > /etc/exim4/conf.d/main/000_localmacros
echo "SYSTEM_ALIASES_USER = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros
echo "SYSTEM_ALIASES_GROUP = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros
# router
echo 'mlmmj_router:' > /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' debug_print = "R: mlmmj_router for $local_part@$domain"' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' driver = accept' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' domains = +mlmmj_domains' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' #require_files = MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' # Use this instead, if you dont want to give Exim rx rights to mlmmj spool.' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' # Exim will then spawn a new process running under the UID of "mlmmj".' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' require_files = mlmmj:MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' local_part_suffix = +*' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' headers_remove = Delivered-To' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' headers_add = Delivered-To: $local_part$local_part_suffix@$domain' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
echo ' transport = mlmmj_transport' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj
# transport
echo 'mlmmj_transport:' > /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' debug_print = "T: mlmmj_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' driver = pipe' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' return_path_add' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' user = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' group = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' home_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' current_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
echo ' command = /usr/bin/mlmmj-receive -F -L MLMMJ_HOME/${lc:$local_part}' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj
if ! grep -q "MLMMJ_HOME=/var/spool/mlmmj" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then
sed -i '/MAIN CONFIGURATION SETTINGS/a\MLMMJ_HOME=/var/spool/mlmmj' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
fi
if ! grep -q "domainlist mlmmj_domains =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then
sed -i "/MLMMJ_HOME/a\domainlist mlmmj_domains = $PUBLIC_MAILING_LIST_DOMAIN_NAME" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
fi
if ! grep -q "delay_warning_condition =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then
sed -i '/domainlist mlmmj_domains =/a\delay_warning_condition = ${if match_domain{$domain}{+mlmmj_domains}{no}{yes}}' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
fi
if ! grep -q ": +mlmmj_domains" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then
sed -i 's/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS : +mlmmj_domains/g' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
fi
if ! grep -q "! +mlmmj_domains" /etc/exim4/conf.d/router/200_exim4-config_primary; then
sed -i 's/domains = ! +local_domains/domains = ! +mlmmj_domains : ! +local_domains/g' /etc/exim4/conf.d/router/200_exim4-config_primary
fi
update-exim4.conf.template -r
update-exim4.conf
systemctl restart exim4
if ! grep -q $"$PUBLIC_MAILING_LIST mailing list" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $"$PUBLIC_MAILING_LIST mailing list" >> /home/$MY_USERNAME/README
echo '=================================' >> /home/$MY_USERNAME/README
echo $"To subscribe to the $PUBLIC_MAILING_LIST mailing list send a" >> /home/$MY_USERNAME/README
echo $"cleartext email to $PUBLIC_MAILING_LIST+subscribe@$DEFAULT_DOMAIN_NAME" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
${PROJECT_NAME}-addlist -u $MY_USERNAME -l "$PUBLIC_MAILING_LIST" -s "$PUBLIC_MAILING_LIST"
echo 'create_public_mailing_list' >> $COMPLETION_FILE
}
function create_private_mailing_list {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
# This installation doesn't work, results in ruby errors
# There is currently no schleuder package for Debian jessie
if grep -Fxq "create_private_mailing_list" $COMPLETION_FILE; then
return
fi
if [ ! $PRIVATE_MAILING_LIST ]; then
return
fi
if [[ $PRIVATE_MAILING_LIST == $MY_USERNAME ]]; then
echo $'The name of the private mailing list should not be the same as your username'
exit 10
fi
if [ ! $MY_GPG_PUBLIC_KEY ]; then
echo $'To create a private mailing list you need to specify a file'
echo $'containing your exported GPG key within MY_GPG_PUBLIC_KEY at'
echo $'the top of the script'
exit 11
fi
apt-get -y install ruby ruby-dev ruby-gpgme libgpgme11-dev libmagic-dev
gem install schleuder
schleuder-fix-gem-dependencies
schleuder-init-setup --gem
# NOTE: this is version number sensitive and so might need changing
ln -s /var/lib/gems/2.1.0/gems/schleuder-2.2.4 /var/lib/schleuder
sed -i 's/#smtp_port: 25/smtp_port: 465/g' /etc/schleuder/schleuder.conf
sed -i 's/#superadminaddr: root@localhost/superadminaddr: root@localhost' /etc/schleuder/schleuder.conf
schleuder-newlist $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME -realname "$PRIVATE_MAILING_LIST" -adminaddress $MY_EMAIL_ADDRESS -initmember $MY_EMAIL_ADDRESS -initmemberkey $MY_GPG_PUBLIC_KEY -nointeractive
${PROJECT_NAME}-addemail -u $MY_USERNAME -e $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME -l $PRIVATE_MAILING_LIST
echo 'schleuder:' > /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' debug_print = "R: schleuder for $local_part@$domain"' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' driver = accept' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' local_part_suffix = +* : -bounce : -sendkey' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' domains = +local_domains' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' user = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' group = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' require_files = schleuder:+/var/lib/schleuder/$domain/${local_part}' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo ' transport = schleuder_transport' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder
echo 'schleuder_transport:' > /etc/exim4/conf.d/transport/30_exim4-config_schleuder
echo ' debug_print = "T: schleuder_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder
echo ' driver = pipe' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder
echo ' home_directory = "/var/lib/schleuder/$domain/$local_part"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder
echo ' command = "/usr/bin/schleuder $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder
chown -R schleuder:schleuder /var/lib/schleuder
update-exim4.conf.template -r
update-exim4.conf
systemctl restart exim4
useradd -d /var/schleuderlists -s /bin/false schleuder
adduser Debian-exim schleuder
usermod -a -G mail schleuder
#exim -d -bt $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME
echo 'create_private_mailing_list' >> $COMPLETION_FILE
}
function split_gpg_key_into_fragments {
# split the gpg key into fragments if social key management is enabled
if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then
echo 'Splitting GPG key. You may need to enter your passphrase.'
${PROJECT_NAME}-splitkey -u $MY_USERNAME -e $MY_EMAIL_ADDRESS --fullname "$MY_NAME"
if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then
echo 'Yhe GPG key could not be split'
exit 86548
fi
fi
}
function import_email {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
EMAIL_COMPLETE_MSG=$"
*** ${PROJECT_NAME} mailbox installation is complete ***
Now on your internet router forward ports
25, 587, 465, 993 and 2222 to the ${PROJECT_NAME}
"
if grep -Fxq "import_email" $COMPLETION_FILE; then
if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
backup_to_friends_servers
intrusion_detection
split_gpg_key_into_fragments
clear
echo ''
echo "$EMAIL_COMPLETE_MSG"
if [ -d $USB_MOUNT ]; then
umount $USB_MOUNT
rm -rf $USB_MOUNT
echo $' You can now remove the USB drive'
fi
exit 0
fi
return
fi
if [ $IMPORT_MAILDIR ]; then
if [ -d $IMPORT_MAILDIR ]; then
echo $'Transfering email files'
cp -r $IMPORT_MAILDIR /home/$MY_USERNAME
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir
else
echo $"Email import directory $IMPORT_MAILDIR not found"
exit 9
fi
fi
echo 'import_email' >> $COMPLETION_FILE
if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
backup_to_friends_servers
intrusion_detection
split_gpg_key_into_fragments
# unmount any attached usb drive
clear
echo ''
echo "$EMAIL_COMPLETE_MSG"
echo ''
if [ -d $USB_MOUNT ]; then
umount $USB_MOUNT
rm -rf $USB_MOUNT
echo $' You can now remove the USB drive'
fi
exit 0
fi
}
function install_web_server {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
return
fi
# update to the next commit
set_repo_commit $INSTALL_DIR/nginx_ensite "Nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO
if grep -Fxq "install_web_server" $COMPLETION_FILE; then
return
fi
# remove apache
apt-get -y remove --purge apache2
if [ -d /etc/apache2 ]; then
rm -rf /etc/apache2
fi
# install nginx
apt-get -y install nginx php5-fpm git
# limit the number of php processes
sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf
#sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf
if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then
echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf
echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf
echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf
fi
if [ ! -d /etc/nginx ]; then
echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"
exit 51
fi
# Nginx settings
echo 'user www-data;' > /etc/nginx/nginx.conf
#echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf
echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo 'events {' >> /etc/nginx/nginx.conf
echo ' worker_connections 50;' >> /etc/nginx/nginx.conf
echo ' # multi_accept on;' >> /etc/nginx/nginx.conf
echo '}' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo 'http {' >> /etc/nginx/nginx.conf
echo ' # limit the number of connections per single IP' >> /etc/nginx/nginx.conf
echo ' limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # limit the number of requests for a given session' >> /etc/nginx/nginx.conf
echo ' limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf
echo ' client_body_buffer_size 128k;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf
echo ' client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf
echo ' large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf
echo ' client_body_timeout 3m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf
echo ' client_header_timeout 3m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' # Basic Settings' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' sendfile on;' >> /etc/nginx/nginx.conf
echo ' tcp_nopush on;' >> /etc/nginx/nginx.conf
echo ' tcp_nodelay on;' >> /etc/nginx/nginx.conf
echo ' keepalive_timeout 65;' >> /etc/nginx/nginx.conf
echo ' types_hash_max_size 2048;' >> /etc/nginx/nginx.conf
echo ' server_tokens off;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf
echo ' # server_name_in_redirect off;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf
echo ' default_type application/octet-stream;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' # Logging Settings' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' access_log /var/log/nginx/access.log;' >> /etc/nginx/nginx.conf
echo ' error_log /var/log/nginx/error.log;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' ###' >> /etc/nginx/nginx.conf
echo ' # Gzip Settings' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' gzip on;' >> /etc/nginx/nginx.conf
echo ' gzip_disable "msie6";' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # gzip_vary on;' >> /etc/nginx/nginx.conf
echo ' # gzip_proxied any;' >> /etc/nginx/nginx.conf
echo ' # gzip_comp_level 6;' >> /etc/nginx/nginx.conf
echo ' # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf
echo ' # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf
echo ' # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' # Virtual Host Configs' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf
echo ' include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf
echo '}' >> /etc/nginx/nginx.conf
# install a script to easily enable and disable nginx virtual hosts
if [ ! -d $INSTALL_DIR ]; then
mkdir $INSTALL_DIR
fi
cd $INSTALL_DIR
git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite
cd $INSTALL_DIR/nginx_ensite
git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT
if ! grep -q "Nginx-ensite commit" $COMPLETION_FILE; then
echo "Nginx-ensite commit:$NGINX_ENSITE_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Nginx-ensite commit.*/Nginx-ensite commit:$NGINX_ENSITE_COMMIT/g" $COMPLETION_FILE
fi
make install
nginx_dissite default
echo 'install_web_server' >> $COMPLETION_FILE
}
function install_web_server_access_control {
if [ ! -f /etc/pam.d/nginx ]; then
echo '#%PAM-1.0' > /etc/pam.d/nginx
echo '@include common-auth' >> /etc/pam.d/nginx
echo '@include common-account' >> /etc/pam.d/nginx
echo '@include common-session' >> /etc/pam.d/nginx
fi
}
function configure_php {
sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini
sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini
}
function install_mariadb {
if grep -Fxq "install_mariadb" $COMPLETION_FILE; then
return
fi
apt-get -y install python-software-properties debconf-utils
apt-get -y install software-properties-common
apt-get -y update
get_mariadb_password
if [ ! $MARIADB_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
MARIADB_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
chmod 600 $DATABASE_PASSWORD_FILE
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo 'MariaDB / MySql' >> /home/$MY_USERNAME/README
echo '===============' >> /home/$MY_USERNAME/README
echo $"Your MariaDB password is: $MARIADB_PASSWORD" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD"
debconf-set-selections <<< "mariadb-server mariadb-server/root_password_again password $MARIADB_PASSWORD"
apt-get -y install mariadb-server
apt-get -y remove --purge apache*
if [ -d /etc/apache2 ]; then
rm -rf /etc/apache2
echo $'Removed Apache installation after MariaDB install'
fi
if [ ! -d /etc/mysql ]; then
echo $"ERROR: mariadb-server does not appear to have installed. $CHECK_MESSAGE"
exit 54
fi
mysqladmin -u root password "$MARIADB_PASSWORD"
echo 'install_mariadb' >> $COMPLETION_FILE
}
function backup_databases_script_header {
if [ ! -f /usr/bin/backupdatabases ]; then
# daily
echo '#!/bin/sh' > /usr/bin/backupdatabases
echo '' >> /usr/bin/backupdatabases
echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases
echo '' >> /usr/bin/backupdatabases
echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases
echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases
echo 'umask 0077' >> /usr/bin/backupdatabases
echo '' >> /usr/bin/backupdatabases
echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases
echo "if [ -f $FRIENDS_SERVERS_LIST ]; then" >> /usr/bin/backupdatabases
echo ' exit 1' >> /usr/bin/backupdatabases
echo 'fi' >> /usr/bin/backupdatabases
chmod 600 /usr/bin/backupdatabases
chmod +x /usr/bin/backupdatabases
echo '#!/bin/sh' > /etc/cron.daily/backupdatabasesdaily
echo '/usr/bin/backupdatabases' >> /etc/cron.daily/backupdatabasesdaily
chmod 600 /etc/cron.daily/backupdatabasesdaily
chmod +x /etc/cron.daily/backupdatabasesdaily
# weekly
echo '#!/bin/sh' > /etc/cron.weekly/backupdatabasesweekly
echo '' >> /etc/cron.weekly/backupdatabasesweekly
echo 'umask 0077' >> /etc/cron.weekly/backupdatabasesweekly
chmod 600 /etc/cron.weekly/backupdatabasesweekly
chmod +x /etc/cron.weekly/backupdatabasesweekly
# monthly
echo '#!/bin/sh' > /etc/cron.monthly/backupdatabasesmonthly
echo '' >> /etc/cron.monthly/backupdatabasesmonthly
echo 'umask 0077' >> /etc/cron.monthly/backupdatabasesmonthly
chmod 600 /etc/cron.monthly/backupdatabasesmonthly
chmod +x /etc/cron.monthly/backupdatabasesmonthly
fi
}
function repair_databases_script {
if [ -f /etc/cron.hourly/repair ]; then
sed -i "s|/usr/bin/repairdatabase|${PROJECT_NAME}-repair-database|g" /etc/cron.hourly/repair
fi
if grep -Fxq "repair_databases_script" $COMPLETION_FILE; then
return
fi
if [ ! -f $DATABASE_PASSWORD_FILE ]; then
return
fi
echo '#!/bin/bash' > /etc/cron.hourly/repair
echo '' >> /etc/cron.hourly/repair
chmod 600 /etc/cron.hourly/repair
chmod +x /etc/cron.hourly/repair
echo 'repair_databases_script' >> $COMPLETION_FILE
}
function add_ddns_domain {
if [ ! $1 ]; then
echo $'ddns domain not specified'
exit 5638
fi
CURRENT_DDNS_DOMAIN="$1"
if [[ $ONION_ONLY != "no" ]]; then
return
fi
if [ ! -f /etc/inadyn.conf ]; then
echo $'Unable to find inadyn configuration file /etc/inadyn.conf'
exit 5745
fi
if ! grep -q "$DDNS_PROVIDER" /etc/inadyn.conf; then
echo '' >> /etc/inadyn.conf
echo "system $DDNS_PROVIDER" >> /etc/inadyn.conf
echo ' ssl' >> /etc/inadyn.conf
echo " checkip-url $GET_IP_ADDRESS_URL /" >> /etc/inadyn.conf
if [ $DDNS_USERNAME ]; then
echo " username $DDNS_USERNAME" >> /etc/inadyn.conf
fi
if [ $DDNS_PASSWORD ]; then
echo " password $DDNS_PASSWORD" >> /etc/inadyn.conf
fi
fi
if ! grep -q "$CURRENT_DDNS_DOMAIN" /etc/inadyn.conf; then
echo " alias $CURRENT_DDNS_DOMAIN" >> /etc/inadyn.conf
fi
chmod 600 /etc/inadyn.conf
systemctl restart inadyn
systemctl daemon-reload
}
function install_syncthing {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "install_syncthing" $COMPLETION_FILE; then
return
fi
apt-get -y install curl
curl -s https://syncthing.net/release-key.txt | apt-key add -
echo "deb http://apt.syncthing.net/ syncthing release" | tee /etc/apt/sources.list.d/syncthing.list
apt-get update
apt-get -y install syncthing
# This probably does need to run as root so that it can access the Sync directories
# in each user's home directory
echo '[Unit]' > /etc/systemd/system/syncthing.service
echo 'Description=Syncthing - Open Source Continuous File Synchronization' >> /etc/systemd/system/syncthing.service
echo 'Documentation=man:syncthing(1)' >> /etc/systemd/system/syncthing.service
echo 'After=network.target' >> /etc/systemd/system/syncthing.service
echo 'Wants=syncthing-inotify@.service' >> /etc/systemd/system/syncthing.service
echo '' >> /etc/systemd/system/syncthing.service
echo '[Service]' >> /etc/systemd/system/syncthing.service
echo 'User=root' >> /etc/systemd/system/syncthing.service
echo "Environment='all_proxy=socks5://localhost:9050'" >> /etc/systemd/system/syncthing.service
echo 'ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0' >> /etc/systemd/system/syncthing.service
echo 'Restart=on-failure' >> /etc/systemd/system/syncthing.service
echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/syncthing.service
echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/syncthing.service
echo '' >> /etc/systemd/system/syncthing.service
echo '[Install]' >> /etc/systemd/system/syncthing.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/syncthing.service
systemctl enable syncthing
systemctl daemon-reload
systemctl start syncthing
if ! grep -q "syncthing" /etc/crontab; then
echo "*/1 * * * * root /usr/local/bin/freedombone-syncthing > /dev/null" >> /etc/crontab
systemctl restart cron
fi
echo 'install_syncthing' >> $COMPLETION_FILE
}
function upgrade_golang {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
# NOTE: this is annoyingly hacky and going in the opposite
# direction of a pure blend, but it's necessary if you want
# to run the latest version of gogs
# update to the next commit
set_repo_commit $INSTALL_DIR/gvm "gvm commit" "$GVM_COMMIT" $GVM_REPO
if grep -Fxq "upgrade_golang" $COMPLETION_FILE; then
return
fi
export GVM_ROOT=$GVM_HOME
apt-get -y install curl git mercurial make binutils bison gcc build-essential
if [ ! -d $INSTALL_DIR ]; then
mkdir $INSTALL_DIR
fi
cd $INSTALL_DIR
git_clone $GVM_REPO gvm
cd $INSTALL_DIR/gvm
git checkout $GVM_COMMIT -b $GVM_COMMIT
if [ ! -f binscripts/gvm-installer ]; then
echo $'gvm installer not found'
fi
chmod +x binscripts/gvm-installer
if [ -d /root/.gvm ]; then
rm -rf /root/.gvm
fi
if [ -d $GVM_ROOT ]; then
rm -rf $GVM_ROOT
fi
sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc
if [ ! -d /home/git ]; then
# add a gogs user account within which the gvm home directory will exist
adduser --disabled-login --gecos 'Gogs' git
fi
if [ -d /home/git/Maildir ]; then
rm -rf /home/git/Maildir
fi
# TODO: this script is all over the place
# and contains hardcoded github. See if you can do better
./binscripts/gvm-installer master /home/git
if [ ! -d $GVM_ROOT ]; then
echo $'Unable to install gvm'
exit 83537
fi
[[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm"
if [ ! -f $GVM_ROOT/bin/gvm ]; then
echo $'gvm was not installed'
fi
if ! grep -q "export GVM_ROOT=" ~/.bashrc; then
echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc
fi
cd $GVM_ROOT/bin
gvm install go1.4
gvm use go1.4
export GOROOT_BOOTSTRAP=$GOROOT
gvm install go${GO_VERSION}
if [ ! "$?" = "0" ]; then
echo $'Unable to upgrade golang'
exit 529252
fi
gvm use go${GO_VERSION} --default
chown -R git:git $GVM_HOME
if ! grep -q "gvm commit" $COMPLETION_FILE; then
echo "gvm commit:$GVM_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/gvm commit.*/gvm commit:$GVM_COMMIT/g" $COMPLETION_FILE
fi
echo 'upgrade_golang' >> $COMPLETION_FILE
}
function install_gogs {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $GIT_DOMAIN_NAME ]; then
return
fi
select_go_version
# update to the next commit
set_repo_commit $GOPATH/src/github.com/gogits/gogs "Gogs commit" "$GOGS_COMMIT" $GIT_DOMAIN_REPO
if grep -Fxq "install_gogs" $COMPLETION_FILE; then
return
fi
if [ -d $GOPATH/src/github.com/gogits ]; then
rm -rf $GOPATH/src/github.com/gogits
fi
if [ -d /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits ]; then
rm -rf /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits
fi
if [ -d /home/git/gogs-repositories ]; then
rm -rf /home/git/gogs-repositories
fi
if [ ! -d /home/git ]; then
# add a gogs user account
adduser --disabled-login --gecos 'Gogs' git
fi
if [ -d /home/git/Maildir ]; then
rm -rf /home/git/Maildir
fi
if [ -d $GOPATH/src/github.com/gogits ]; then
rm -rf $GOPATH/src/github.com/gogits
fi
# install Go
apt-get -y install golang libpam0g-dev
if ! grep -q "export GOPATH=" ~/.bashrc; then
echo "export GOPATH=$GOPATH" >> ~/.bashrc
else
sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc
fi
systemctl set-environment GOPATH=$GOPATH
if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
else
sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc
fi
if [ ! -d $GOPATH ]; then
mkdir -p $GOPATH
fi
GO_PACKAGE_MANAGER_REPO2=$(echo "$GO_PACKAGE_MANAGER_REPO" | sed 's|https://||g')
go get -u $GO_PACKAGE_MANAGER_REPO2
if [ ! "$?" = "0" ]; then
echo $'install_gogs: go get failed'
exit 479832
fi
# clone the repo
if [ ! -d $GOPATH/src/github.com/gogits ]; then
mkdir -p $GOPATH/src/github.com/gogits
fi
git_clone $GIT_DOMAIN_REPO $GOPATH/src/github.com/gogits/gogs
if [ ! -d $GOPATH/src/github.com/gogits/gogs ]; then
echo $"Unable to clone repo $GOPATH/src/github.com/gogits/gogs"
exit 85482
fi
cd $GOPATH/src/github.com/gogits/gogs
# install
go get -u ./...
git checkout $GOGS_COMMIT -b $GOGS_COMMIT
if ! grep -q "Gogs commit" $COMPLETION_FILE; then
echo "Gogs commit:$GOGS_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Gogs commit.*/Gogs commit:$GOGS_COMMIT/g" $COMPLETION_FILE
fi
go build
if [ ! "$?" = "0" ]; then
echo $'install_gogs: go build failed'
exit 546750
fi
install_mariadb
get_mariadb_password
get_mariadb_git_admin_password
if [ ! $GIT_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
GIT_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
GIT_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
if ! grep -q $"Gogs admin user password" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo 'Gogs' >> /home/$MY_USERNAME/README
echo '====' >> /home/$MY_USERNAME/README
echo $'Install Steps For First-time Run:' >> /home/$MY_USERNAME/README
echo $'Leave email service settings empty' >> /home/$MY_USERNAME/README
echo $'Check "Enable Register Confirmation"' >> /home/$MY_USERNAME/README
echo $'Check "Enable Mail Notification"' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'If you want to disable new account registrations then append the following:' >> /home/$MY_USERNAME/README
echo ' [service]' >> /home/$MY_USERNAME/README
echo ' DISABLE_REGISTRATION = true' >> /home/$MY_USERNAME/README
echo $'Then restart with:' >> /home/$MY_USERNAME/README
echo ' systemctl restart gogs' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $"Note that there's a usability/security trade-off made here." >> /home/$MY_USERNAME/README
echo $"In order to allow git clone via http we don't redirect everything" >> /home/$MY_USERNAME/README
echo $'over https. Instead only critical things such as user login,' >> /home/$MY_USERNAME/README
echo $'settings and admin are encrypted.' >> /home/$MY_USERNAME/README
echo $'There are also potential security issues with cloning/pulling/pushing' >> /home/$MY_USERNAME/README
echo $'code over http, since a determined adversary could inject malware' >> /home/$MY_USERNAME/README
echo $'into the stream as it passes, so beware.' >> /home/$MY_USERNAME/README
echo $'If you have a bought domain and a non-self signed cert then you' >> /home/$MY_USERNAME/README
echo $"should change /etc/nginx/sites-available/$GIT_DOMAIN_NAME to redirect everything over https." >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
create_database gogs "$GOGS_ADMIN_PASSWORD"
if [ ! -f $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql ]; then
echo $'MySql template for Gogs was not found'
exit 72528
fi
mysql -u root --password="$MARIADB_PASSWORD" -D gogs < $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql
chmod 600 $GOPATH/src/github.com/gogits/gogs/custom/conf/app.ini
chown -R git:git /home/git
echo '[Unit]' > /etc/systemd/system/gogs.service
echo 'Description=Gogs (Go Git Service)' >> /etc/systemd/system/gogs.service
echo 'After=syslog.target' >> /etc/systemd/system/gogs.service
echo 'After=network.target' >> /etc/systemd/system/gogs.service
echo 'After=mysqld.service' >> /etc/systemd/system/gogs.service
echo '' >> /etc/systemd/system/gogs.service
echo '[Service]' >> /etc/systemd/system/gogs.service
echo '#LimitMEMLOCK=infinity' >> /etc/systemd/system/gogs.service
echo '#LimitNOFILE=65535' >> /etc/systemd/system/gogs.service
echo 'Type=simple' >> /etc/systemd/system/gogs.service
echo 'User=git' >> /etc/systemd/system/gogs.service
echo 'Group=git' >> /etc/systemd/system/gogs.service
echo "WorkingDirectory=$GOPATH/src/github.com/gogits/gogs" >> /etc/systemd/system/gogs.service
echo "ExecStart=$GOPATH/src/github.com/gogits/gogs/gogs web" >> /etc/systemd/system/gogs.service
echo 'Restart=always' >> /etc/systemd/system/gogs.service
echo 'RestartSec=10' >> /etc/systemd/system/gogs.service
echo 'TimeoutStartSec=120' >> /etc/systemd/system/gogs.service
echo "Environment=\"USER=git\" \"HOME=/home/git\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/gogs.service
echo '' >> /etc/systemd/system/gogs.service
echo '[Install]' >> /etc/systemd/system/gogs.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/gogs.service
systemctl enable gogs
systemctl daemon-reload
systemctl restart gogs
if [ ! -d /var/www/$GIT_DOMAIN_NAME ]; then
mkdir /var/www/$GIT_DOMAIN_NAME
fi
if [ -d /var/www/$GIT_DOMAIN_NAME/htdocs ]; then
rm -rf /var/www/$GIT_DOMAIN_NAME/htdocs
fi
if [[ $ONION_ONLY == "no" ]]; then
echo 'server {' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' listen 80;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
nginx_disable_sniffing $GIT_DOMAIN_NAME
nginx_limits $GIT_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' location ^~ /user/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' location ^~ /admin/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
nginx_limits $GIT_DOMAIN_NAME '10G'
nginx_ssl $GIT_DOMAIN_NAME
nginx_disable_sniffing $GIT_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
else
echo -n '' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME
fi
echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " listen 127.0.0.1:${GIT_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
nginx_limits $GIT_DOMAIN_NAME '10G'
nginx_disable_sniffing $GIT_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
configure_php
create_site_certificate $GIT_DOMAIN_NAME
nginx_ensite $GIT_DOMAIN_NAME
if [ ! -d /var/lib/tor ]; then
echo $'No Tor installation found. Gogs onion site cannot be configured.'
exit 877367
fi
if ! grep -q "hidden_service_gogs" /etc/tor/torrc; then
echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/' >> /etc/tor/torrc
echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}" >> /etc/tor/torrc
echo "HiddenServicePort 9418 127.0.0.1:9418" >> /etc/tor/torrc
echo $'Added onion site for Gogs'
fi
systemctl restart tor
wait_for_onion_service 'gogs'
GIT_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_gogs/hostname)
systemctl restart php5-fpm
systemctl restart nginx
if ! grep -q "Gogs onion domain" /home/$MY_USERNAME/README; then
echo "Gogs onion domain: ${GIT_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
if ! grep -q "Gogs onion domain" $COMPLETION_FILE; then
echo "Gogs onion domain:${GIT_ONION_HOSTNAME}" >> $COMPLETION_FILE
fi
add_ddns_domain $GIT_DOMAIN_NAME
# obtain the secret key
GOGS_SECRET_KEY=
if grep -q "Gogs secret key:" /home/$MY_USERNAME/README; then
GOGS_SECRET_KEY=$(cat /home/$MY_USERNAME/README | grep "Gogs secret key:" | awk -F ':' '{print $2}' | sed 's/^ *//')
else
GOGS_SECRET_KEY="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
echo "Gogs secret key:$GOGS_SECRET_KEY" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
fi
# create the configuration
GOGS_CONFIG_PATH=/home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits/gogs/custom/conf
if [ ! -d $GOGS_CONFIG_PATH ]; then
mkdir -p $GOGS_CONFIG_PATH
fi
GOGS_CONFIG_FILE=$GOGS_CONFIG_PATH/app.ini
echo 'RUN_USER = git' > $GOGS_CONFIG_FILE
echo 'RUN_MODE = prod' >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[database]' >> $GOGS_CONFIG_FILE
echo 'DB_TYPE = mysql' >> $GOGS_CONFIG_FILE
echo 'HOST = 127.0.0.1:3306' >> $GOGS_CONFIG_FILE
echo 'NAME = gogs' >> $GOGS_CONFIG_FILE
echo 'USER = root' >> $GOGS_CONFIG_FILE
echo "PASSWD = $MARIADB_PASSWORD" >> $GOGS_CONFIG_FILE
echo 'SSL_MODE = disable' >> $GOGS_CONFIG_FILE
echo 'PATH = data/gogs.db' >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[repository]' >> $GOGS_CONFIG_FILE
echo 'ROOT = /home/git/gogs-repositories' >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[server]' >> $GOGS_CONFIG_FILE
if [[ $ONION_ONLY == 'no' ]]; then
echo "DOMAIN = ${GIT_DOMAIN_NAME}" >> $GOGS_CONFIG_FILE
else
echo "DOMAIN = ${GIT_ONION_HOSTNAME}" >> $GOGS_CONFIG_FILE
fi
echo 'HTTP_PORT = 3000' >> $GOGS_CONFIG_FILE
echo "ROOT_URL = http://$GIT_DOMAIN_NAME/" >> $GOGS_CONFIG_FILE
echo "SSH_PORT = $SSH_PORT" >> $GOGS_CONFIG_FILE
echo 'SSH_DOMAIN = %(DOMAIN)s' >> $GOGS_CONFIG_FILE
echo "CERT_FILE = /etc/ssl/certs/${GIT_DOMAIN_NAME}.crt" >> $GOGS_CONFIG_FILE
echo "KEY_FILE = /etc/ssl/private/${GIT_DOMAIN_NAME}.key" >> $GOGS_CONFIG_FILE
echo 'DISABLE_ROUTER_LOG = true' >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[session]' >> $GOGS_CONFIG_FILE
echo 'PROVIDER = file' >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[log]' >> $GOGS_CONFIG_FILE
echo 'MODE = file' >> $GOGS_CONFIG_FILE
echo 'LEVEL = Info' >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[security]' >> $GOGS_CONFIG_FILE
echo 'INSTALL_LOCK = true' >> $GOGS_CONFIG_FILE
echo "SECRET_KEY = $GOGS_SECRET_KEY" >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[service]' >> $GOGS_CONFIG_FILE
echo 'DISABLE_REGISTRATION = false' >> $GOGS_CONFIG_FILE
echo 'SHOW_REGISTRATION_BUTTON = true' >> $GOGS_CONFIG_FILE
echo 'REQUIRE_SIGNIN_VIEW = false' >> $GOGS_CONFIG_FILE
echo 'ENABLE_CAPTCHA = false' >> $GOGS_CONFIG_FILE
echo '' >> $GOGS_CONFIG_FILE
echo '[other]' >> $GOGS_CONFIG_FILE
echo 'SHOW_FOOTER_BRANDING = false' >> $GOGS_CONFIG_FILE
echo 'SHOW_FOOTER_VERSION = false' >> $GOGS_CONFIG_FILE
chmod 750 $GOGS_CONFIG_FILE
chown -R git:git /home/git
systemctl restart gogs
if ! grep -q "Gogs domain:" $COMPLETION_FILE; then
echo "Gogs domain:$GIT_DOMAIN_NAME" >> $COMPLETION_FILE
fi
echo 'install_gogs' >> $COMPLETION_FILE
}
function tox_avahi {
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "tox_avahi" $COMPLETION_FILE; then
return
fi
if [ ! -d /etc/avahi ]; then
echo $'tox_avahi: avahi is not installed'
exit 87359
fi
# install a command to obtain the Tox ID
cd $INSTALL_DIR
git_clone $TOXID_REPO $INSTALL_DIR/toxid
if [ ! -d $INSTALL_DIR/toxid ]; then
exit 63921
fi
cd $INSTALL_DIR/toxid
make
if [ ! "$?" = "0" ]; then
exit 58432
fi
make install
toxavahi
# publish regularly
if ! grep -q "toxavahi" /etc/crontab; then
echo "* * * * * root toxavahi > /dev/null" >> /etc/crontab
fi
systemctl restart avahi-daemon
echo 'tox_avahi' >> $COMPLETION_FILE
}
function install_tox_node {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
# update to the next commit
set_repo_commit $INSTALL_DIR/toxcore "toxcore commit" "$TOXCORE_COMMIT" $TOXCORE_REPO
if grep -Fxq "install_tox_node" $COMPLETION_FILE; then
return
fi
${PROJECT_NAME}-mesh-install -f tox_node
if [ ! "$?" = "0" ]; then
echo $'Failed to install tox node'
exit 26778
fi
TOX_ONION_HOSTNAME=$(add_onion_service tox ${TOX_PORT} ${TOX_PORT})
if ! grep -q "tox onion domain" $COMPLETION_FILE; then
echo "tox onion domain:${TOX_ONION_HOSTNAME}" >> $COMPLETION_FILE
else
sed -i "s|tox onion domain.*|tox onion domain:${TOX_ONION_HOSTNAME}|g" $COMPLETION_FILE
fi
systemctl restart tox-bootstrapd.service
TOX_PUBLIC_KEY=$(cat /var/log/syslog | grep tox | grep "Public Key" | awk -F ' ' '{print $8}' | tail -1)
if [ ${#TOX_PUBLIC_KEY} -lt 30 ]; then
echo $'Could not obtain the tox node public key'
exit 6529
fi
# save the public key for later reference
echo "$TOX_PUBLIC_KEY" > $TOX_BOOTSTRAP_ID_FILE
configure_firewall_for_tox
if ! grep -q $"Your Tox node public key is" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo 'Tox' >> /home/$MY_USERNAME/README
echo '===' >> /home/$MY_USERNAME/README
echo $"tox onion domain: ${TOX_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo $"Your Tox node public key is: $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README
echo $'In the Toxic client you can connect to it with:' >> /home/$MY_USERNAME/README
echo " /connect $DEFAULT_DOMAIN_NAME.local $TOX_PORT $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_tox_node' >> $COMPLETION_FILE
}
function install_tox_client {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
# update to the next commit
set_repo_commit $INSTALL_DIR/toxic "Toxic commit" "$TOXIC_COMMIT" $TOXIC_REPO
if grep -Fxq "install_tox_client" $COMPLETION_FILE; then
return
fi
${PROJECT_NAME}-mesh-install -f tox_client
if [ ! "$?" = "0" ]; then
echo $'Could not install Tox client'
exit 67248
fi
# initial setup of username
#su -c "echo 'n
#/nick $MY_USERNAME
#/exit
#' | $TOXIC_FILE -d" - $MY_USERNAME
echo 'install_tox_client' >> $COMPLETION_FILE
}
function update_prosody_modules {
if [ ! -d $INSTALL_DIR/prosody-modules ]; then
return
fi
if [ ! -d /usr/lib/prosody ]; then
return
fi
cd $INSTALL_DIR/prosody-modules
hg pull
hg update
# support onion addresses
if [ -f $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua ]; then
cp $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua /usr/lib/prosody/modules/mod_onions.lua
fi
# message archive management
# https://modules.prosody.im/mod_mam.html
# Allows you to download your previous messages onto a new client
# This only applies if you are not using forward secret crypto
# such as OTR or OMEMO (eg. OpenPGP)
if [ -d $INSTALL_DIR/prosody-modules/mod_mam ]; then
cp $INSTALL_DIR/prosody-modules/mod_mam/*.lua /usr/lib/prosody/modules
fi
# Client State Indication
# Notifies the server if the app is in the background or not
if [ -d $INSTALL_DIR/prosody-modules/mod_csi ]; then
cp $INSTALL_DIR/prosody-modules/mod_csi/*.lua /usr/lib/prosody/modules
fi
# Message Carbons
# Ensures all messages get delivered to all clients (if you have a mobile and desktop client)
if [ -d $INSTALL_DIR/prosody-modules/mod_carbons ]; then
cp $INSTALL_DIR/prosody-modules/mod_carbons/*.lua /usr/lib/prosody/modules
fi
# Stream management
# Helps mobile apps recover when a device switches networks.
if [ -d $INSTALL_DIR/prosody-modules/mod_smacks ]; then
cp $INSTALL_DIR/prosody-modules/mod_smacks/*.lua /usr/lib/prosody/modules
fi
if [ -d $INSTALL_DIR/prosody-modules/mod_smacks_offline ]; then
cp $INSTALL_DIR/prosody-modules/mod_smacks_offline/*.lua /usr/lib/prosody/modules
fi
}
function install_xmpp {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
update_prosody_modules
if grep -Fxq "install_xmpp" $COMPLETION_FILE; then
return
fi
apt-get -y install lua-sec lua-bitop
apt-get -y install prosody prosody-modules mercurial
if [ ! -d /etc/prosody ]; then
echo $"ERROR: prosody does not appear to have installed. $CHECK_MESSAGE"
exit 52
fi
# obtain the prosody modules
cd $INSTALL_DIR
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
if [ ! -d $INSTALL_DIR/prosody-modules/mod_onions ]; then
echo $'mod_onions prosody module could not be found'
exit 73254
fi
# install the onions module
update_prosody_modules
if [ ! -f /usr/lib/prosody/modules/mod_onions.lua ]; then
echo $'mod_onions.lua could not be copied to the prosody modules directory'
exit 63952
fi
# create a certificate
if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then
${PROJECT_NAME}-addcert -h xmpp --dhkey $DH_KEYLENGTH
check_certificates xmpp
fi
chown prosody:prosody /etc/ssl/private/xmpp.key
chown prosody:prosody /etc/ssl/certs/xmpp.*
cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's|/etc/prosody/certs/example.com.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's|/etc/prosody/certs/example.com.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/conf.avail/xmpp.cfg.lua
if ! grep -q "xmpp.dhparam" /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/certificate =/a\ options = {"no_sslv2", "no_sslv3" };' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q 'ciphers =' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i "/certificate =/a\ ciphers = $XMPP_CIPHERS;" /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q 'depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i '/certificate =/a\ depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q 'curve =' /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i "/certificate =/a\ curve = $XMPP_ECC_CURVE;" /etc/prosody/conf.avail/xmpp.cfg.lua
fi
sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/conf.avail/xmpp.cfg.lua
sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/conf.avail/xmpp.cfg.lua
if ! grep -q "modules_enabled" /etc/prosody/conf.avail/xmpp.cfg.lua; then
echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo 'modules_enabled = {' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "bosh"; -- Enable mod_bosh' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "tls"; -- Enable mod_tls' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "saslauth"; -- Enable mod_saslauth' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "onions"; -- Enable chat via onion service' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "mam"; -- Message archive management' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "csi"; -- Client state indication' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "carbons"; -- Message carbons' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "smacks"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "smacks_offline"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' "pep"; -- Personal Eventing Protocol (to support OMEMO)' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo '}' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo 'c2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo 's2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
fi
ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua
sed -i 's|/etc/prosody/certs/localhost.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/prosody.cfg.lua
sed -i 's|/etc/prosody/certs/localhost.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/prosody.cfg.lua
if ! grep -q "xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then
sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/prosody.cfg.lua
fi
if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/prosody.cfg.lua; then
sed -i '/certificate =/a\ options = {"no_sslv2", "no_sslv3" };' /etc/prosody/prosody.cfg.lua
fi
if ! grep -q 'ciphers =' /etc/prosody/prosody.cfg.lua; then
sed -i "/certificate =/a\ ciphers = $XMPP_CIPHERS;" /etc/prosody/prosody.cfg.lua
fi
if ! grep -q 'depth = "1";' /etc/prosody/prosody.cfg.lua; then
sed -i '/certificate =/a\ depth = "1";' /etc/prosody/prosody.cfg.lua
fi
if ! grep -q 'curve =' /etc/prosody/prosody.cfg.lua; then
sed -i "/certificate =/a\ curve = $XMPP_ECC_CURVE;" /etc/prosody/prosody.cfg.lua
fi
sed -i 's/c2s_require_encryption = false/c2s_require_encryption = true/g' /etc/prosody/prosody.cfg.lua
if ! grep -q "s2s_require_encryption" /etc/prosody/prosody.cfg.lua; then
sed -i '/c2s_require_encryption/a\s2s_require_encryption = true' /etc/prosody/prosody.cfg.lua
fi
if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/prosody.cfg.lua; then
echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
fi
sed -i 's/--"bosh";/"bosh";/g' /etc/prosody/prosody.cfg.lua
sed -i 's/authentication = "internal_plain"/authentication = "internal_hashed"/g' /etc/prosody/prosody.cfg.lua
sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/prosody.cfg.lua
sed -i 's|key = "/etc/prosody/certs/example.com.key"|key = "/etc/ssl/private/xmpp.key"|g' /etc/prosody/prosody.cfg.lua
sed -i 's|certificate = "/etc/prosody/certs/example.com.crt"|certificate = "/etc/ssl/certs/xmpp.crt"|g' /etc/prosody/prosody.cfg.lua
sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/prosody.cfg.lua
systemctl restart prosody
touch /home/$MY_USERNAME/README
if [ ! -d /var/lib/tor ]; then
echo $'No Tor installation found. XMPP onion site cannot be configured.'
exit 877367
fi
if ! grep -q "hidden_service_xmpp" /etc/tor/torrc; then
echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/' >> /etc/tor/torrc
echo "HiddenServicePort 5222 127.0.0.1:5222" >> /etc/tor/torrc
echo "HiddenServicePort 5269 127.0.0.1:5269" >> /etc/tor/torrc
echo $'Added onion site for XMPP chat'
fi
systemctl restart tor
wait_for_onion_service 'xmpp'
if [ ! -f /var/lib/tor/hidden_service_xmpp/hostname ]; then
echo $'XMPP onion site hostname not found'
exit 65349
fi
XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
if ! grep -q "${XMPP_ONION_HOSTNAME}" /etc/prosody/conf.avail/xmpp.cfg.lua; then
echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/conf.avail/xmpp.cfg.lua
echo ' modules_enabled = { "onions" };' >> /etc/prosody/conf.avail/xmpp.cfg.lua
fi
if ! grep -q "XMPP onion domain" $COMPLETION_FILE; then
echo "XMPP onion domain:${XMPP_ONION_HOSTNAME}" >> $COMPLETION_FILE
else
sed -i "s|XMPP onion domain.*|XMPP onion domain:${XMPP_ONION_HOSTNAME}|g" $COMPLETION_FILE
fi
if ! grep -q "Your XMPP password is" /home/$MY_USERNAME/README; then
if [ ${#XMPP_PASSWORD} -lt 8 ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
XMPP_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
XMPP_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
prosodyctl register $MY_USERNAME $DEFAULT_DOMAIN_NAME $XMPP_PASSWORD
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'XMPP' >> /home/$MY_USERNAME/README
echo '====' >> /home/$MY_USERNAME/README
echo $"XMPP onion domain: ${XMPP_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo $"Your XMPP password is: $XMPP_PASSWORD" >> /home/$MY_USERNAME/README
echo $'You can change it with: ' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo " prosodyctl passwd $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_xmpp' >> $COMPLETION_FILE
}
function install_xmpp_client {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "install_xmpp_client" $COMPLETION_FILE; then
return
fi
apt-get -y install profanity
XMPP_CLIENT_DIR=/home/$MY_USERNAME/.local/share/profanity
XMPP_CLIENT_ACCOUNTS=$XMPP_CLIENT_DIR/accounts
if [ ! -d $XMPP_CLIENT_DIR ]; then
mkdir -p $XMPP_CLIENT_DIR
fi
if [[ $ONION_ONLY == 'no' ]]; then
echo "[${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}]" > $XMPP_CLIENT_ACCOUNTS
echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS
echo "jid=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS
echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS
echo "muc.service=conference.${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS
echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS
echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS
echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS
if [ ${#XMPP_PASSWORD} -gt 2 ]; then
echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS
fi
fi
if [ -f /var/lib/tor/hidden_service_xmpp/hostname ]; then
XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
echo "[${MY_USERNAME}@${XMPP_ONION_HOSTNAME}]" >> $XMPP_CLIENT_ACCOUNTS
if [[ $ONION_ONLY == 'no' ]]; then
echo 'enabled=false' >> $XMPP_CLIENT_ACCOUNTS
else
echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS
fi
echo "jid=${MY_USERNAME}@${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS
echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS
echo "muc.service=conference.${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS
echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS
echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS
echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS
echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS
if [ ${#XMPP_PASSWORD} -gt 2 ]; then
echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS
fi
fi
if [ ! -d /home/$MY_USERNAME/.config/profanity ]; then
mkdir /home/$MY_USERNAME/.config/profanity
fi
echo '[connection]' > /home/$MY_USERNAME/.config/profanity/profrc
echo "account=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> /home/$MY_USERNAME/.config/profanity/profrc
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.local
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
echo 'install_xmpp_client' >> $COMPLETION_FILE
}
function install_watchdog_script {
if grep -Fxq "install_watchdog_script" $COMPLETION_FILE; then
return
fi
echo '#!/bin/bash' > /usr/bin/$WATCHDOG_SCRIPT_NAME
echo 'LOGFILE=/var/log/keepon.log' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo 'CURRENT_DATE=$(date)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
# application specific stuff is added later
chmod +x /usr/bin/$WATCHDOG_SCRIPT_NAME
if ! grep -q "/usr/bin/$WATCHDOG_SCRIPT_NAME" /etc/crontab; then
echo "* * * * * root /usr/bin/$WATCHDOG_SCRIPT_NAME" >> /etc/crontab
fi
echo 'install_watchdog_script' >> $COMPLETION_FILE
}
function install_irc_client {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "install_irc_client" $COMPLETION_FILE; then
return
fi
apt-get -y install irssi
if [ ! -d /home/$MY_USERNAME/.irssi ]; then
mkdir /home/$MY_USERNAME/.irssi
fi
echo 'servers = (' > /home/$MY_USERNAME/.irssi/config
echo ' {' >> /home/$MY_USERNAME/.irssi/config
echo ' address = "chat.freenode.net";' >> /home/$MY_USERNAME/.irssi/config
echo ' chatnet = "Freenode";' >> /home/$MY_USERNAME/.irssi/config
echo ' port = "6667";' >> /home/$MY_USERNAME/.irssi/config
echo ' autoconnect = "no";' >> /home/$MY_USERNAME/.irssi/config
echo ' },' >> /home/$MY_USERNAME/.irssi/config
echo ' {' >> /home/$MY_USERNAME/.irssi/config
echo ' address = "irc.oftc.net";' >> /home/$MY_USERNAME/.irssi/config
echo ' chatnet = "OFTC";' >> /home/$MY_USERNAME/.irssi/config
echo ' port = "6667";' >> /home/$MY_USERNAME/.irssi/config
echo ' autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config
echo ' },' >> /home/$MY_USERNAME/.irssi/config
echo ' {' >> /home/$MY_USERNAME/.irssi/config
echo " address = \"127.0.0.1\";" >> /home/$MY_USERNAME/.irssi/config
if [[ $ONION_ONLY == 'no' ]]; then
echo " port = \"${IRC_PORT}\";" >> /home/$MY_USERNAME/.irssi/config
echo ' use_ssl = "yes";' >> /home/$MY_USERNAME/.irssi/config
else
IRC_ONION_HOSTNAME=$(cat $COMPLETION_FILE | grep "IRC onion domain" | awk -F ':' '{print $2}')
echo " port = \"${IRC_ONION_PORT}\";" >> /home/$MY_USERNAME/.irssi/config
echo ' use_ssl = "no";' >> /home/$MY_USERNAME/.irssi/config
fi
echo ' chatnet = "Freedombone";' >> /home/$MY_USERNAME/.irssi/config
echo ' ssl_verify = "no";' >> /home/$MY_USERNAME/.irssi/config
echo ' autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config
if [ $IRC_PASSWORD ]; then
echo " password = \"${IRC_PASSWORD}\";" >> /home/$MY_USERNAME/.irssi/config
fi
echo ' }' >> /home/$MY_USERNAME/.irssi/config
echo ');' >> /home/$MY_USERNAME/.irssi/config
echo '' >> /home/$MY_USERNAME/.irssi/config
echo 'chatnets = {' >> /home/$MY_USERNAME/.irssi/config
echo ' Freedombone = {' >> /home/$MY_USERNAME/.irssi/config
echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config
echo ' };' >> /home/$MY_USERNAME/.irssi/config
echo ' Freenode = {' >> /home/$MY_USERNAME/.irssi/config
echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config
echo ' };' >> /home/$MY_USERNAME/.irssi/config
echo ' OFTC = {' >> /home/$MY_USERNAME/.irssi/config
echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_msgs = "1";' >> /home/$MY_USERNAME/.irssi/config
echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config
echo ' };' >> /home/$MY_USERNAME/.irssi/config
echo '};' >> /home/$MY_USERNAME/.irssi/config
echo '' >> /home/$MY_USERNAME/.irssi/config
echo 'channels = (' >> /home/$MY_USERNAME/.irssi/config
echo ' { name = "#freedombone"; chatnet = "Freedombone"; autojoin = "Yes"; },' >> /home/$MY_USERNAME/.irssi/config
echo ');' >> /home/$MY_USERNAME/.irssi/config
echo '' >> /home/$MY_USERNAME/.irssi/config
echo 'settings = {' >> /home/$MY_USERNAME/.irssi/config
echo " core = { real_name = \"$MY_NAME\"; user_name = \"$MY_USERNAME\"; nick = \"$MY_USERNAME\"; };" >> /home/$MY_USERNAME/.irssi/config
echo ' "fe-text" = { actlist_sort = "refnum"; };' >> /home/$MY_USERNAME/.irssi/config
echo '};' >> /home/$MY_USERNAME/.irssi/config
echo 'ignores = ( { level = "CTCPS"; } );' >> /home/$MY_USERNAME/.irssi/config
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.irssi
echo 'install_irc_client' >> $COMPLETION_FILE
}
function install_irc_server {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "install_irc_server" $COMPLETION_FILE; then
return
fi
apt-get -y install ngircd
if [ ! -d /etc/ngircd ]; then
echo $"ERROR: ngircd does not appear to have installed. $CHECK_MESSAGE"
exit 53
fi
if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then
${PROJECT_NAME}-addcert -h ngircd --dhkey $DH_KEYLENGTH
check_certificates ngircd
fi
DEFAULTDOMAIN=$DEFAULT_DOMAIN_NAME
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
DEFAULTDOMAIN="${DEFAULT_DOMAIN_NAME}.local"
fi
# create a login password if needed
if [ ! $IRC_PASSWORD ]; then
IRC_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
echo '**************************************************' > /etc/ngircd/motd
echo $'* F R E E D O M B O N E I R C *' >> /etc/ngircd/motd
echo '* *' >> /etc/ngircd/motd
echo $'* Freedom in the Cloud *' >> /etc/ngircd/motd
echo '**************************************************' >> /etc/ngircd/motd
sed -i 's|MotdFile = /etc/ngircd/ngircd.motd|MotdFile = /etc/ngircd/motd|g' /etc/ngircd/ngircd.conf
sed -i "s/irc@irc.example.com/$MY_EMAIL_ADDRESS/g" /etc/ngircd/ngircd.conf
sed -i "s/irc.example.net/$DEFAULTDOMAIN/g" /etc/ngircd/ngircd.conf
sed -i "s|Yet another IRC Server running on Debian GNU/Linux|IRC Server of $DEFAULTDOMAIN|g" /etc/ngircd/ngircd.conf
sed -i 's/;Password = wealllikedebian/Password =/g' /etc/ngircd/ngircd.conf
sed -i 's|;CertFile = /etc/ssl/certs/server.crt|CertFile = /etc/ssl/certs/ngircd.crt|g' /etc/ngircd/ngircd.conf
sed -i 's|;DHFile = /etc/ngircd/dhparams.pem|DHFile = /etc/ssl/certs/ngircd.dhparam|g' /etc/ngircd/ngircd.conf
sed -i 's|;KeyFile = /etc/ssl/private/server.key|KeyFile = /etc/ssl/private/ngircd.key|g' /etc/ngircd/ngircd.conf
sed -i "s/;Ports =.*/Ports = $IRC_PORT/1" /etc/ngircd/ngircd.conf
sed -i "s/;Ports =.*/Ports = $IRC_PORT/2" /etc/ngircd/ngircd.conf
sed -i "s/;Name = #ngircd/Name = #${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf
sed -i "s/;Topic = Our ngircd testing channel/Topic = ${PROJECT_NAME} chat channel/g" /etc/ngircd/ngircd.conf
sed -i 's/;MaxUsers = 23/MaxUsers = 23/g' /etc/ngircd/ngircd.conf
sed -i "s|;KeyFile = /etc/ngircd/#chan.key|KeyFile = /etc/ngircd/#${PROJECT_NAME}.key|g" /etc/ngircd/ngircd.conf
sed -i "s/;CloakHost = cloaked.host/CloakHost = ${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf
IRC_SALT="$(openssl rand -base64 32 | cut -c1-30)"
if [ -f $IMAGE_PASSWORD_FILE ]; then
IRC_OPERATOR_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
IRC_OPERATOR_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
sed -i "s|;CloakHostSalt = abcdefghijklmnopqrstuvwxyz|CloakHostSalt = $IRC_SALT|g" /etc/ngircd/ngircd.conf
sed -i 's/;ConnectIPv4 = yes/ConnectIPv4 = yes/g' /etc/ngircd/ngircd.conf
sed -i 's/;MorePrivacy = no/MorePrivacy = yes/g' /etc/ngircd/ngircd.conf
sed -i 's/;RequireAuthPing = no/RequireAuthPing = no/g' /etc/ngircd/ngircd.conf
sed -i "s/;Name = TheOper/Name = $MY_USERNAME/g" /etc/ngircd/ngircd.conf
sed -i "s/;Password = ThePwd/Password = $IRC_OPERATOR_PASSWORD/g" /etc/ngircd/ngircd.conf
sed -i 's|;Listen =.*|Listen = 0.0.0.0,0.0.0.0:9050,127.0.0.1,127.0.0.1:9050|g' /etc/ngircd/ngircd.conf
if [ $IRC_PASSWORD ]; then
sed -i "0,/RE/s/Password =.*/Password =$IRC_PASSWORD/" /etc/ngircd/ngircd.conf
fi
# If we are on a mesh then DNS is not available
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
sed -i "s/;DNS =.*/DNS = no/g" /etc/ngircd/ngircd.conf
fi
# upgrade a cypher
sed -i 's|SECURE128|SECURE256|g' /etc/ngircd/ngircd.conf
mkdir /var/run/ircd
chown -R irc:irc /var/run/ircd
mkdir /var/run/ngircd
touch /var/run/ngircd/ngircd.pid
chown -R irc:irc /var/run/ngircd
IRC_ONION_HOSTNAME=$(add_onion_service irc ${IRC_PORT} ${IRC_ONION_PORT})
if ! grep -q $"IRC onion domain" $COMPLETION_FILE; then
echo "IRC onion domain:$IRC_ONION_HOSTNAME" >> $COMPLETION_FILE
fi
systemctl restart ngircd
# keep the daemon running
echo '' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo '# keep irc daemon running' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo 'IRC_RUNNING=$(pgrep ngircd > /dev/null && echo Running)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo 'if [ ! $IRC_RUNNING ]; then' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo ' systemctl start ngircd' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo ' echo -n $CURRENT_DATE >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo ' echo " IRC daemon restarted" >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
echo 'fi' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
if ! grep -q $"IRC Server" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'IRC Server' >> /home/$MY_USERNAME/README
echo '==========' >> /home/$MY_USERNAME/README
echo $'To connect to your IRC server in irssi:' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
if [[ $ONION_ONLY != 'yes' ]]; then
echo " irssi" >> /home/$MY_USERNAME/README
echo " /server add -auto -ssl $DEFAULTDOMAIN $IRC_PORT" >> /home/$MY_USERNAME/README
echo " /connect $DEFAULT_DOMAIN_NAME" >> /home/$MY_USERNAME/README
else
echo " usetorwith irssi" >> /home/$MY_USERNAME/README
echo " /server add -auto $IRC_ONION_HOSTNAME $IRC_PORT" >> /home/$MY_USERNAME/README
echo " /connect $IRC_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
fi
echo " /join #${PROJECT_NAME}" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_irc_server' >> $COMPLETION_FILE
}
function get_wiki_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "Wiki password" /home/$MY_USERNAME/README; then
WIKI_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Wiki password:" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function install_wiki {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MASH" ]]; then
return
fi
if grep -Fxq "install_wiki" $COMPLETION_FILE; then
return
fi
if [ ! $WIKI_DOMAIN_NAME ]; then
return
fi
apt-get -y install dokuwiki
apt-get -y remove --purge apache*
if [ -d /etc/apache2 ]; then
rm -rf /etc/apache2
echo $'Removed Apache installation after Dokuwiki install'
fi
if [ ! -d /var/www/$WIKI_DOMAIN_NAME ]; then
mkdir /var/www/$WIKI_DOMAIN_NAME
fi
if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then
rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
fi
ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs
mkdir /var/lib/dokuwiki/custom
cp /etc/dokuwiki/local.php.dist /var/lib/dokuwiki/custom/local.php
ln -s /var/lib/dokuwiki/custom/local.php /etc/dokuwiki/local.php
chown www-data /var/lib/dokuwiki/custom
chown www-data /var/lib/dokuwiki/custom/local.php
chown -R www-data /etc/dokuwiki
chown -R www-data /usr/share/dokuwiki/lib/
chmod 600 /var/lib/dokuwiki/custom/local.php
chmod -R 755 /usr/share/dokuwiki/lib
sed -i 's|//$conf|$conf|g' /var/lib/dokuwiki/custom/local.php
sed -i "s|joe|$MY_USERNAME|g" /var/lib/dokuwiki/custom/local.php
sed -i "s|Debian DokuWiki|$WIKI_TITLE|g" /etc/dokuwiki/local.php
# set the admin user
sed -i "s/@admin/$MY_USERNAME/g" /etc/dokuwiki/local.php
# disallow registration of new users
if ! grep -q "disableactions" /etc/dokuwiki/local.php; then
echo "\$conf['disableactions'] = 'register';" >> /etc/dokuwiki/local.php
fi
if ! grep -q "disableactions" /var/lib/dokuwiki/custom/local.php; then
echo "\$conf['disableactions'] = 'register';" >> /var/lib/dokuwiki/custom/local.php
fi
if ! grep -q "authtype" /var/lib/dokuwiki/custom/local.php; then
echo "\$conf['authtype'] = 'authplain';" >> /var/lib/dokuwiki/custom/local.php
fi
if ! grep -q "authtype" /etc/dokuwiki/local.php; then
echo "\$conf['authtype'] = 'authplain';" >> /etc/dokuwiki/local.php
fi
get_wiki_admin_password
if [ ! $WIKI_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
WIKI_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
WIKI_ADMIN_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
HASHED_WIKI_PASSWORD=$(echo -n "$WIKI_ADMIN_PASSWORD" | md5sum | awk -F ' ' '{print $1}')
echo -n "$MY_USERNAME:$HASHED_WIKI_PASSWORD:$MY_NAME:$MY_EMAIL:admin,user,upload" > /var/lib/dokuwiki/acl/users.auth.php
chmod 640 /var/lib/dokuwiki/acl/users.auth.php
if ! grep -q "video/ogg" /etc/dokuwiki/mime.conf; then
echo 'ogv video/ogg' >> /etc/dokuwiki/mime.conf
fi
if ! grep -q "video/mp4" /etc/dokuwiki/mime.conf; then
echo 'mp4 video/mp4' >> /etc/dokuwiki/mime.conf
fi
if ! grep -q "video/webm" /etc/dokuwiki/mime.conf; then
echo 'webm video/webm' >> /etc/dokuwiki/mime.conf
fi
WIKI_ONION_HOSTNAME=$(add_onion_service wiki 80 ${WIKI_ONION_PORT})
if [[ $ONION_ONLY == "no" ]]; then
echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
nginx_disable_sniffing $WIKI_DOMAIN_NAME
nginx_limits $WIKI_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
nginx_limits $WIKI_DOMAIN_NAME
nginx_ssl $WIKI_DOMAIN_NAME
nginx_disable_sniffing $WIKI_DOMAIN_NAME
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # webmail' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location /webmail {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' rewrite ^/(.*) /webmail/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' rewrite ^/(.*) /webmail/installer/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
else
echo -n '' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
fi
echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " listen 127.0.0.1:${WIKI_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " server_name $WIKI_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
nginx_limits $WIKI_DOMAIN_NAME
nginx_disable_sniffing $WIKI_DOMAIN_NAME
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
create_site_certificate $WIKI_DOMAIN_NAME
configure_php
nginx_ensite $WIKI_DOMAIN_NAME
systemctl restart php5-fpm
systemctl restart nginx
echo "Wiki onion domain:${WIKI_ONION_HOSTNAME}" >> $COMPLETION_FILE
add_ddns_domain $WIKI_DOMAIN_NAME
# add some post-install instructions
if ! grep -q $"Wiki password" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Wiki' >> /home/$MY_USERNAME/README
echo '====' >> /home/$MY_USERNAME/README
echo $"Wiki onion domain: ${WIKI_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo $"Wiki username: $MY_USERNAME" >> /home/$MY_USERNAME/README
echo $"Wiki password: $WIKI_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Once you have set up the wiki then remove the install file:' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo " rm /var/www/$WIKI_DOMAIN_NAME/htdocs/install.php" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo "Wiki domain:$WIKI_DOMAIN_NAME" >> $COMPLETION_FILE
echo 'install_wiki' >> $COMPLETION_FILE
}
function get_blog_admin_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "Your blog password is" /home/$MY_USERNAME/README; then
FULLBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Your blog password is" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
}
function install_blog {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $FULLBLOG_DOMAIN_NAME ]; then
echo $'The blog domain name was not specified'
exit 5062
fi
# update to the next commit
set_repo_commit /var/www/$FULLBLOG_DOMAIN_NAME/htdocs "Blog commit" "$FULLBLOG_COMMIT" $FULLBLOG_REPO
if grep -Fxq "install_blog" $COMPLETION_FILE; then
return
fi
# for the avatar changing command
apt-get -y install imagemagick
if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME ]; then
mkdir /var/www/$FULLBLOG_DOMAIN_NAME
fi
cd /var/www/$FULLBLOG_DOMAIN_NAME
git_clone $FULLBLOG_REPO htdocs
cd htdocs
git checkout $FULLBLOG_COMMIT -b $FULLBLOG_COMMIT
if ! grep -q "Blog commit" $COMPLETION_FILE; then
echo "Blog commit:$FULLBLOG_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Blog commit.*/Blog commit:$FULLBLOG_COMMIT/g" $COMPLETION_FILE
fi
cd /var/www/$FULLBLOG_DOMAIN_NAME
chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
if [[ $ONION_ONLY == "no" ]]; then
echo 'server {' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' listen 80;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
nginx_limits $FULLBLOG_DOMAIN_NAME
nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
echo ' # Always redirect the login page to https' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location /login {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
nginx_limits $FULLBLOG_DOMAIN_NAME
nginx_ssl $FULLBLOG_DOMAIN_NAME
nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
else
echo -n '' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
fi
echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " listen 127.0.0.1:${FULLBLOG_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
nginx_limits $FULLBLOG_DOMAIN_NAME
nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
create_site_certificate $FULLBLOG_DOMAIN_NAME
configure_php
# blog settings
cp /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini.example /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i "s|site.url.*|site.url = '/'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i "s|blog.title.*|blog.title = '$MY_BLOG_TITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i "s|blog.tagline.*|blog.tagline = '$MY_BLOG_SUBTITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i 's|timezone.*|timezone = "Europe/London"|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i "s|Your name|$MY_NAME|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
# set social networks
if grep -q "social.hubzilla" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then
sed -i "s|;social.hubzilla|social.hubzilla|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i "s|social.hubzilla.*|social.hubzilla = \"$HUBZILLA_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
fi
if grep -q "social.gnusocial" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then
sed -i "s|;social.gnusocial|social.gnusocial|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i "s|social.gnusocial.*|social.gnusocial = \"$MICROBLOG_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
fi
# clear proprietary social network strings
sed -i 's|social.facebook.*|social.facebook = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i 's|social.twitter.*|social.twitter = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
sed -i 's|social.google.*|social.google = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
# create a user password
get_blog_admin_password
if [ ! $FULLBLOG_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
FULLBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
FULLBLOG_ADMIN_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'HTMLy Blog' >> /home/$MY_USERNAME/README
echo '==========' >> /home/$MY_USERNAME/README
echo $"Your blog username: $MY_USERNAME" >> /home/$MY_USERNAME/README
echo $"Your blog password is: $FULLBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
if [[ $ONION_ONLY == 'no' ]]; then
echo $"Log into your blog at https://$FULLBLOG_DOMAIN_NAME/login" >> /home/$MY_USERNAME/README
fi
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
# create a user
FULLBLOG_ADMIN_PASSWORD_HASH=$(freedombone-sec --bloghash "$FULLBLOG_ADMIN_PASSWORD")
if [ ${#FULLBLOG_ADMIN_PASSWORD_HASH} -lt 8 ]; then
echo $'Blog admin password could not be hashed'
exit 625728
fi
echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
echo "password = $FULLBLOG_ADMIN_PASSWORD_HASH" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
echo 'encryption = password_hash' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
echo ';Role' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
echo 'role = admin' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
nginx_ensite $FULLBLOG_DOMAIN_NAME
FULLBLOG_ONION_HOSTNAME=$(add_onion_service blog 80 ${FULLBLOG_ONION_PORT})
systemctl restart php5-fpm
systemctl restart nginx
if ! grep -q "Blog onion domain" /home/$MY_USERNAME/README; then
echo $"Blog onion domain: ${FULLBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo $"Log into your blog at https://${FULLBLOG_ONION_HOSTNAME}/login" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo "Blog onion domain:${FULLBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE
add_ddns_domain $FULLBLOG_DOMAIN_NAME
echo 'install_blog' >> $COMPLETION_FILE
}
function install_rss_reader {
if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
# update to the next commit
set_repo_commit $RSS_READER_PATH "RSS reader commit" "$RSS_READER_COMMIT" $RSS_READER_REPO
if grep -Fxq "install_rss_reader" $COMPLETION_FILE; then
return
fi
apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser
if [ ! -d /etc/share ]; then
mkdir /etc/share
fi
cd /etc/share
git_clone $RSS_READER_REPO tt-rss
if [ ! -d $RSS_READER_PATH ]; then
echo $'Could not clone RSS reader repo'
exit 52925
fi
cd $RSS_READER_PATH
git checkout $RSS_READER_COMMIT -b $RSS_READER_COMMIT
if ! grep -q "RSS reader commit" $COMPLETION_FILE; then
echo "RSS reader commit:$RSS_READER_COMMIT" >> $COMPLETION_FILE
fi
install_mariadb
get_mariadb_password
repair_databases_script
get_mariadb_rss_reader_admin_password
if [ ! $RSS_READER_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
RSS_READER_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
RSS_READER_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
create_database ttrss "$RSS_READER_ADMIN_PASSWORD" $MY_USERNAME
RSS_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_READER_ONION_PORT})
RSS_MOBILE_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_MOBILE_READER_ONION_PORT})
echo 'server {' > /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo " listen 127.0.0.1:$RSS_MOBILE_READER_ONION_PORT;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo " server_name $RSS_MOBILE_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' root /etc/share/ttrss-mobile;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' index index.html index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location /tt-rss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' try_files $uri $uri/ @ttrss_base;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' rewrite ^(.*)$ /index.html?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location @ttrss_base {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo 'server {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo " listen 127.0.0.1:$RSS_READER_ONION_PORT default_server;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo " server_name $RSS_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' root /etc/share/tt-rss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' set $mobile_rewrite do_not_perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' ## chi http_user_agent for mobile / smart phones ##' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' if ($mobile_rewrite = perform) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo " rewrite ^/(.*) http://$RSS_MOBILE_READER_ONION_HOSTNAME permanent;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' break;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
if [ ! -f $RSS_READER_PATH/config.php ]; then
# generate a config file
RSS_FEED_CRYPT_KEY="$(openssl rand -base64 26 | cut -c1-24)"
echo '<?php' > $RSS_READER_PATH/config.php
echo " define ('_CURL_HTTP_PROXY', '127.0.0.1:9050');" >> $RSS_READER_PATH/config.php
echo " define('DB_TYPE', 'mysql');" >> $RSS_READER_PATH/config.php
echo " define('DB_HOST', 'localhost');" >> $RSS_READER_PATH/config.php
echo " define('DB_USER', 'root');" >> $RSS_READER_PATH/config.php
echo " define('DB_NAME', 'ttrss');" >> $RSS_READER_PATH/config.php
echo " define('DB_PASS', '${MARIADB_PASSWORD}');" >> $RSS_READER_PATH/config.php
echo " define('DB_PORT', '3306');" >> $RSS_READER_PATH/config.php
echo " define('MYSQL_CHARSET', 'UTF8');" >> $RSS_READER_PATH/config.php
echo " define('SELF_URL_PATH', 'http://${RSS_READER_ONION_HOSTNAME}/');" >> $RSS_READER_PATH/config.php
echo " define('FEED_CRYPT_KEY', '${RSS_FEED_CRYPT_KEY}');" >> $RSS_READER_PATH/config.php
echo " define('SINGLE_USER_MODE', false);" >> $RSS_READER_PATH/config.php
echo " define('SIMPLE_UPDATE_MODE', false);" >> $RSS_READER_PATH/config.php
echo " define('PHP_EXECUTABLE', '/usr/bin/php');" >> $RSS_READER_PATH/config.php
echo " define('LOCK_DIRECTORY', 'lock');" >> $RSS_READER_PATH/config.php
echo " define('CACHE_DIR', 'cache');" >> $RSS_READER_PATH/config.php
echo " define('ICONS_DIR', \"feed-icons\");" >> $RSS_READER_PATH/config.php
echo " define('ICONS_URL', \"feed-icons\");" >> $RSS_READER_PATH/config.php
echo " define('AUTH_AUTO_CREATE', true);" >> $RSS_READER_PATH/config.php
echo " define('AUTH_AUTO_LOGIN', true);" >> $RSS_READER_PATH/config.php
echo " define('FORCE_ARTICLE_PURGE', 0);" >> $RSS_READER_PATH/config.php
echo " define('PUBSUBHUBBUB_HUB', '');" >> $RSS_READER_PATH/config.php
echo " define('PUBSUBHUBBUB_ENABLED', false);" >> $RSS_READER_PATH/config.php
echo " define('SPHINX_SERVER', 'localhost:9312');" >> $RSS_READER_PATH/config.php
echo " define('SPHINX_INDEX', 'ttrss, delta');" >> $RSS_READER_PATH/config.php
echo " define('ENABLE_REGISTRATION', false);" >> $RSS_READER_PATH/config.php
echo " define('REG_NOTIFY_ADDRESS', '${MY_EMAIL_ADDRESS}');" >> $RSS_READER_PATH/config.php
echo " define('REG_MAX_USERS', 10);" >> $RSS_READER_PATH/config.php
echo " define('SESSION_COOKIE_LIFETIME', 86400);" >> $RSS_READER_PATH/config.php
echo " define('SMTP_FROM_NAME', 'Tiny Tiny RSS');" >> $RSS_READER_PATH/config.php
echo " define('SMTP_FROM_ADDRESS', 'noreply@${RSS_READER_ONION_HOSTNAME}');" >> $RSS_READER_PATH/config.php
echo " define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');" >> $RSS_READER_PATH/config.php
echo " define('SMTP_SERVER', '');" >> $RSS_READER_PATH/config.php
echo " define('SMTP_LOGIN', '');" >> $RSS_READER_PATH/config.php
echo " define('SMTP_PASSWORD', '');" >> $RSS_READER_PATH/config.php
echo " define('SMTP_SECURE', '');" >> $RSS_READER_PATH/config.php
echo " define('CHECK_FOR_UPDATES', false);" >> $RSS_READER_PATH/config.php
echo " define('ENABLE_GZIP_OUTPUT', false);" >> $RSS_READER_PATH/config.php
echo " define('PLUGINS', 'auth_internal, note, gnusocial');" >> $RSS_READER_PATH/config.php
echo " define('LOG_DESTINATION', 'sql');" >> $RSS_READER_PATH/config.php
echo " define('CONFIG_VERSION', 26);" >> $RSS_READER_PATH/config.php
fi
# initialize the database
if [ ! -f $RSS_READER_PATH/schema/ttrss_schema_mysql.sql ]; then
echo $'No database schema found for rss reader'
exit 52926
fi
mysql -u root --password="$MARIADB_PASSWORD" -D ttrss < $RSS_READER_PATH/schema/ttrss_schema_mysql.sql
# change the password from the default
RSS_READER_ADMIN_PASSWORD_HASH=$(echo -n "${RSS_READER_ADMIN_PASSWORD}" | sha1sum | awk -F ' ' '{print $1}')
mysql -u root --password="$MARIADB_PASSWORD" -e "update ttrss_users set pwd_hash = 'SHA1:${RSS_READER_ADMIN_PASSWORD_HASH}', salt= '' WHERE login = 'admin';" ttrss
rss_reader_modifications
configure_php
nginx_ensite $RSS_READER_DOMAIN_NAME
systemctl restart php5-fpm
systemctl restart nginx
if ! grep -q "RSS reader onion domain" $COMPLETION_FILE; then
echo "RSS reader onion domain:${RSS_READER_ONION_HOSTNAME}" >> $COMPLETION_FILE
fi
if ! grep -q "RSS reader domain" $COMPLETION_FILE; then
echo "RSS reader domain:${RSS_READER_DOMAIN_NAME}" >> $COMPLETION_FILE
fi
# daemon to update feeds
echo '[Unit]' > /etc/systemd/system/ttrss.service
echo 'Description=ttrss_backend' >> /etc/systemd/system/ttrss.service
echo 'After=network.target mysql.service' >> /etc/systemd/system/ttrss.service
echo 'After=tor.service' >> /etc/systemd/system/ttrss.service
echo '' >> /etc/systemd/system/ttrss.service
echo '[Service]' >> /etc/systemd/system/ttrss.service
echo 'User=www-data' >> /etc/systemd/system/ttrss.service
echo "ExecStart=/usr/bin/php $RSS_READER_PATH/update.php --daemon" >> /etc/systemd/system/ttrss.service
echo '' >> /etc/systemd/system/ttrss.service
echo '[Install]' >> /etc/systemd/system/ttrss.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ttrss.service
systemctl enable ttrss
systemctl daemon-reload
systemctl start ttrss
# some post-install instructions for the user
if ! grep -q $"RSS Reader" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'RSS Reader' >> /home/$MY_USERNAME/README
echo '==========' >> /home/$MY_USERNAME/README
echo $"RSS reader domain: ${RSS_READER_DOMAIN_NAME}" >> /home/$MY_USERNAME/README
echo $"RSS reader onion domain: ${RSS_READER_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo $"RSS reader admin username: admin" >> /home/$MY_USERNAME/README
echo $"RSS reader admin password: ${RSS_READER_ADMIN_PASSWORD}" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_rss_reader' >> $COMPLETION_FILE
}
function install_rss_reader_gnusocial {
if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $MICROBLOG_DOMAIN_NAME ]; then
return
fi
if [ ! $RSS_READER_PATH ]; then
RSS_READER_PATH=/etc/share/tt-rss
fi
RSS_READER_GNUSOCIAL_PATH=${RSS_READER_PATH}/plugins/gnusocial
# update to the next commit
set_repo_commit $RSS_READER_GNUSOCIAL_PATH "RSS reader gnusocial commit" "$RSS_READER_GNUSOCIAL_COMMIT" $RSS_READER_GNUSOCIAL_REPO
chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH
if grep -Fxq "install_rss_reader_gnusocial" $COMPLETION_FILE; then
return
fi
if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR
fi
cd $INSTALL_DIR
git_clone $RSS_READER_GNUSOCIAL_REPO ttrss-gnusocial
if [ ! -d $INSTALL_DIR/ttrss-gnusocial ]; then
echo $'Could not clone repo for RSS reader GNU Social plugin'
exit 52838
fi
cp -r $INSTALL_DIR/ttrss-gnusocial $RSS_READER_GNUSOCIAL_PATH
cd $RSS_READER_GNUSOCIAL_PATH
git checkout $RSS_READER_GNUSOCIAL_COMMIT -b $RSS_READER_GNUSOCIAL_COMMIT
if ! grep -q "RSS reader gnusocial commit" $COMPLETION_FILE; then
echo "RSS reader gnusocial commit:$RSS_READER_GNUSOCIAL_COMMIT" >> $COMPLETION_FILE
fi
chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH
echo 'install_rss_reader_gnusocial' >> $COMPLETION_FILE
}
function install_rss_mobile_reader {
if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $RSS_READER_PATH ]; then
RSS_READER_PATH=/etc/share/tt-rss
fi
if [ ! -d $RSS_READER_PATH ]; then
echo $'tt-rss is not installed, so the mobile version cannot be installed'
exit 63452
fi
RSS_MOBILE_READER_PATH=/etc/share/ttrss-mobile
# remove any previous install
if [ -d $RSS_READER_PATH/g2ttree-mobile ]; then
if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then
sed -i '/install_rss_mobile_reader/d' $COMPLETION_FILE
sed -i '/RSS mobile reader commit/d' $COMPLETION_FILE
rm -rf $RSS_READER_PATH/g2ttree-mobile
fi
fi
# update to the next commit
set_repo_commit $RSS_MOBILE_READER_PATH "RSS mobile reader commit" "$RSS_MOBILE_READER_COMMIT" $RSS_MOBILE_READER_REPO
if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then
return
fi
cd /etc/share
git_clone $RSS_MOBILE_READER_REPO ttrss-mobile
if [ ! -d $RSS_MOBILE_READER_PATH ]; then
echo $'Could not clone RSS mobile reader repo'
exit 24816
fi
cd $RSS_MOBILE_READER_PATH
git checkout $RSS_MOBILE_READER_COMMIT -b $RSS_MOBILE_READER_COMMIT
if ! grep -q "RSS mobile reader commit" $COMPLETION_FILE; then
echo "RSS mobile reader commit:$RSS_MOBILE_READER_COMMIT" >> $COMPLETION_FILE
fi
echo 'define({' > $RSS_MOBILE_READER_PATH/scripts/conf.js
echo ' apiPath: "/tt-rss/"' >> $RSS_MOBILE_READER_PATH/scripts/conf.js
echo '});' >> $RSS_MOBILE_READER_PATH/scripts/conf.js
# link to the main site
ln -s $RSS_READER_PATH $RSS_MOBILE_READER_PATH/tt-rss
chown -R www-data:www-data $RSS_MOBILE_READER_PATH
chown -R www-data:www-data $RSS_READER_PATH
chmod a+x $RSS_MOBILE_READER_PATH
echo 'install_rss_mobile_reader' >> $COMPLETION_FILE
}
function install_gnu_social {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $MICROBLOG_DOMAIN_NAME ]; then
echo $'No domain name was given for the microblog'
exit 7359
fi
# update to the next commit
set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs "GNU Social commit" "$MICROBLOG_COMMIT" $MICROBLOG_REPO
# add a script to check that the daemon is running
echo '#!/bin/bash' > /etc/cron.hourly/gnusocial-daemons
echo 'daemon_lines=$(ps aux | grep "scripts/queuedaemon.php" | grep "/var/www")' >> /etc/cron.hourly/gnusocial-daemons
echo 'if [[ $daemon_lines != *"/var/www/"* ]]; then' >> /etc/cron.hourly/gnusocial-daemons
echo " ADMIN_USER=\$(cat $COMPLETION_FILE | grep 'Admin user' | awk -F ':' '{print \$2}')" >> /etc/cron.hourly/gnusocial-daemons
echo ' MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME' >> /etc/cron.hourly/gnusocial-daemons
echo ' echo "Restarting GNU Social daemons" | mail -s "GNU Social daemons not found" $MY_EMAIL_ADDRESS' >> /etc/cron.hourly/gnusocial-daemons
echo " cd /var/www/${MICROBLOG_DOMAIN_NAME}/htdocs" >> /etc/cron.hourly/gnusocial-daemons
echo ' scripts/startdaemons.sh' >> /etc/cron.hourly/gnusocial-daemons
echo 'fi' >> /etc/cron.hourly/gnusocial-daemons
chmod +x /etc/cron.hourly/gnusocial-daemons
if grep -Fxq "install_gnu_social" $COMPLETION_FILE; then
return
fi
install_mariadb
get_mariadb_password
repair_databases_script
apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME ]; then
mkdir /var/www/$MICROBLOG_DOMAIN_NAME
fi
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then
git_clone $MICROBLOG_REPO /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then
echo $'Unable to clone gnusocial repo'
exit 87525
fi
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
git checkout $MICROBLOG_COMMIT -b $MICROBLOG_COMMIT
if ! grep -q "GNU Social commit" $COMPLETION_FILE; then
echo "GNU Social commit:$MICROBLOG_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/GNU Social commit.*/GNU Social commit:$MICROBLOG_COMMIT/g" $COMPLETION_FILE
fi
chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
chown www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
chmod +x /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php
get_mariadb_gnusocial_admin_password
if [ ! $MICROBLOG_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
MICROBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
MICROBLOG_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
create_database gnusocial "$MICROBLOG_ADMIN_PASSWORD" $MY_USERNAME
if [ ! -f "/etc/aliases" ]; then
touch /etc/aliases
fi
if ! grep -q "www-data: root" /etc/aliases; then
echo 'www-data: root' >> /etc/aliases
fi
if ! grep -q "/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" /etc/aliases; then
echo "*: /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" >> /etc/aliases
fi
add_ddns_domain $MICROBLOG_DOMAIN_NAME
microblog_nginx_site=/etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
nginx_http_redirect $MICROBLOG_DOMAIN_NAME
echo 'server {' >> $microblog_nginx_site
echo ' listen 443 ssl;' >> $microblog_nginx_site
echo " server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Security' >> $microblog_nginx_site
nginx_ssl $MICROBLOG_DOMAIN_NAME
nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME
nginx_limits $MICROBLOG_DOMAIN_NAME '15m'
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Logs' >> $microblog_nginx_site
echo ' access_log off;' >> $microblog_nginx_site
echo ' error_log off;' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Root' >> $microblog_nginx_site
echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Index' >> $microblog_nginx_site
echo ' index index.php;' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # PHP' >> $microblog_nginx_site
echo ' location ~ \.php {' >> $microblog_nginx_site
echo ' include snippets/fastcgi-php.conf;' >> $microblog_nginx_site
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Location' >> $microblog_nginx_site
echo ' location / {' >> $microblog_nginx_site
echo ' try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Fancy URLs' >> $microblog_nginx_site
echo ' location @gnusocial {' >> $microblog_nginx_site
echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $microblog_nginx_site
echo ' location ~ /\.(ht|git) {' >> $microblog_nginx_site
echo ' deny all;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '}' >> $microblog_nginx_site
else
echo -n '' > $microblog_nginx_site
fi
echo 'server {' >> $microblog_nginx_site
echo " listen 127.0.0.1:$MICROBLOG_ONION_PORT default_server;" >> $microblog_nginx_site
echo " server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME
nginx_limits $MICROBLOG_DOMAIN_NAME '15m'
echo '' >> $microblog_nginx_site
echo ' # Logs' >> $microblog_nginx_site
echo ' access_log off;' >> $microblog_nginx_site
echo ' error_log off;' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Root' >> $microblog_nginx_site
echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Index' >> $microblog_nginx_site
echo ' index index.php;' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # PHP' >> $microblog_nginx_site
echo ' location ~ \.php {' >> $microblog_nginx_site
echo ' include snippets/fastcgi-php.conf;' >> $microblog_nginx_site
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Location' >> $microblog_nginx_site
echo ' location / {' >> $microblog_nginx_site
echo ' try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Fancy URLs' >> $microblog_nginx_site
echo ' location @gnusocial {' >> $microblog_nginx_site
echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '' >> $microblog_nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $microblog_nginx_site
echo ' location ~ /\.(ht|git) {' >> $microblog_nginx_site
echo ' deny all;' >> $microblog_nginx_site
echo ' }' >> $microblog_nginx_site
echo '}' >> $microblog_nginx_site
configure_php
create_site_certificate $MICROBLOG_DOMAIN_NAME 'yes'
# Ensure that the database gets backed up locally, if remote
# backups are not being used
backup_databases_script_header
backup_database_local gnusocial
nginx_ensite $MICROBLOG_DOMAIN_NAME
# NOTE: For the typical case always enable SSL and only
# disable it if in onion only mode. This is due to complexities
# with the way URLs are generated by GNU Social
gnu_social_ssl='always'
if [[ $ONION_ONLY != 'no' ]]; then
gnu_social_ssl='never'
fi
MICROBLOG_ONION_HOSTNAME=$(add_onion_service microblog 80 ${MICROBLOG_ONION_PORT})
MICROBLOG_SERVER=${MICROBLOG_DOMAIN_NAME}
if [[ $ONION_ONLY != 'no' ]]; then
MICROBLOG_SERVER=${MICROBLOG_ONION_HOSTNAME}
fi
# Create the configuration
gnu_social_installer=/var/www/${MICROBLOG_DOMAIN_NAME}/htdocs/scripts/install_cli.php
if [ ! -f $gnu_social_installer ]; then
echo $'No GNU Social commandline installer found'
exit 53026
fi
${gnu_social_installer} --server "${MICROBLOG_SERVER}" \
--host="localhost" --database="gnusocial" \
--dbtype=mysql --username="root" -v \
--password="$MARIADB_PASSWORD" \
--sitename=$"GNU Social" --fancy='yes' \
--admin-nick="$MY_USERNAME" \
--admin-pass="$MICROBLOG_ADMIN_PASSWORD" \
--site-profile="community" \
--ssl=${gnu_social_ssl}
# There can be a lot of warnings here so the return value check is disabled
#if [ ! "$?" = "0" ]; then
# # failed to install
# echo $'Could not install GNU Social'
# exit 72357
#fi
# check microblog has a config file
microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
if [ ! -f $microblog_config_file ]; then
echo $'Microblog config.php not found'
exit 87586
fi
# Some useful settings
if ! grep -q "Recommended GNU social settings" $microblog_config_file; then
echo "" >> $microblog_config_file
echo "// Recommended GNU social settings" >> $microblog_config_file
echo "\$config['thumbnail']['maxsize'] = 3000;" >> $microblog_config_file
echo "\$config['profile']['delete'] = true;" >> $microblog_config_file
echo "\$config['profile']['changenick'] = true;" >> $microblog_config_file
echo "\$config['public']['localonly'] = false;" >> $microblog_config_file
echo "addPlugin('StoreRemoteMedia');" >> $microblog_config_file
echo "\$config['queue']['enabled'] = true;" >> $microblog_config_file
echo "\$config['queue']['daemon'] = true;" >> $microblog_config_file
fi
# This improves performance
sed -i "s|//\$config\['db'\]\['schemacheck'\].*|\$config\['db'\]\['schemacheck'\] = 'script';|g" $microblog_config_file
systemctl restart php5-fpm
systemctl restart nginx
freedombone-addemail -u $MY_USERNAME -e "noreply@$MICROBLOG_DOMAIN_NAME" -g gnusocial --public no
# some post-install instructions for the user
if ! grep -q $"Microblog administrator" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Microblog' >> /home/$MY_USERNAME/README
echo '=========' >> /home/$MY_USERNAME/README
echo $"Microblog administrator nickname: $MY_USERNAME" >> /home/$MY_USERNAME/README
echo $"Microblog administrator password: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
if ! grep -q "Microblog onion domain" /home/$MY_USERNAME/README; then
echo $"Microblog onion domain: ${MICROBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo "GNU Social onion domain:${MICROBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE
echo "GNU Social domain:$MICROBLOG_DOMAIN_NAME" >> $COMPLETION_FILE
echo 'install_gnu_social' >> $COMPLETION_FILE
}
function install_gnu_social_plugin_sharings {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then
echo $'No local/plugins directory found for the microblog'
exit 72945
fi
# update to the next commit
set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings plugin commit" "$SHARINGS_COMMIT" $SHARINGS_REPO
if grep -Fxq "install_gnu_social_plugin_sharings" $COMPLETION_FILE; then
return
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
git_clone $SHARINGS_REPO Sharings
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings ]; then
echo $'Unable to clone microblog sharings plugin'
exit 36738
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings
git stash
git checkout master
git branch -D $SHARINGS_COMMIT
git checkout $SHARINGS_COMMIT -b $SHARINGS_COMMIT
# enable the plugin
if ! grep -q "addPlugin('Sharings');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then
echo "addPlugin('Sharings');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
php scripts/checkschema.php
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings
php scripts/seedsharings.php
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
php scripts/checkschema.php
# Languages
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en/LC_MESSAGES
msgfmt -o Sharings.mo Sharings.po
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_GB/LC_MESSAGES
msgfmt -o Sharings.mo Sharings.po
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_US/LC_MESSAGES
msgfmt -o Sharings.mo Sharings.po
chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
if ! grep -q "GNU Social sharings plugin commit" $COMPLETION_FILE; then
echo "GNU Social sharings plugin commit:$SHARINGS_COMMIT" >> $COMPLETION_FILE
else
sed -i "s|GNU Social sharings plugin commit.*|GNU Social sharings plugin commit:$SHARINGS_COMMIT|g" $COMPLETION_FILE
fi
echo 'install_gnu_social_plugin_sharings' >> $COMPLETION_FILE
}
function install_gnu_social_plugin_sharings_theme {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then
echo $'No local/plugins directory found for the microblog'
exit 74458
fi
# update to the next commit
set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings theme plugin commit" "$SHARINGS_THEME_COMMIT" $SHARINGS_THEME_REPO
if grep -Fxq "install_gnu_social_plugin_sharings_theme" $COMPLETION_FILE; then
return
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
git_clone $SHARINGS_THEME_REPO SharingsTheme
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme ]; then
echo $'Unable to clone microblog sharings plugin theme'
exit 639253
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme
git stash
git checkout master
git branch -D $SHARINGS_THEME_COMMIT
git checkout $SHARINGS_THEME_COMMIT -b $SHARINGS_THEME_COMMIT
# enable the plugin
if ! grep -q "addPlugin('SharingsTheme');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then
echo "addPlugin('SharingsTheme');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
php scripts/checkschema.php
chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
if ! grep -q "GNU Social sharings plugin theme commit" $COMPLETION_FILE; then
echo "GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT" >> $COMPLETION_FILE
else
sed -i "s|GNU Social sharings plugin theme commit.*|GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT|g" $COMPLETION_FILE
fi
echo 'install_gnu_social_plugin_sharings_theme' >> $COMPLETION_FILE
}
function expire_gnu_social_posts {
# To prevent the database size from growing endlessly this script expires posts
# after a number of months
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then
return
fi
gnusocial_expire_script=/usr/bin/gnusocial-expire
echo '<?php' > $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo '// GNU Social post expiry script, based on StatExpire by Tony Baldwin' >> $gnusocial_expire_script
echo '// https://github.com/tonybaldwin/statexpire' >> $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $gnusocial_expire_script
echo '$username="root";' >> $gnusocial_expire_script
echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $gnusocial_expire_script
echo '$database="gnusocial";' >> $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $gnusocial_expire_script
echo ' echo "Could not connect to mariadb";' >> $gnusocial_expire_script
echo ' exit;' >> $gnusocial_expire_script
echo '}' >> $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo 'if (!mysql_select_db($database, $link)) {' >> $gnusocial_expire_script
echo ' echo "Could not select gnusocial database";' >> $gnusocial_expire_script
echo ' exit;' >> $gnusocial_expire_script
echo '}' >> $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo "\$notice_query=\"DELETE FROM notice WHERE created <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script
echo "\$conversation_query=\"DELETE FROM conversation WHERE created <= '$oldate 01:01:01'\";" >> $gnusocial_expire_script
echo "\$reply_query=\"DELETE FROM reply WHERE modified <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo 'mysql_query($notice_query);' >> $gnusocial_expire_script
echo '$rowaff1=mysql_affected_rows();' >> $gnusocial_expire_script
echo 'mysql_query($conversation_query);' >> $gnusocial_expire_script
echo '$rowaff2=mysql_affected_rows();' >> $gnusocial_expire_script
echo 'mysql_query($reply_query);' >> $gnusocial_expire_script
echo '$rowaff3=mysql_affected_rows();' >> $gnusocial_expire_script
echo 'mysql_close();' >> $gnusocial_expire_script
echo '' >> $gnusocial_expire_script
echo 'echo "Expire GNU Social posts: $rowaff1 notices, $rowaff2 conversations, and $rowaff3 replies deleted from database.\n";' >> $gnusocial_expire_script
chmod +x $gnusocial_expire_script
# Add a cron job
if ! grep -q "$gnusocial_expire_script" /etc/crontab; then
echo "10 3 5 * * root /usr/bin/timeout 500 /usr/bin/php $gnusocial_expire_script" >> /etc/crontab
fi
# remove old expire script
if [ -f /etc/cron.weekly/clear-microblog-database ]; then
rm /etc/cron.weekly/clear-microblog-database
fi
}
function install_gnu_social_theme {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
# update to the next commit
set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter "GNU Social theme commit" "$MICROBLOG_THEME_COMMIT" $MICROBLOG_THEME_REPO
# customise with project logo
if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then
if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then
cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png
fi
fi
if grep -Fxq "install_gnu_social_theme" $COMPLETION_FILE; then
return
fi
apt-get -y install wget
if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then
mkdir -p /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
fi
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
git_clone $MICROBLOG_THEME_REPO Qvitter
cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter
git checkout $MICROBLOG_THEME_COMMIT -b $MICROBLOG_THEME_COMMIT
# download a custom background image
MICROBLOG_BACKGROUND_IMAGE_URL_EXT=
if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then
if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpeg" || $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpg" ]]; then
MICROBLOG_BACKGROUND_IMAGE_URL_EXT="jpg"
fi
if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".png" ]]; then
MICROBLOG_BACKGROUND_IMAGE_URL_EXT="png"
fi
if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".gif" ]]; then
MICROBLOG_BACKGROUND_IMAGE_URL_EXT="gif"
fi
if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then
wget $MICROBLOG_BACKGROUND_IMAGE_URL -O img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}
if [ ! -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then
echo "$MICROBLOG_BACKGROUND_IMAGE_URL"
echo $'Custom background image for microblog could not be downloaded'
exit 87524
fi
fi
fi
microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
if ! grep -q "addPlugin('Qvitter')" $microblog_config_file; then
MICROBLOG_WELCOME_MESSAGE=$(echo $MICROBLOG_WELCOME_MESSAGE | sed "s|\$MICROBLOG_DOMAIN_NAME|$MICROBLOG_DOMAIN_NAME|g")
echo "" >> $microblog_config_file
echo "// Qvitter settings" >> $microblog_config_file
echo "addPlugin('Qvitter');" >> $microblog_config_file
echo "\$config['site']['qvitter']['enabledbydefault'] = true;" >> $microblog_config_file
echo "\$config['site']['qvitter']['defaultbackgroundcolor'] = '#f4f4f4';" >> $microblog_config_file
echo "\$config['site']['qvitter']['defaultlinkcolor'] = '#0084B4';" >> $microblog_config_file
echo "\$config['site']['qvitter']['timebetweenpolling'] = 30000; // 30 secs" >> $microblog_config_file
echo "\$config['site']['qvitter']['urlshortenerapiurl'] = 'http://qttr.at/shortener.php';" >> $microblog_config_file
echo "\$config['site']['qvitter']['urlshortenersignature'] = 'b6afeec983';" >> $microblog_config_file
if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then
echo "\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';" >> $microblog_config_file
else
echo "\$config['site']['qvitter']['sitebackground'] = 'img/vagnsmossen.jpg';" >> $microblog_config_file
fi
echo "\$config['site']['qvitter']['favicon'] = 'img/favicon.ico?v=4';" >> $microblog_config_file
echo "\$config['site']['qvitter']['sprite'] = Plugin::staticPath('Qvitter', '').'img/sprite.png?v=40';" >> $microblog_config_file
echo "\$config['site']['qvitter']['enablewelcometext'] = true;" >> $microblog_config_file
echo "\$config['site']['qvitter']['customwelcometext']['en'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
echo "\$config['site']['qvitter']['customwelcometext']['de'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
echo "\$config['site']['qvitter']['customwelcometext']['fr'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
echo "\$config['site']['qvitter']['customwelcometext']['es'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
echo "\$config['site']['qvitter']['blocked_ips'] = array();" >> $microblog_config_file
else
if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then
if [ -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then
sed -i "s|\$config['site']['qvitter']['sitebackground'].*|\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';|g" $microblog_config_file
fi
fi
fi
# customise with project logo
if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then
if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then
cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png
fi
fi
if ! grep -q "GNU Social theme commit" $COMPLETION_FILE; then
echo "GNU Social theme commit:$MICROBLOG_THEME_COMMIT" >> $COMPLETION_FILE
fi
chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
echo 'install_gnu_social_theme' >> $COMPLETION_FILE
}
function install_gnu_social_markdown {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
MICROBLOG_PATH=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs
# update to the next commit
set_repo_commit $MICROBLOG_PATH/local/plugins/Markdown "GNU Social Markdown commit" "$MICROBLOG_MARKDOWN_COMMIT" $MICROBLOG_MARKDOWN_REPO
if grep -Fxq "install_gnu_social_markdown" $COMPLETION_FILE; then
return
fi
if [ -d $MICROBLOG_PATH/local/plugins/Markdown ]; then
rm -rf $MICROBLOG_PATH/local/plugins/Markdown
fi
if [ ! -d $MICROBLOG_PATH/local/plugins ]; then
mkdir -p $MICROBLOG_PATH/local/plugins
fi
cd $MICROBLOG_PATH/local/plugins
git_clone $MICROBLOG_MARKDOWN_REPO Markdown
cd $MICROBLOG_PATH/local/plugins/Markdown
git checkout $MICROBLOG_MARKDOWN_COMMIT -b $MICROBLOG_MARKDOWN_COMMIT
microblog_config_file=$MICROBLOG_PATH/config.php
if ! grep -q "addPlugin('Markdown'" $microblog_config_file; then
echo "" >> $microblog_config_file
echo "// Markdown settings" >> $microblog_config_file
echo "addPlugin('Markdown');" >> $microblog_config_file
fi
if ! grep -q "GNU Social Markdown commit" $COMPLETION_FILE; then
echo "GNU Social Markdown commit:$MICROBLOG_MARKDOWN_COMMIT" >> $COMPLETION_FILE
fi
chown -R www-data:www-data $MICROBLOG_PATH
echo 'install_gnu_social_markdown' >> $COMPLETION_FILE
}
function install_search_engine {
# Note: currently socks5 outgoing proxies to other search engines does not work
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! -d /etc/nginx ]; then
echo $'Webserver is not installed'
exit 62429
fi
# update to a new commit if needed
set_repo_commit $SEARCH_ENGINE_PATH/searx "Search engine commit" "$SEARCH_ENGINE_COMMIT" $SEARCH_ENGINE_REPO
if grep "Search engine key" $COMPLETION_FILE; then
if [ -f ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml ]; then
# note: this might change to a --tor option in a later version
if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then
echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
echo ' proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
echo ' http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
echo ' https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
fi
SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}')
sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
if [ -f /var/lib/tor/hidden_service_searx/hostname ]; then
SEARCH_ENGINE_ONION_HOSTNAME=$(echo /var/lib/tor/hidden_service_searx/hostname)
sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
fi
fi
fi
if grep -Fxq "install_search_engine" $COMPLETION_FILE; then
return
fi
apt-get -y install python-pip libyaml-dev python-werkzeug python-babel python-lxml apache2-utils
apt-get -y install git build-essential libxslt-dev python-dev python-virtualenv python-pybabel zlib1g-dev uwsgi uwsgi-plugin-python libapache2-mod-uwsgi
pip install --upgrade pip
pip install certifi
if [ ! "$?" = "0" ]; then
echo $'Failed to install certifi'
exit 737692
fi
pip install pyyaml
if [ ! "$?" = "0" ]; then
echo $'Failed to install pyyaml'
exit 469242
fi
pip install flask --upgrade
if [ ! "$?" = "0" ]; then
echo $'Failed to install flask'
exit 888575
fi
pip install flask_restless --upgrade
if [ ! "$?" = "0" ]; then
echo $'Failed to install flask_restless'
exit 54835
fi
pip install flask_babel --upgrade
if [ ! "$?" = "0" ]; then
echo $'Failed to install flask_babel'
exit 63738
fi
if [ ! -d $SEARCH_ENGINE_PATH ]; then
mkdir -p $SEARCH_ENGINE_PATH
fi
# clone the repo
cd $SEARCH_ENGINE_PATH
git_clone $SEARCH_ENGINE_REPO searx
git checkout $SEARCH_ENGINE_COMMIT -b $SEARCH_ENGINE_COMMIT
if ! grep -q "Search engine commit" $COMPLETION_FILE; then
echo "Search engine commit:$SEARCH_ENGINE_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Search engine commit.*/Search engine commit:$SEARCH_ENGINE_COMMIT/g" $COMPLETION_FILE
fi
# create an onion service
SEARCH_ENGINE_ONION_HOSTNAME=$(add_onion_service searx 80 ${SEARCH_ENGINE_ONION_PORT})
if ! grep "Search engine onion domain" $COMPLETION_FILE; then
echo "Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}" >> $COMPLETION_FILE
else
sed -i "s|Search engine onion domain.*|Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}|g" $COMPLETION_FILE
fi
# an unprivileged user to run as
useradd -d ${SEARCH_ENGINE_PATH}/searx/ -s /bin/false searx
adduser searx debian-tor
# daemon
echo '[Unit]' > /etc/systemd/system/searx.service
echo 'Description=Searx (search engine)' >> /etc/systemd/system/searx.service
echo 'After=syslog.target' >> /etc/systemd/system/searx.service
echo 'After=network.target' >> /etc/systemd/system/searx.service
echo '' >> /etc/systemd/system/searx.service
echo '[Service]' >> /etc/systemd/system/searx.service
echo 'Type=simple' >> /etc/systemd/system/searx.service
echo 'User=searx' >> /etc/systemd/system/searx.service
echo 'Group=searx' >> /etc/systemd/system/searx.service
echo "WorkingDirectory=${SEARCH_ENGINE_PATH}/searx" >> /etc/systemd/system/searx.service
echo "ExecStart=/usr/bin/python ${SEARCH_ENGINE_PATH}/searx/searx/webapp.py" >> /etc/systemd/system/searx.service
echo 'Restart=always' >> /etc/systemd/system/searx.service
echo 'Environment="USER=searx"' >> /etc/systemd/system/searx.service
echo '' >> /etc/systemd/system/searx.service
echo '[Install]' >> /etc/systemd/system/searx.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/searx.service
# create a webserver file
echo 'server {' > /etc/nginx/sites-available/searx
echo " listen 127.0.0.1:${SEARCH_ENGINE_ONION_PORT} default_server;" >> /etc/nginx/sites-available/searx
echo " root ${SEARCH_ENGINE_PATH}/searx;" >> /etc/nginx/sites-available/searx
echo " server_name ${SEARCH_ENGINE_ONION_HOSTNAME};" >> /etc/nginx/sites-available/searx
echo ' access_log off;' >> /etc/nginx/sites-available/searx
echo " error_log /var/log/searx_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/searx
echo '' >> /etc/nginx/sites-available/searx
nginx_limits searx '1M'
nginx_disable_sniffing searx
echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/searx
echo '' >> /etc/nginx/sites-available/searx
echo ' location / {' >> /etc/nginx/sites-available/searx
echo ' proxy_pass http://localhost:8888;' >> /etc/nginx/sites-available/searx
echo ' proxy_set_header Host $host;' >> /etc/nginx/sites-available/searx
echo ' proxy_set_header X-Real-IP $remote_addr;' >> /etc/nginx/sites-available/searx
echo ' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' >> /etc/nginx/sites-available/searx
echo ' proxy_set_header X-Remote-Port $remote_port;' >> /etc/nginx/sites-available/searx
echo ' proxy_set_header X-Forwarded-Proto $scheme;' >> /etc/nginx/sites-available/searx
echo ' proxy_redirect off;' >> /etc/nginx/sites-available/searx
echo " auth_basic \"${SEARCH_ENGINE_LOGIN_TEXT}\";" >> /etc/nginx/sites-available/searx
echo ' auth_basic_user_file /etc/nginx/.htpasswd;' >> /etc/nginx/sites-available/searx
echo ' }' >> /etc/nginx/sites-available/searx
echo '' >> /etc/nginx/sites-available/searx
echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/searx
echo '' >> /etc/nginx/sites-available/searx
echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/searx
echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/searx
echo '' >> /etc/nginx/sites-available/searx
echo ' location = /robots.txt {' >> /etc/nginx/sites-available/searx
echo ' allow all;' >> /etc/nginx/sites-available/searx
echo ' log_not_found off;' >> /etc/nginx/sites-available/searx
echo ' access_log off;' >> /etc/nginx/sites-available/searx
echo ' }' >> /etc/nginx/sites-available/searx
echo '}' >> /etc/nginx/sites-available/searx
# replace the secret key
if ! grep "Search engine key" $COMPLETION_FILE; then
SEARCH_ENGINE_SECRET_KEY="$(openssl rand -base64 32 | cut -c1-30)"
echo "Search engine key:${SEARCH_ENGINE_SECRET_KEY}" >> $COMPLETION_FILE
else
SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}')
fi
sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml
sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml
# note: this might change to a --tor option in a later version
if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then
echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
echo ' proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
echo ' http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
echo ' https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
fi
chown -R searx:searx ${SEARCH_ENGINE_PATH}/searx
# enable the site
nginx_ensite searx
# restart the web server
systemctl restart php5-fpm
systemctl restart nginx
# start the daemon
systemctl enable searx.service
systemctl daemon-reload
systemctl start searx.service
if ! grep -q "Your search engine password is" /home/$MY_USERNAME/README; then
if [ ${#SEARCH_ENGINE_PASSWORD} -lt 8 ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
SEARCH_ENGINE_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
SEARCH_ENGINE_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
echo "$SEARCH_ENGINE_PASSWORD" | htpasswd -i -s -c /etc/nginx/.htpasswd $MY_USERNAME
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Search Engine' >> /home/$MY_USERNAME/README
echo '=============' >> /home/$MY_USERNAME/README
echo $"Search engine onion domain: ${SEARCH_ENGINE_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
echo $"Your search engine password is: $SEARCH_ENGINE_PASSWORD" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_search_engine' >> $COMPLETION_FILE
}
function install_webmail {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
WEB_PATH=/var/www
WEBMAIL_PATH=$WEB_PATH/webmail
# update to a new commit if needed
set_repo_commit $WEBMAIL_PATH "Webmail commit" "$WEBMAIL_COMMIT" $WEBMAIL_REPO
if grep -Fxq "install_webmail" $COMPLETION_FILE; then
return
fi
if [ -d /etc/apache2 ]; then
rm -rf /etc/apache2
echo $'Removed Apache installation after Dokuwiki install'
fi
install_mariadb
get_mariadb_password
repair_databases_script
apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git
apt-get -y install php5-dev imagemagick php5-imagick php5-sqlite php-auth-sasl php-net-smtp php-mime-type
apt-get -y install php-mail-mime php-mail-mimedecode php-net-ldap3 php5-pspell
pear install Net_IDNA2
if [ ! -f $WEBMAIL_PATH/index.php ]; then
cd $WEB_PATH
git_clone $WEBMAIL_REPO webmail
cd $WEBMAIL_PATH
git checkout $WEBMAIL_COMMIT -b $WEBMAIL_COMMIT
if ! grep -q "Webmail commit" $COMPLETION_FILE; then
echo "Webmail commit:$WEBMAIL_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Webmail commit.*/Webmail commit:$WEBMAIL_COMMIT/g" $COMPLETION_FILE
fi
fi
if [ ! -f $WEBMAIL_PATH/index.php ]; then
echo $'Did not clone webmail repo'
exit 52825
fi
WEBMAIL_ONION_HOSTNAME=$(add_onion_service webmail 80 ${WEBMAIL_ONION_PORT})
echo "Webmail onion domain:${WEBMAIL_ONION_HOSTNAME}" >> $COMPLETION_FILE
get_mariadb_webmail_admin_password
if [ ! $WEBMAIL_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
WEBMAIL_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
WEBMAIL_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
create_database webmail "$WEBMAIL_ADMIN_PASSWORD"
mysql -u root --password="$MARIADB_PASSWORD" -D webmail < $WEBMAIL_PATH/SQL/mysql.initial.sql
if [ ! -d /var/www/$DEFAULT_DOMAIN_NAME/htdocs ]; then
mkdir -p /var/www/$DEFAULT_DOMAIN_NAME/htdocs
fi
ln -s $WEBMAIL_PATH /var/www/$DEFAULT_DOMAIN_NAME/htdocs/webmail
if [ ! -f /var/www/webmail/config/config.inc.php ]; then
# generate the configuration
echo '<?php' > /var/www/webmail/config/config.inc.php
echo "\$config['db_dsnw'] = 'mysql://root:${MARIADB_PASSWORD}@localhost/webmail';" >> /var/www/webmail/config/config.inc.php
echo "\$config['default_host'] = 'localhost';" >> /var/www/webmail/config/config.inc.php
echo "\$config['support_url'] = '';" >> /var/www/webmail/config/config.inc.php
WEBMAIL_DES_KEY="$(openssl rand -base64 32 | cut -c1-25)"
echo "\$config['des_key'] = '${WEBMAIL_DES_KEY}';" >> /var/www/webmail/config/config.inc.php
echo "\$config['product_name'] = '${PROJECT_NAME}';" >> /var/www/webmail/config/config.inc.php
echo "\$config['plugins'] = array('enigma');" >> /var/www/webmail/config/config.inc.php
echo "\$config['mime_param_folding'] = 0;" >> /var/www/webmail/config/config.inc.php
echo "\$config['enable_installer'] = false;" >> /var/www/webmail/config/config.inc.php
fi
chown -R www-data:www-data $WEBMAIL_PATH
echo 'server {' > /etc/nginx/sites-available/webmail
echo " listen 127.0.0.1:$WEBMAIL_ONION_PORT default_server;" >> /etc/nginx/sites-available/webmail
echo " server_name $WEBMAIL_ONION_HOSTNAME;" >> /etc/nginx/sites-available/webmail
echo " root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail
echo ' index index.php index.html index.htm;' >> /etc/nginx/sites-available/webmail
echo ' access_log off;' >> /etc/nginx/sites-available/webmail
echo ' error_log off;' >> /etc/nginx/sites-available/webmail
echo ' location / {' >> /etc/nginx/sites-available/webmail
echo ' try_files $uri $uri/ /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/webmail
echo ' }' >> /etc/nginx/sites-available/webmail
echo ' error_page 404 /404.html;' >> /etc/nginx/sites-available/webmail
echo ' error_page 500 502 503 504 /50x.html;' >> /etc/nginx/sites-available/webmail
echo ' location = /50x.html {' >> /etc/nginx/sites-available/webmail
echo " root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail
echo ' }' >> /etc/nginx/sites-available/webmail
echo ' location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {' >> /etc/nginx/sites-available/webmail
echo ' deny all;' >> /etc/nginx/sites-available/webmail
echo ' }' >> /etc/nginx/sites-available/webmail
echo ' location ~ ^/(config|temp|logs)/ {' >> /etc/nginx/sites-available/webmail
echo ' deny all;' >> /etc/nginx/sites-available/webmail
echo ' }' >> /etc/nginx/sites-available/webmail
echo ' location ~ /\. {' >> /etc/nginx/sites-available/webmail
echo ' deny all;' >> /etc/nginx/sites-available/webmail
echo ' access_log off;' >> /etc/nginx/sites-available/webmail
echo ' log_not_found off;' >> /etc/nginx/sites-available/webmail
echo ' }' >> /etc/nginx/sites-available/webmail
echo ' location ~ \.php$ {' >> /etc/nginx/sites-available/webmail
echo ' try_files $uri =404;' >> /etc/nginx/sites-available/webmail
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/webmail
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/webmail
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/webmail
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/webmail
echo ' }' >> /etc/nginx/sites-available/webmail
echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/webmail
echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/webmail
echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/webmail
echo '}' >> /etc/nginx/sites-available/webmail
nginx_ensite webmail
systemctl restart php5-fpm
systemctl restart nginx
if ! grep -q "Webmail" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo 'Webmail' >> /home/$MY_USERNAME/README
echo '=======' >> /home/$MY_USERNAME/README
if [[ $ONION_ONLY == 'no' ]]; then
echo $"Open https://$DEFAULT_DOMAIN_NAME/webmail/index.php" >> /home/$MY_USERNAME/README
else
echo $"Open http://$WEBMAIL_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
fi
echo $"MariaDB webmail admin password: $WEBMAIL_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_webmail' >> $COMPLETION_FILE
}
function install_hubzilla {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $HUBZILLA_DOMAIN_NAME ]; then
return
fi
HUBZILLA_PATH=/var/www/$HUBZILLA_DOMAIN_NAME/htdocs
# update to a new commit if needed
set_repo_commit $HUBZILLA_PATH "Hubzilla commit" "$HUBZILLA_COMMIT" $HUBZILLA_REPO
set_repo_commit $HUBZILLA_PATH/addon "Hubzilla addons commit" "$HUBZILLA_ADDONS_COMMIT" $HUBZILLA_ADDONS_REPO
if [ -d $HUBZILLA_PATH/redmatrix-themes1 ]; then
cd $HUBZILLA_PATH/redmatrix-themes1
git stash
git pull
cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/
chown -R www-data:www-data $HUBZILLA_PATH
fi
if grep -Fxq "install_hubzilla" $COMPLETION_FILE; then
return
fi
install_mariadb
get_mariadb_password
repair_databases_script
apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git
apt-get -y install php5-dev imagemagick php5-imagick
if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then
mkdir /var/www/$HUBZILLA_DOMAIN_NAME
fi
if [ ! -d $HUBZILLA_PATH ]; then
mkdir $HUBZILLA_PATH
fi
if [ ! -f $HUBZILLA_PATH/index.php ]; then
cd $INSTALL_DIR
git_clone $HUBZILLA_REPO hubzilla
git checkout $HUBZILLA_COMMIT -b $HUBZILLA_COMMIT
if ! grep -q "Hubzilla commit" $COMPLETION_FILE; then
echo "Hubzilla commit:$HUBZILLA_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Hubzilla commit.*/Hubzilla commit:$HUBZILLA_COMMIT/g" $COMPLETION_FILE
fi
rm -rf $HUBZILLA_PATH
mv hubzilla $HUBZILLA_PATH
git_clone $HUBZILLA_ADDONS_REPO $HUBZILLA_PATH/addon
cd $HUBZILLA_PATH/addon
git checkout $HUBZILLA_ADDONS_COMMIT -b $HUBZILLA_ADDONS_COMMIT
if ! grep -q "Hubzilla addons commit" $COMPLETION_FILE; then
echo "Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Hubzilla addons commit.*/Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT/g" $COMPLETION_FILE
fi
# some extra themes
git_clone $HUBZILLA_THEMES_REPO $HUBZILLA_PATH/redmatrix-themes1
cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/
chown -R www-data:www-data $HUBZILLA_PATH
fi
HUBZILLA_ONION_HOSTNAME=
if [[ $ONION_ONLY != "no" ]]; then
HUBZILLA_ONION_HOSTNAME=$(add_onion_service hubzilla 80 ${HUBZILLA_ONION_PORT})
echo "Hubzilla onion domain:${HUBZILLA_ONION_HOSTNAME}" >> $COMPLETION_FILE
fi
get_mariadb_hubzilla_admin_password
if [ ! $HUBZILLA_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
HUBZILLA_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
HUBZILLA_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo 'Hubzilla' >> /home/$MY_USERNAME/README
echo '========' >> /home/$MY_USERNAME/README
if [[ $ONION_ONLY == 'no' ]]; then
echo $"Open https://$HUBZILLA_DOMAIN_NAME and register a new user" >> /home/$MY_USERNAME/README
else
echo $"Open http://$HUBZILLA_ONION_HOSTNAME and register a new user" >> /home/$MY_USERNAME/README
fi
echo $"Your MariaDB Hubzilla admin password is: $HUBZILLA_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
create_database hubzilla "$HUBZILLA_ADMIN_PASSWORD"
if ! grep -q "$HUBZILLA_PATH" /etc/crontab; then
echo "12,22,32,42,52 * * * * root cd $HUBZILLA_PATH; /usr/bin/timeout 500 /usr/bin/php include/poller.php" >> /etc/crontab
fi
add_ddns_domain $HUBZILLA_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
nginx_http_redirect $HUBZILLA_DOMAIN_NAME
echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
nginx_limits $HUBZILLA_DOMAIN_NAME
nginx_ssl $HUBZILLA_DOMAIN_NAME
nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
else
echo 'server {' > /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " listen 127.0.0.1:${HUBZILLA_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " server_name $HUBZILLA_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
nginx_limits $HUBZILLA_DOMAIN_NAME
nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
fi
configure_php
create_site_certificate $HUBZILLA_DOMAIN_NAME 'yes'
if [ ! -d $HUBZILLA_PATH/view/tpl/smarty3 ]; then
mkdir $HUBZILLA_PATH/view/tpl/smarty3
fi
if [ ! -d "$HUBZILLA_PATH/store" ]; then
mkdir "$HUBZILLA_PATH/store"
fi
if [ ! -d "$HUBZILLA_PATH/store/[data]" ]; then
mkdir "$HUBZILLA_PATH/store/[data]"
fi
if [ ! -d "$HUBZILLA_PATH/store/[data]/smarty3" ]; then
mkdir "$HUBZILLA_PATH/store/[data]/smarty3"
chmod 777 "$HUBZILLA_PATH/store/[data]/smarty3"
fi
chmod 777 $HUBZILLA_PATH/view/tpl
chown -R www-data:www-data "$HUBZILLA_PATH/store"
chmod 777 $HUBZILLA_PATH/view/tpl/smarty3
# Ensure that the database gets backed up locally, if remote
# backups are not being used
backup_databases_script_header
backup_database_local hubzilla
chown -R www-data:www-data $HUBZILLA_PATH
nginx_ensite $HUBZILLA_DOMAIN_NAME
# initialize the database
if [ ! -f $HUBZILLA_PATH/install/schema_mysql.sql ]; then
echo $'No database schema found for hubzilla'
exit 252782
fi
mysql -u root --password="$MARIADB_PASSWORD" -D hubzilla < $HUBZILLA_PATH/install/schema_mysql.sql
if [ ! "$?" = "0" ]; then
exit 62952
fi
# create the config file
echo '<?php' > $HUBZILLA_PATH/.htconfig.php
echo "\$db_host = 'localhost';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$db_port = '0';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$db_user = 'root';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$db_pass = '${MARIADB_PASSWORD}';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$db_data = 'hubzilla';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$db_type = '0';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$default_timezone = 'Europe/London';" >> $HUBZILLA_PATH/.htconfig.php
if [[ $ONION_ONLY == 'no' ]]; then
echo "\$a->config['system']['baseurl'] = 'https://${HUBZILLA_DOMAIN_NAME}';" >> $HUBZILLA_PATH/.htconfig.php
else
echo "\$a->config['system']['baseurl'] = 'http://${HUBZILLA_ONION_HOSTNAME}';" >> $HUBZILLA_PATH/.htconfig.php
fi
echo "\$a->config['system']['sitename'] = \"Hubzilla\";" >> $HUBZILLA_PATH/.htconfig.php
HUBZILLA_LOCATION_HASH="$(openssl rand -base64 32 | cut -c1-30)"
echo "\$a->config['system']['location_hash'] = '${HUBZILLA_LOCATION_HASH}';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['register_policy'] = REGISTER_OPEN;" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['register_text'] = '';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['admin_email'] = '${MY_EMAIL_ADDRESS}';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['verify_email'] = 1;" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['access_policy'] = ACCESS_PRIVATE;" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['sellpage'] = '';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['max_import_size'] = 200000;" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['php_path'] = '/usr/bin/php';" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL;" >> $HUBZILLA_PATH/.htconfig.php
echo "\$a->config['system']['theme'] = 'redbasic';" >> $HUBZILLA_PATH/.htconfig.php
chown www-data:www-data $HUBZILLA_PATH/.htconfig.php
chmod 755 $HUBZILLA_PATH/.htconfig.php
systemctl restart php5-fpm
systemctl restart nginx
systemctl restart cron
freedombone-addemail -u $MY_USERNAME -e "noreply@$HUBZILLA_DOMAIN_NAME" -g hubzilla --public no
echo "Hubzilla domain:${HUBZILLA_DOMAIN_NAME}" >> $COMPLETION_FILE
echo 'install_hubzilla' >> $COMPLETION_FILE
}
function script_for_attaching_usb_drive {
if grep -Fxq "script_for_attaching_usb_drive" $COMPLETION_FILE; then
return
fi
echo '#!/bin/bash' > /usr/bin/attach-music
echo 'remove-music' >> /usr/bin/attach-music
echo "if [ ! -d $USB_MOUNT ]; then" >> /usr/bin/attach-music
echo " mkdir $USB_MOUNT" >> /usr/bin/attach-music
echo 'fi' >> /usr/bin/attach-music
echo "mount /dev/sda1 $USB_MOUNT" >> /usr/bin/attach-music
echo "chown root:root $USB_MOUNT" >> /usr/bin/attach-music
echo "chown -R minidlna:minidlna $USB_MOUNT/*" >> /usr/bin/attach-music
echo 'service minidlna restart' >> /usr/bin/attach-music
echo 'minidlnad -R' >> /usr/bin/attach-music
chmod +x /usr/bin/attach-music
ln -s /usr/bin/attach-music /usr/bin/attach-usb
ln -s /usr/bin/attach-music /usr/bin/attach-videos
ln -s /usr/bin/attach-music /usr/bin/attach-pictures
ln -s /usr/bin/attach-music /usr/bin/attach-media
echo '#!/bin/bash' > /usr/bin/remove-music
echo "if [ -d $USB_MOUNT ]; then" >> /usr/bin/remove-music
echo " umount $USB_MOUNT" >> /usr/bin/remove-music
echo " rm -rf $USB_MOUNT" >> /usr/bin/remove-music
echo 'fi' >> /usr/bin/remove-music
chmod +x /usr/bin/remove-music
ln -s /usr/bin/remove-music /usr/bin/detach-music
ln -s /usr/bin/remove-music /usr/bin/detach-usb
ln -s /usr/bin/remove-music /usr/bin/remove-usb
ln -s /usr/bin/remove-music /usr/bin/detach-media
ln -s /usr/bin/remove-music /usr/bin/remove-media
ln -s /usr/bin/remove-music /usr/bin/detach-videos
ln -s /usr/bin/remove-music /usr/bin/remove-videos
ln -s /usr/bin/remove-music /usr/bin/detach-pictures
ln -s /usr/bin/remove-music /usr/bin/remove-pictures
echo 'script_for_attaching_usb_drive' >> $COMPLETION_FILE
}
function install_dlna_server {
if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then
return
fi
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
apt-get -y install minidlna
if [ ! -f /etc/minidlna.conf ]; then
echo $"ERROR: minidlna does not appear to have installed. $CHECK_MESSAGE"
exit 55
fi
sed -i "s|media_dir=/var/lib/minidlna|media_dir=A,/home/$MY_USERNAME/Music|g" /etc/minidlna.conf
if ! grep -q "/home/$MY_USERNAME/Pictures" /etc/minidlna.conf; then
echo "media_dir=P,/home/$MY_USERNAME/Pictures" >> /etc/minidlna.conf
fi
if ! grep -q "/home/$MY_USERNAME/Videos" /etc/minidlna.conf; then
echo "media_dir=V,/home/$MY_USERNAME/Videos" >> /etc/minidlna.conf
fi
if ! grep -q "$USB_MOUNT/Music" /etc/minidlna.conf; then
echo "media_dir=A,$USB_MOUNT/Music" >> /etc/minidlna.conf
fi
if ! grep -q "$USB_MOUNT/Pictures" /etc/minidlna.conf; then
echo "media_dir=P,$USB_MOUNT/Pictures" >> /etc/minidlna.conf
fi
if ! grep -q "$USB_MOUNT/Videos" /etc/minidlna.conf; then
echo "media_dir=V,$USB_MOUNT/Videos" >> /etc/minidlna.conf
fi
sed -i 's/#root_container=./root_container=B/g' /etc/minidlna.conf
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
sed -i 's/#network_interface=/network_interface=eth0/g' /etc/minidlna.conf
else
sed -i 's/#network_interface=/network_interface=$WIFI_INTERFACE/g' /etc/minidlna.conf
fi
sed -i "s/#friendly_name=/friendly_name=\"${PROJECT_NAME} Media\"/g" /etc/minidlna.conf
sed -i 's|#db_dir=/var/cache/minidlna|db_dir=/var/cache/minidlna|g' /etc/minidlna.conf
sed -i 's/#inotify=yes/inotify=yes/g' /etc/minidlna.conf
sed -i 's/#notify_interval=895/notify_interval=300/g' /etc/minidlna.conf
sed -i "s|#presentation_url=/|presentation_url=http://localhost:8200|g" /etc/minidlna.conf
service minidlna force-reload
service minidlna reload
sed -i 's/fs.inotify.max_user_watches*/fs.inotify.max_user_watches=65536/g' /etc/sysctl.conf
if ! grep -q "max_user_watches" $COMPLETION_FILE; then
echo 'fs.inotify.max_user_watches=65536' >> /etc/sysctl.conf
fi
/sbin/sysctl -p
echo 'install_dlna_server' >> $COMPLETION_FILE
}
function install_media_server {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $MEDIA_SERVER_DOMAIN_NAME ]; then
return
fi
# update to a new commit if needed
set_repo_commit $MEDIA_SERVER_WORKING_DIRECTORY "Media server commit" "$MEDIA_SERVER_COMMIT" $MEDIA_SERVER_REPO
if [ -d $MEDIA_SERVER_WORKING_DIRECTORY ]; then
chown -R www-data:www-data $MEDIA_SERVER_WORKING_DIRECTORY
fi
if grep -Fxq "install_media_server" $COMPLETION_FILE; then
return
fi
echo $'Installing media server'
apt-get -y install git-core python python-dev python-lxml python-pil
apt-get -y install python-virtualenv automake python-pip
apt-get -y install fcgiwrap libmysqlclient-dev
apt-get -y install libjpeg-dev zlib1g-dev libfreetype6-dev
apt-get -y install python-setuptools python-virtualenv
apt-get -y remove uwsgi uwsgi-plugin-python
pip uninstall uwsgi -y
apt-get -y install uwsgi uwsgi-plugin-python
pip install --upgrade pip
pip install paster==0.8
pip install bleach==1.4.3
pip install aniso8601==1.0.0
pip install decorator==3.3.2
pip install unidecode==0.4.19
pip install google-api-python-client==1.5.1
pip install akismet==0.2.0
pip install MySQL-python==1.2.5
pip install tw.forms==0.9.9
pip install repoze.who.plugins.sa==2.3
pip install repoze.who-friendlyform==1.0.8
pip install repoze.who==1.0.18
pip install Routes==1.12.3
pip install Genshi==0.7
pip install alembic==0.8.6
pip install SQLAlchemy==0.7.6
pip install WebHelpers==1.0
pip install Pylons==1.0.2
pip install ddt==1.1.0
pip install iso8601==0.1.11
pip install httplib2==0.9.1
pip install pyasn1==0.1.8
pip install uwsgi --upgrade
if [ -d $MEDIA_SERVER_BASE_DIRECTORY ]; then
rm -rf $MEDIA_SERVER_BASE_DIRECTORY
fi
mkdir -p $MEDIA_SERVER_BASE_DIRECTORY
install_mariadb
get_mariadb_password
repair_databases_script
get_mariadb_media_server_admin_password
if [ ! $MEDIA_SERVER_ADMIN_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
MEDIA_SERVER_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
MEDIA_SERVER_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
create_database mediadrop "$MEDIA_SERVER_ADMIN_PASSWORD" mediadropadmin
useradd -d ${MEDIA_SERVER_WORKING_DIRECTORY} -s /bin/false mediadrop
# create python environment
cd $MEDIA_SERVER_BASE_DIRECTORY
virtualenv --distribute --no-site-packages venv
source venv/bin/activate
# clone the repo
git_clone $MEDIA_SERVER_REPO $MEDIA_SERVER_WORKING_DIRECTORY
if [ ! -d $MEDIA_SERVER_WORKING_DIRECTORY ]; then
echo $'Unable to clone mediadrop'
exit 732581
fi
cd $MEDIA_SERVER_WORKING_DIRECTORY
git checkout $MEDIA_SERVER_COMMIT -b $MEDIA_SERVER_COMMIT
python setup.py develop
# create a configuration
if [ -f deployment.ini ]; then
rm deployment.ini
fi
paster make-config MediaDrop deployment.ini
if [ ! -f deployment.ini ]; then
echo $'deployment.ini not created'
exit 726567
fi
# database authentication
sed -i "s|sqlalchemy.url.*|sqlalchemy.url = mysql://mediadrop:${MEDIA_SERVER_ADMIN_PASSWORD}@localhost/mediadrop?charset=utf8&use_unicode=0|g" deployment.ini
# faster file serve
sed -i 's|files_serve_method.*|files_serve_method = nginx_redirect|g' deployment.ini
# initial data
if [ ! -d $MEDIA_SERVER_WORKING_DIRECTORY/data ]; then
echo $'No data directory found'
exit 625728
fi
cp -r $MEDIA_SERVER_WORKING_DIRECTORY/data/* $MEDIA_SERVER_WORKING_DIRECTORY
paster setup-app deployment.ini
# add uwsgi to deployment.ini
echo '' >> deployment.ini
echo '[uwsgi]' >> deployment.ini
echo 'socket = /tmp/uwsgi-mediadrop.soc' >> deployment.ini
echo 'master = true' >> deployment.ini
echo 'processes = 5' >> deployment.ini
echo "home = $MEDIA_SERVER_BASE_DIRECTORY" >> deployment.ini
echo 'daemonize = /var/log/uwsgi.log' >> deployment.ini
# enable full test search
mysql -u mediadrop --password="$MEDIA_SERVER_ADMIN_PASSWORD" mediadrop < $MEDIA_SERVER_WORKING_DIRECTORY/setup_triggers.sql
chown -R mediadrop:mediadrop $MEDIA_SERVER_BASE_DIRECTORY
# script to be called by the daemon
echo '#!/bin/bash' > /usr/bin/start-mediadrop
echo "cd ${MEDIA_SERVER_WORKING_DIRECTORY}" >> /usr/bin/start-mediadrop
echo "${MEDIA_SERVER_WORKING_DIRECTORY}/deployment-scripts/uwsgi --ini-paste ${MEDIA_SERVER_BASE_DIRECTORY}/deployment.ini" >> /usr/bin/start-mediadrop
echo "${MEDIA_SERVER_BASE_DIRECTORY}/venv/bin/paster serve --reload ${MEDIA_SERVER_BASE_DIRECTORY}/deployment.ini" >> /usr/bin/start-mediadrop
chmod +x /usr/bin/start-mediadrop
# create daemon
echo '[Unit]' > /etc/systemd/system/mediadrop.service
echo 'Description=Mediadrop - media playing on the web' >> /etc/systemd/system/mediadrop.service
echo 'After=network.target' >> /etc/systemd/system/mediadrop.service
echo '' >> /etc/systemd/system/mediadrop.service
echo '[Service]' >> /etc/systemd/system/mediadrop.service
echo 'User=mediadrop' >> /etc/systemd/system/mediadrop.service
echo "Environment='USER=mediadrop'" >> /etc/systemd/system/mediadrop.service
echo "WorkingDirectory=${MEDIA_SERVER_WORKING_DIRECTORY}" >> /etc/systemd/system/searx.service
echo 'ExecStart=/usr/bin/start-mediadrop' >> /etc/systemd/system/mediadrop.service
echo 'Restart=on-failure' >> /etc/systemd/system/mediadrop.service
echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/mediadrop.service
echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/mediadrop.service
echo '' >> /etc/systemd/system/mediadrop.service
echo '[Install]' >> /etc/systemd/system/mediadrop.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediadrop.service
systemctl enable mediadrop
systemctl daemon-reload
systemctl start mediadrop
# onion address
MEDIA_SERVER_ONION_HOSTNAME=$(add_onion_service mediadrop 80 ${MEDIA_SERVER_ONION_PORT})
if ! grep -q "Media server onion domain" $COMPLETION_FILE; then
echo "Media server onion domain:${MEDIA_SERVER_ONION_HOSTNAME}" >> $COMPLETION_FILE
else
sed -i "s|Media server onion domain.*|Media server onion domain:${MEDIA_SERVER_ONION_HOSTNAME}|g" $COMPLETION_FILE
fi
if [[ $MEDIA_SERVER_ONION_HOSTNAME == *"not found"* ]]; then
echo $'Problem creating onion address for mediadrop'
exit 72963
fi
if [[ $ONION_ONLY == 'no' ]]; then
nginx_http_redirect $MEDIA_SERVER_DOMAIN_NAME
echo 'server {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' listen 443;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " server_name $MEDIA_SERVER_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " access_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " error_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
nginx_ssl $MEDIA_SERVER_DOMAIN_NAME
nginx_disable_sniffing $MEDIA_SERVER_DOMAIN_NAME
nginx_limits $MEDIA_SERVER_DOMAIN_NAME '15m'
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/public;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location ~* ^/(appearance)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location ~* ^(/images\/media|images\/podcasts) {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location ~* ^/(styles|scripts|images)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' expires max;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' add_header Cache-Control "public";' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location /__mediacore_serve__ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " alias ${MEDIA_SERVER_WORKING_DIRECTORY}/data/media;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' internal;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' uwsgi_pass unix:///tmp/uwsgi-mediadrop.soc;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' include uwsgi_params;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " uwsgi_param SCRIPT_NAME '';" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
create_site_certificate $MEDIA_SERVER_DOMAIN_NAME
add_ddns_domain $MEDIA_SERVER_DOMAIN_NAME
else
echo -n '' > /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
fi
echo 'server {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " listen 127.0.0.1:${MEDIA_SERVER_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " server_name $MEDIA_SERVER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " access_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " error_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
nginx_disable_sniffing $MEDIA_SERVER_DOMAIN_NAME
nginx_limits $MEDIA_SERVER_DOMAIN_NAME '15m'
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/public;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location ~* ^/(appearance)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location ~* ^(/images\/media|images\/podcasts) {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location ~* ^/(styles|scripts|images)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' expires max;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' add_header Cache-Control "public";' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location /__mediacore_serve__ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " alias ${MEDIA_SERVER_WORKING_DIRECTORY}/data/media;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' internal;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' location / {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' uwsgi_pass unix:///tmp/uwsgi-mediadrop.soc;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' include uwsgi_params;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo " uwsgi_param SCRIPT_NAME '';" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME
nginx_ensite $MEDIA_SERVER_DOMAIN_NAME
systemctl restart php5-fpm
systemctl restart nginx
if ! grep -q "Media server domain" $COMPLETION_FILE; then
echo "Media server domain:$MEDIA_SERVER_DOMAIN_NAME" >> $COMPLETION_FILE
else
sed -i "s/Media server domain.*/Media server domain:$MEDIA_SERVER_DOMAIN_NAME/g" $COMPLETION_FILE
fi
if ! grep -q $"Media Server" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'Media Server' >> /home/$MY_USERNAME/README
echo '============' >> /home/$MY_USERNAME/README
echo $"Media server administrator nickname: mediadropadmin" >> /home/$MY_USERNAME/README
echo $"Media server administrator password: $MEDIA_SERVER_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_media_server' >> $COMPLETION_FILE
}
function install_mediagoblin {
if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [ ! $MEDIAGOBLIN_DOMAIN_NAME ]; then
return
fi
MEDIAGOBLIN_WORKING_DIRECTORY=/var/www/$MEDIAGOBLIN_DOMAIN_NAME/htdocs
# update to a new commit if needed
set_repo_commit $MEDIAGOBLIN_WORKING_DIRECTORY "Mediagoblin commit" "$MEDIAGOBLIN_COMMIT" $MEDIAGOBLIN_REPO
if [ -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then
chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY
fi
if grep -Fxq "install_mediagoblin" $COMPLETION_FILE; then
return
fi
apt-get -y install git-core python python-dev python-lxml python-pil
apt-get -y install python-virtualenv npm nodejs-legacy automake
apt-get -y install fcgiwrap
#apt-get -y install postgresql postgresql-client python-psycopg2
#apt-get -y install python-gst-1.0 libjpeg62-turbo-dev gstreamer1.0-plugins-base python-gobject
#apt-get -y install gstreamer1.0-plugins-good gstreamer1.0-libav libav-tools gstreamer0.10-tools
#apt-get -y install python-numpy python-scipy libsndfile1-dev python-gst0.10-dev
#apt-get -y install gstreamer0.10-plugins-base gstreamer0.10-plugins-good gstreamer1.0-tools
#su -c "createuser -A -D mediagoblin" - postgres
#su -c "createdb -E UNICODE -O mediagoblin mediagoblin" - postgres
useradd -c "GNU MediaGoblin system account" -d /var/lib/mediagoblin -m -r -g www-data mediagoblin
groupadd mediagoblin
usermod --append -G mediagoblin mediagoblin
if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then
mkdir -p $MEDIAGOBLIN_WORKING_DIRECTORY
fi
git_clone $MEDIAGOBLIN_REPO $MEDIAGOBLIN_WORKING_DIRECTORY
cd $MEDIAGOBLIN_WORKING_DIRECTORY
git checkout $MEDIAGOBLIN_COMMIT -b $MEDIAGOBLIN_COMMIT
git submodule init
git submodule update
if ! grep -q "Mediagoblin commit" $COMPLETION_FILE; then
echo "Mediagoblin commit:$MEDIAGOBLIN_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/Mediagoblin commit.*/Mediagoblin commit:$MEDIAGOBLIN_COMMIT/g" $COMPLETION_FILE
fi
chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bootstrap.sh" - mediagoblin
if [ ! "$?" = "0" ]; then
exit 278826
fi
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./configure" - mediagoblin
if [ ! "$?" = "0" ]; then
exit 462826
fi
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && make" - mediagoblin
if [ ! "$?" = "0" ]; then
exit 738229
fi
if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev ]; then
mkdir $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev
fi
chmod 750 $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install flup==1.0.3.dev-20110405" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade billiard" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Paste" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade amqp" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade anyjson" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py-bcrypt" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade wtforms" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade python-dateutil" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alembic" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade waitress" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade imagesize" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alabaster" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade snowballstemmer" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade docutils" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Pygments" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade beautifulsoup4" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade WebOb" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py" - mediagoblin
su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade execnet" - mediagoblin
# create some directories
mkdir /var/log/mediagoblin
chown -hR mediagoblin:www-data /var/log/mediagoblin
mkdir /var/run/mediagoblin
chown -hR mediagoblin:www-data /var/run/mediagoblin
if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin.ini ]; then
echo $'mediagoblin.ini not found'
exit 737529
fi
if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/paste.ini ]; then
echo $'paste.ini not found'
exit 52762
fi
cp -av mediagoblin.ini mediagoblin_local.ini
cp -av paste.ini paste_local.ini
chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY
# init with systemd
echo '[Unit]' > /etc/systemd/system/mediagoblin-celeryd.service
echo 'Description=Mediagoblin Celeryd' >> /etc/systemd/system/mediagoblin-celeryd.service
echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-celeryd.service
echo 'After=network.target' >> /etc/systemd/system/mediagoblin-celeryd.service
echo '' >> /etc/systemd/system/mediagoblin-celeryd.service
echo '[Service]' >> /etc/systemd/system/mediagoblin-celeryd.service
echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service
echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service
echo 'Type=simple' >> /etc/systemd/system/mediagoblin-celeryd.service
echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-celeryd.service
echo "Environment=MEDIAGOBLIN_CONFIG=$MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin_local.ini \\" >> /etc/systemd/system/mediagoblin-celeryd.service
echo ' CELERY_CONFIG_MODULE=mediagoblin.init.celery.from_celery' >> /etc/systemd/system/mediagoblin-celeryd.service
echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/celery worker \\" >> /etc/systemd/system/mediagoblin-celeryd.service
echo ' --logfile=/var/log/mediagoblin/celery.log \' >> /etc/systemd/system/mediagoblin-celeryd.service
echo ' --loglevel=INFO' >> /etc/systemd/system/mediagoblin-celeryd.service
echo 'PIDFile=/var/run/mediagoblin/mediagoblin-celeryd.pid' >> /etc/systemd/system/mediagoblin-celeryd.service
echo '' >> /etc/systemd/system/mediagoblin-celeryd.service
echo '[Install]' >> /etc/systemd/system/mediagoblin-celeryd.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-celeryd.service
echo '[Unit]' > /etc/systemd/system/mediagoblin-paster.service
echo 'Description=Mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service
echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-paster.service
echo 'After=network.target' >> /etc/systemd/system/mediagoblin-paster.service
echo '' >> /etc/systemd/system/mediagoblin-paster.service
echo '[Service]' >> /etc/systemd/system/mediagoblin-paster.service
echo 'Type=forking' >> /etc/systemd/system/mediagoblin-paster.service
echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service
echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service
echo 'Environment=CELERY_ALWAYS_EAGER=false' >> /etc/systemd/system/mediagoblin-paster.service
echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-paster.service
echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service
echo " $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini \\" >> /etc/systemd/system/mediagoblin-paster.service
echo ' --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service
echo ' --log-file=/var/log/mediagoblin/mediagoblin.log \' >> /etc/systemd/system/mediagoblin-paster.service
echo ' --daemon \' >> /etc/systemd/system/mediagoblin-paster.service
echo ' --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543' >> /etc/systemd/system/mediagoblin-paster.service
echo "ExecStop=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service
echo ' --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service
echo " $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini stop" >> /etc/systemd/system/mediagoblin-paster.service
echo 'PIDFile=/var/run/mediagoblin/mediagoblin.pid' >> /etc/systemd/system/mediagoblin-paster.service
echo '' >> /etc/systemd/system/mediagoblin-paster.service
echo '[Install]' >> /etc/systemd/system/mediagoblin-paster.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-paster.service
systemctl daemon-reload
systemctl enable mediagoblin-celeryd
systemctl enable mediagoblin-paster
systemctl daemon-reload
systemctl start mediagoblin-celeryd
systemctl start mediagoblin-paster
MEDIAGOBLIN_ONION_HOSTNAME=$(add_onion_service mediagoblin 80 ${MEDIAGOBLIN_ONION_PORT})
if ! grep -q "Mediagoblin onion domain" $COMPLETION_FILE; then
echo "Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}" >> $COMPLETION_FILE
else
sed -i "s|Mediagoblin onion domain.*|Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}|g" $COMPLETION_FILE
fi
if [[ $MEDIAGOBLIN_ONION_HOSTNAME == *"not found"* ]]; then
echo $'Problem creating onion address for mediagoblin'
exit 672652
fi
# web config
MEDIAGOBLIN_VIRTUAL_HOST=/etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
nginx_http_redirect $MEDIAGOBLIN_DOMAIN_NAME
if [[ $ONION_ONLY == 'no' ]]; then
echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' listen 443 ssl;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' default_type application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m'
nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME
nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " server_name $MEDIAGOBLIN_DOMAIN_NAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
else
echo -n '' > $MEDIAGOBLIN_VIRTUAL_HOST
fi
echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " listen 127.0.0.1:${MEDIAGOBLIN_ONION_PORT} default_server;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' default_type application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m'
nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " server_name $MEDIAGOBLIN_ONION_HOSTNAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST
echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST
create_site_certificate $MEDIAGOBLIN_DOMAIN_NAME
nginx_ensite $MEDIAGOBLIN_DOMAIN_NAME
systemctl restart php5-fpm
systemctl restart nginx
add_ddns_domain $MEDIAGOBLIN_DOMAIN_NAME
if ! grep -q "Mediagoblin domain" $COMPLETION_FILE; then
echo "Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME" >> $COMPLETION_FILE
else
sed -i "s/Mediagoblin domain.*/Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME/g" $COMPLETION_FILE
fi
echo 'install_mediagoblin' >> $COMPLETION_FILE
}
function create_upgrade_script {
if [ -f /usr/local/bin/${PROJECT_NAME}-upgrade ]; then
cp /usr/local/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
else
cp /usr/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
fi
if grep -Fxq "create_upgrade_script" $COMPLETION_FILE; then
return
fi
apt-get -y install unattended-upgrades
echo 'create_upgrade_script' >> $COMPLETION_FILE
}
function intrusion_detection {
if grep -Fxq "intrusion_detection" $COMPLETION_FILE; then
return
fi
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
apt-get -y install tripwire
apt-get -y autoremove
cd /etc/tripwire
cp site.key $DEFAULT_DOMAIN_NAME-site.key
echo '*** Installing intrusion detection ***'
echo '
' | tripwire --init
# make a script for easy resetting of the tripwire
echo '#!/bin/sh' > /usr/bin/reset-tripwire
echo 'tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt' >> /usr/bin/reset-tripwire
chmod +x /usr/bin/reset-tripwire
sed -i 's/SYSLOGREPORTING.*/SYSLOGREPORTING =false/g' /etc/tripwire/twcfg.txt
# only send emails if something has changed
sed -i 's|MAILNOVIOLATIONS.*|MAILNOVIOLATIONS = false|g' /etc/tripwire/twcfg.txt
sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt
sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt
# Don't show any changes to /proc
sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt
# Don't report log changes
sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt
# Ignore /etc/tripwire
if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
sed -i '\|/etc\t\t->.*|a\ !/etc/tripwire ;' /etc/tripwire/twpol.txt
fi
# ignore tt-rss cache
if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then
sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt
fi
if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
fi
# Avoid logging the changed database
sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt
# recreate the configuration
echo '
' | twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
# reset
echo '
' | reset-tripwire
echo 'intrusion_detection' >> $COMPLETION_FILE
}
# see https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
# Local Redirection and Anonymizing Middlebox
function route_outgoing_traffic_through_tor {
if grep -Fxq "route_outgoing_traffic_through_tor" $COMPLETION_FILE; then
return
fi
if [[ $ROUTE_THROUGH_TOR != "yes" ]]; then
return
fi
apt-get -y install tor tor-arm
### set variables
# Destinations you don't want routed through Tor
_non_tor="192.168.1.0/24 192.168.0.0/24"
# The user that Tor runs as
_tor_uid="debian-tor"
# Tor's TransPort
_trans_port="9040"
# Your internal interface
_int_if="eth0"
### Set iptables *nat
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
# Allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor; do
iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN
done
# Redirect all other pre-routing and output to Tor
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/8; do
iptables -A OUTPUT -d $_clearnet -j ACCEPT
done
# Allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
save_firewall_settings
if ! grep -q "fs.file-max" /etc/sysctl.conf; then
echo "fs.file-max=100000" >> /etc/sysctl.conf
/sbin/sysctl -p
fi
echo 'domain localdomain' > /etc/resolv.conf
echo 'search localdomain' >> /etc/resolv.conf
echo 'nameserver 127.0.0.1' >> /etc/resolv.conf
if ! grep -q "VirtualAddrNetworkIPv4" /etc/tor/torrc; then
echo 'VirtualAddrNetworkIPv4 10.192.0.0/10' >> /etc/tor/torrc
fi
if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then
echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
fi
if ! grep -q "TransPort" /etc/tor/torrc; then
echo 'TransPort 9040' >> /etc/tor/torrc
fi
if ! grep -q "TransListenAddress 127.0.0.1" /etc/tor/torrc; then
echo 'TransListenAddress 127.0.0.1' >> /etc/tor/torrc
fi
if ! grep -q "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then
echo "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc
fi
if ! grep -q "DNSPort" /etc/tor/torrc; then
echo 'DNSPort 53' >> /etc/tor/torrc
fi
if ! grep -q "DNSListenAddress 127.0.0.1" /etc/tor/torrc; then
echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc
fi
if ! grep -q "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then
echo "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc
fi
echo 'route_outgoing_traffic_through_tor' >> $COMPLETION_FILE
}
# A command to create a git repository for a project
function create_git_project {
if grep -Fxq "create_git_project" $COMPLETION_FILE; then
return
fi
apt-get -y install git
echo '#!/bin/bash' > /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'GIT_PROJECT_NAME=$1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'if [ ! $GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo ' echo "Please specify a project name, without any spaces"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo ' exit 1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'if [ ! -d /home/$USER/projects/$GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo ' mkdir -p /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'cd /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'git init --bare' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo -n 'echo "Your project has been created, ' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'use the following command to clone the repository"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo -n " git clone ssh://$MY_USERNAME@$DEFAULT_DOMAIN_NAME:$SSH_PORT" >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo '/home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'exit 0' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
chmod +x /usr/bin/$CREATE_GIT_PROJECT_COMMAND
echo 'create_git_project' >> $COMPLETION_FILE
}
function check_date {
curr_date=$(date)
if [[ $curr_date == *"1970"* ]]; then
apt-get -y install ntp
fi
}
function install_dynamicdns {
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
# update to the next commit
set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
if grep -Fxq "install_dynamicdns" $COMPLETION_FILE; then
return
fi
# Here we compile from source because the current package
# doesn't support https, which could result in passwords
# being leaked
# Debian version 1.99.4-1
# https version 1.99.8
apt-get -y install build-essential curl libgnutls28-dev automake1.11
if [ ! -d $INSTALL_DIR/inadyn ]; then
git_clone $INADYN_REPO $INSTALL_DIR/inadyn
fi
if [ ! -d $INSTALL_DIR/inadyn ]; then
echo 'inadyn repo not cloned'
echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs
exit 6785
fi
cd $INSTALL_DIR/inadyn
git checkout $INADYN_COMMIT -b $INADYN_COMMIT
if ! grep -q "inadyn commit" $COMPLETION_FILE; then
echo "inadyn commit:$INADYN_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/inadyn commit.*/inadyn commit:$INADYN_COMMIT/g" $COMPLETION_FILE
fi
./configure
if [ ! "$?" = "0" ]; then
exit 74890
fi
USE_OPENSSL=1 make
if [ ! "$?" = "0" ]; then
exit 74858
fi
make install
if [ ! "$?" = "0" ]; then
exit 3785
fi
# create an unprivileged user
#useradd -r -s /bin/false debian-inadyn
# create a configuration file
echo 'background' > /etc/inadyn.conf
echo 'verbose 1' >> /etc/inadyn.conf
echo 'period 300' >> /etc/inadyn.conf
echo 'startup-delay 60' >> /etc/inadyn.conf
echo 'cache-dir /run/inadyn' >> /etc/inadyn.conf
echo 'logfile /dev/null' >> /etc/inadyn.conf
chmod 600 /etc/inadyn.conf
echo '[Unit]' > /etc/systemd/system/inadyn.service
echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service
echo 'After=network.target' >> /etc/systemd/system/inadyn.service
echo '' >> /etc/systemd/system/inadyn.service
echo '[Service]' >> /etc/systemd/system/inadyn.service
echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service
echo 'Restart=always' >> /etc/systemd/system/inadyn.service
echo 'Type=forking' >> /etc/systemd/system/inadyn.service
echo '' >> /etc/systemd/system/inadyn.service
echo '[Install]' >> /etc/systemd/system/inadyn.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service
systemctl enable inadyn
systemctl start inadyn
systemctl daemon-reload
echo 'install_dynamicdns' >> $COMPLETION_FILE
}
function get_voip_server_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "VoIP server password" /home/$MY_USERNAME/README; then
if [ ! $VOIP_SERVER_PASSWORD ]; then
VOIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "VoIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
fi
}
function get_sip_server_password {
if [ -f /home/$MY_USERNAME/README ]; then
if grep -q "SIP server password" /home/$MY_USERNAME/README; then
if [ ! $SIP_SERVER_PASSWORD ]; then
SIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "SIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//')
fi
fi
fi
}
function install_ipfs {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
return
fi
select_go_version
# update to the next commit
set_repo_commit $GOPATH/src/github.com/ipfs/go-ipfs "ipfs commit" "$IPFS_COMMIT" $IPFS_REPO
if grep -Fxq "install_ipfs" $COMPLETION_FILE; then
return
fi
apt-get -y install golang libpam0g-dev fuse
if [ ! -d /home/git ]; then
# add a gogs user account
adduser --disabled-login --gecos 'Gogs' git
# install Go
if ! grep -q "export GOPATH=" ~/.bashrc; then
echo "export GOPATH=$GOPATH" >> ~/.bashrc
else
sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc
fi
systemctl set-environment GOPATH=$GOPATH
if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
else
sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc
fi
if [ ! -d $GOPATH ]; then
mkdir -p $GOPATH
fi
fi
IPFS_PATH=$GOPATH/bin
export PATH="$GOPATH/bin:$PATH:"
if ! grep -q 'GOPATH/bin' ~/.bashrc; then
echo 'export PATH="$GOPATH/bin:$PATH:";' >> ~/.bashrc
else
sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc
fi
# set gopath for the user
if ! grep -q "GOPATH=" /home/$MY_USERNAME/.bashrc; then
echo "export GOPATH=$GOPATH" >> /home/$MY_USERNAME/.bashrc
echo 'export PATH="$GOPATH/bin:$PATH:";' >> /home/$MY_USERNAME/.bashrc
else
sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" /home/$MY_USERNAME/.bashrc
fi
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.bashrc
IPFS_GO_REPO2=$(echo "$IPFS_GO_REPO" | sed 's|https://||g')
go get -u ${IPFS_GO_REPO2}/cmd/ipfs
if [ ! "$?" = "0" ]; then
exit 8242
fi
cd $GOPATH/src/$IPFS_GO_REPO2
git checkout $IPFS_COMMIT -b $IPFS_COMMIT
if ! grep -q "ipfs commit" $COMPLETION_FILE; then
echo "ipfs commit:$IPFS_COMMIT" >> $COMPLETION_FILE
else
sed -i "s/ipfs commit.*/ipfs commit:$IPFS_COMMIT/g" $COMPLETION_FILE
fi
# initialise
su -c "$IPFS_PATH/ipfs init -b 4096" - $MY_USERNAME
if [ ! -d /home/$MY_USERNAME/.ipfs ]; then
echo "IPFS could not be initialised for user $MY_USERNAME"
exit 7358
fi
# directories to mount to
if [ ! -d /ipfs ]; then
mkdir /ipfs
mkdir /ipns
chown $MY_USERNAME:$MY_USERNAME /ipfs
chown $MY_USERNAME:$MY_USERNAME /ipns
fi
if [ -f /etc/fuse.conf ]; then
chown $MY_USERNAME:$MY_USERNAME /etc/fuse.conf
fi
if [ -f /dev/fuse ]; then
chown $MY_USERNAME:$MY_USERNAME /dev/fuse
fi
echo '[Unit]' > /etc/systemd/system/ipfs.service
echo 'Description=IPFS daemon' >> /etc/systemd/system/ipfs.service
echo 'After=syslog.target' >> /etc/systemd/system/ipfs.service
echo 'After=network.target' >> /etc/systemd/system/ipfs.service
echo '' >> /etc/systemd/system/ipfs.service
echo '[Service]' >> /etc/systemd/system/ipfs.service
echo 'Type=simple' >> /etc/systemd/system/ipfs.service
echo "User=$MY_USERNAME" >> /etc/systemd/system/ipfs.service
echo "Group=$MY_USERNAME" >> /etc/systemd/system/ipfs.service
echo "WorkingDirectory=/home/$MY_USERNAME" >> /etc/systemd/system/ipfs.service
echo "ExecStart=$IPFS_PATH/ipfs daemon --mount" >> /etc/systemd/system/ipfs.service
echo 'Restart=on-failure' >> /etc/systemd/system/ipfs.service
echo "Environment=\"USER=$MY_USERNAME\" \"HOME=/home/$MY_USERNAME\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/ipfs.service
echo '' >> /etc/systemd/system/ipfs.service
echo '[Install]' >> /etc/systemd/system/ipfs.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ipfs.service
systemctl enable ipfs
systemctl daemon-reload
systemctl restart ipfs
if [ -d /etc/avahi ]; then
su -c "echo $($IPFS_PATH/ipfs id | grep '\"ID\":' | awk -F '\"' '{print $4}') > /tmp/ipfsid" - $MY_USERNAME
if [ ! -f /tmp/ipfsid ]; then
echo 'No IPFS identity was created'
exit 37895
fi
IPFS_PEER_ID=$(cat /tmp/ipfsid)
if [ ${#IPFS_PEER_ID} -lt 10 ]; then
echo 'Invalid IPFS peer ID'
echo "$IPFS_PEER_ID"
exit 74782
fi
# Add an avahi service
echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /etc/avahi/services/ipfs.service
echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /etc/avahi/services/ipfs.service
echo '<service-group>' >> /etc/avahi/services/ipfs.service
echo ' <name replace-wildcards="yes">%h IPFS</name>' >> /etc/avahi/services/ipfs.service
echo ' <service>' >> /etc/avahi/services/ipfs.service
echo ' <type>_ipfs._tcp</type>' >> /etc/avahi/services/ipfs.service
echo " <port>$IPFS_PORT</port>" >> /etc/avahi/services/ipfs.service
echo " <txt-record>$IPFS_PEER_ID</txt-record>" >> /etc/avahi/services/ipfs.service
echo ' </service>' >> /etc/avahi/services/ipfs.service
echo '</service-group>' >> /etc/avahi/services/ipfs.service
rm /tmp/ipfsid
fi
echo 'install_ipfs' >> $COMPLETION_FILE
}
function install_voip {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
if grep -Fxq "install_voip" $COMPLETION_FILE; then
return
fi
apt-get -y install mumble-server
get_voip_server_password
if [ ! $VOIP_SERVER_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
VOIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
VOIP_SERVER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
if [ ${#VOIP_SERVER_PASSWORD} -lt $MINIMUM_PASSWORD_LENGTH ]; then
VOIP_SERVER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
fi
# Make an ssl cert for the server
if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then
${PROJECT_NAME}-addcert -h mumble --dhkey $DH_KEYLENGTH
check_certificates mumble
fi
# Check that the cert was created
if [ ! -f /etc/ssl/certs/mumble.crt ]; then
echo $'VoIP server certificate not created'
exit 57892
fi
if [ ! -f /etc/ssl/private/mumble.key ]; then
echo $'VoIP server key not created'
exit 57893
fi
if [ ! -d /var/lib/mumble-server ]; then
mkdir /var/lib/mumble-server
fi
cp /etc/ssl/certs/mumble.* /var/lib/mumble-server
cp /etc/ssl/private/mumble.key /var/lib/mumble-server
chown -R mumble-server:mumble-server /var/lib/mumble-server
sed -i "s|welcometext=.*|welcometext=\"<br />Welcome to $DEFAULT_DOMAIN_NAME <b>VoIP</b>.<br />Chat freely!<br />\"|g" /etc/mumble-server.ini
if [[ $VOIP_SERVER_PASSWORD && $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
sed -i "s|serverpassword=.*|serverpassword=$VOIP_SERVER_PASSWORD|g" /etc/mumble-server.ini
fi
sed -i 's|#autobanAttempts.*|autobanAttempts = 10|g' /etc/mumble-server.ini
sed -i 's|#autobanTimeframe.*|autobanTimeframe = 120|g' /etc/mumble-server.ini
sed -i 's|#autobanTime.*|autobanTime = 300|g' /etc/mumble-server.ini
sed -i 's|#sendversion=.*|sendversion=False|g' /etc/mumble-server.ini
sed -i 's|sendversion=.*|sendversion=False|g' /etc/mumble-server.ini
if ! grep -q "allowping" /etc/mumble-server.ini; then
echo 'allowping=False' >> /etc/mumble-server.ini
fi
sed -i 's|allowping=.*|allowping=False|g' /etc/mumble-server.ini
sed -i 's|#sslCert=.*|sslCert=/var/lib/mumble-server/mumble.crt|g' /etc/mumble-server.ini
sed -i 's|#sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini
sed -i 's|#certrequired=.*|certrequired=True|g' /etc/mumble-server.ini
sed -i 's|users=100|users=10|g' /etc/mumble-server.ini
sed -i 's|#channelnestinglimit=10|channelnestinglimit=10|g' /etc/mumble-server.ini
sed -i 's|#textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini
sed -i 's|textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini
sed -i 's|#imagemessagelength=.*|imagemessagelength=131072|g' /etc/mumble-server.ini
sed -i 's|#allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini
sed -i 's|allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini
sed -i "s|port=.*|port=${VOIP_PORT}|g" /etc/mumble-server.ini
VOIP_ONION_HOSTNAME=$(add_onion_service voip ${VOIP_PORT} ${VOIP_PORT})
if ! grep -q $"VoIP onion domain" $COMPLETION_FILE; then
echo "VoIP onion domain:$VOIP_ONION_HOSTNAME" >> $COMPLETION_FILE
fi
systemctl restart mumble-server
if ! grep -q $"VoIP Server" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'VoIP Server' >> /home/$MY_USERNAME/README
echo '===========' >> /home/$MY_USERNAME/README
echo $"VoIP onion domain:$VOIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
echo $'VoIP server username: mumble-server' >> /home/$MY_USERNAME/README
if [[ $SYSTEM_TYPE != "VARIANT_MESH" ]]; then
echo $"VoIP server password: $VOIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README
fi
echo '' >> /home/$MY_USERNAME/README
echo $'To connect to the VoIP server use your username and the server password shown above.' >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_voip' >> $COMPLETION_FILE
}
function update_sipwitch_daemon {
if [ ! -f /etc/init.d/sipwitch ]; then
return
fi
service sipwitch stop
# remove the original sipwitch daemon if it exists
if [ -f /etc/init.d/sipwitch ]; then
rm -f /etc/init.d/sipwitch
fi
# daemon
echo '[Unit]' > /etc/systemd/system/sipwitch.service
echo 'Description=GNU SIP Witch, a SIP telephony service daemon.' >> /etc/systemd/system/sipwitch.service
echo 'After=network.target' >> /etc/systemd/system/sipwitch.service
echo '' >> /etc/systemd/system/sipwitch.service
echo '[Service]' >> /etc/systemd/system/sipwitch.service
echo 'Type=simple' >> /etc/systemd/system/sipwitch.service
echo 'Group=sipwitch' >> /etc/systemd/system/sipwitch.service
echo 'PIDFile=/var/run/sipwitch/pidfile' >> /etc/systemd/system/sipwitch.service
echo 'EnvironmentFile=-/etc/conf.d/sipwitch' >> /etc/systemd/system/sipwitch.service
echo 'EnvironmentFile=-/etc/sipwitch.conf' >> /etc/systemd/system/sipwitch.service
echo 'EnvironmentFile=-/etc/default/sipwitch' >> /etc/systemd/system/sipwitch.service
echo 'ExecStartPre=-/bin/rm -f /var/run/sipwitch/control' >> /etc/systemd/system/sipwitch.service
echo "ExecStart=/usr/sbin/sipw -f \$OPTIONS -P$SIP_PORT" >> /etc/systemd/system/sipwitch.service
echo 'Restart=always' >> /etc/systemd/system/sipwitch.service
echo 'NotifyAccess=main' >> /etc/systemd/system/sipwitch.service
echo '' >> /etc/systemd/system/sipwitch.service
echo '[Install]' >> /etc/systemd/system/sipwitch.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/sipwitch.service
systemctl enable sipwitch
systemctl daemon-reload
systemctl start sipwitch
}
function install_sip {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
if grep -Fxq "install_sip" $COMPLETION_FILE; then
return
fi
apt-get -y install sipwitch
get_sip_server_password
if [ ! $SIP_SERVER_PASSWORD ]; then
if [ -f $IMAGE_PASSWORD_FILE ]; then
SIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
else
SIP_SERVER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
fi
fi
echo '<?xml version="1.0"?>' > /etc/sipwitch.conf
echo '<sipwitch>' >> /etc/sipwitch.conf
echo '<provision>' >> /etc/sipwitch.conf
echo "<user id=\"$MY_USERNAME\">" >> /etc/sipwitch.conf
echo '<extension>201</extension>' >> /etc/sipwitch.conf
echo "<secret>$SIP_SERVER_PASSWORD</secret>" >> /etc/sipwitch.conf
echo "<display>$MY_USERNAME 201</display>" >> /etc/sipwitch.conf
echo '</user>' >> /etc/sipwitch.conf
echo '</provision>' >> /etc/sipwitch.conf
echo '<access>' >> /etc/sipwitch.conf
echo '</access>' >> /etc/sipwitch.conf
echo '<stack>' >> /etc/sipwitch.conf
echo " <localnames>$DEFAULT_DOMAIN_NAME</localnames>" >> /etc/sipwitch.conf
echo ' <mapped>200</mapped>' >> /etc/sipwitch.conf
echo ' <threading>2</threading>' >> /etc/sipwitch.conf
echo ' <interface>*</interface>' >> /etc/sipwitch.conf
echo ' <dumping>false</dumping>' >> /etc/sipwitch.conf
echo ' <system>system</system>' >> /etc/sipwitch.conf
echo ' <anon>anonymous</anon>' >> /etc/sipwitch.conf
echo '</stack>' >> /etc/sipwitch.conf
echo '<timers>' >> /etc/sipwitch.conf
echo ' <!-- ring every 4 seconds -->' >> /etc/sipwitch.conf
echo ' <ring>4</ring>' >> /etc/sipwitch.conf
echo ' <!-- call forward no answer after x rings -->' >> /etc/sipwitch.conf
echo ' <cfna>4</cfna>' >> /etc/sipwitch.conf
echo ' <!-- call reset to clear cid in stack, 6 seconds -->' >> /etc/sipwitch.conf
echo ' <reset>6</reset>' >> /etc/sipwitch.conf
echo '</timers>' >> /etc/sipwitch.conf
echo '<!-- we have 2xx numbers plus space for external users -->' >> /etc/sipwitch.conf
echo '<registry>' >> /etc/sipwitch.conf
echo ' <prefix>200</prefix>' >> /etc/sipwitch.conf
echo ' <range>100</range>' >> /etc/sipwitch.conf
echo ' <keysize>77</keysize>' >> /etc/sipwitch.conf
echo ' <mapped>200</mapped>' >> /etc/sipwitch.conf
echo ' <!-- <realm>GNU Telephony</realm> -->' >> /etc/sipwitch.conf
echo '</registry>' >> /etc/sipwitch.conf
echo '<routing>' >> /etc/sipwitch.conf
echo '</routing>' >> /etc/sipwitch.conf
echo '</sipwitch>' >> /etc/sipwitch.conf
sed -i 's|#PLUGINS=|PLUGINS=|g' /etc/default/sipwitch
sed -i 's|PLUGINS=.*|PLUGINS="zeroconf subscriber forward"|g' /etc/default/sipwitch
groupadd sipwitch
usermod -aG sipwitch $MY_USERNAME
SIP_ONION_HOSTNAME=$(add_onion_service sip ${SIP_PORT} ${SIP_PORT})
if ! grep -q $"SIP onion domain" $COMPLETION_FILE; then
echo "SIP onion domain:$SIP_ONION_HOSTNAME" >> $COMPLETION_FILE
fi
if ! grep -q $"SIP Server" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'SIP Server' >> /home/$MY_USERNAME/README
echo '==========' >> /home/$MY_USERNAME/README
echo $"SIP onion_domain: $SIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
echo $"SIP server username: $MY_USERNAME" >> /home/$MY_USERNAME/README
echo $"SIP server extension: 201" >> /home/$MY_USERNAME/README
echo $"SIP server password: $SIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
echo 'install_sip' >> $COMPLETION_FILE
}
function install_sip_turn {
if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
return
fi
if grep -Fxq "install_sip_turn" $COMPLETION_FILE; then
return
fi
apt-get -y install turnserver
# create a nonce if needed
if [ ! $VOIP_TURN_NONCE ]; then
VOIP_TURN_NONCE="$(openssl rand -base64 32 | cut -c1-30)"
fi
create_site_certificate $DEFAULT_DOMAIN_NAME
echo '##' > /etc/turnserver/turnserver.conf
echo '# TurnServer configuration file.' >> /etc/turnserver/turnserver.conf
echo '#' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Public IPv4 address of any relayed address (if not set, no relay for IPv4).' >> /etc/turnserver/turnserver.conf
echo '## To have multiple address, separate addresses with a comma' >> /etc/turnserver/turnserver.conf
echo '## (i.e. listen_address = { "172.16.0.1", "172.17.0.1" }).' >> /etc/turnserver/turnserver.conf
echo "listen_address = { \"192.168.0.1\" }" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Public IPv6 address of any relayed address (if not set, no relay for IPv6).' >> /etc/turnserver/turnserver.conf
echo '## To have multiple address, separate address with a comma' >> /etc/turnserver/turnserver.conf
echo '## (i.e. listen_addressv6 = { "2001:db8:1::1", "2001:db8:2::1" }).' >> /etc/turnserver/turnserver.conf
echo "#listen_addressv6 = { \"2001:db8::1\" }" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## UDP listening port.' >> /etc/turnserver/turnserver.conf
echo "udp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## TCP listening port.' >> /etc/turnserver/turnserver.conf
echo "tcp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## TLS listening port.' >> /etc/turnserver/turnserver.conf
echo "tls_port = $VOIP_TURN_TLS_PORT" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## TLS support.' >> /etc/turnserver/turnserver.conf
echo 'tls = true' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## DTLS support. It is an experimental feature and is not defined in TURN' >> /etc/turnserver/turnserver.conf
echo '## standard.' >> /etc/turnserver/turnserver.conf
echo 'dtls = false' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Maximum allocation port number.' >> /etc/turnserver/turnserver.conf
echo 'max_port = 65535' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Minimum allocation port number.' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo 'min_port = 49152' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## TURN-TCP support.' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo 'turn_tcp = true' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## TURN-TCP buffering mode:' >> /etc/turnserver/turnserver.conf
echo '## - true, use userspace buffering;' >> /etc/turnserver/turnserver.conf
echo '## - false, use kernel buffering.' >> /etc/turnserver/turnserver.conf
echo 'tcp_buffer_userspace = true' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## TURN-TCP maximum buffer size.' >> /etc/turnserver/turnserver.conf
echo 'tcp_buffer_size = 32768' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Daemon mode.' >> /etc/turnserver/turnserver.conf
echo 'daemon = true' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Unprivileged user.' >> /etc/turnserver/turnserver.conf
echo '## If you want to use this feature create a system user.' >> /etc/turnserver/turnserver.conf
echo '## On Linux: adduser --system --group turnserver' >> /etc/turnserver/turnserver.conf
echo 'unpriv_user = turnserver' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Realm value.' >> /etc/turnserver/turnserver.conf
echo "realm = \"$DEFAULT_DOMAIN_NAME\"" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Nonce key.' >> /etc/turnserver/turnserver.conf
echo "nonce_key = \"$VOIP_TURN_NONCE\"" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Max relay per username.' >> /etc/turnserver/turnserver.conf
echo 'max_relay_per_username = 5' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Allocation lifetime.' >> /etc/turnserver/turnserver.conf
echo 'allocation_lifetime = 1800' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Allocation bandwidth limitation (in KBytes/s).' >> /etc/turnserver/turnserver.conf
echo '## 0 value means bandwidth quota disabled.' >> /etc/turnserver/turnserver.conf
echo 'bandwidth_per_allocation = 150' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Restricted user bandwidth (in KBytes/s).' >> /etc/turnserver/turnserver.conf
echo '## 0 value means bandwidth limitation disabled.' >> /etc/turnserver/turnserver.conf
echo 'restricted_bandwidth = 10' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Denied addresses.' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '# disallow relaying to localhost' >> /etc/turnserver/turnserver.conf
echo 'denied_address {' >> /etc/turnserver/turnserver.conf
echo ' address = "127.0.0.1"' >> /etc/turnserver/turnserver.conf
echo ' mask = "8"' >> /etc/turnserver/turnserver.conf
echo ' port = 0' >> /etc/turnserver/turnserver.conf
echo '}' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '# disallow relaying to ip6-localhost' >> /etc/turnserver/turnserver.conf
echo 'denied_address {' >> /etc/turnserver/turnserver.conf
echo ' address = "::1"' >> /etc/turnserver/turnserver.conf
echo ' mask = "128"' >> /etc/turnserver/turnserver.conf
echo ' port = 0' >> /etc/turnserver/turnserver.conf
echo '}' >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Certification Authority file.' >> /etc/turnserver/turnserver.conf
echo "ca_file = \"/etc/ssl/certs/ca-certificates.crt\"" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Server certificate file.' >> /etc/turnserver/turnserver.conf
if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem ]; then
echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem\"" >> /etc/turnserver/turnserver.conf
else
if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt ]; then
echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt\"" >> /etc/turnserver/turnserver.conf
fi
fi
echo '' >> /etc/turnserver/turnserver.conf
echo '## Private key file.' >> /etc/turnserver/turnserver.conf
echo "private_key_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.key\"" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Account method.' >> /etc/turnserver/turnserver.conf
echo "account_method = \"file\"" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## Account file (if account_method = file).' >> /etc/turnserver/turnserver.conf
echo "account_file = \"/etc/turnserver/turnusers.txt\"" >> /etc/turnserver/turnserver.conf
echo '' >> /etc/turnserver/turnserver.conf
echo '## mod_tmpuser.' >> /etc/turnserver/turnserver.conf
echo 'mod_tmpuser = false' >> /etc/turnserver/turnserver.conf
echo "${MY_USERNAME}:password:${DEFAULT_DOMAIN_NAME}:authorized" > /etc/turnserver/turnusers.txt
systemctl restart turnserver
echo 'install_sip_turn' >> $COMPLETION_FILE
}
function install_final {
if grep -Fxq "install_final" $COMPLETION_FILE; then
return
fi
# unmount any attached usb drive
if [ -d $USB_MOUNT ]; then
umount $USB_MOUNT
rm -rf $USB_MOUNT
fi
split_gpg_key_into_fragments
echo 'install_final' >> $COMPLETION_FILE
clear
echo ''
echo $"
*** ${PROJECT_NAME} installation is complete. Rebooting... ***
Now forward these ports from your internet router
HTTP 80
HTTPS 443
SSH 2222
DLNA 1900
DLNA 8200
XMPP 5222-5223
XMPP 5269
XMPP 5280-5281
IRC 6697
Git 9418
Email 25
Email 587
Email 465
Email 993
VoIP 64738
VoIP 5060
Tox 33445
"
if [ -f "/home/$MY_USERNAME/README" ]; then
echo $"See /home/$MY_USERNAME/README for post-installation instructions."
echo ''
fi
# add user menu on ssh login
if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then
echo 'control' >> /home/$MY_USERNAME/.bashrc
fi
if [ ! -f $IMAGE_PASSWORD_FILE ]; then
reboot
fi
}
read_configuration
set_default_onion_domains
locale_setup
parse_args
check_domains
install_not_on_BBB
remove_default_user
configure_firewall
configure_firewall_ping
configure_firewall_for_ssh
configure_firewall_for_dns
configure_firewall_for_ftp
configure_firewall_for_web_access
configure_firewall_for_voip
configure_firewall_for_voip_turn
configure_firewall_for_sip4
configure_firewall_for_avahi
configure_firewall_for_zeronet
configure_firewall_for_ipfs
create_repo_sources
configure_dns
initial_setup
install_tor
#resolve_dns_via_tor
install_command_line_browser
enable_ssh_via_onion
check_date
install_dynamicdns
randomize_cron
create_freedns_updater
mark_admin_user_account
enforce_good_passwords
install_editor
change_login_message
enable_zram
random_number_generator
set_your_domain_name
time_synchronisation
configure_internet_protocol
create_git_project
setup_wifi
configure_ssh
configure_ssh_onion
allow_ssh_to_onion_address
remove_instructions_from_motd
check_hwrng
search_for_attached_usb_drive
regenerate_ssh_keys
create_mirrors
create_upgrade_script
letsencrypt_renewals
install_zeronet
install_watchdog_script
configure_avahi
create_avahi_onion_domains
install_zeronet_blog
install_zeronet_mail
install_zeronet_forum
#install_atheros_wifi
configure_firewall_for_cjdns
mesh_cjdns
mesh_cjdns_tools
configure_firewall_for_batman
mesh_batman
configure_firewall_for_babel
mesh_babel
route_outgoing_traffic_through_tor
configure_email
create_procmail
handle_admin_emails
spam_filtering
configure_imap
#configure_imap_client_certs
configure_gpg
refresh_gpg_keys
configure_backup_key
install_monkeysphere
encrypt_incoming_email
encrypt_outgoing_email
email_client
email_archiving
email_from_address
configure_firewall_for_email
create_public_mailing_list
#create_private_mailing_list
encrypt_all_email
import_email
script_for_attaching_usb_drive
install_web_server
install_web_server_access_control
configure_firewall_for_web_server
configure_firewall_for_syncthing
install_syncthing
upgrade_golang
install_gogs
install_xmpp
install_xmpp_client
install_tox_node
install_tox_client
tox_avahi
configure_firewall_for_xmpp
install_irc_server
configure_firewall_for_irc
install_irc_client
install_voip
install_sip
update_sipwitch_daemon
install_wiki
install_sip_turn
install_blog
mark_blog_domain
install_gnu_social
expire_gnu_social_posts
install_gnu_social_theme
install_gnu_social_markdown
install_gnu_social_plugin_sharings
install_gnu_social_plugin_sharings_theme
install_rss_reader
install_rss_reader_gnusocial
install_rss_mobile_reader
install_hubzilla
#install_webmail
#install_search_engine
install_dlna_server
configure_firewall_for_dlna
#install_media_server
#install_mediagoblin
#install_ipfs
repair_databases_script
backup_to_friends_servers
intrusion_detection
install_final
echo "${PROJECT_NAME} installation is complete"
exit 0
Reference in New Issue View Git Blame Copy Permalink