867 lines
34 KiB
Bash
Executable File
867 lines
34 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# .---. . .
|
|
# | | |
|
|
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
|
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
|
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
|
#
|
|
# Freedom in the Cloud
|
|
#
|
|
# SKS Keyserver
|
|
#
|
|
# License
|
|
# =======
|
|
#
|
|
# Copyright (C) 2017 Bob Mottram <bob@freedombone.net>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
VARIANTS='full full-vim'
|
|
|
|
IN_DEFAULT_INSTALL=0
|
|
SHOW_ON_ABOUT=1
|
|
|
|
KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"
|
|
KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'
|
|
KEYSERVER_PORT=11371
|
|
KEYSERVER_ONION_PORT=8122
|
|
KEYSERVER_DOMAIN_NAME=
|
|
KEYSERVER_CODE=
|
|
|
|
keyserver_variables=(ONION_ONLY
|
|
MY_USERNAME
|
|
DEFAULT_DOMAIN_NAME
|
|
KEYSERVER_DOMAIN_NAME
|
|
KEYSERVER_CODE)
|
|
|
|
function check_keyserver_directory_size {
|
|
dirsize=$(du /var/lib/sks/DB | awk -F ' ' '{print $1}')
|
|
# 500M
|
|
if [ $dirsize -gt 500000 ]; then
|
|
echo "1"
|
|
return
|
|
fi
|
|
echo "0"
|
|
}
|
|
|
|
function keyserver_watchdog {
|
|
ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
|
|
ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
|
|
keyserver_size_warning=$"The SKS keyserver database is getting large. Check that you aren't being spammed"
|
|
keyserver_disabled_warning=$"The SKS keyserver has been disabled because it is getting too large. This is to prevent flooding attacks from crashing the server. You may need to restore the keyserver from backup."
|
|
keyserver_mail_subject_line=$"${PROJECT_NAME} keyserver warning"
|
|
keyserver_mail_subject_line_disabled=$"${PROJECT_NAME} keyserver disabled"
|
|
read_config_param KEYSERVER_DOMAIN_NAME
|
|
|
|
# check database size hourly
|
|
keyserver_watchdog_script=/tmp/keyserver-watchdog
|
|
echo '#!/bin/bash' > $keyserver_watchdog_script
|
|
echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script
|
|
echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script
|
|
|
|
echo " echo \"$keyserver_size_warning\" | mail -s \"$keyserver_mail_subject_line\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
|
|
|
|
echo ' if [ $dirsize -gt 500000 ]; then' >> $keyserver_watchdog_script
|
|
echo " nginx_dissite $KEYSERVER_DOMAIN_NAME" >> $keyserver_watchdog_script
|
|
echo ' systemctl stop sks' >> $keyserver_watchdog_script
|
|
echo ' systemctl disable sks' >> $keyserver_watchdog_script
|
|
echo " echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
|
|
echo ' fi' >> $keyserver_watchdog_script
|
|
echo 'fi' >> $keyserver_watchdog_script
|
|
chmod +x $keyserver_watchdog_script
|
|
|
|
if [ ! -f /etc/cron.hourly/keyserver-watchdog ]; then
|
|
cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog
|
|
else
|
|
HASH1=$(sha256sum $keyserver_watchdog_script | awk -F ' ' '{print $1}')
|
|
HASH2=$(sha256sum /etc/cron.hourly/keyserver-watchdog | awk -F ' ' '{print $1}')
|
|
if [[ "$HASH1" != "$HASH2" ]]; then
|
|
cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog
|
|
fi
|
|
fi
|
|
rm $keyserver_watchdog_script
|
|
}
|
|
|
|
|
|
function configure_firewall_for_keyserver {
|
|
if [[ $ONION_ONLY != "no" ]]; then
|
|
return
|
|
fi
|
|
firewall_add keyserver 11370 tcp
|
|
firewall_add keyserver 11371 tcp
|
|
firewall_add keyserver 11372 tcp
|
|
mark_completed $FUNCNAME
|
|
}
|
|
|
|
function keyserver_reset_database {
|
|
if [ -d /var/lib/sks/DB ]; then
|
|
rm -rf /var/lib/sks/DB
|
|
fi
|
|
sks build
|
|
chown -Rc debian-sks: /var/lib/sks
|
|
systemctl restart sks
|
|
}
|
|
|
|
function logging_on_keyserver {
|
|
echo -n ''
|
|
}
|
|
|
|
function logging_off_keyserver {
|
|
echo -n ''
|
|
}
|
|
|
|
function reconfigure_keyserver {
|
|
echo -n ''
|
|
}
|
|
|
|
function upgrade_keyserver {
|
|
keyserver_watchdog
|
|
|
|
CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
|
|
if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
|
|
return
|
|
fi
|
|
|
|
if grep -q "keyserver domain" $COMPLETION_FILE; then
|
|
KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")
|
|
fi
|
|
|
|
# update to the next commit
|
|
function_check set_repo_commit
|
|
set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO
|
|
|
|
read_config_param MY_USERNAME
|
|
USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
|
|
GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
|
|
if [ ! $GPG_ID ]; then
|
|
echo $'No GPG ID for admin user'
|
|
exit 846336
|
|
fi
|
|
if [ ${#GPG_ID} -lt 5 ]; then
|
|
echo $'GPG ID not retrieved for admin user'
|
|
exit 835292
|
|
fi
|
|
if [[ "$GPG_ID" == *"error"* ]]; then
|
|
echo $'GPG ID not retrieved for admin user due to error'
|
|
exit 74825
|
|
fi
|
|
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
|
|
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
|
|
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
|
|
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
|
|
|
|
chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
|
|
}
|
|
|
|
function backup_local_keyserver {
|
|
# remove any unused log files
|
|
cd /var/lib/sks/DB
|
|
db_archive -d
|
|
|
|
source_directory=/etc/sks
|
|
if [ -d $source_directory ]; then
|
|
systemctl stop sks
|
|
dest_directory=keyserverconfig
|
|
function_check backup_directory_to_usb
|
|
backup_directory_to_usb $source_directory $dest_directory
|
|
systemctl start sks
|
|
fi
|
|
if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
|
|
echo $'WARNING: Keyserver database size is too large to backup'
|
|
return
|
|
fi
|
|
source_directory=/var/lib/sks/DB
|
|
if [ -d $source_directory ]; then
|
|
systemctl stop sks
|
|
dest_directory=keyserver
|
|
function_check backup_directory_to_usb
|
|
backup_directory_to_usb $source_directory $dest_directory
|
|
systemctl start sks
|
|
fi
|
|
}
|
|
|
|
function restore_local_keyserver {
|
|
if [ ! -d /var/lib/sks/DB ]; then
|
|
return
|
|
fi
|
|
echo $"Restoring SKS Keyserver"
|
|
systemctl stop sks
|
|
|
|
temp_restore_dir=/root/tempkeyserverconfig
|
|
function_check restore_directory_from_usb
|
|
restore_directory_from_usb $temp_restore_dir keyserverconfig
|
|
if [ -d $temp_restore_dir/etc/sks ]; then
|
|
cp -r $temp_restore_dir/etc/sks/* /etc/sks/
|
|
else
|
|
cp -r $temp_restore_dir/* /etc/sks/
|
|
fi
|
|
rm -rf $temp_restore_dir
|
|
chown -Rc debian-sks: /etc/sks/sksconf
|
|
chown -Rc debian-sks: /etc/sks/mailsync
|
|
|
|
temp_restore_dir=/root/tempkeyserver
|
|
function_check restore_directory_from_usb
|
|
restore_directory_from_usb $temp_restore_dir keyserver
|
|
mv /var/lib/sks/DB /var/lib/sks/DB_prev
|
|
if [ -d $temp_restore_dir/var/lib/sks/DB ]; then
|
|
cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
|
|
else
|
|
if [ ! -d /var/lib/sks/DB ]; then
|
|
mkdir /var/lib/sks/DB
|
|
fi
|
|
cp -r $temp_restore_dir/* /var/lib/sks/DB
|
|
fi
|
|
if [ ! "$?" = "0" ]; then
|
|
# restore the old database
|
|
rm -rf /var/lib/sks/DB
|
|
mv /var/lib/sks/DB_prev /var/lib/sks/DB
|
|
|
|
rm -rf $temp_restore_dir
|
|
function_check set_user_permissions
|
|
set_user_permissions
|
|
function_check backup_unmount_drive
|
|
backup_unmount_drive
|
|
exit 5627294
|
|
fi
|
|
rm -rf $temp_restore_dir
|
|
chown -Rc debian-sks: /var/lib/sks
|
|
|
|
# remove the old database
|
|
rm -rf /var/lib/sks/DB_prev
|
|
|
|
systemctl enable sks
|
|
systemctl start sks
|
|
nginx_ensite $KEYSERVER_DOMAIN_NAME
|
|
}
|
|
|
|
function backup_remote_keyserver {
|
|
# remove any unused log files
|
|
cd /var/lib/sks/DB
|
|
db_archive -d
|
|
|
|
source_directory=/etc/sks
|
|
if [ -d $source_directory ]; then
|
|
systemctl stop sks
|
|
dest_directory=keyserverconfig
|
|
function_check backup_directory_to_friend
|
|
backup_directory_to_friend $source_directory $dest_directory
|
|
systemctl start sks
|
|
fi
|
|
if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
|
|
echo $'WARNING: Keyserver database size is too large to backup'
|
|
return
|
|
fi
|
|
source_directory=/var/lib/sks/DB
|
|
if [ -d $source_directory ]; then
|
|
systemctl stop sks
|
|
dest_directory=keyserver
|
|
function_check backup_directory_to_friend
|
|
backup_directory_to_friend $source_directory $dest_directory
|
|
systemctl start sks
|
|
fi
|
|
}
|
|
|
|
function restore_remote_keyserver {
|
|
if [ ! -d /var/lib/sks/DB ]; then
|
|
return
|
|
fi
|
|
echo $"Restoring SKS Keyserver"
|
|
systemctl stop sks
|
|
|
|
temp_restore_dir=/root/tempkeyserverconfig
|
|
function_check restore_directory_from_friend
|
|
restore_directory_from_friend $temp_restore_dir keyserverconfig
|
|
if [ -d $temp_restore_dir/etc/sks ]; then
|
|
cp -r $temp_restore_dir/etc/sks/* /etc/sks/
|
|
else
|
|
cp -r $temp_restore_dir/* /etc/sks/
|
|
fi
|
|
rm -rf $temp_restore_dir
|
|
chown -Rc debian-sks: /etc/sks/sksconf
|
|
chown -Rc debian-sks: /etc/sks/mailsync
|
|
|
|
temp_restore_dir=/root/tempkeyserver
|
|
function_check restore_directory_from_friend
|
|
restore_directory_from_friend $temp_restore_dir keyserver
|
|
mv /var/lib/sks/DB /var/lib/sks/DB_prev
|
|
if [ -d $temp_restore_dir/var/lib/sks/DB ]; then
|
|
cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
|
|
else
|
|
if [ ! -d /var/lib/sks/DB ]; then
|
|
mkdir /var/lib/sks/DB
|
|
fi
|
|
cp -r $temp_restore_dir/* /var/lib/sks/DB
|
|
fi
|
|
if [ ! "$?" = "0" ]; then
|
|
# restore the old database
|
|
rm -rf /var/lib/sks/DB
|
|
mv /var/lib/sks/DB_prev /var/lib/sks/DB
|
|
|
|
rm -rf $temp_restore_dir
|
|
function_check set_user_permissions
|
|
set_user_permissions
|
|
return
|
|
fi
|
|
rm -rf $temp_restore_dir
|
|
chown -Rc debian-sks: /var/lib/sks
|
|
|
|
# remove the old database
|
|
rm -rf /var/lib/sks/DB_prev
|
|
|
|
systemctl enable sks
|
|
systemctl start sks
|
|
nginx_ensite $KEYSERVER_DOMAIN_NAME
|
|
}
|
|
|
|
function remove_keyserver {
|
|
systemctl stop sks
|
|
if [ -f /etc/cron.hourly/keyserver-watchdog ]; then
|
|
rm /etc/cron.hourly/keyserver-watchdog
|
|
fi
|
|
apt-get -qy remove sks dirmngr
|
|
|
|
read_config_param "KEYSERVER_DOMAIN_NAME"
|
|
nginx_dissite $KEYSERVER_DOMAIN_NAME
|
|
remove_certs ${KEYSERVER_DOMAIN_NAME}
|
|
if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then
|
|
rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
|
|
fi
|
|
if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
|
|
rm -rf /var/www/$KEYSERVER_DOMAIN_NAME
|
|
fi
|
|
function_check remove_ddns_domain
|
|
remove_ddns_domain $KEYSERVER_DOMAIN_NAME
|
|
|
|
remove_config_param KEYSERVER_DOMAIN_NAME
|
|
remove_config_param KEYSERVER_CODE
|
|
function_check remove_onion_service
|
|
remove_onion_service keyserver ${KEYSERVER_ONION_PORT}
|
|
remove_onion_service sks 11370 11371 11372
|
|
remove_completion_param "install_keyserver"
|
|
|
|
firewall_remove 11370 tcp
|
|
firewall_remove 11371 tcp
|
|
firewall_remove 11372 tcp
|
|
|
|
sed -i '/keyserver/d' $COMPLETION_FILE
|
|
sed -i '/sks onion/d' $COMPLETION_FILE
|
|
if [ -d /var/lib/sks ]; then
|
|
rm -rf /var/lib/sks
|
|
fi
|
|
}
|
|
|
|
function install_interactive_keyserver {
|
|
if [ ! $ONION_ONLY ]; then
|
|
ONION_ONLY='no'
|
|
fi
|
|
|
|
if [[ $ONION_ONLY != "no" ]]; then
|
|
KEYSERVER_DOMAIN_NAME='keyserver.local'
|
|
write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"
|
|
else
|
|
function_check interactive_site_details
|
|
interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"
|
|
fi
|
|
APP_INSTALLED=1
|
|
}
|
|
|
|
function keyserver_create_mailsync {
|
|
echo $"# List of email addresses which submitted keys will be forwarded to" > /etc/sks/mailsync
|
|
echo '' >> /etc/sks/mailsync
|
|
chown -Rc debian-sks: /etc/sks/mailsync
|
|
}
|
|
|
|
function keyserver_create_membership {
|
|
if [ -f /etc/sks/membership ]; then
|
|
return
|
|
fi
|
|
systemctl stop sks
|
|
echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with." > /etc/sks/membership
|
|
echo '#' >> /etc/sks/membership
|
|
echo $"# Don't add major keyservers here, because it will take an" >> /etc/sks/membership
|
|
echo $'# Infeasible amount of time to sync and backups will become' >> /etc/sks/membership
|
|
echo $'# absurdly long and probably break your system. You have been warned.' >> /etc/sks/membership
|
|
echo '' >> /etc/sks/membership
|
|
chown -Rc debian-sks: /etc/sks/membership
|
|
systemctl start sks
|
|
}
|
|
|
|
function keyserver_import_keys {
|
|
# NOTE: this function isn't used, but kept for reference
|
|
dialog --title $"Import public keys database" \
|
|
--backtitle $"Freedombone Control Panel" \
|
|
--defaultno \
|
|
--yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60
|
|
sel=$?
|
|
case $sel in
|
|
1) return;;
|
|
255) return;;
|
|
esac
|
|
if [ ! -d /var/lib/sks/dump ]; then
|
|
mkdir -p /var/lib/sks/dump
|
|
fi
|
|
cd /var/lib/sks/dump
|
|
echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'
|
|
rm -rf /var/lib/sks/dump/*
|
|
KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"
|
|
wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \
|
|
-A pgp,txt $KEYSERVER_DUMP_URL
|
|
|
|
cd /var/lib/sks
|
|
echo $'Building the keyserver database from the downloaded dump'
|
|
keyserver_reset_database
|
|
}
|
|
|
|
function keyserver_sync {
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --backtitle $"Freedombone Control Panel" \
|
|
--title $"Sync with other keyserver" \
|
|
--form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \
|
|
$"Domain:" 1 1 "" 1 25 32 64 \
|
|
$"Port:" 2 1 "11370" 2 25 6 6 \
|
|
$"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \
|
|
2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) return;;
|
|
255) return;;
|
|
esac
|
|
other_keyserver_domain=$(cat $data | sed -n 1p)
|
|
other_keyserver_port=$(cat $data | sed -n 2p)
|
|
other_keyserver_email=$(cat $data | sed -n 3p)
|
|
if [[ "$other_keyserver_domain" != *'.'* ]]; then
|
|
return
|
|
fi
|
|
if [[ "$other_keyserver_domain" == *' '* ]]; then
|
|
return
|
|
fi
|
|
if [[ "$other_keyserver_port" == *'.'* ]]; then
|
|
return
|
|
fi
|
|
if [[ "$other_keyserver_port" == *' '* ]]; then
|
|
return
|
|
fi
|
|
if [ ${#other_keyserver_domain} -lt 4 ]; then
|
|
return
|
|
fi
|
|
if [ ${#other_keyserver_port} -lt 4 ]; then
|
|
return
|
|
fi
|
|
|
|
# Warn if trying to sync
|
|
if [[ "$other_keyserver_domain" == *"sks-keyservers.net" || "$other_keyserver_domain" == *"gnupg.net" || "$other_keyserver_domain" == *"pgp.com" || "$other_keyserver_domain" == *"pgp.mit.edu" || "$other_keyserver_domain" == *"the.earth.li" || "$other_keyserver_domain" == *"mayfirst.org" || "$other_keyserver_domain" == *"ubuntu.com" ]]; then
|
|
dialog --title $"Sync with other keyserver" \
|
|
--msgbox $"\nDon't try to sync with the major keyservers. Your system will be overloaded with an infeasible database size." 8 60
|
|
return
|
|
fi
|
|
|
|
if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then
|
|
if [[ "$other_keyserver_email" == *"@"* ]]; then
|
|
if [[ "$other_keyserver_email" == *"."* ]]; then
|
|
keyserver_create_mailsync
|
|
if ! grep -q "$other_keyserver_email" /etc/sks/mailsync; then
|
|
echo "$other_keyserver_email" >> /etc/sks/mailsync
|
|
chown -Rc debian-sks: /etc/sks/mailsync
|
|
fi
|
|
else
|
|
dialog --title $"Sync with other keyserver" \
|
|
--msgbox $"Email doesn't look right: $other_keyserver_email" 6 60
|
|
return
|
|
fi
|
|
fi
|
|
fi
|
|
keyserver_create_membership
|
|
if grep -q "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then
|
|
return
|
|
fi
|
|
if grep -q "$other_keyserver_domain " /etc/sks/membership; then
|
|
sed -i "s|$other_keyserver_domain .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership
|
|
else
|
|
echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership
|
|
fi
|
|
chown -Rc debian-sks: /etc/sks/membership
|
|
systemctl restart sks
|
|
dialog --title $"Sync with other keyserver" \
|
|
--msgbox $"Keyserver added" 6 40
|
|
}
|
|
|
|
function keyserver_edit {
|
|
if [ ! -f /etc/sks/membership ]; then
|
|
return
|
|
fi
|
|
editor /etc/sks/membership
|
|
chown -Rc debian-sks: /etc/sks/membership
|
|
systemctl restart sks
|
|
}
|
|
|
|
function keyserver_remove_key {
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --title $"Remove a key" \
|
|
--backtitle $"Freedombone Control Panel" \
|
|
--inputbox $"Enter the ID of the key which you wish to remove:" 12 60 2>$data
|
|
sel=$?
|
|
case $sel in
|
|
0)
|
|
remove_key_id=$(<$data)
|
|
if [ ${#remove_key_id} -gt 8 ]; then
|
|
sks drop $remove_key_id
|
|
dialog --title $"Remove a key" \
|
|
--msgbox $"The key was removed" 6 40
|
|
fi
|
|
;;
|
|
esac
|
|
}
|
|
|
|
function configure_interactive_keyserver {
|
|
while true
|
|
do
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --backtitle $"Freedombone Control Panel" \
|
|
--title $"SKS Keyserver" \
|
|
--radiolist $"Choose an operation:" 12 70 4 \
|
|
1 $"Remove a key" off \
|
|
2 $"Sync with other keyserver" off \
|
|
3 $"Edit sync keyservers" off \
|
|
4 $"Exit" on 2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) return;;
|
|
255) return;;
|
|
esac
|
|
case $(cat $data) in
|
|
1) keyserver_remove_key;;
|
|
2) keyserver_sync;;
|
|
3) keyserver_edit;;
|
|
4) break;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
function install_keyserver {
|
|
apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
|
|
keyserver_reset_database
|
|
sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
|
|
apt-get -qy install dirmngr
|
|
systemctl restart sks
|
|
|
|
if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
|
|
mkdir /var/www/$KEYSERVER_DOMAIN_NAME
|
|
fi
|
|
|
|
cd /var/www/$KEYSERVER_DOMAIN_NAME
|
|
if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
|
|
rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
|
|
fi
|
|
|
|
if [ -d /repos/keyserverweb ]; then
|
|
mkdir htdocs
|
|
cp -r -p /repos/keyserverweb/. htdocs
|
|
cd htdocs
|
|
git pull
|
|
else
|
|
git_clone $KEYSERVER_WEB_REPO htdocs
|
|
fi
|
|
if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
|
|
echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"
|
|
exit 6539230
|
|
fi
|
|
|
|
cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
|
|
git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT
|
|
set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"
|
|
|
|
|
|
USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
|
|
GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
|
|
if [ ! $GPG_ID ]; then
|
|
echo $'No GPG ID for admin user'
|
|
exit 846336
|
|
fi
|
|
if [ ${#GPG_ID} -lt 5 ]; then
|
|
echo $'GPG ID not retrieved for admin user'
|
|
exit 835292
|
|
fi
|
|
if [[ "$GPG_ID" == *"error"* ]]; then
|
|
echo $'GPG ID not retrieved for admin user due to error'
|
|
exit 74825
|
|
fi
|
|
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
|
|
sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
|
|
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
|
|
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
|
|
|
|
sksconf_file=/etc/sks/sksconf
|
|
sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
|
|
sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
|
|
sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file
|
|
sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file
|
|
sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file
|
|
sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file
|
|
sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
|
|
sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
|
|
sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
|
|
sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
|
|
sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
|
|
sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
|
|
sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file
|
|
|
|
if ! grep -q "#disable_mailsync" $sksconf_file; then
|
|
echo '#disable_mailsync:' >> $sksconf_file
|
|
else
|
|
sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file
|
|
fi
|
|
if ! grep -q "membership_reload_interval:" $sksconf_file; then
|
|
echo 'membership_reload_interval: 1' >> $sksconf_file
|
|
else
|
|
sed -i 's|#membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
|
|
sed -i 's|membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
|
|
fi
|
|
if ! grep -q "max_matches:" $sksconf_file; then
|
|
echo 'max_matches: 50' >> $sksconf_file
|
|
else
|
|
sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file
|
|
sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file
|
|
fi
|
|
if ! grep -q "stat_hour:" $sksconf_file; then
|
|
echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file
|
|
else
|
|
sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
|
|
sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
|
|
fi
|
|
if ! grep -q "disable_log_diffs:" $sksconf_file; then
|
|
echo "disable_log_diffs:" >> $sksconf_file
|
|
else
|
|
sed -i "s|#disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
|
|
sed -i "s|disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
|
|
fi
|
|
if ! grep -q "debuglevel:" $sksconf_file; then
|
|
echo "debuglevel: 0" >> $sksconf_file
|
|
else
|
|
sed -i "s|#debuglevel:.*|debuglevel: 0|g" $sksconf_file
|
|
sed -i "s|debuglevel:.*|debuglevel: 0|g" $sksconf_file
|
|
fi
|
|
|
|
chown debian-sks: $sksconf_file
|
|
|
|
if ! grep -q "hidden_service_sks" /etc/tor/torrc; then
|
|
echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/' >> /etc/tor/torrc
|
|
echo "HiddenServicePort 11370 127.0.0.1:11370" >> /etc/tor/torrc
|
|
echo "HiddenServicePort 11373 127.0.0.1:11371" >> /etc/tor/torrc
|
|
echo "HiddenServicePort 11372 127.0.0.1:11372" >> /etc/tor/torrc
|
|
echo $'Added onion site for sks'
|
|
fi
|
|
|
|
onion_update
|
|
wait_for_onion_service 'sks'
|
|
|
|
if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then
|
|
echo $'sks onion site hostname not found'
|
|
exit 8352982
|
|
fi
|
|
SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)
|
|
|
|
KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})
|
|
|
|
keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
|
|
if [[ $ONION_ONLY == "no" ]]; then
|
|
# NOTE: without http active on port 80 the keyserver doesn't work
|
|
# from the commandline
|
|
echo 'server {' > $keyserver_nginx_site
|
|
echo ' listen 80;' >> $keyserver_nginx_site
|
|
echo ' listen 0.0.0.0:11371;' >> $keyserver_nginx_site
|
|
echo ' listen [::]:80;' >> $keyserver_nginx_site
|
|
echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' # Logs' >> $keyserver_nginx_site
|
|
echo ' access_log /dev/null;' >> $keyserver_nginx_site
|
|
echo ' error_log /dev/null;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' # Root' >> $keyserver_nginx_site
|
|
echo " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location / {' >> $keyserver_nginx_site
|
|
function_check nginx_limits
|
|
nginx_limits $KEYSERVER_DOMAIN_NAME '128k'
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location /pks {' >> $keyserver_nginx_site
|
|
echo ' proxy_pass http://127.0.0.1:11373;' >> $keyserver_nginx_site
|
|
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
|
|
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";" >> $keyserver_nginx_site
|
|
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
|
|
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
|
|
echo ' client_body_buffer_size 128k;' >> $keyserver_nginx_site
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '}' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo 'server {' >> $keyserver_nginx_site
|
|
echo ' listen 443 ssl;' >> $keyserver_nginx_site
|
|
echo ' listen 0.0.0.0:11372 ssl;' >> $keyserver_nginx_site
|
|
echo ' listen [::]:443 ssl;' >> $keyserver_nginx_site
|
|
echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' error_page 404 /404.html;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
|
|
echo ' deny all;' >> $keyserver_nginx_site
|
|
echo ' return 404;' >> $keyserver_nginx_site
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' # Security' >> $keyserver_nginx_site
|
|
function_check nginx_ssl
|
|
nginx_ssl $KEYSERVER_DOMAIN_NAME
|
|
|
|
function_check nginx_disable_sniffing
|
|
nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
|
|
|
|
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' # Logs' >> $keyserver_nginx_site
|
|
echo ' access_log /dev/null;' >> $keyserver_nginx_site
|
|
echo ' error_log /dev/null;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' # Root' >> $keyserver_nginx_site
|
|
echo " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
|
|
echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location / {' >> $keyserver_nginx_site
|
|
function_check nginx_limits
|
|
nginx_limits $KEYSERVER_DOMAIN_NAME '128k'
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location /pks {' >> $keyserver_nginx_site
|
|
echo " proxy_pass http://127.0.0.1:11373;" >> $keyserver_nginx_site
|
|
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
|
|
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";" >> $keyserver_nginx_site
|
|
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
|
|
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
|
|
echo ' client_body_buffer_size 128k;' >> $keyserver_nginx_site
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '}' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
else
|
|
echo -n '' > $keyserver_nginx_site
|
|
fi
|
|
echo 'server {' >> $keyserver_nginx_site
|
|
echo " listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site
|
|
echo " server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' error_page 404 /404.html;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
|
|
echo ' deny all;' >> $keyserver_nginx_site
|
|
echo ' return 404;' >> $keyserver_nginx_site
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
function_check nginx_disable_sniffing
|
|
nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' # Logs' >> $keyserver_nginx_site
|
|
echo ' access_log /dev/null;' >> $keyserver_nginx_site
|
|
echo ' error_log /dev/null;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' # Root' >> $keyserver_nginx_site
|
|
echo " root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
|
|
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location / {' >> $keyserver_nginx_site
|
|
function_check nginx_limits
|
|
nginx_limits $KEYSERVER_DOMAIN_NAME '128k'
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '' >> $keyserver_nginx_site
|
|
echo ' location /pks {' >> $keyserver_nginx_site
|
|
echo " proxy_pass http://127.0.0.1:11373;" >> $keyserver_nginx_site
|
|
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
|
|
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";" >> $keyserver_nginx_site
|
|
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
|
|
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
|
|
echo ' client_body_buffer_size 128k;' >> $keyserver_nginx_site
|
|
echo ' }' >> $keyserver_nginx_site
|
|
echo '}' >> $keyserver_nginx_site
|
|
|
|
function_check create_site_certificate
|
|
if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
|
|
create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'
|
|
fi
|
|
|
|
if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then
|
|
mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
|
|
fi
|
|
if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
|
|
chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
|
|
sed -i "s|.crt|.pem|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}
|
|
fi
|
|
if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then
|
|
chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key
|
|
fi
|
|
|
|
chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
|
|
|
|
function_check nginx_ensite
|
|
nginx_ensite $KEYSERVER_DOMAIN_NAME
|
|
|
|
configure_firewall_for_keyserver
|
|
|
|
# remove membership file - don't try to sync with other keyservers
|
|
if [ -f /etc/sks/membership ]; then
|
|
rm /etc/sks/membership
|
|
fi
|
|
|
|
if ! grep -q "pgp-public-keys" /etc/aliases; then
|
|
echo 'pgp-public-keys: "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases
|
|
fi
|
|
chown -Rc debian-sks: /etc/sks/mailsync
|
|
|
|
systemctl enable sks
|
|
systemctl restart sks
|
|
systemctl restart nginx
|
|
|
|
set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
|
|
set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"
|
|
set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"
|
|
|
|
keyserver_watchdog
|
|
|
|
APP_INSTALLED=1
|
|
}
|
|
|
|
# NOTE: deliberately no exit 0
|