Stockholm initial

src/freedombone-app-babel

@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Babel mesh functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Babel mesh
+ENABLE_BABEL="no"
+BABEL_PORT=6696
+
+function mesh_babel {
+	if grep -Fxq "mesh_babel" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BABEL != "yes" ]]; then
+		return
+	fi
+
+	${PROJECT_NAME}-mesh-install -f babel
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install babel'
+		exit 67242
+	fi
+
+	function_check configure_firewall_for_babel
+	configure_firewall_for_babel
+	echo 'mesh_babel' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-app-batman

@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# batman adv mesh functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# B.A.T.M.A.N settings
+ENABLE_BATMAN="no"
+BATMAN_CELLID='any'
+
+function mesh_batman {
+	if grep -Fxq "mesh_batman" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BATMAN != "yes" ]]; then
+		return
+	fi
+
+	${PROJECT_NAME}-mesh-install -f batman
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install batman'
+		exit 72524
+	fi
+
+	if ! grep -q "Mesh Networking (B.A.T.M.A.N)" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo 'Mesh Networking (B.A.T.M.A.N)' >> /home/$MY_USERNAME/README
+		echo '=============================' >> /home/$MY_USERNAME/README
+		echo "Mesh ESSID: $WIFI_SSID" >> /home/$MY_USERNAME/README
+		echo "Mesh cell ID: $BATMAN_CELLID" >> /home/$MY_USERNAME/README
+		echo "Mesh wifi channel: $WIFI_CHANNEL" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	function_check configure_firewall_for_batman
+	configure_firewall_for_batman
+	echo 'mesh_batman' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-blog

@@ -0,0 +1,343 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Blog functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+FULLBLOG_DOMAIN_NAME=
+FULLBLOG_CODE=
+FULLBLOG_ONION_PORT=8086
+FULLBLOG_REPO="https://github.com/danpros/htmly"
+FULLBLOG_COMMIT='bf5fe9486160be4da86d8987d3e5c977e1dc6d32'
+MY_BLOG_TITLE="My Blog"
+MY_BLOG_SUBTITLE="Another ${PROJECT_NAME} Blog"
+
+function mark_blog_domain {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if ! grep -q "Blog domain:" $COMPLETION_FILE; then
+		echo "Blog domain:$FULLBLOG_DOMAIN_NAME" >> $COMPLETION_FILE
+	fi
+}
+
+function get_blog_admin_password {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "Your blog password is" /home/$MY_USERNAME/README; then
+			FULLBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Your blog password is" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
+}
+
+function install_blog {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! $FULLBLOG_DOMAIN_NAME ]; then
+		echo $'The blog domain name was not specified'
+		exit 5062
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit /var/www/$FULLBLOG_DOMAIN_NAME/htdocs "Blog commit" "$FULLBLOG_COMMIT" $FULLBLOG_REPO
+
+	if grep -Fxq "install_blog" $COMPLETION_FILE; then
+		return
+	fi
+
+	# for the avatar changing command
+	apt-get -y install imagemagick
+
+	if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME ]; then
+		mkdir /var/www/$FULLBLOG_DOMAIN_NAME
+	fi
+
+	cd /var/www/$FULLBLOG_DOMAIN_NAME
+	git_clone $FULLBLOG_REPO htdocs
+	cd htdocs
+	git checkout $FULLBLOG_COMMIT -b $FULLBLOG_COMMIT
+	if ! grep -q "Blog commit" $COMPLETION_FILE; then
+		echo "Blog commit:$FULLBLOG_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/Blog commit.*/Blog commit:$FULLBLOG_COMMIT/g" $COMPLETION_FILE
+	fi
+	cd /var/www/$FULLBLOG_DOMAIN_NAME
+
+	chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
+
+	if [[ $ONION_ONLY == "no" ]]; then
+	    function_check nginx_http_redirect
+		nginx_http_redirect $FULLBLOG_DOMAIN_NAME
+		echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		function_check nginx_limits
+		nginx_limits $FULLBLOG_DOMAIN_NAME
+		function_check nginx_ssl
+		nginx_ssl $FULLBLOG_DOMAIN_NAME
+		function_check nginx_disable_sniffing
+		nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
+		echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	else
+		echo -n '' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	fi
+	echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "    listen 127.0.0.1:${FULLBLOG_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	function_check nginx_limits
+	nginx_limits $FULLBLOG_DOMAIN_NAME
+	function_check nginx_disable_sniffing
+	nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME
+	echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+	echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+
+    function_check create_site_certificate
+	create_site_certificate $FULLBLOG_DOMAIN_NAME 'yes'
+
+    function_check configure_php
+	configure_php
+
+	# blog settings
+	cp /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini.example /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	sed -i "s|site.url.*|site.url = '/'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	sed -i "s|blog.title.*|blog.title = '$MY_BLOG_TITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	sed -i "s|blog.tagline.*|blog.tagline = '$MY_BLOG_SUBTITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	sed -i 's|timezone.*|timezone = "Europe/London"|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	sed -i "s|Your name|$MY_NAME|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+
+	# set social networks
+	if grep -q "social.hubzilla" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then
+		sed -i "s|;social.hubzilla|social.hubzilla|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+		sed -i "s|social.hubzilla.*|social.hubzilla = \"$HUBZILLA_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	fi
+	if grep -q "social.gnusocial" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then
+		sed -i "s|;social.gnusocial|social.gnusocial|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+		sed -i "s|social.gnusocial.*|social.gnusocial = \"$MICROBLOG_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	fi
+
+	# clear proprietary social network strings
+	sed -i 's|social.facebook.*|social.facebook = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	sed -i 's|social.twitter.*|social.twitter = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+	sed -i 's|social.google.*|social.google = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini
+
+	# create a user password
+	function_check get_blog_admin_password
+	get_blog_admin_password
+	if [ ! $FULLBLOG_ADMIN_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			FULLBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			FULLBLOG_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'HTMLy Blog' >> /home/$MY_USERNAME/README
+		echo '==========' >> /home/$MY_USERNAME/README
+		echo $"Your blog username: $MY_USERNAME" >> /home/$MY_USERNAME/README
+		echo $"Your blog password is: $FULLBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
+		if [[ $ONION_ONLY == 'no' ]]; then
+			echo $"Log into your blog at https://$FULLBLOG_DOMAIN_NAME/login" >> /home/$MY_USERNAME/README
+		fi
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	# create a user
+	FULLBLOG_ADMIN_PASSWORD_HASH=$(freedombone-sec --bloghash "$FULLBLOG_ADMIN_PASSWORD")
+	if [ ${#FULLBLOG_ADMIN_PASSWORD_HASH} -lt 8 ]; then
+		echo $'Blog admin password could not be hashed'
+		exit 625728
+	fi
+	echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
+	echo "password = $FULLBLOG_ADMIN_PASSWORD_HASH" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
+	echo 'encryption = password_hash' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
+	echo ';Role' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
+	echo 'role = admin' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
+
+    function_check nginx_ensite
+	nginx_ensite $FULLBLOG_DOMAIN_NAME
+
+	FULLBLOG_ONION_HOSTNAME=$(add_onion_service blog 80 ${FULLBLOG_ONION_PORT})
+
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	if ! grep -q "Blog onion domain" /home/$MY_USERNAME/README; then
+		echo $"Blog onion domain: ${FULLBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo $"Log into your blog at https://${FULLBLOG_ONION_HOSTNAME}/login" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+	echo "Blog onion domain:${FULLBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE
+
+    function_check add_ddns_domain
+	add_ddns_domain $FULLBLOG_DOMAIN_NAME
+
+	echo 'install_blog' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-cjdns

@@ -0,0 +1,447 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# cjdns functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# cjdns settings
+ENABLE_CJDNS="no"
+CJDNS_PRIVATE_KEY=
+CJDNS_PUBLIC_KEY=
+CJDNS_IPV6=
+CJDNS_PASSWORD=
+CJDNS_PORT=
+CJDNS_REPO="https://github.com/cjdelisle/cjdns.git"
+CJDNS_COMMIT='13189fde111d0500427a7a0ce06a970753527bca'
+CJDCMD_REPO="https://github.com/inhies/cjdcmd"
+CJDCMD_COMMIT='973cca6ed0eecf9041c3403a40193c0b1291b808'
+
+function get_cjdns_public_key {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "cjdns public key" /home/$MY_USERNAME/README; then
+			if [ ! $CJDNS_PUBLIC_KEY ]; then
+				CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//')
+			fi
+		fi
+	fi
+}
+
+function get_cjdns_private_key {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "cjdns private key" /home/$MY_USERNAME/README; then
+			if [ ! $CJDNS_PRIVATE_KEY ]; then
+				CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//')
+			fi
+		fi
+	fi
+}
+
+function get_cjdns_ipv6_address {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then
+			if [ ! $CJDNS_IPV6 ]; then
+				CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//')
+			fi
+		fi
+	fi
+}
+
+function get_cjdns_port {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "cjdns port" /home/$MY_USERNAME/README; then
+			if [ ! $CJDNS_PORT ]; then
+				CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//')
+			fi
+		fi
+	fi
+}
+
+function get_cjdns_password {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "cjdns password" /home/$MY_USERNAME/README; then
+			if [ ! $CJDNS_PASSWORD ]; then
+				CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+			fi
+		fi
+	fi
+}
+
+function mesh_cjdns {
+	if [[ $ENABLE_CJDNS != "yes" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO
+
+	if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install nodejs git build-essential nmap
+
+	# if a README exists then obtain the cjdns parameters
+	function_check get_cjdns_ipv6_address
+	get_cjdns_ipv6_address
+
+	function_check get_cjdns_public_key
+	get_cjdns_public_key
+
+	function_check get_cjdns_private_key
+	get_cjdns_private_key
+
+	function_check get_cjdns_port
+	get_cjdns_port
+
+	function_check get_cjdns_password
+	get_cjdns_password
+
+	# special compile settings for running ./do on the Beaglebone Black
+	if [[ $INSTALLING_ON_BBB == "yes" ]]; then
+		CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized"
+		export LDFLAGS="$CFLAGS"
+	fi
+
+	if [ ! -d /etc/cjdns ]; then
+		function_check git_pull
+		git_clone $CJDNS_REPO /etc/cjdns
+		cd /etc/cjdns
+
+		git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT
+		if ! grep -q "cjdns commit" $COMPLETION_FILE; then
+			echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE
+		else
+			sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE
+		fi
+
+		./do
+		if [ ! "$?" = "0" ]; then
+			exit 7439
+		fi
+		# create a configuration
+		if [ ! -f /etc/cjdns/cjdroute.conf ]; then
+			./cjdroute --genconf > /etc/cjdns/cjdroute.conf
+			if [ ! "$?" = "0" ]; then
+				exit 5922
+			fi
+		fi
+		# create a user to run as
+		useradd cjdns
+	else
+		cd /etc/cjdns
+		function_check git_pull
+		git_pull $CJDNS_REPO
+		./do
+		if [ ! "$?" = "0" ]; then
+			exit 9926
+		fi
+	fi
+
+	# set permissions
+	chown -R cjdns:cjdns /etc/cjdns
+	chmod 600 /etc/cjdns/cjdroute.conf
+
+	/sbin/ip tuntap add mode tun user cjdns dev cjdroute0
+
+	# insert values into the configuration file
+	if [ $CJDNS_PRIVATE_KEY ]; then
+		sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf
+	else
+		CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p)
+	fi
+	if [ $CJDNS_PUBLIC_KEY ]; then
+		sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf
+	else
+		CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p)
+	fi
+	if [ $CJDNS_IPV6 ]; then
+		sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf
+	else
+		CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p)
+	fi
+	if [ $CJDNS_PASSWORD ]; then
+		sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf
+	else
+		CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p)
+	fi
+	if [ $CJDNS_PORT ]; then
+		sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf
+	else
+		CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p)
+	fi
+
+	function_check enable_ipv6
+	enable_ipv6
+
+	echo '#!/bin/sh -e' > /etc/init.d/cjdns
+	echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns
+	echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns
+	echo '# Provides:          cjdroute' >> /etc/init.d/cjdns
+	echo '# Required-Start:    $remote_fs $network' >> /etc/init.d/cjdns
+	echo '# Required-Stop:     $remote_fs $network' >> /etc/init.d/cjdns
+	echo '# Default-Start:     2 3 4 5' >> /etc/init.d/cjdns
+	echo '# Default-Stop:      0 1 6' >> /etc/init.d/cjdns
+	echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns
+	echo '# Description:       A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns
+	echo '# cjdns git repo:    https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns
+	echo '### END INIT INFO' >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo 'PROG="cjdroute"' >> /etc/init.d/cjdns
+	echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
+	echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
+	echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns
+	echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns
+	echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo 'start() {' >> /etc/init.d/cjdns
+	echo '     # Start it up with the user cjdns' >> /etc/init.d/cjdns
+	echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
+	echo '     then' >> /etc/init.d/cjdns
+	echo '         echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns
+	echo '     else' >> /etc/init.d/cjdns
+	echo '         echo " * Starting cjdroute"' >> /etc/init.d/cjdns
+	echo '         su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns
+	echo '         /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns
+	echo '         /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns
+	echo '         /sbin/ip link set tun0 up' >> /etc/init.d/cjdns
+	echo '         /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns
+	echo '     fi' >> /etc/init.d/cjdns
+	echo '}' >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo 'stop() {' >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo '     if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns
+	echo '     then' >> /etc/init.d/cjdns
+	echo '         echo "cjdns isnt running."' >> /etc/init.d/cjdns
+	echo '     else' >> /etc/init.d/cjdns
+	echo '         echo "Killing cjdroute"' >> /etc/init.d/cjdns
+	echo '         killall cjdroute' >> /etc/init.d/cjdns
+	echo '     fi' >> /etc/init.d/cjdns
+	echo '}' >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo 'status() {' >> /etc/init.d/cjdns
+	echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
+	echo '     then' >> /etc/init.d/cjdns
+	echo '         echo "Cjdns is running"' >> /etc/init.d/cjdns
+	echo '     else' >> /etc/init.d/cjdns
+	echo '         echo "Cjdns is not running"' >> /etc/init.d/cjdns
+	echo '     fi' >> /etc/init.d/cjdns
+	echo '}' >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo ' update() {' >> /etc/init.d/cjdns
+	echo '     cd $GIT_PATH' >> /etc/init.d/cjdns
+	echo '     echo "Updating..."' >> /etc/init.d/cjdns
+	echo '     git pull' >> /etc/init.d/cjdns
+	echo '     ./do' >> /etc/init.d/cjdns
+	echo '}' >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns
+	echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns
+	echo '    echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns
+	echo '    exit 1' >> /etc/init.d/cjdns
+	echo 'fi' >> /etc/init.d/cjdns
+	echo '' >> /etc/init.d/cjdns
+	echo 'case $1 in' >> /etc/init.d/cjdns
+	echo '     start)' >> /etc/init.d/cjdns
+	echo '         start' >> /etc/init.d/cjdns
+	echo '         exit 0' >> /etc/init.d/cjdns
+	echo '     ;;' >> /etc/init.d/cjdns
+	echo '     stop)' >> /etc/init.d/cjdns
+	echo '         stop' >> /etc/init.d/cjdns
+	echo '         exit 0' >> /etc/init.d/cjdns
+	echo '     ;;' >> /etc/init.d/cjdns
+	echo '     reload|restart|force-reload)' >> /etc/init.d/cjdns
+	echo '         stop' >> /etc/init.d/cjdns
+	echo '         sleep 1' >> /etc/init.d/cjdns
+	echo '         start' >> /etc/init.d/cjdns
+	echo '         exit 0' >> /etc/init.d/cjdns
+	echo '     ;;' >> /etc/init.d/cjdns
+	echo '     status)' >> /etc/init.d/cjdns
+	echo '         status' >> /etc/init.d/cjdns
+	echo '         exit 0' >> /etc/init.d/cjdns
+	echo '     ;;' >> /etc/init.d/cjdns
+	echo '     update|upgrade)' >> /etc/init.d/cjdns
+	echo '         update' >> /etc/init.d/cjdns
+	echo '         stop' >> /etc/init.d/cjdns
+	echo '         sleep 2' >> /etc/init.d/cjdns
+	echo '         start' >> /etc/init.d/cjdns
+	echo '         exit 0' >> /etc/init.d/cjdns
+	echo '     ;;' >> /etc/init.d/cjdns
+	echo '     **)' >> /etc/init.d/cjdns
+	echo '         echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns
+	echo '         exit 1' >> /etc/init.d/cjdns
+	echo '     ;;' >> /etc/init.d/cjdns
+	echo 'esac' >> /etc/init.d/cjdns
+	chmod +x /etc/init.d/cjdns
+	update-rc.d cjdns defaults
+	service cjdns start
+	if [ ! "$?" = "0" ]; then
+		systemctl status cjdns.service
+		exit 8260
+	fi
+
+	apt-get -y install radvd
+	echo 'interface eth0' > /etc/radvd.conf
+	echo '{' >> /etc/radvd.conf
+	echo '    AdvSendAdvert on;' >> /etc/radvd.conf
+	echo '    prefix fdfc::1/64' >> /etc/radvd.conf
+	echo '    {' >> /etc/radvd.conf
+	echo '        AdvRouterAddr on;' >> /etc/radvd.conf
+	echo '    };' >> /etc/radvd.conf
+	echo '};' >> /etc/radvd.conf
+	systemctl restart radvd
+	if [ ! "$?" = "0" ]; then
+		systemctl status radvd.service
+		exit 4395
+	fi
+
+	if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then
+		echo '' >> /etc/network/interfaces
+		echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces
+		echo 'iface eth0 inet6 static' >> /etc/network/interfaces
+		echo '    pre-up modprobe ipv6' >> /etc/network/interfaces
+		echo '    address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces
+		echo '    netmask 64' >> /etc/network/interfaces
+		service network-manager restart
+		if [ ! "$?" = "0" ]; then
+			systemctl status networking.service
+			exit 6949
+		fi
+	fi
+
+	ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT
+	ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT
+
+	function_ckeck save_firewall_settings
+	save_firewall_settings
+
+	if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then
+		CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}')
+
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README
+		echo '=======================' >> /home/$MY_USERNAME/README
+		echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README
+		echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README
+		echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README
+		echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README
+		echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README
+		echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README
+		echo $'to you using your default password' >> /home/$MY_USERNAME/README
+		echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README
+		echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README
+		echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README
+		echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README
+		echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README
+		echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README
+		echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README
+		echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README
+		echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README
+		echo $'each password is for.' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README
+		echo '    http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README
+		echo '    http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	echo 'mesh_cjdns' >> $COMPLETION_FILE
+}
+
+function mesh_cjdns_tools {
+	if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_CJDNS != "yes" ]]; then
+		return
+	fi
+	if [ ! -d /etc/cjdns ]; then
+		mesh_cjdns
+	fi
+
+	function_check select_go_version
+	select_go_version
+
+	apt-get -y install golang mercurial
+	if [ ! -f ~/.bashrc ]; then
+		touch ~/.bashrc
+	fi
+
+	if [ ! -d /home/git ]; then
+		# add a gogs user account
+		adduser --disabled-login --gecos 'Gogs' git
+
+		# install Go
+		if ! grep -q "export GOPATH=" ~/.bashrc; then
+			echo "export GOPATH=$GOPATH" >> ~/.bashrc
+		fi
+		systemctl set-environment GOPATH=$GOPATH
+		if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
+			echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
+		fi
+		if [ ! -d $GOPATH ]; then
+			mkdir -p $GOPATH
+		fi
+	fi
+
+	if ! grep -q "export GOPATH=" ~/.bashrc; then
+		echo "export GOPATH=$GOPATH" >> ~/.bashrc
+	fi
+	expected_go_path='export PATH=$PATH:'${GOPATH}'/bin'
+	export PATH=$PATH:${GOPATH}/bin
+	if ! grep -q "$expected_go_path" ~/.bashrc; then
+		echo "$expected_go_path" >> ~/.bashrc
+	fi
+	export PATH=$PATH:$GOPATH/bin
+	CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g')
+	go get $CJDCMD_REPO2
+	if [ ! -f $GOPATH/bin/cjdcmd ]; then
+		echo $'cjdcmd was not compiled. Check your golang installation'
+		exit 7439
+	fi
+	cp $GOPATH/bin/cjdcmd /usr/bin
+
+	# initialise from the cjdns config
+	/usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf
+
+	echo 'mesh_cjdns_tools' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-dlna

@@ -0,0 +1,125 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# DLNA application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function install_dlna_server {
+	if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	apt-get -y install minidlna
+
+	if [ ! -f /etc/minidlna.conf ]; then
+		echo $"ERROR: minidlna does not appear to have installed. $CHECK_MESSAGE"
+		exit 55
+	fi
+
+	sed -i "s|media_dir=/var/lib/minidlna|media_dir=A,/home/$MY_USERNAME/Music|g" /etc/minidlna.conf
+	if ! grep -q "/home/$MY_USERNAME/Pictures" /etc/minidlna.conf; then
+		echo "media_dir=P,/home/$MY_USERNAME/Pictures" >> /etc/minidlna.conf
+	fi
+	if ! grep -q "/home/$MY_USERNAME/Videos" /etc/minidlna.conf; then
+		echo "media_dir=V,/home/$MY_USERNAME/Videos" >> /etc/minidlna.conf
+	fi
+	if ! grep -q "$USB_MOUNT/Music" /etc/minidlna.conf; then
+		echo "media_dir=A,$USB_MOUNT/Music" >> /etc/minidlna.conf
+	fi
+	if ! grep -q "$USB_MOUNT/Pictures" /etc/minidlna.conf; then
+		echo "media_dir=P,$USB_MOUNT/Pictures" >> /etc/minidlna.conf
+	fi
+	if ! grep -q "$USB_MOUNT/Videos" /etc/minidlna.conf; then
+		echo "media_dir=V,$USB_MOUNT/Videos" >> /etc/minidlna.conf
+	fi
+	sed -i 's/#root_container=./root_container=B/g' /etc/minidlna.conf
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		sed -i 's/#network_interface=/network_interface=eth0/g' /etc/minidlna.conf
+	else
+		sed -i 's/#network_interface=/network_interface=$WIFI_INTERFACE/g' /etc/minidlna.conf
+	fi
+	sed -i "s/#friendly_name=/friendly_name=\"${PROJECT_NAME} Media\"/g" /etc/minidlna.conf
+	sed -i 's|#db_dir=/var/cache/minidlna|db_dir=/var/cache/minidlna|g' /etc/minidlna.conf
+	sed -i 's/#inotify=yes/inotify=yes/g' /etc/minidlna.conf
+	sed -i 's/#notify_interval=895/notify_interval=300/g' /etc/minidlna.conf
+	sed -i "s|#presentation_url=/|presentation_url=http://localhost:8200|g" /etc/minidlna.conf
+	service minidlna force-reload
+	service minidlna reload
+
+	sed -i 's/fs.inotify.max_user_watches*/fs.inotify.max_user_watches=65536/g' /etc/sysctl.conf
+	if ! grep -q "max_user_watches" $COMPLETION_FILE; then
+		echo 'fs.inotify.max_user_watches=65536' >> /etc/sysctl.conf
+	fi
+	/sbin/sysctl -p
+
+	function_check configure_firewall_for_dlna
+	configure_firewall_for_dlna
+	echo 'install_dlna_server' >> $COMPLETION_FILE
+}
+
+function script_for_attaching_usb_drive {
+	if grep -Fxq "script_for_attaching_usb_drive" $COMPLETION_FILE; then
+		return
+	fi
+	echo '#!/bin/bash' > /usr/bin/attach-music
+	echo 'remove-music' >> /usr/bin/attach-music
+	echo "if [ ! -d $USB_MOUNT ]; then" >> /usr/bin/attach-music
+	echo "  mkdir $USB_MOUNT" >> /usr/bin/attach-music
+	echo 'fi' >> /usr/bin/attach-music
+	echo "mount /dev/sda1 $USB_MOUNT" >> /usr/bin/attach-music
+	echo "chown root:root $USB_MOUNT" >> /usr/bin/attach-music
+	echo "chown -R minidlna:minidlna $USB_MOUNT/*" >> /usr/bin/attach-music
+	echo 'service minidlna restart' >> /usr/bin/attach-music
+	echo 'minidlnad -R' >> /usr/bin/attach-music
+	chmod +x /usr/bin/attach-music
+	ln -s /usr/bin/attach-music /usr/bin/attach-usb
+	ln -s /usr/bin/attach-music /usr/bin/attach-videos
+	ln -s /usr/bin/attach-music /usr/bin/attach-pictures
+	ln -s /usr/bin/attach-music /usr/bin/attach-media
+
+	echo '#!/bin/bash' > /usr/bin/remove-music
+	echo "if [ -d $USB_MOUNT ]; then" >> /usr/bin/remove-music
+	echo "  umount $USB_MOUNT" >> /usr/bin/remove-music
+	echo "  rm -rf $USB_MOUNT" >> /usr/bin/remove-music
+	echo 'fi' >> /usr/bin/remove-music
+	chmod +x /usr/bin/remove-music
+	ln -s /usr/bin/remove-music /usr/bin/detach-music
+	ln -s /usr/bin/remove-music /usr/bin/detach-usb
+	ln -s /usr/bin/remove-music /usr/bin/remove-usb
+	ln -s /usr/bin/remove-music /usr/bin/detach-media
+	ln -s /usr/bin/remove-music /usr/bin/remove-media
+	ln -s /usr/bin/remove-music /usr/bin/detach-videos
+	ln -s /usr/bin/remove-music /usr/bin/remove-videos
+	ln -s /usr/bin/remove-music /usr/bin/detach-pictures
+	ln -s /usr/bin/remove-music /usr/bin/remove-pictures
+
+	echo 'script_for_attaching_usb_drive' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-editor

@@ -0,0 +1,113 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Editor applications
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function install_editor {
+	if grep -Fxq "install_editor" $COMPLETION_FILE; then
+		return
+	fi
+	update-alternatives --set editor /usr/bin/emacs24
+
+	# A minimal emacs configuration
+	#echo -n "(add-to-list 'load-path " > /home/$MY_USERNAME/.emacs
+	#echo '"~/.emacs.d/")' >> /home/$MY_USERNAME/.emacs
+	#echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Remove trailing whitepace ======================================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo ";;(add-hook 'before-save-hook 'delete-trailing-whitespace)" >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo ';; Goto a line number with CTRL-l' >> /home/$MY_USERNAME/.emacs
+	echo -n '(global-set-key "\C-l" ' >> /home/$MY_USERNAME/.emacs
+	echo "'goto-line)" >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Show line numbers ==============================================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo "(add-hook 'find-file-hook (lambda () (linum-mode 1)))" >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Enable line wrapping in org-mode ===============================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo " (add-hook 'org-mode-hook" >> /home/$MY_USERNAME/.emacs
+	echo "           '(lambda ()" >> /home/$MY_USERNAME/.emacs
+	echo "              (visual-line-mode 1)))" >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Enable shift select in org mode ================================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo '(setq org-support-shift-select t)' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Set standard indent to 4 rather that 4 =========================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo '(setq standard-indent 4)' >> /home/$MY_USERNAME/.emacs
+	echo '(setq-default tab-width 4)' >> /home/$MY_USERNAME/.emacs
+	echo '(setq c-basic-offset 4)' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Support Wheel Mouse Scrolling ==================================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo '(mouse-wheel-mode t)' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Place Backup Files in Specific Directory =======================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo '(setq make-backup-files t)' >> /home/$MY_USERNAME/.emacs
+	echo '(setq version-control t)' >> /home/$MY_USERNAME/.emacs
+	echo '(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/"))))' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Make Text mode the default mode for new buffers ================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo "(setq default-major-mode 'text-mode)" >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Line length ====================================================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo '(setq-default fill-column 72)' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Enable Line and Column Numbering ===============================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo '(line-number-mode 1)' >> /home/$MY_USERNAME/.emacs
+	echo '(column-number-mode 1)' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Turn on Auto Fill mode automatically in all modes ==============' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo ';; Auto-fill-mode the the automatic wrapping of lines and insertion of' >> /home/$MY_USERNAME/.emacs
+	echo ';; newlines when the cursor goes over the column limit.' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo ';; This should actually turn on auto-fill-mode by default in all major' >> /home/$MY_USERNAME/.emacs
+	echo ';; modes. The other way to do this is to turn on the fill for specific modes' >> /home/$MY_USERNAME/.emacs
+	echo ';; via hooks.' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo '(setq auto-fill-mode 1)' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo $';; ===== Enable GPG encryption =========================================' >> /home/$MY_USERNAME/.emacs
+	echo '' >> /home/$MY_USERNAME/.emacs
+	echo "(require 'epa)" >> /home/$MY_USERNAME/.emacs
+	echo '(epa-file-enable)' >> /home/$MY_USERNAME/.emacs
+	cp /home/$MY_USERNAME/.emacs /root/.emacs
+	chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
+
+	echo 'install_editor' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-gnusocial

@@ -0,0 +1,660 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# GNU Social application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+MICROBLOG_DOMAIN_NAME=
+MICROBLOG_CODE=
+MICROBLOG_ONION_PORT=8087
+MICROBLOG_REPO="https://git.gnu.io/gnu/gnu-social.git"
+MICROBLOG_COMMIT='c67b89e56bf0f90730a9e22beca7e1bd41fc26c3'
+MICROBLOG_ADMIN_PASSWORD=
+MICROBLOG_THEME_REPO="https://git.gnu.io/h2p/Qvitter.git"
+MICROBLOG_THEME_COMMIT='34510bcf37c727f91afad789fb0a531a45171ccf'
+MICROBLOG_WELCOME_MESSAGE=$'<h1>Welcome to GNU Social – a federated microblog</h1><p>Another Freedombone site</p>'
+MICROBLOG_BACKGROUND_IMAGE_URL=
+MICROBLOG_MARKDOWN_REPO="https://git.gnu.io/chimo/markdown.git"
+MICROBLOG_MARKDOWN_COMMIT='03c53942f94b3376f0946e6e1fe566cc21ccf232'
+
+# Sharings plugin for the microblog
+SHARINGS_REPO="http://git.lasindias.club/bashrc/Sharings"
+SHARINGS_COMMIT='d5c6c7f855d9afff9086c09ea706f38c859bc0d4'
+SHARINGS_THEME_REPO="http://git.lasindias.club/manuel/SharingsTheme"
+SHARINGS_THEME_COMMIT='7106c7ef03'
+
+function install_gnu_social {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! $MICROBLOG_DOMAIN_NAME ]; then
+		echo $'No domain name was given for the microblog'
+		exit 7359
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs "GNU Social commit" "$MICROBLOG_COMMIT" $MICROBLOG_REPO
+
+	# add a script to check that the daemon is running
+	echo '#!/bin/bash' > /etc/cron.hourly/gnusocial-daemons
+	echo 'daemon_lines=$(ps aux | grep "scripts/queuedaemon.php" | grep "/var/www")' >> /etc/cron.hourly/gnusocial-daemons
+	echo 'if [[ $daemon_lines != *"/var/www/"* ]]; then' >> /etc/cron.hourly/gnusocial-daemons
+
+	echo "    ADMIN_USER=\$(cat $COMPLETION_FILE | grep 'Admin user' | awk -F ':' '{print \$2}')" >> /etc/cron.hourly/gnusocial-daemons
+	echo '    MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME' >> /etc/cron.hourly/gnusocial-daemons
+	echo '    echo "Restarting GNU Social daemons" | mail -s "GNU Social daemons not found" $MY_EMAIL_ADDRESS' >> /etc/cron.hourly/gnusocial-daemons
+	echo "    cd /var/www/${MICROBLOG_DOMAIN_NAME}/htdocs" >> /etc/cron.hourly/gnusocial-daemons
+	echo '    scripts/startdaemons.sh' >> /etc/cron.hourly/gnusocial-daemons
+	echo 'fi' >> /etc/cron.hourly/gnusocial-daemons
+	chmod +x /etc/cron.hourly/gnusocial-daemons
+
+	if grep -Fxq "install_gnu_social" $COMPLETION_FILE; then
+		return
+	fi
+
+	function_check install_mariadb
+	install_mariadb
+
+	function_check get_mariadb_password
+	get_mariadb_password
+
+	function_check repair_databases_script
+	repair_databases_script
+
+	apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser
+	apt-get -y install php5-memcached
+
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME ]; then
+		mkdir /var/www/$MICROBLOG_DOMAIN_NAME
+	fi
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then
+		function_check git_clone
+		git_clone $MICROBLOG_REPO /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+		if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then
+			echo $'Unable to clone gnusocial repo'
+			exit 87525
+		fi
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+	git checkout $MICROBLOG_COMMIT -b $MICROBLOG_COMMIT
+	if ! grep -q "GNU Social commit" $COMPLETION_FILE; then
+		echo "GNU Social commit:$MICROBLOG_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/GNU Social commit.*/GNU Social commit:$MICROBLOG_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+	chown www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+	chmod +x /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php
+
+	function_check get_mariadb_gnusocial_admin_password
+	get_mariadb_gnusocial_admin_password
+	if [ ! $MICROBLOG_ADMIN_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			MICROBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			MICROBLOG_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+	fi
+
+	function_check create_database
+	create_database gnusocial "$MICROBLOG_ADMIN_PASSWORD" $MY_USERNAME
+
+	if [ ! -f "/etc/aliases" ]; then
+		touch /etc/aliases
+	fi
+	if ! grep -q "www-data: root" /etc/aliases; then
+		echo 'www-data: root' >> /etc/aliases
+	fi
+	if ! grep -q "/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" /etc/aliases; then
+		echo "*: /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" >> /etc/aliases
+	fi
+
+	function_check add_ddns_domain
+	add_ddns_domain $MICROBLOG_DOMAIN_NAME
+
+	microblog_nginx_site=/etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+	if [[ $ONION_ONLY == "no" ]]; then
+		function_check nginx_http_redirect
+		nginx_http_redirect $MICROBLOG_DOMAIN_NAME
+		echo 'server {' >> $microblog_nginx_site
+		echo '  listen 443 ssl;' >> $microblog_nginx_site
+		echo "  server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # Security' >> $microblog_nginx_site
+		function_check nginx_ssl
+		nginx_ssl $MICROBLOG_DOMAIN_NAME
+
+		function_check nginx_disable_sniffing
+		nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME
+
+		function_check nginx_limits
+		nginx_limits $MICROBLOG_DOMAIN_NAME '15m'
+		echo '  add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # Logs' >> $microblog_nginx_site
+		echo '  access_log off;' >> $microblog_nginx_site
+		echo '  error_log off;' >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # Root' >> $microblog_nginx_site
+		echo "  root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # Index' >> $microblog_nginx_site
+		echo '  index index.php;' >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # PHP' >> $microblog_nginx_site
+		echo '  location ~ \.php {' >> $microblog_nginx_site
+		echo '    include snippets/fastcgi-php.conf;' >> $microblog_nginx_site
+		echo '    fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site
+		echo '  }' >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # Location' >> $microblog_nginx_site
+		echo '  location / {' >> $microblog_nginx_site
+		echo '    try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site
+		echo '  }' >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # Fancy URLs' >> $microblog_nginx_site
+		echo '  location @gnusocial {' >> $microblog_nginx_site
+		echo '    rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site
+		echo '  }' >> $microblog_nginx_site
+		echo '' >> $microblog_nginx_site
+		echo '  # Restrict access that is unnecessary anyway' >> $microblog_nginx_site
+		echo '  location ~ /\.(ht|git) {' >> $microblog_nginx_site
+		echo '    deny all;' >> $microblog_nginx_site
+		echo '  }' >> $microblog_nginx_site
+		echo '}' >> $microblog_nginx_site
+	else
+		echo -n '' > $microblog_nginx_site
+	fi
+	echo 'server {' >> $microblog_nginx_site
+	echo "    listen 127.0.0.1:$MICROBLOG_ONION_PORT default_server;" >> $microblog_nginx_site
+	echo "    server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site
+	echo '' >> $microblog_nginx_site
+	function_check nginx_disable_sniffing
+	nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME
+	function_check nginx_limits
+	nginx_limits $MICROBLOG_DOMAIN_NAME '15m'
+	echo '' >> $microblog_nginx_site
+	echo '  # Logs' >> $microblog_nginx_site
+	echo '  access_log off;' >> $microblog_nginx_site
+	echo '  error_log off;' >> $microblog_nginx_site
+	echo '' >> $microblog_nginx_site
+	echo '  # Root' >> $microblog_nginx_site
+	echo "  root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site
+	echo '' >> $microblog_nginx_site
+	echo '  # Index' >> $microblog_nginx_site
+	echo '  index index.php;' >> $microblog_nginx_site
+	echo '' >> $microblog_nginx_site
+	echo '  # PHP' >> $microblog_nginx_site
+	echo '  location ~ \.php {' >> $microblog_nginx_site
+	echo '    include snippets/fastcgi-php.conf;' >> $microblog_nginx_site
+	echo '    fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site
+	echo '  }' >> $microblog_nginx_site
+	echo '' >> $microblog_nginx_site
+	echo '  # Location' >> $microblog_nginx_site
+	echo '  location / {' >> $microblog_nginx_site
+	echo '    try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site
+	echo '  }' >> $microblog_nginx_site
+	echo '' >> $microblog_nginx_site
+	echo '  # Fancy URLs' >> $microblog_nginx_site
+	echo '  location @gnusocial {' >> $microblog_nginx_site
+	echo '    rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site
+	echo '  }' >> $microblog_nginx_site
+	echo '' >> $microblog_nginx_site
+	echo '  # Restrict access that is unnecessary anyway' >> $microblog_nginx_site
+	echo '  location ~ /\.(ht|git) {' >> $microblog_nginx_site
+	echo '    deny all;' >> $microblog_nginx_site
+	echo '  }' >> $microblog_nginx_site
+	echo '}' >> $microblog_nginx_site
+
+	function_check configure_php
+	configure_php
+
+	function_check create_site_certificate
+	create_site_certificate $MICROBLOG_DOMAIN_NAME 'yes'
+
+	# Ensure that the database gets backed up locally, if remote
+	# backups are not being used
+	function_check backup_databases_script_header
+	backup_databases_script_header
+
+	function_check backup_database_local
+	backup_database_local gnusocial
+
+	function_check nginx_ensite
+	nginx_ensite $MICROBLOG_DOMAIN_NAME
+
+	# NOTE: For the typical case always enable SSL and only
+	# disable it if in onion only mode. This is due to complexities
+	# with the way URLs are generated by GNU Social
+	gnu_social_ssl='always'
+	if [[ $ONION_ONLY != 'no' ]]; then
+		gnu_social_ssl='never'
+	fi
+
+	MICROBLOG_ONION_HOSTNAME=$(add_onion_service microblog 80 ${MICROBLOG_ONION_PORT})
+
+	MICROBLOG_SERVER=${MICROBLOG_DOMAIN_NAME}
+	if [[ $ONION_ONLY != 'no' ]]; then
+		MICROBLOG_SERVER=${MICROBLOG_ONION_HOSTNAME}
+	fi
+
+	# Create the configuration
+	gnu_social_installer=/var/www/${MICROBLOG_DOMAIN_NAME}/htdocs/scripts/install_cli.php
+	if [ ! -f $gnu_social_installer ]; then
+		echo $'No GNU Social commandline installer found'
+		exit 53026
+	fi
+	${gnu_social_installer} --server "${MICROBLOG_SERVER}" \
+							--host="localhost" --database="gnusocial" \
+							--dbtype=mysql --username="root" -v \
+							--password="$MARIADB_PASSWORD" \
+							--sitename=$"GNU Social" --fancy='yes' \
+							--admin-nick="$MY_USERNAME" \
+							--admin-pass="$MICROBLOG_ADMIN_PASSWORD" \
+							--site-profile="community" \
+							--ssl=${gnu_social_ssl}
+	# There can be a lot of warnings here so the return value check is disabled
+	#if [ ! "$?" = "0" ]; then
+	#    # failed to install
+	#    echo $'Could not install GNU Social'
+	#    exit 72357
+	#fi
+
+	# check microblog has a config file
+	microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
+	if [ ! -f $microblog_config_file ]; then
+		echo $'Microblog config.php not found'
+		exit 87586
+	fi
+
+	# Some useful settings
+	if ! grep -q "Recommended GNU social settings" $microblog_config_file; then
+		echo "" >> $microblog_config_file
+		echo "// Recommended GNU social settings" >> $microblog_config_file
+		echo "\$config['thumbnail']['maxsize'] = 3000;" >> $microblog_config_file
+		echo "\$config['profile']['delete'] = true;" >> $microblog_config_file
+		echo "\$config['profile']['changenick'] = true;" >> $microblog_config_file
+		echo "\$config['public']['localonly'] = false;" >> $microblog_config_file
+		echo "addPlugin('StoreRemoteMedia');" >> $microblog_config_file
+		echo "\$config['queue']['enabled'] = true;" >> $microblog_config_file
+		echo "\$config['queue']['daemon'] = true;" >> $microblog_config_file
+	fi
+
+	# This improves performance
+	sed -i "s|//\$config\['db'\]\['schemacheck'\].*|\$config\['db'\]\['schemacheck'\] = 'script';|g" $microblog_config_file
+
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	freedombone-addemail -u $MY_USERNAME -e "noreply@$MICROBLOG_DOMAIN_NAME" -g gnusocial --public no
+
+	# some post-install instructions for the user
+	if ! grep -q $"Microblog administrator" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Microblog' >> /home/$MY_USERNAME/README
+		echo '=========' >> /home/$MY_USERNAME/README
+		echo $"Microblog administrator nickname: $MY_USERNAME" >> /home/$MY_USERNAME/README
+		echo $"Microblog administrator password: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	if ! grep -q "Microblog onion domain" /home/$MY_USERNAME/README; then
+		echo $"Microblog onion domain: ${MICROBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+	echo "GNU Social onion domain:${MICROBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE
+
+	echo "GNU Social domain:$MICROBLOG_DOMAIN_NAME" >> $COMPLETION_FILE
+	echo 'install_gnu_social' >> $COMPLETION_FILE
+}
+
+function install_gnu_social_plugin_sharings {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then
+		echo $'No local/plugins directory found for the microblog'
+		exit 72945
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings plugin commit" "$SHARINGS_COMMIT" $SHARINGS_REPO
+
+	if grep -Fxq "install_gnu_social_plugin_sharings" $COMPLETION_FILE; then
+		return
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
+	function_check git_clone
+	git_clone $SHARINGS_REPO Sharings
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings ]; then
+		echo $'Unable to clone microblog sharings plugin'
+		exit 36738
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings
+	git stash
+	git checkout master
+	git branch -D $SHARINGS_COMMIT
+	git checkout $SHARINGS_COMMIT -b $SHARINGS_COMMIT
+
+	# enable the plugin
+	if ! grep -q "addPlugin('Sharings');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then
+		echo "addPlugin('Sharings');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+	php scripts/checkschema.php
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings
+	php scripts/seedsharings.php
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+	php scripts/checkschema.php
+
+	# Languages
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en/LC_MESSAGES
+	msgfmt -o Sharings.mo Sharings.po
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_GB/LC_MESSAGES
+	msgfmt -o Sharings.mo Sharings.po
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_US/LC_MESSAGES
+	msgfmt -o Sharings.mo Sharings.po
+
+	chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+
+	if ! grep -q "GNU Social sharings plugin commit" $COMPLETION_FILE; then
+		echo "GNU Social sharings plugin commit:$SHARINGS_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s|GNU Social sharings plugin commit.*|GNU Social sharings plugin commit:$SHARINGS_COMMIT|g" $COMPLETION_FILE
+	fi
+	echo 'install_gnu_social_plugin_sharings' >> $COMPLETION_FILE
+}
+
+function install_gnu_social_plugin_sharings_theme {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then
+		echo $'No local/plugins directory found for the microblog'
+		exit 74458
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings theme plugin commit" "$SHARINGS_THEME_COMMIT" $SHARINGS_THEME_REPO
+
+	if grep -Fxq "install_gnu_social_plugin_sharings_theme" $COMPLETION_FILE; then
+		return
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
+	function_check git_clone
+	git_clone $SHARINGS_THEME_REPO SharingsTheme
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme ]; then
+		echo $'Unable to clone microblog sharings plugin theme'
+		exit 639253
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme
+	git stash
+	git checkout master
+	git branch -D $SHARINGS_THEME_COMMIT
+	git checkout $SHARINGS_THEME_COMMIT -b $SHARINGS_THEME_COMMIT
+
+	# enable the plugin
+	if ! grep -q "addPlugin('SharingsTheme');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then
+		echo "addPlugin('SharingsTheme');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+	php scripts/checkschema.php
+
+	chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+
+	if ! grep -q "GNU Social sharings plugin theme commit" $COMPLETION_FILE; then
+		echo "GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s|GNU Social sharings plugin theme commit.*|GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT|g" $COMPLETION_FILE
+	fi
+	echo 'install_gnu_social_plugin_sharings_theme' >> $COMPLETION_FILE
+}
+
+function expire_gnu_social_posts {
+	# To prevent the database size from growing endlessly this script expires posts
+	# after a number of months
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then
+		return
+	fi
+
+	gnusocial_expire_script=/usr/bin/gnusocial-expire
+
+	echo '<?php' > $gnusocial_expire_script
+	echo '' >> $gnusocial_expire_script
+	echo '// GNU Social post expiry script, based on StatExpire by Tony Baldwin' >> $gnusocial_expire_script
+	echo '// https://github.com/tonybaldwin/statexpire' >> $gnusocial_expire_script
+	echo '' >> $gnusocial_expire_script
+	echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $gnusocial_expire_script
+	echo '$username="root";' >> $gnusocial_expire_script
+	echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $gnusocial_expire_script
+	echo '$database="gnusocial";' >> $gnusocial_expire_script
+	echo '' >> $gnusocial_expire_script
+	echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $gnusocial_expire_script
+	echo '    echo "Could not connect to mariadb";' >> $gnusocial_expire_script
+	echo '    exit;' >> $gnusocial_expire_script
+	echo '}' >> $gnusocial_expire_script
+	echo '' >> $gnusocial_expire_script
+	echo 'if (!mysql_select_db($database, $link)) {' >> $gnusocial_expire_script
+	echo '    echo "Could not select gnusocial database";' >> $gnusocial_expire_script
+	echo '    exit;' >> $gnusocial_expire_script
+	echo '}' >> $gnusocial_expire_script
+	echo '' >> $gnusocial_expire_script
+	echo "\$notice_query=\"DELETE FROM notice WHERE created <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script
+	echo "\$conversation_query=\"DELETE FROM conversation WHERE created <= '$oldate 01:01:01'\";" >> $gnusocial_expire_script
+	echo "\$reply_query=\"DELETE FROM reply WHERE modified <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script
+	echo '' >> $gnusocial_expire_script
+	echo 'mysql_query($notice_query);' >> $gnusocial_expire_script
+	echo '$rowaff1=mysql_affected_rows();' >> $gnusocial_expire_script
+	echo 'mysql_query($conversation_query);' >> $gnusocial_expire_script
+	echo '$rowaff2=mysql_affected_rows();' >> $gnusocial_expire_script
+	echo 'mysql_query($reply_query);' >> $gnusocial_expire_script
+	echo '$rowaff3=mysql_affected_rows();' >> $gnusocial_expire_script
+	echo 'mysql_close();' >> $gnusocial_expire_script
+	echo '' >> $gnusocial_expire_script
+	echo 'echo "Expire GNU Social posts: $rowaff1 notices, $rowaff2 conversations, and $rowaff3 replies deleted from database.\n";' >> $gnusocial_expire_script
+	chmod +x $gnusocial_expire_script
+
+	# Add a cron job
+	if ! grep -q "$gnusocial_expire_script" /etc/crontab; then
+		echo "10 3 5   *   *   root /usr/bin/timeout 500 /usr/bin/php $gnusocial_expire_script" >> /etc/crontab
+	fi
+
+	# remove old expire script
+	if [ -f /etc/cron.weekly/clear-microblog-database ]; then
+		rm /etc/cron.weekly/clear-microblog-database
+	fi
+}
+
+function install_gnu_social_theme {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter "GNU Social theme commit" "$MICROBLOG_THEME_COMMIT" $MICROBLOG_THEME_REPO
+
+	# customise with project logo
+	if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then
+		if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then
+			cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png
+		fi
+	fi
+
+	if grep -Fxq "install_gnu_social_theme" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install wget
+
+	if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then
+		mkdir -p /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
+	fi
+
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins
+	function_check git_clone
+	git_clone $MICROBLOG_THEME_REPO Qvitter
+	cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter
+	git checkout $MICROBLOG_THEME_COMMIT -b $MICROBLOG_THEME_COMMIT
+
+	# download a custom background image
+	MICROBLOG_BACKGROUND_IMAGE_URL_EXT=
+	if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then
+		if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpeg" || $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpg" ]]; then
+			MICROBLOG_BACKGROUND_IMAGE_URL_EXT="jpg"
+		fi
+		if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".png" ]]; then
+			MICROBLOG_BACKGROUND_IMAGE_URL_EXT="png"
+		fi
+		if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".gif" ]]; then
+			MICROBLOG_BACKGROUND_IMAGE_URL_EXT="gif"
+		fi
+		if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then
+			wget $MICROBLOG_BACKGROUND_IMAGE_URL -O img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}
+			if [ ! -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then
+				echo "$MICROBLOG_BACKGROUND_IMAGE_URL"
+				echo $'Custom background image for microblog could not be downloaded'
+				exit 87524
+			fi
+		fi
+	fi
+
+	microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php
+	if ! grep -q "addPlugin('Qvitter')" $microblog_config_file; then
+		MICROBLOG_WELCOME_MESSAGE=$(echo $MICROBLOG_WELCOME_MESSAGE | sed "s|\$MICROBLOG_DOMAIN_NAME|$MICROBLOG_DOMAIN_NAME|g")
+		echo "" >> $microblog_config_file
+		echo "// Qvitter settings" >> $microblog_config_file
+		echo "addPlugin('Qvitter');" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['enabledbydefault'] = true;" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['defaultbackgroundcolor'] = '#f4f4f4';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['defaultlinkcolor'] = '#0084B4';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['timebetweenpolling'] = 30000; // 30 secs" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['urlshortenerapiurl'] = 'http://qttr.at/shortener.php';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['urlshortenersignature'] = 'b6afeec983';" >> $microblog_config_file
+		if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then
+			echo "\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';" >> $microblog_config_file
+		else
+			echo "\$config['site']['qvitter']['sitebackground'] = 'img/vagnsmossen.jpg';" >> $microblog_config_file
+		fi
+		echo "\$config['site']['qvitter']['favicon'] = 'img/favicon.ico?v=4';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['sprite'] = Plugin::staticPath('Qvitter', '').'img/sprite.png?v=40';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['enablewelcometext'] = true;" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['customwelcometext']['en'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['customwelcometext']['de'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['customwelcometext']['fr'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['customwelcometext']['es'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file
+		echo "\$config['site']['qvitter']['blocked_ips'] = array();" >> $microblog_config_file
+	else
+		if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then
+			if [ -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then
+				sed -i "s|\$config['site']['qvitter']['sitebackground'].*|\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';|g" $microblog_config_file
+			fi
+		fi
+	fi
+
+	# customise with project logo
+	if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then
+		if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then
+			cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png
+		fi
+	fi
+
+	if ! grep -q "GNU Social theme commit" $COMPLETION_FILE; then
+		echo "GNU Social theme commit:$MICROBLOG_THEME_COMMIT" >> $COMPLETION_FILE
+	fi
+
+	chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+
+	echo 'install_gnu_social_theme' >> $COMPLETION_FILE
+}
+
+function install_gnu_social_markdown {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	MICROBLOG_PATH=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $MICROBLOG_PATH/local/plugins/Markdown "GNU Social Markdown commit" "$MICROBLOG_MARKDOWN_COMMIT" $MICROBLOG_MARKDOWN_REPO
+
+	if grep -Fxq "install_gnu_social_markdown" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [ -d $MICROBLOG_PATH/local/plugins/Markdown ]; then
+		rm -rf $MICROBLOG_PATH/local/plugins/Markdown
+	fi
+
+	if [ ! -d $MICROBLOG_PATH/local/plugins ]; then
+		mkdir -p $MICROBLOG_PATH/local/plugins
+	fi
+
+	cd $MICROBLOG_PATH/local/plugins
+	function_check git_clone
+	git_clone $MICROBLOG_MARKDOWN_REPO Markdown
+	cd $MICROBLOG_PATH/local/plugins/Markdown
+	git checkout $MICROBLOG_MARKDOWN_COMMIT -b $MICROBLOG_MARKDOWN_COMMIT
+
+	microblog_config_file=$MICROBLOG_PATH/config.php
+	if ! grep -q "addPlugin('Markdown'" $microblog_config_file; then
+		echo "" >> $microblog_config_file
+		echo "// Markdown settings" >> $microblog_config_file
+		echo "addPlugin('Markdown');" >> $microblog_config_file
+	fi
+
+	if ! grep -q "GNU Social Markdown commit" $COMPLETION_FILE; then
+		echo "GNU Social Markdown commit:$MICROBLOG_MARKDOWN_COMMIT" >> $COMPLETION_FILE
+	fi
+
+	chown -R www-data:www-data $MICROBLOG_PATH
+
+	echo 'install_gnu_social_markdown' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-app-gogs

@@ -0,0 +1,410 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Gogs functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+GIT_DOMAIN_NAME=
+GIT_CODE=
+GIT_ONION_PORT=8090
+GIT_DOMAIN_REPO="https://github.com/gogits/gogs"
+GIT_ADMIN_PASSWORD=
+GOGS_COMMIT='3fb4f7f4980b4339fd9ef6a3ba5b0acab83d264d'
+
+function install_gogs {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! $GIT_DOMAIN_NAME ]; then
+		return
+	fi
+
+	function_check select_go_version
+	select_go_version
+
+	# update to the next commit
+	function_check
+	set_repo_commit $GOPATH/src/github.com/gogits/gogs "Gogs commit" "$GOGS_COMMIT" $GIT_DOMAIN_REPO
+
+	if grep -Fxq "install_gogs" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [ -d $GOPATH/src/github.com/gogits ]; then
+		rm -rf $GOPATH/src/github.com/gogits
+	fi
+
+	if [ -d /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits ]; then
+		rm -rf /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits
+	fi
+
+	if [ -d /home/git/gogs-repositories ]; then
+		rm -rf /home/git/gogs-repositories
+	fi
+
+	if [ ! -d /home/git ]; then
+		# add a gogs user account
+		adduser --disabled-login --gecos 'Gogs' git
+	fi
+	if [ -d /home/git/Maildir ]; then
+		rm -rf /home/git/Maildir
+	fi
+
+	if [ -d $GOPATH/src/github.com/gogits ]; then
+		rm -rf $GOPATH/src/github.com/gogits
+	fi
+
+	# install Go
+	apt-get -y install golang libpam0g-dev
+	if ! grep -q "export GOPATH=" ~/.bashrc; then
+		echo "export GOPATH=$GOPATH" >> ~/.bashrc
+	else
+		sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc
+	fi
+	systemctl set-environment GOPATH=$GOPATH
+	if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
+		echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
+	else
+		sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc
+	fi
+	if [ ! -d $GOPATH ]; then
+		mkdir -p $GOPATH
+	fi
+	GO_PACKAGE_MANAGER_REPO2=$(echo "$GO_PACKAGE_MANAGER_REPO" | sed 's|https://||g')
+	go get -u $GO_PACKAGE_MANAGER_REPO2
+	if [ ! "$?" = "0" ]; then
+		echo $'install_gogs: go get failed'
+		exit 479832
+	fi
+
+	# clone the repo
+	if [ ! -d $GOPATH/src/github.com/gogits ]; then
+		mkdir -p $GOPATH/src/github.com/gogits
+	fi
+	function_check git_clone
+	git_clone $GIT_DOMAIN_REPO $GOPATH/src/github.com/gogits/gogs
+	if [ ! -d $GOPATH/src/github.com/gogits/gogs ]; then
+		echo $"Unable to clone repo $GOPATH/src/github.com/gogits/gogs"
+		exit 85482
+	fi
+	cd $GOPATH/src/github.com/gogits/gogs
+
+	# install
+	go get -u ./...
+
+	git checkout $GOGS_COMMIT -b $GOGS_COMMIT
+	if ! grep -q "Gogs commit" $COMPLETION_FILE; then
+		echo "Gogs commit:$GOGS_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/Gogs commit.*/Gogs commit:$GOGS_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	go build
+	if [ ! "$?" = "0" ]; then
+		echo $'install_gogs: go build failed'
+		exit 546750
+	fi
+
+	function_check install_mariadb
+	install_mariadb
+
+	function_check get_mariadb_password
+	get_mariadb_password
+
+	function_check get_mariadb_git_admin_password
+	get_mariadb_git_admin_password
+	if [ ! $GIT_ADMIN_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			GIT_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			GIT_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+	fi
+
+	if ! grep -q $"Gogs admin user password" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo 'Gogs' >> /home/$MY_USERNAME/README
+		echo '====' >> /home/$MY_USERNAME/README
+		echo $'Install Steps For First-time Run:' >> /home/$MY_USERNAME/README
+		echo $'Leave email service settings empty' >> /home/$MY_USERNAME/README
+		echo $'Check "Enable Register Confirmation"' >> /home/$MY_USERNAME/README
+		echo $'Check "Enable Mail Notification"' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'If you want to disable new account registrations then append the following:' >> /home/$MY_USERNAME/README
+		echo '  [service]' >> /home/$MY_USERNAME/README
+		echo '  DISABLE_REGISTRATION = true' >> /home/$MY_USERNAME/README
+		echo $'Then restart with:' >> /home/$MY_USERNAME/README
+		echo '  systemctl restart gogs' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $"Note that there's a usability/security trade-off made here." >> /home/$MY_USERNAME/README
+		echo $"In order to allow git clone via http we don't redirect everything" >> /home/$MY_USERNAME/README
+		echo $'over https. Instead only critical things such as user login,' >> /home/$MY_USERNAME/README
+		echo $'settings and admin are encrypted.' >> /home/$MY_USERNAME/README
+		echo $'There are also potential security issues with cloning/pulling/pushing' >> /home/$MY_USERNAME/README
+		echo $'code over http, since a determined adversary could inject malware' >> /home/$MY_USERNAME/README
+		echo $'into the stream as it passes, so beware.' >> /home/$MY_USERNAME/README
+		echo $'If you have a bought domain and a non-self signed cert then you' >> /home/$MY_USERNAME/README
+		echo $"should change /etc/nginx/sites-available/$GIT_DOMAIN_NAME to redirect everything over https." >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	function_check create_database
+	create_database gogs "$GOGS_ADMIN_PASSWORD"
+	if [ ! -f $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql ]; then
+		echo $'MySql template for Gogs was not found'
+		exit 72528
+	fi
+	function_check initialise_database
+	initialise_database gogs $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql
+
+	chmod 600 $GOPATH/src/github.com/gogits/gogs/custom/conf/app.ini
+
+	chown -R git:git /home/git
+	echo '[Unit]' > /etc/systemd/system/gogs.service
+	echo 'Description=Gogs (Go Git Service)' >> /etc/systemd/system/gogs.service
+	echo 'After=syslog.target' >> /etc/systemd/system/gogs.service
+	echo 'After=network.target' >> /etc/systemd/system/gogs.service
+	echo 'After=mysqld.service' >> /etc/systemd/system/gogs.service
+	echo '' >> /etc/systemd/system/gogs.service
+	echo '[Service]' >> /etc/systemd/system/gogs.service
+	echo '#LimitMEMLOCK=infinity' >> /etc/systemd/system/gogs.service
+	echo '#LimitNOFILE=65535' >> /etc/systemd/system/gogs.service
+	echo 'Type=simple' >> /etc/systemd/system/gogs.service
+	echo 'User=git' >> /etc/systemd/system/gogs.service
+	echo 'Group=git' >> /etc/systemd/system/gogs.service
+	echo "WorkingDirectory=$GOPATH/src/github.com/gogits/gogs" >> /etc/systemd/system/gogs.service
+	echo "ExecStart=$GOPATH/src/github.com/gogits/gogs/gogs web" >> /etc/systemd/system/gogs.service
+	echo 'Restart=always' >> /etc/systemd/system/gogs.service
+	echo 'RestartSec=10' >> /etc/systemd/system/gogs.service
+	echo 'TimeoutStartSec=120' >> /etc/systemd/system/gogs.service
+	echo "Environment=\"USER=git\" \"HOME=/home/git\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/gogs.service
+	echo '' >> /etc/systemd/system/gogs.service
+	echo '[Install]' >> /etc/systemd/system/gogs.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/gogs.service
+
+	systemctl enable gogs
+	systemctl daemon-reload
+	systemctl restart gogs
+
+	if [ ! -d /var/www/$GIT_DOMAIN_NAME ]; then
+		mkdir /var/www/$GIT_DOMAIN_NAME
+	fi
+	if [ -d /var/www/$GIT_DOMAIN_NAME/htdocs ]; then
+		rm -rf /var/www/$GIT_DOMAIN_NAME/htdocs
+	fi
+
+	if [[ $ONION_ONLY == "no" ]]; then
+		function_check nginx_http_redirect
+		nginx_http_redirect $GIT_DOMAIN_NAME
+		echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo "    root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo "    server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo "    error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		function_check nginx_limits
+		nginx_limits $GIT_DOMAIN_NAME '10G'
+		function_check nginx_ssl
+		nginx_ssl $GIT_DOMAIN_NAME
+		function_check nginx_disable_sniffing
+		nginx_disable_sniffing $GIT_DOMAIN_NAME
+		echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '        proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '        allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '        log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '        access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	else
+		echo -n '' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	fi
+	echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo "    listen 127.0.0.1:${GIT_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo "    root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo "    server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo "    error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	function_check nginx_limits
+	nginx_limits $GIT_DOMAIN_NAME '10G'
+	function_check nginx_disable_sniffing
+	nginx_disable_sniffing $GIT_DOMAIN_NAME
+	echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '        proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '        allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '        log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '        access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+	echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+
+	function_check configure_php
+	configure_php
+
+	function_check create_site_certificate
+	create_site_certificate $GIT_DOMAIN_NAME 'yes'
+
+	nginx_ensite $GIT_DOMAIN_NAME
+
+	if [ ! -d /var/lib/tor ]; then
+		echo $'No Tor installation found. Gogs onion site cannot be configured.'
+		exit 877367
+	fi
+	if ! grep -q "hidden_service_gogs" /etc/tor/torrc; then
+		echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/' >> /etc/tor/torrc
+		echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}" >> /etc/tor/torrc
+		echo "HiddenServicePort 9418 127.0.0.1:9418" >> /etc/tor/torrc
+		echo $'Added onion site for Gogs'
+	fi
+
+	systemctl restart tor
+
+	function_check wait_for_onion_service
+	wait_for_onion_service 'gogs'
+
+	GIT_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_gogs/hostname)
+
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	if ! grep -q "Gogs onion domain" /home/$MY_USERNAME/README; then
+		echo "Gogs onion domain: ${GIT_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+	if ! grep -q "Gogs onion domain" $COMPLETION_FILE; then
+		echo "Gogs onion domain:${GIT_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	fi
+
+	function_check add_ddns_domain
+	add_ddns_domain $GIT_DOMAIN_NAME
+
+	# obtain the secret key
+	GOGS_SECRET_KEY=
+	if grep -q "Gogs secret key:" /home/$MY_USERNAME/README; then
+		GOGS_SECRET_KEY=$(cat /home/$MY_USERNAME/README | grep "Gogs secret key:" | awk -F ':' '{print $2}' | sed 's/^ *//')
+	else
+		GOGS_SECRET_KEY="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		echo "Gogs secret key:$GOGS_SECRET_KEY" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+	fi
+
+	# create the configuration
+	GOGS_CONFIG_PATH=/home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits/gogs/custom/conf
+	if [ ! -d $GOGS_CONFIG_PATH ]; then
+		mkdir -p $GOGS_CONFIG_PATH
+	fi
+	GOGS_CONFIG_FILE=$GOGS_CONFIG_PATH/app.ini
+	echo 'RUN_USER = git' > $GOGS_CONFIG_FILE
+	echo 'RUN_MODE = prod' >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[database]' >> $GOGS_CONFIG_FILE
+	echo 'DB_TYPE = mysql' >> $GOGS_CONFIG_FILE
+	echo 'HOST = 127.0.0.1:3306' >> $GOGS_CONFIG_FILE
+	echo 'NAME = gogs' >> $GOGS_CONFIG_FILE
+	echo 'USER = root' >> $GOGS_CONFIG_FILE
+	echo "PASSWD = $MARIADB_PASSWORD" >> $GOGS_CONFIG_FILE
+	echo 'SSL_MODE = disable' >> $GOGS_CONFIG_FILE
+	echo 'PATH = data/gogs.db' >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[repository]' >> $GOGS_CONFIG_FILE
+	echo 'ROOT = /home/git/gogs-repositories' >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[server]' >> $GOGS_CONFIG_FILE
+	if [[ $ONION_ONLY == 'no' ]]; then
+		echo "DOMAIN = ${GIT_DOMAIN_NAME}" >> $GOGS_CONFIG_FILE
+	else
+		echo "DOMAIN = ${GIT_ONION_HOSTNAME}" >> $GOGS_CONFIG_FILE
+	fi
+	echo 'HTTP_PORT = 3000' >> $GOGS_CONFIG_FILE
+	echo "ROOT_URL = http://$GIT_DOMAIN_NAME/" >> $GOGS_CONFIG_FILE
+	echo "SSH_PORT = $SSH_PORT" >> $GOGS_CONFIG_FILE
+	echo 'SSH_DOMAIN = %(DOMAIN)s' >> $GOGS_CONFIG_FILE
+	echo "CERT_FILE = /etc/ssl/certs/${GIT_DOMAIN_NAME}.crt" >> $GOGS_CONFIG_FILE
+	echo "KEY_FILE = /etc/ssl/private/${GIT_DOMAIN_NAME}.key" >> $GOGS_CONFIG_FILE
+	echo 'DISABLE_ROUTER_LOG = true' >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[session]' >> $GOGS_CONFIG_FILE
+	echo 'PROVIDER = file' >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[log]' >> $GOGS_CONFIG_FILE
+	echo 'MODE = file' >> $GOGS_CONFIG_FILE
+	echo 'LEVEL = Info' >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[security]' >> $GOGS_CONFIG_FILE
+	echo 'INSTALL_LOCK = true' >> $GOGS_CONFIG_FILE
+	echo "SECRET_KEY = $GOGS_SECRET_KEY" >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[service]' >> $GOGS_CONFIG_FILE
+	echo 'DISABLE_REGISTRATION = false' >> $GOGS_CONFIG_FILE
+	echo 'SHOW_REGISTRATION_BUTTON = true' >> $GOGS_CONFIG_FILE
+	echo 'REQUIRE_SIGNIN_VIEW = false' >> $GOGS_CONFIG_FILE
+	echo 'ENABLE_CAPTCHA = false' >> $GOGS_CONFIG_FILE
+	echo '' >> $GOGS_CONFIG_FILE
+	echo '[other]' >> $GOGS_CONFIG_FILE
+	echo 'SHOW_FOOTER_BRANDING = false' >> $GOGS_CONFIG_FILE
+	echo 'SHOW_FOOTER_VERSION = false' >> $GOGS_CONFIG_FILE
+
+	chmod 750 $GOGS_CONFIG_FILE
+	chown -R git:git /home/git
+
+	systemctl restart gogs
+
+	if ! grep -q "Gogs domain:" $COMPLETION_FILE; then
+		echo "Gogs domain:$GIT_DOMAIN_NAME" >> $COMPLETION_FILE
+	fi
+
+	function_check configure_firewall_for_git
+	configure_firewall_for_git
+	echo 'install_gogs' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-hubzilla

@@ -0,0 +1,388 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Hubzilla application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+HUBZILLA_DOMAIN_NAME=
+HUBZILLA_CODE=
+HUBZILLA_ONION_PORT=8085
+HUBZILLA_REPO="https://github.com/redmatrix/hubzilla.git"
+HUBZILLA_THEMES_REPO="https://github.com/DeadSuperHero/redmatrix-themes"
+HUBZILLA_ADDONS_REPO="https://github.com/redmatrix/hubzilla-addons.git"
+HUBZILLA_ADMIN_PASSWORD=
+HUBZILLA_COMMIT='2d79e75788aa71664a379c4cea0b6bfe3ab87ad0'
+HUBZILLA_ADDONS_COMMIT='67b40c7a40f328a93ee030eb15e9e1261f3cba64'
+
+function install_hubzilla {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! $HUBZILLA_DOMAIN_NAME ]; then
+		return
+	fi
+
+	HUBZILLA_PATH=/var/www/$HUBZILLA_DOMAIN_NAME/htdocs
+
+	# update to a new commit if needed
+	function_check set_repo_commit
+	set_repo_commit $HUBZILLA_PATH "Hubzilla commit" "$HUBZILLA_COMMIT" $HUBZILLA_REPO
+	set_repo_commit $HUBZILLA_PATH/addon "Hubzilla addons commit" "$HUBZILLA_ADDONS_COMMIT" $HUBZILLA_ADDONS_REPO
+	if [ -d $HUBZILLA_PATH/redmatrix-themes1 ]; then
+		cd $HUBZILLA_PATH/redmatrix-themes1
+		git stash
+		git pull
+		cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/
+		chown -R www-data:www-data $HUBZILLA_PATH
+	fi
+
+	if grep -Fxq "install_hubzilla" $COMPLETION_FILE; then
+		return
+	fi
+
+    function_check install_mariadb
+	install_mariadb
+
+    function_check get_mariadb_password
+    get_mariadb_password
+
+    function_check repair_databases_script
+    repair_databases_script
+
+	apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git
+	apt-get -y install php5-dev imagemagick php5-imagick
+	apt-get -y install php5-memcached
+
+	if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then
+		mkdir /var/www/$HUBZILLA_DOMAIN_NAME
+	fi
+	if [ ! -d $HUBZILLA_PATH ]; then
+		mkdir $HUBZILLA_PATH
+	fi
+
+	if [ ! -f $HUBZILLA_PATH/index.php ]; then
+		cd $INSTALL_DIR
+		function_check git_clone
+		git_clone $HUBZILLA_REPO hubzilla
+		git checkout $HUBZILLA_COMMIT -b $HUBZILLA_COMMIT
+		if ! grep -q "Hubzilla commit" $COMPLETION_FILE; then
+			echo "Hubzilla commit:$HUBZILLA_COMMIT" >> $COMPLETION_FILE
+		else
+			sed -i "s/Hubzilla commit.*/Hubzilla commit:$HUBZILLA_COMMIT/g" $COMPLETION_FILE
+		fi
+
+		rm -rf $HUBZILLA_PATH
+		mv hubzilla $HUBZILLA_PATH
+
+		git_clone $HUBZILLA_ADDONS_REPO $HUBZILLA_PATH/addon
+		cd $HUBZILLA_PATH/addon
+		git checkout $HUBZILLA_ADDONS_COMMIT -b $HUBZILLA_ADDONS_COMMIT
+		if ! grep -q "Hubzilla addons commit" $COMPLETION_FILE; then
+			echo "Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT" >> $COMPLETION_FILE
+		else
+			sed -i "s/Hubzilla addons commit.*/Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT/g" $COMPLETION_FILE
+		fi
+
+		# some extra themes
+		git_clone $HUBZILLA_THEMES_REPO $HUBZILLA_PATH/redmatrix-themes1
+		cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/
+
+		chown -R www-data:www-data $HUBZILLA_PATH
+	fi
+
+	HUBZILLA_ONION_HOSTNAME=
+	if [[ $ONION_ONLY != "no" ]]; then
+		HUBZILLA_ONION_HOSTNAME=$(add_onion_service hubzilla 80 ${HUBZILLA_ONION_PORT})
+		echo "Hubzilla onion domain:${HUBZILLA_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	fi
+
+    function_check get_mariadb_hubzilla_admin_password
+	get_mariadb_hubzilla_admin_password
+	if [ ! $HUBZILLA_ADMIN_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			HUBZILLA_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			HUBZILLA_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo 'Hubzilla' >> /home/$MY_USERNAME/README
+		echo '========' >> /home/$MY_USERNAME/README
+		if [[ $ONION_ONLY == 'no' ]]; then
+			echo $"Open https://$HUBZILLA_DOMAIN_NAME and register a new user" >> /home/$MY_USERNAME/README
+		else
+			echo $"Open http://$HUBZILLA_ONION_HOSTNAME and register a new user" >> /home/$MY_USERNAME/README
+		fi
+		echo $"Your MariaDB Hubzilla admin password is: $HUBZILLA_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+    function_check create_database
+	create_database hubzilla "$HUBZILLA_ADMIN_PASSWORD"
+
+	if ! grep -q "$HUBZILLA_PATH" /etc/crontab; then
+		echo "12,22,32,42,52 * *   *   *   root cd $HUBZILLA_PATH; /usr/bin/timeout 500 /usr/bin/php include/poller.php" >> /etc/crontab
+	fi
+
+    function check add_ddns_domain
+	add_ddns_domain $HUBZILLA_DOMAIN_NAME
+
+	if [[ $ONION_ONLY == "no" ]]; then
+	    function_check nginx_http_redirect
+		nginx_http_redirect $HUBZILLA_DOMAIN_NAME
+		echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		function_check nginx_limits
+		nginx_limits $HUBZILLA_DOMAIN_NAME
+		function_check nginx_ssl
+		nginx_ssl $HUBZILLA_DOMAIN_NAME
+		function_check nginx_disable_sniffing
+		nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME
+		echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '      deny  all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+	else
+		echo 'server {' > /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    listen 127.0.0.1:${HUBZILLA_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    server_name $HUBZILLA_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		nginx_limits $HUBZILLA_DOMAIN_NAME
+		nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME
+		echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '      deny  all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+		echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+	fi
+
+    function_check configure_php
+	configure_php
+
+    function_check create_site_certificate
+	create_site_certificate $HUBZILLA_DOMAIN_NAME 'yes'
+
+	if [ ! -d $HUBZILLA_PATH/view/tpl/smarty3 ]; then
+		mkdir $HUBZILLA_PATH/view/tpl/smarty3
+	fi
+	if [ ! -d "$HUBZILLA_PATH/store" ]; then
+		mkdir "$HUBZILLA_PATH/store"
+	fi
+	if [ ! -d "$HUBZILLA_PATH/store/[data]" ]; then
+		mkdir "$HUBZILLA_PATH/store/[data]"
+	fi
+	if [ ! -d "$HUBZILLA_PATH/store/[data]/smarty3" ]; then
+		mkdir "$HUBZILLA_PATH/store/[data]/smarty3"
+		chmod 777 "$HUBZILLA_PATH/store/[data]/smarty3"
+	fi
+	chmod 777 $HUBZILLA_PATH/view/tpl
+	chown -R www-data:www-data "$HUBZILLA_PATH/store"
+	chmod 777 $HUBZILLA_PATH/view/tpl/smarty3
+
+	# Ensure that the database gets backed up locally, if remote
+	# backups are not being used
+	function_check backup_databases_script_header
+	backup_databases_script_header
+
+    function_check backup_database_local
+	backup_database_local hubzilla
+
+	chown -R www-data:www-data $HUBZILLA_PATH
+
+    function_check nginx_ensite
+	nginx_ensite $HUBZILLA_DOMAIN_NAME
+
+	# initialize the database
+	if [ ! -f $HUBZILLA_PATH/install/schema_mysql.sql ]; then
+		echo $'No database schema found for hubzilla'
+		exit 252782
+	fi
+	function_check initialise_database
+	initialise_database hubzilla $HUBZILLA_PATH/install/schema_mysql.sql
+
+	# create the config file
+	echo '<?php' > $HUBZILLA_PATH/.htconfig.php
+	echo "\$db_host = 'localhost';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$db_port = '0';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$db_user = 'root';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$db_pass = '${MARIADB_PASSWORD}';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$db_data = 'hubzilla';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$db_type = '0';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$default_timezone = 'Europe/London';" >> $HUBZILLA_PATH/.htconfig.php
+	if [[ $ONION_ONLY == 'no' ]]; then
+		echo "\$a->config['system']['baseurl'] = 'https://${HUBZILLA_DOMAIN_NAME}';" >> $HUBZILLA_PATH/.htconfig.php
+	else
+		echo "\$a->config['system']['baseurl'] = 'http://${HUBZILLA_ONION_HOSTNAME}';" >> $HUBZILLA_PATH/.htconfig.php
+	fi
+	echo "\$a->config['system']['sitename'] = \"Hubzilla\";" >> $HUBZILLA_PATH/.htconfig.php
+	HUBZILLA_LOCATION_HASH="$(create_password 30)"
+	echo "\$a->config['system']['location_hash'] = '${HUBZILLA_LOCATION_HASH}';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['register_policy'] = REGISTER_OPEN;" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['register_text'] = '';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['admin_email'] = '${MY_EMAIL_ADDRESS}';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['verify_email'] = 1;" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['access_policy'] = ACCESS_PRIVATE;" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['sellpage'] = '';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['max_import_size'] = 200000;" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['php_path'] = '/usr/bin/php';" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['directory_mode']  = DIRECTORY_MODE_NORMAL;" >> $HUBZILLA_PATH/.htconfig.php
+	echo "\$a->config['system']['theme'] = 'redbasic';" >> $HUBZILLA_PATH/.htconfig.php
+	chown www-data:www-data $HUBZILLA_PATH/.htconfig.php
+	chmod 755 $HUBZILLA_PATH/.htconfig.php
+
+	systemctl restart php5-fpm
+	systemctl restart nginx
+	systemctl restart cron
+
+	freedombone-addemail -u $MY_USERNAME -e "noreply@$HUBZILLA_DOMAIN_NAME" -g hubzilla --public no
+
+	echo "Hubzilla domain:${HUBZILLA_DOMAIN_NAME}" >> $COMPLETION_FILE
+	echo 'install_hubzilla' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-app-intrusion

@@ -0,0 +1,88 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Intrusion detection application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function intrusion_detection {
+	if grep -Fxq "intrusion_detection" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	apt-get -y install tripwire
+	apt-get -y autoremove
+	cd /etc/tripwire
+	cp site.key $DEFAULT_DOMAIN_NAME-site.key
+	echo '*** Installing intrusion detection ***'
+	echo '
+
+' | tripwire --init
+
+	# make a script for easy resetting of the tripwire
+	echo '#!/bin/sh' > /usr/bin/reset-tripwire
+	echo 'tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt' >> /usr/bin/reset-tripwire
+	chmod +x /usr/bin/reset-tripwire
+
+	sed -i 's/SYSLOGREPORTING.*/SYSLOGREPORTING =false/g' /etc/tripwire/twcfg.txt
+	# only send emails if something has changed
+	sed -i 's|MAILNOVIOLATIONS.*|MAILNOVIOLATIONS = false|g' /etc/tripwire/twcfg.txt
+	sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt
+	sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt
+	# Don't show any changes to /proc
+	sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt
+	# Don't report log changes
+	sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt
+	# Ignore /etc/tripwire
+	if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
+		sed -i '\|/etc\t\t->.*|a\    !/etc/tripwire ;' /etc/tripwire/twpol.txt
+	fi
+	# ignore tt-rss cache
+	if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then
+		sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt
+	fi
+	if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
+		sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
+	fi
+	# Avoid logging the changed database
+	sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt
+	# recreate the configuration
+	echo '
+
+	   ' | twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
+	# reset
+	echo '
+
+
+
+	   ' | reset-tripwire
+
+	echo 'intrusion_detection' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-ipfs

@@ -0,0 +1,167 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# ipfs functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+IPFS_GO_REPO="https://github.com/ipfs/go-ipfs"
+IPFS_COMMIT='20b06a4cbce8884f5b194da6e98cb11f2c77f166'
+IPFS_PORT=4001
+
+function install_ipfs {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
+		return
+	fi
+
+	function_check select_go_version
+	select_go_version
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $GOPATH/src/github.com/ipfs/go-ipfs "ipfs commit" "$IPFS_COMMIT" $IPFS_REPO
+
+	if grep -Fxq "install_ipfs" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install golang libpam0g-dev fuse
+
+	if [ ! -d /home/git ]; then
+		# add a gogs user account
+		adduser --disabled-login --gecos 'Gogs' git
+
+		# install Go
+		if ! grep -q "export GOPATH=" ~/.bashrc; then
+			echo "export GOPATH=$GOPATH" >> ~/.bashrc
+		else
+			sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc
+		fi
+		systemctl set-environment GOPATH=$GOPATH
+		if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
+			echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
+		else
+			sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc
+		fi
+		if [ ! -d $GOPATH ]; then
+			mkdir -p $GOPATH
+		fi
+	fi
+
+	IPFS_PATH=$GOPATH/bin
+	export PATH="$GOPATH/bin:$PATH:"
+	if ! grep -q 'GOPATH/bin' ~/.bashrc; then
+		echo 'export PATH="$GOPATH/bin:$PATH:";' >> ~/.bashrc
+	else
+		sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc
+	fi
+
+	# set gopath for the user
+	if ! grep -q "GOPATH=" /home/$MY_USERNAME/.bashrc; then
+		echo "export GOPATH=$GOPATH" >> /home/$MY_USERNAME/.bashrc
+		echo 'export PATH="$GOPATH/bin:$PATH:";' >> /home/$MY_USERNAME/.bashrc
+	else
+		sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" /home/$MY_USERNAME/.bashrc
+	fi
+	chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.bashrc
+
+	IPFS_GO_REPO2=$(echo "$IPFS_GO_REPO" | sed 's|https://||g')
+	go get -u ${IPFS_GO_REPO2}/cmd/ipfs
+	if [ ! "$?" = "0" ]; then
+		exit 8242
+	fi
+
+	cd $GOPATH/src/$IPFS_GO_REPO2
+	git checkout $IPFS_COMMIT -b $IPFS_COMMIT
+	if ! grep -q "ipfs commit" $COMPLETION_FILE; then
+		echo "ipfs commit:$IPFS_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/ipfs commit.*/ipfs commit:$IPFS_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	# initialise
+	su -c "$IPFS_PATH/ipfs init -b 4096" - $MY_USERNAME
+	if [ ! -d /home/$MY_USERNAME/.ipfs ]; then
+		echo "IPFS could not be initialised for user $MY_USERNAME"
+		exit 7358
+	fi
+
+	# directories to mount to
+	if [ ! -d /ipfs ]; then
+		mkdir /ipfs
+		mkdir /ipns
+		chown $MY_USERNAME:$MY_USERNAME /ipfs
+		chown $MY_USERNAME:$MY_USERNAME /ipns
+	fi
+
+	if [ -f /etc/fuse.conf ]; then
+		chown $MY_USERNAME:$MY_USERNAME /etc/fuse.conf
+	fi
+	if [ -f /dev/fuse ]; then
+		chown $MY_USERNAME:$MY_USERNAME /dev/fuse
+	fi
+
+	echo '[Unit]' > /etc/systemd/system/ipfs.service
+	echo 'Description=IPFS daemon' >> /etc/systemd/system/ipfs.service
+	echo 'After=syslog.target' >> /etc/systemd/system/ipfs.service
+	echo 'After=network.target' >> /etc/systemd/system/ipfs.service
+	echo '' >> /etc/systemd/system/ipfs.service
+	echo '[Service]' >> /etc/systemd/system/ipfs.service
+	echo 'Type=simple' >> /etc/systemd/system/ipfs.service
+	echo "User=$MY_USERNAME" >> /etc/systemd/system/ipfs.service
+	echo "Group=$MY_USERNAME" >> /etc/systemd/system/ipfs.service
+	echo "WorkingDirectory=/home/$MY_USERNAME" >> /etc/systemd/system/ipfs.service
+	echo "ExecStart=$IPFS_PATH/ipfs daemon --mount" >> /etc/systemd/system/ipfs.service
+	echo 'Restart=on-failure' >> /etc/systemd/system/ipfs.service
+	echo "Environment=\"USER=$MY_USERNAME\" \"HOME=/home/$MY_USERNAME\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/ipfs.service
+	echo '' >> /etc/systemd/system/ipfs.service
+	echo '[Install]' >> /etc/systemd/system/ipfs.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ipfs.service
+
+	systemctl enable ipfs
+	systemctl daemon-reload
+	systemctl restart ipfs
+
+	if [ -d /etc/avahi ]; then
+		su -c "echo $($IPFS_PATH/ipfs id | grep '\"ID\":' | awk -F '\"' '{print $4}') > /tmp/ipfsid" - $MY_USERNAME
+		if [ ! -f /tmp/ipfsid ]; then
+			echo 'No IPFS identity was created'
+			exit 37895
+		fi
+		IPFS_PEER_ID=$(cat /tmp/ipfsid)
+		if [ ${#IPFS_PEER_ID} -lt 10 ]; then
+			echo 'Invalid IPFS peer ID'
+			echo "$IPFS_PEER_ID"
+			exit 74782
+		fi
+		# Add an avahi service
+		function_check create_avahi_service
+		create_avahi_service ipfs "ipfs" udp $IPFS_PORT "$IPFS_PEER_ID"
+		rm /tmp/ipfsid
+	fi
+
+	echo 'install_ipfs' >> $COMPLETION_FILE
+}

src/freedombone-app-irc

@@ -0,0 +1,239 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# IRC server application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+IRC_PORT=6697
+IRC_ONION_PORT=6697
+
+# An optional password to log into IRC. This applies to all users
+IRC_PASSWORD=
+
+function install_irc_server {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "install_irc_server" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install ngircd
+
+	if [ ! -d /etc/ngircd ]; then
+		echo $"ERROR: ngircd does not appear to have installed. $CHECK_MESSAGE"
+		exit 53
+	fi
+
+	if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then
+		${PROJECT_NAME}-addcert -h ngircd --dhkey $DH_KEYLENGTH
+		function_check check_certificates
+		check_certificates ngircd
+	fi
+
+	DEFAULTDOMAIN=$DEFAULT_DOMAIN_NAME
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		DEFAULTDOMAIN="${DEFAULT_DOMAIN_NAME}.local"
+	fi
+
+	# create a login password if needed
+	if [ ! $IRC_PASSWORD ]; then
+		IRC_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+	fi
+
+	echo '**************************************************' > /etc/ngircd/motd
+	echo $'*           F R E E D O M B O N E   I R C        *' >> /etc/ngircd/motd
+	echo '*                                                *' >> /etc/ngircd/motd
+	echo $'*               Freedom in the Cloud             *' >> /etc/ngircd/motd
+	echo '**************************************************' >> /etc/ngircd/motd
+	sed -i 's|MotdFile = /etc/ngircd/ngircd.motd|MotdFile = /etc/ngircd/motd|g' /etc/ngircd/ngircd.conf
+	sed -i "s/irc@irc.example.com/$MY_EMAIL_ADDRESS/g" /etc/ngircd/ngircd.conf
+	sed -i "s/irc.example.net/$DEFAULTDOMAIN/g" /etc/ngircd/ngircd.conf
+	sed -i "s|Yet another IRC Server running on Debian GNU/Linux|IRC Server of $DEFAULTDOMAIN|g" /etc/ngircd/ngircd.conf
+	sed -i 's/;Password = wealllikedebian/Password =/g' /etc/ngircd/ngircd.conf
+	sed -i 's|;CertFile = /etc/ssl/certs/server.crt|CertFile = /etc/ssl/certs/ngircd.crt|g' /etc/ngircd/ngircd.conf
+	sed -i 's|;DHFile = /etc/ngircd/dhparams.pem|DHFile = /etc/ssl/certs/ngircd.dhparam|g' /etc/ngircd/ngircd.conf
+	sed -i 's|;KeyFile = /etc/ssl/private/server.key|KeyFile = /etc/ssl/private/ngircd.key|g' /etc/ngircd/ngircd.conf
+	sed -i "s/;Ports =.*/Ports = $IRC_PORT/1" /etc/ngircd/ngircd.conf
+	sed -i "s/;Ports =.*/Ports = $IRC_PORT/2" /etc/ngircd/ngircd.conf
+	sed -i "s/;Name = #ngircd/Name = #${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf
+	sed -i "s/;Topic = Our ngircd testing channel/Topic = ${PROJECT_NAME} chat channel/g" /etc/ngircd/ngircd.conf
+	sed -i 's/;MaxUsers = 23/MaxUsers = 23/g' /etc/ngircd/ngircd.conf
+	sed -i "s|;KeyFile = /etc/ngircd/#chan.key|KeyFile = /etc/ngircd/#${PROJECT_NAME}.key|g" /etc/ngircd/ngircd.conf
+	sed -i "s/;CloakHost = cloaked.host/CloakHost = ${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf
+	IRC_SALT="$(create_password 30)"
+	if [ -f $IMAGE_PASSWORD_FILE ]; then
+		IRC_OPERATOR_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+	else
+		IRC_OPERATOR_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+	fi
+	sed -i "s|;CloakHostSalt = abcdefghijklmnopqrstuvwxyz|CloakHostSalt = $IRC_SALT|g" /etc/ngircd/ngircd.conf
+	sed -i 's/;ConnectIPv4 = yes/ConnectIPv4 = yes/g' /etc/ngircd/ngircd.conf
+	sed -i 's/;MorePrivacy = no/MorePrivacy = yes/g' /etc/ngircd/ngircd.conf
+	sed -i 's/;RequireAuthPing = no/RequireAuthPing = no/g' /etc/ngircd/ngircd.conf
+	sed -i "s/;Name = TheOper/Name = $MY_USERNAME/g" /etc/ngircd/ngircd.conf
+	sed -i "s/;Password = ThePwd/Password = $IRC_OPERATOR_PASSWORD/g" /etc/ngircd/ngircd.conf
+	sed -i 's|;Listen =.*|Listen = 0.0.0.0,0.0.0.0:9050,127.0.0.1,127.0.0.1:9050|g' /etc/ngircd/ngircd.conf
+	if [ $IRC_PASSWORD ]; then
+		sed -i "0,/RE/s/Password =.*/Password =$IRC_PASSWORD/" /etc/ngircd/ngircd.conf
+	fi
+	# If we are on a mesh then DNS is not available
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		sed -i "s/;DNS =.*/DNS = no/g" /etc/ngircd/ngircd.conf
+	fi
+	# upgrade a cypher
+	sed -i 's|SECURE128|SECURE256|g' /etc/ngircd/ngircd.conf
+	mkdir /var/run/ircd
+	chown -R irc:irc /var/run/ircd
+	mkdir /var/run/ngircd
+	touch /var/run/ngircd/ngircd.pid
+	chown -R irc:irc /var/run/ngircd
+
+	IRC_ONION_HOSTNAME=$(add_onion_service irc ${IRC_PORT} ${IRC_ONION_PORT})
+	if ! grep -q $"IRC onion domain" $COMPLETION_FILE; then
+		echo "IRC onion domain:$IRC_ONION_HOSTNAME" >> $COMPLETION_FILE
+	fi
+
+	systemctl restart ngircd
+
+	# keep the daemon running
+	echo '' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '# keep irc daemon running' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'IRC_RUNNING=$(pgrep ngircd > /dev/null && echo Running)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'if [ ! $IRC_RUNNING ]; then' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '  systemctl start ngircd' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '  echo -n $CURRENT_DATE >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '  echo " IRC daemon restarted" >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'fi' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+
+	if ! grep -q $"IRC Server" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'IRC Server' >> /home/$MY_USERNAME/README
+		echo '==========' >> /home/$MY_USERNAME/README
+		echo $'To connect to your IRC server in irssi:' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		if [[ $ONION_ONLY != 'yes' ]]; then
+			echo "  irssi" >> /home/$MY_USERNAME/README
+			echo "  /server add -auto -ssl $DEFAULTDOMAIN $IRC_PORT" >> /home/$MY_USERNAME/README
+			echo "  /connect $DEFAULT_DOMAIN_NAME" >> /home/$MY_USERNAME/README
+		else
+			echo "  usetorwith irssi" >> /home/$MY_USERNAME/README
+			echo "  /server add -auto $IRC_ONION_HOSTNAME $IRC_PORT" >> /home/$MY_USERNAME/README
+			echo "  /connect $IRC_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
+		fi
+		echo "  /join #${PROJECT_NAME}" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	function_check configure_firewall_for_irc
+	configure_firewall_for_irc
+	echo 'install_irc_server' >> $COMPLETION_FILE
+}
+
+function install_irc_client {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "install_irc_client" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install irssi
+
+	if [ ! -d /home/$MY_USERNAME/.irssi ]; then
+		mkdir /home/$MY_USERNAME/.irssi
+	fi
+
+	echo 'servers = (' > /home/$MY_USERNAME/.irssi/config
+	echo '  {' >> /home/$MY_USERNAME/.irssi/config
+	echo '    address = "chat.freenode.net";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    chatnet = "Freenode";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    port = "6667";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    autoconnect = "no";' >> /home/$MY_USERNAME/.irssi/config
+	echo '  },' >> /home/$MY_USERNAME/.irssi/config
+	echo '  {' >> /home/$MY_USERNAME/.irssi/config
+	echo '    address = "irc.oftc.net";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    chatnet = "OFTC";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    port = "6667";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config
+	echo '  },' >> /home/$MY_USERNAME/.irssi/config
+	echo '  {' >> /home/$MY_USERNAME/.irssi/config
+	echo "    address = \"127.0.0.1\";" >> /home/$MY_USERNAME/.irssi/config
+	if [[ $ONION_ONLY == 'no' ]]; then
+		echo "    port = \"${IRC_PORT}\";" >> /home/$MY_USERNAME/.irssi/config
+		echo '    use_ssl = "yes";' >> /home/$MY_USERNAME/.irssi/config
+	else
+		IRC_ONION_HOSTNAME=$(cat $COMPLETION_FILE | grep "IRC onion domain" | awk -F ':' '{print $2}')
+		echo "    port = \"${IRC_ONION_PORT}\";" >> /home/$MY_USERNAME/.irssi/config
+		echo '    use_ssl = "no";' >> /home/$MY_USERNAME/.irssi/config
+	fi
+	echo '    chatnet = "Freedombone";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    ssl_verify = "no";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config
+	if [ $IRC_PASSWORD ]; then
+		echo "    password = \"${IRC_PASSWORD}\";" >> /home/$MY_USERNAME/.irssi/config
+	fi
+	echo '  }' >> /home/$MY_USERNAME/.irssi/config
+	echo ');' >> /home/$MY_USERNAME/.irssi/config
+	echo '' >> /home/$MY_USERNAME/.irssi/config
+	echo 'chatnets = {' >> /home/$MY_USERNAME/.irssi/config
+	echo '  Freedombone = {' >> /home/$MY_USERNAME/.irssi/config
+	echo '    type = "IRC";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config
+	echo '  };' >> /home/$MY_USERNAME/.irssi/config
+	echo '  Freenode = {' >> /home/$MY_USERNAME/.irssi/config
+	echo '    type = "IRC";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config
+	echo '  };' >> /home/$MY_USERNAME/.irssi/config
+	echo '  OFTC = {' >> /home/$MY_USERNAME/.irssi/config
+	echo '    type = "IRC";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_msgs = "1";' >> /home/$MY_USERNAME/.irssi/config
+	echo '    max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config
+	echo '  };' >> /home/$MY_USERNAME/.irssi/config
+	echo '};' >> /home/$MY_USERNAME/.irssi/config
+	echo '' >> /home/$MY_USERNAME/.irssi/config
+	echo 'channels = (' >> /home/$MY_USERNAME/.irssi/config
+	echo '  { name = "#freedombone"; chatnet = "Freedombone"; autojoin = "Yes"; },' >> /home/$MY_USERNAME/.irssi/config
+	echo ');' >> /home/$MY_USERNAME/.irssi/config
+	echo '' >> /home/$MY_USERNAME/.irssi/config
+	echo 'settings = {' >> /home/$MY_USERNAME/.irssi/config
+	echo "  core = { real_name = \"$MY_NAME\"; user_name = \"$MY_USERNAME\"; nick = \"$MY_USERNAME\"; };" >> /home/$MY_USERNAME/.irssi/config
+	echo '  "fe-text" = { actlist_sort = "refnum"; };' >> /home/$MY_USERNAME/.irssi/config
+	echo '};' >> /home/$MY_USERNAME/.irssi/config
+	echo 'ignores = ( { level = "CTCPS"; } );' >> /home/$MY_USERNAME/.irssi/config
+
+	chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.irssi
+
+	echo 'install_irc_client' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-mediagoblin

@@ -0,0 +1,370 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# mediagoblin functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+MEDIAGOBLIN_DOMAIN_NAME=
+MEDIAGOBLIN_CODE=
+MEDIAGOBLIN_REPO="git://git.savannah.gnu.org/mediagoblin.git"
+MEDIAGOBLIN_COMMIT='d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba'
+MEDIAGOBLIN_ADMIN_PASSWORD=
+MEDIAGOBLIN_ONION_PORT=8096
+
+function install_mediagoblin {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! $MEDIAGOBLIN_DOMAIN_NAME ]; then
+		return
+	fi
+
+	MEDIAGOBLIN_WORKING_DIRECTORY=/var/www/$MEDIAGOBLIN_DOMAIN_NAME/htdocs
+
+	# update to a new commit if needed
+	function_check set_repo_commit
+	set_repo_commit $MEDIAGOBLIN_WORKING_DIRECTORY "Mediagoblin commit" "$MEDIAGOBLIN_COMMIT" $MEDIAGOBLIN_REPO
+	if [ -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then
+		chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY
+	fi
+
+	if grep -Fxq "install_mediagoblin" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install git-core python python-dev python-lxml python-pil
+	apt-get -y install python-virtualenv npm nodejs-legacy automake
+	apt-get -y install fcgiwrap
+
+	#apt-get -y install postgresql postgresql-client python-psycopg2
+	#apt-get -y install python-gst-1.0 libjpeg62-turbo-dev gstreamer1.0-plugins-base python-gobject
+	#apt-get -y install gstreamer1.0-plugins-good gstreamer1.0-libav libav-tools gstreamer0.10-tools
+	#apt-get -y install python-numpy python-scipy libsndfile1-dev python-gst0.10-dev
+	#apt-get -y install gstreamer0.10-plugins-base gstreamer0.10-plugins-good gstreamer1.0-tools
+	#su -c "createuser -A -D mediagoblin" - postgres
+	#su -c "createdb -E UNICODE -O mediagoblin mediagoblin" - postgres
+
+	useradd -c "GNU MediaGoblin system account" -d /var/lib/mediagoblin -m -r -g www-data mediagoblin
+	groupadd mediagoblin
+	usermod --append -G mediagoblin mediagoblin
+
+	if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then
+		mkdir -p $MEDIAGOBLIN_WORKING_DIRECTORY
+	fi
+
+	function_check git_clone
+	git_clone $MEDIAGOBLIN_REPO $MEDIAGOBLIN_WORKING_DIRECTORY
+	cd $MEDIAGOBLIN_WORKING_DIRECTORY
+	git checkout $MEDIAGOBLIN_COMMIT -b $MEDIAGOBLIN_COMMIT
+	git submodule init
+	git submodule update
+
+	if ! grep -q "Mediagoblin commit" $COMPLETION_FILE; then
+		echo "Mediagoblin commit:$MEDIAGOBLIN_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/Mediagoblin commit.*/Mediagoblin commit:$MEDIAGOBLIN_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bootstrap.sh" - mediagoblin
+	if [ ! "$?" = "0" ]; then
+		exit 278826
+	fi
+
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./configure" - mediagoblin
+	if [ ! "$?" = "0" ]; then
+		exit 462826
+	fi
+
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && make" - mediagoblin
+	if [ ! "$?" = "0" ]; then
+		exit 738229
+	fi
+
+	if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev ]; then
+		mkdir $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev
+	fi
+	chmod 750 $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install flup==1.0.3.dev-20110405" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade billiard" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Paste" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade amqp" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade anyjson" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py-bcrypt" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade wtforms" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade python-dateutil" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alembic" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade waitress" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade imagesize" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alabaster" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade snowballstemmer" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade docutils" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Pygments" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade beautifulsoup4" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade WebOb" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py" - mediagoblin
+	su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade execnet" - mediagoblin
+
+	# create some directories
+	mkdir /var/log/mediagoblin
+	chown -hR mediagoblin:www-data /var/log/mediagoblin
+	mkdir /var/run/mediagoblin
+	chown -hR mediagoblin:www-data /var/run/mediagoblin
+
+	if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin.ini ]; then
+		echo $'mediagoblin.ini not found'
+		exit 737529
+	fi
+	if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/paste.ini ]; then
+		echo $'paste.ini not found'
+		exit 52762
+	fi
+
+	cp -av mediagoblin.ini mediagoblin_local.ini
+	cp -av paste.ini paste_local.ini
+
+	chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY
+
+	# init with systemd
+	echo '[Unit]' > /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'Description=Mediagoblin Celeryd' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'After=network.target' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo '' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo '[Service]' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'Type=simple' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo "Environment=MEDIAGOBLIN_CONFIG=$MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin_local.ini \\" >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo '    CELERY_CONFIG_MODULE=mediagoblin.init.celery.from_celery' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/celery worker \\" >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo '    --logfile=/var/log/mediagoblin/celery.log \' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo '    --loglevel=INFO' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'PIDFile=/var/run/mediagoblin/mediagoblin-celeryd.pid' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo '' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo '[Install]' >> /etc/systemd/system/mediagoblin-celeryd.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-celeryd.service
+
+	echo '[Unit]' > /etc/systemd/system/mediagoblin-paster.service
+	echo 'Description=Mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'After=network.target' >> /etc/systemd/system/mediagoblin-paster.service
+	echo '' >> /etc/systemd/system/mediagoblin-paster.service
+	echo '[Service]' >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'Type=forking' >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'Environment=CELERY_ALWAYS_EAGER=false' >> /etc/systemd/system/mediagoblin-paster.service
+	echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-paster.service
+	echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service
+	echo "    $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini \\" >> /etc/systemd/system/mediagoblin-paster.service
+	echo '    --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service
+	echo '    --log-file=/var/log/mediagoblin/mediagoblin.log \' >> /etc/systemd/system/mediagoblin-paster.service
+	echo '    --daemon \' >> /etc/systemd/system/mediagoblin-paster.service
+	echo '    --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543' >> /etc/systemd/system/mediagoblin-paster.service
+	echo "ExecStop=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service
+	echo '    --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service
+	echo "    $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini stop" >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'PIDFile=/var/run/mediagoblin/mediagoblin.pid' >> /etc/systemd/system/mediagoblin-paster.service
+	echo '' >> /etc/systemd/system/mediagoblin-paster.service
+	echo '[Install]' >> /etc/systemd/system/mediagoblin-paster.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-paster.service
+	systemctl daemon-reload
+	systemctl enable mediagoblin-celeryd
+	systemctl enable mediagoblin-paster
+	systemctl daemon-reload
+	systemctl start mediagoblin-celeryd
+	systemctl start mediagoblin-paster
+
+	MEDIAGOBLIN_ONION_HOSTNAME=$(add_onion_service mediagoblin 80 ${MEDIAGOBLIN_ONION_PORT})
+	if ! grep -q "Mediagoblin onion domain" $COMPLETION_FILE; then
+		echo "Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	else
+		sed -i "s|Mediagoblin onion domain.*|Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}|g" $COMPLETION_FILE
+	fi
+	if [[ $MEDIAGOBLIN_ONION_HOSTNAME == *"not found"* ]]; then
+		echo $'Problem creating onion address for mediagoblin'
+		exit 672652
+	fi
+
+	# web config
+	MEDIAGOBLIN_VIRTUAL_HOST=/etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
+	function_check nginx_http_redirect
+	nginx_http_redirect $MEDIAGOBLIN_DOMAIN_NAME
+	if [[ $ONION_ONLY == 'no' ]]; then
+		echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  listen 443 ssl;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  default_type  application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		function_check nginx_limits
+		nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m'
+		function_check nginx_ssl
+		nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME
+		function_check nginx_disable_sniffing
+		nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo "  server_name $MEDIAGOBLIN_DOMAIN_NAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '    fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '    include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '    # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '      # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '    fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '    fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST
+		echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	else
+		echo -n '' > $MEDIAGOBLIN_VIRTUAL_HOST
+	fi
+
+	echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo "  listen 127.0.0.1:${MEDIAGOBLIN_ONION_PORT} default_server;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  default_type  application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	function_check nginx_limits
+	nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m'
+	function_check nginx_disable_sniffing
+	nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo "  server_name $MEDIAGOBLIN_ONION_HOSTNAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo "    alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '    fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '    include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '    # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '      # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '    fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '    fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '  }' >> $MEDIAGOBLIN_VIRTUAL_HOST
+	echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST
+
+	function_check create_site_certificate
+	create_site_certificate $MEDIAGOBLIN_DOMAIN_NAME
+
+	nginx_ensite $MEDIAGOBLIN_DOMAIN_NAME
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	add_ddns_domain $MEDIAGOBLIN_DOMAIN_NAME
+
+	if ! grep -q "Mediagoblin domain" $COMPLETION_FILE; then
+		echo "Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME" >> $COMPLETION_FILE
+	else
+		sed -i "s/Mediagoblin domain.*/Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME/g" $COMPLETION_FILE
+	fi
+
+	echo 'install_mediagoblin' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-mumble

@@ -0,0 +1,159 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Mumble application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Password used for VoIP server
+VOIP_SERVER_PASSWORD=
+# Port on which VoIP server listens
+VOIP_PORT=64738
+
+# Location of VoIP database and configuration
+VOIP_DATABASE="mumble-server.sqlite"
+VOIP_CONFIG_FILE="mumble-server.ini"
+
+function get_voip_server_password {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "VoIP server password" /home/$MY_USERNAME/README; then
+			if [ ! $VOIP_SERVER_PASSWORD ]; then
+				VOIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "VoIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+			fi
+		else
+			if grep -q "Mumble server password" /home/$MY_USERNAME/README; then
+				if [ ! $VOIP_SERVER_PASSWORD ]; then
+					VOIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Mumble server password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+				fi
+			fi
+		fi
+	fi
+}
+
+function install_mumble {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "install_mumble" $COMPLETION_FILE; then
+		return
+	fi
+	if grep -Fxq "install_voip" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install mumble-server
+
+	function_check get_voip_server_password
+	get_voip_server_password
+	if [ ! $VOIP_SERVER_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			VOIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			VOIP_SERVER_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+			if [ ${#VOIP_SERVER_PASSWORD} -lt $MINIMUM_PASSWORD_LENGTH ]; then
+				VOIP_SERVER_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+			fi
+		fi
+	fi
+
+	# Make an ssl cert for the server
+	if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then
+		${PROJECT_NAME}-addcert -h mumble --dhkey $DH_KEYLENGTH
+		function_check check_certificates
+		check_certificates mumble
+	fi
+
+	# Check that the cert was created
+	if [ ! -f /etc/ssl/certs/mumble.crt ]; then
+		echo $'VoIP server certificate not created'
+		exit 57892
+	fi
+	if [ ! -f /etc/ssl/private/mumble.key ]; then
+		echo $'VoIP server key not created'
+		exit 57893
+	fi
+	if [ ! -d /var/lib/mumble-server ]; then
+		mkdir /var/lib/mumble-server
+	fi
+	cp /etc/ssl/certs/mumble.* /var/lib/mumble-server
+	cp /etc/ssl/private/mumble.key /var/lib/mumble-server
+	chown -R mumble-server:mumble-server /var/lib/mumble-server
+
+	sed -i "s|welcometext=.*|welcometext=\"<br />Welcome to $DEFAULT_DOMAIN_NAME <b>VoIP</b>.<br />Chat freely!<br />\"|g" /etc/mumble-server.ini
+
+	if [[ $VOIP_SERVER_PASSWORD && $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		sed -i "s|serverpassword=.*|serverpassword=$VOIP_SERVER_PASSWORD|g" /etc/mumble-server.ini
+	fi
+
+	sed -i 's|#autobanAttempts.*|autobanAttempts = 10|g' /etc/mumble-server.ini
+	sed -i 's|#autobanTimeframe.*|autobanTimeframe = 120|g' /etc/mumble-server.ini
+	sed -i 's|#autobanTime.*|autobanTime = 300|g' /etc/mumble-server.ini
+	sed -i 's|#sendversion=.*|sendversion=False|g' /etc/mumble-server.ini
+	sed -i 's|sendversion=.*|sendversion=False|g' /etc/mumble-server.ini
+	if ! grep -q "allowping" /etc/mumble-server.ini; then
+		echo 'allowping=False' >> /etc/mumble-server.ini
+	fi
+	sed -i 's|allowping=.*|allowping=False|g' /etc/mumble-server.ini
+	sed -i 's|#sslCert=.*|sslCert=/var/lib/mumble-server/mumble.crt|g' /etc/mumble-server.ini
+	sed -i 's|#sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini
+	sed -i 's|#certrequired=.*|certrequired=True|g' /etc/mumble-server.ini
+	sed -i 's|users=100|users=10|g' /etc/mumble-server.ini
+	sed -i 's|#channelnestinglimit=10|channelnestinglimit=10|g' /etc/mumble-server.ini
+	sed -i 's|#textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini
+	sed -i 's|textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini
+	sed -i 's|#imagemessagelength=.*|imagemessagelength=131072|g' /etc/mumble-server.ini
+	sed -i 's|#allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini
+	sed -i 's|allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini
+	sed -i "s|port=.*|port=${VOIP_PORT}|g" /etc/mumble-server.ini
+
+	VOIP_ONION_HOSTNAME=$(add_onion_service voip ${VOIP_PORT} ${VOIP_PORT})
+	if ! grep -q $"VoIP onion domain" $COMPLETION_FILE; then
+		echo "VoIP onion domain:$VOIP_ONION_HOSTNAME" >> $COMPLETION_FILE
+	fi
+
+	systemctl restart mumble-server
+
+	if ! grep -q $"Mumble Server" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Mumble Server' >> /home/$MY_USERNAME/README
+		echo '=============' >> /home/$MY_USERNAME/README
+		echo $"Mumble onion domain:$VOIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
+		echo $'Mumble server username: mumble-server' >> /home/$MY_USERNAME/README
+		if [[ $SYSTEM_TYPE != "VARIANT_MESH" ]]; then
+			echo $"Mumble server password: $VOIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README
+		fi
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'To connect to the Mumble server use your username and the server password shown above.' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	function_check configure_firewall_for_voip
+	configure_firewall_for_voip
+	echo 'install_mumble' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-rss

@@ -0,0 +1,422 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# RSS reader application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+RSS_READER_REPO="https://tt-rss.org/git/tt-rss.git"
+RSS_READER_COMMIT='9e84bab449f9ed55e02e60378b0af1521026f3b8'
+RSS_READER_ADMIN_PASSWORD=
+RSS_READER_ONION_PORT=8092
+RSS_MOBILE_READER_ONION_PORT=8095
+RSS_READER_DOMAIN_NAME=ttrss
+RSS_MOBILE_READER_REPO="https://github.com/mboinet/ttrss-mobile"
+RSS_MOBILE_READER_COMMIT='d5242e1c269e9480ab3b66b7a38da3c892dfb326'
+RSS_READER_PATH=/etc/share/tt-rss
+RSS_READER_GNUSOCIAL_REPO="https://github.com/bashrc/ttrss-gnusocial"
+RSS_READER_GNUSOCIAL_COMMIT='8b92b8f5db7b0d12459c7bd86a50f48815efe642'
+
+function rss_reader_modifications {
+	# modify the rss reader to use a socks5 proxy rather than a http proxy
+	if [ ! -d $RSS_READER_PATH ]; then
+		return
+	fi
+
+	# ensure that socks5 proxy is used
+	if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/plugins/af_unburn/init.php; then
+		sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/plugins/af_unburn/init.php
+	fi
+	if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/include/functions.php; then
+		sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/include/functions.php
+	fi
+	chown -R www-data:www-data $RSS_READER_PATH
+	chmod a+x $RSS_READER_PATH
+}
+
+function install_rss_reader {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $RSS_READER_PATH "RSS reader commit" "$RSS_READER_COMMIT" $RSS_READER_REPO
+
+	if grep -Fxq "install_rss_reader" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser
+
+	if [ ! -d /etc/share ]; then
+		mkdir /etc/share
+	fi
+	cd /etc/share
+	function_check git_clone
+	git_clone $RSS_READER_REPO tt-rss
+	if [ ! -d $RSS_READER_PATH ]; then
+		echo $'Could not clone RSS reader repo'
+		exit 52925
+	fi
+	cd $RSS_READER_PATH
+	git checkout $RSS_READER_COMMIT -b $RSS_READER_COMMIT
+	if ! grep -q "RSS reader commit" $COMPLETION_FILE; then
+		echo "RSS reader commit:$RSS_READER_COMMIT" >> $COMPLETION_FILE
+	fi
+
+	function_check install_mariadb
+	install_mariadb
+
+	function_check get_mariadb_password
+	get_mariadb_password
+
+	function_check repair_databases_script
+	repair_databases_script
+
+	function_check get_mariadb_rss_reader_admin_password
+	get_mariadb_rss_reader_admin_password
+	if [ ! $RSS_READER_ADMIN_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			RSS_READER_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			RSS_READER_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+	fi
+
+	function_check create_database
+	create_database ttrss "$RSS_READER_ADMIN_PASSWORD" $MY_USERNAME
+
+	RSS_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_READER_ONION_PORT})
+	RSS_MOBILE_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_MOBILE_READER_ONION_PORT})
+
+	echo 'server {' > /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo "  listen 127.0.0.1:$RSS_MOBILE_READER_ONION_PORT;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo "  server_name $RSS_MOBILE_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  root /etc/share/ttrss-mobile;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  index index.html index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location /tt-rss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    try_files $uri $uri/ @ttrss_base;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    rewrite ^(.*)$ /index.html?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location @ttrss_base {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo 'server {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo "  listen 127.0.0.1:$RSS_READER_ONION_PORT default_server;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo "  server_name $RSS_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  root /etc/share/tt-rss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  index index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  set $mobile_rewrite do_not_perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  ## chi http_user_agent for mobile / smart phones ##' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  if ($mobile_rewrite = perform) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo "    rewrite ^/(.*) http://$RSS_MOBILE_READER_ONION_HOSTNAME permanent;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    break;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '    deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '  client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+	echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME
+
+	if [ ! -f $RSS_READER_PATH/config.php ]; then
+		# generate a config file
+		RSS_FEED_CRYPT_KEY="$(create_password 24)"
+		echo '<?php' > $RSS_READER_PATH/config.php
+		echo "  define ('_CURL_HTTP_PROXY', '127.0.0.1:9050');" >> $RSS_READER_PATH/config.php
+		echo "  define('DB_TYPE', 'mysql');" >> $RSS_READER_PATH/config.php
+		echo "  define('DB_HOST', 'localhost');" >> $RSS_READER_PATH/config.php
+		echo "  define('DB_USER', 'root');" >> $RSS_READER_PATH/config.php
+		echo "  define('DB_NAME', 'ttrss');" >> $RSS_READER_PATH/config.php
+		echo "  define('DB_PASS', '${MARIADB_PASSWORD}');" >> $RSS_READER_PATH/config.php
+		echo "  define('DB_PORT', '3306');" >> $RSS_READER_PATH/config.php
+		echo "  define('MYSQL_CHARSET', 'UTF8');" >> $RSS_READER_PATH/config.php
+		echo "  define('SELF_URL_PATH', 'http://${RSS_READER_ONION_HOSTNAME}/');" >> $RSS_READER_PATH/config.php
+		echo "  define('FEED_CRYPT_KEY', '${RSS_FEED_CRYPT_KEY}');" >> $RSS_READER_PATH/config.php
+		echo "  define('SINGLE_USER_MODE', false);" >> $RSS_READER_PATH/config.php
+		echo "  define('SIMPLE_UPDATE_MODE', false);" >> $RSS_READER_PATH/config.php
+		echo "  define('PHP_EXECUTABLE', '/usr/bin/php');" >> $RSS_READER_PATH/config.php
+		echo "  define('LOCK_DIRECTORY', 'lock');" >> $RSS_READER_PATH/config.php
+		echo "  define('CACHE_DIR', 'cache');" >> $RSS_READER_PATH/config.php
+		echo "  define('ICONS_DIR', \"feed-icons\");" >> $RSS_READER_PATH/config.php
+		echo "  define('ICONS_URL', \"feed-icons\");" >> $RSS_READER_PATH/config.php
+		echo "  define('AUTH_AUTO_CREATE', true);" >> $RSS_READER_PATH/config.php
+		echo "  define('AUTH_AUTO_LOGIN', true);" >> $RSS_READER_PATH/config.php
+		echo "  define('FORCE_ARTICLE_PURGE', 0);" >> $RSS_READER_PATH/config.php
+		echo "  define('PUBSUBHUBBUB_HUB', '');" >> $RSS_READER_PATH/config.php
+		echo "  define('PUBSUBHUBBUB_ENABLED', false);" >> $RSS_READER_PATH/config.php
+		echo "  define('SPHINX_SERVER', 'localhost:9312');" >> $RSS_READER_PATH/config.php
+		echo "  define('SPHINX_INDEX', 'ttrss, delta');" >> $RSS_READER_PATH/config.php
+		echo "  define('ENABLE_REGISTRATION', false);" >> $RSS_READER_PATH/config.php
+		echo "  define('REG_NOTIFY_ADDRESS', '${MY_EMAIL_ADDRESS}');" >> $RSS_READER_PATH/config.php
+		echo "  define('REG_MAX_USERS', 10);" >> $RSS_READER_PATH/config.php
+		echo "  define('SESSION_COOKIE_LIFETIME', 86400);" >> $RSS_READER_PATH/config.php
+		echo "  define('SMTP_FROM_NAME', 'Tiny Tiny RSS');" >> $RSS_READER_PATH/config.php
+		echo "  define('SMTP_FROM_ADDRESS', 'noreply@${RSS_READER_ONION_HOSTNAME}');" >> $RSS_READER_PATH/config.php
+		echo "  define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');" >> $RSS_READER_PATH/config.php
+		echo "  define('SMTP_SERVER', '');" >> $RSS_READER_PATH/config.php
+		echo "  define('SMTP_LOGIN', '');" >> $RSS_READER_PATH/config.php
+		echo "  define('SMTP_PASSWORD', '');" >> $RSS_READER_PATH/config.php
+		echo "  define('SMTP_SECURE', '');" >> $RSS_READER_PATH/config.php
+		echo "  define('CHECK_FOR_UPDATES', false);" >> $RSS_READER_PATH/config.php
+		echo "  define('ENABLE_GZIP_OUTPUT', false);" >> $RSS_READER_PATH/config.php
+		echo "  define('PLUGINS', 'auth_internal, note, gnusocial');" >> $RSS_READER_PATH/config.php
+		echo "  define('LOG_DESTINATION', 'sql');" >> $RSS_READER_PATH/config.php
+		echo "  define('CONFIG_VERSION', 26);" >> $RSS_READER_PATH/config.php
+	fi
+
+	# initialize the database
+	if [ ! -f $RSS_READER_PATH/schema/ttrss_schema_mysql.sql ]; then
+		echo $'No database schema found for rss reader'
+		exit 52926
+	fi
+	initialise_database ttrss $RSS_READER_PATH/schema/ttrss_schema_mysql.sql
+
+	# change the password from the default
+	RSS_READER_ADMIN_PASSWORD_HASH=$(echo -n "${RSS_READER_ADMIN_PASSWORD}" | sha1sum | awk -F ' ' '{print $1}')
+
+	function_check run_query
+    run_query ttrss "update ttrss_users set pwd_hash = 'SHA1:${RSS_READER_ADMIN_PASSWORD_HASH}', salt= '' WHERE login = 'admin';"
+
+	function_check rss_reader_modifications
+	rss_reader_modifications
+
+	function_check configure_php
+	configure_php
+
+	nginx_ensite $RSS_READER_DOMAIN_NAME
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	if ! grep -q "RSS reader onion domain" $COMPLETION_FILE; then
+		echo "RSS reader onion domain:${RSS_READER_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	fi
+	if ! grep -q "RSS reader domain" $COMPLETION_FILE; then
+		echo "RSS reader domain:${RSS_READER_DOMAIN_NAME}" >> $COMPLETION_FILE
+	fi
+
+	# daemon to update feeds
+	echo '[Unit]' > /etc/systemd/system/ttrss.service
+	echo 'Description=ttrss_backend' >> /etc/systemd/system/ttrss.service
+	echo 'After=network.target mysql.service' >> /etc/systemd/system/ttrss.service
+	echo 'After=tor.service' >> /etc/systemd/system/ttrss.service
+	echo '' >> /etc/systemd/system/ttrss.service
+	echo '[Service]' >> /etc/systemd/system/ttrss.service
+	echo 'User=www-data' >> /etc/systemd/system/ttrss.service
+	echo "ExecStart=/usr/bin/php $RSS_READER_PATH/update.php --daemon" >> /etc/systemd/system/ttrss.service
+	echo '' >> /etc/systemd/system/ttrss.service
+	echo '[Install]' >> /etc/systemd/system/ttrss.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ttrss.service
+	systemctl enable ttrss
+	systemctl daemon-reload
+	systemctl start ttrss
+
+	# some post-install instructions for the user
+	if ! grep -q $"RSS Reader" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'RSS Reader' >> /home/$MY_USERNAME/README
+		echo '==========' >> /home/$MY_USERNAME/README
+		echo $"RSS reader domain: ${RSS_READER_DOMAIN_NAME}" >> /home/$MY_USERNAME/README
+		echo $"RSS reader onion domain: ${RSS_READER_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo $"RSS reader admin username: admin" >> /home/$MY_USERNAME/README
+		echo $"RSS reader admin password: ${RSS_READER_ADMIN_PASSWORD}" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	echo 'install_rss_reader' >> $COMPLETION_FILE
+}
+
+function install_rss_reader_gnusocial {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	if [ ! $MICROBLOG_DOMAIN_NAME ]; then
+		return
+	fi
+
+	if [ ! $RSS_READER_PATH ]; then
+		RSS_READER_PATH=/etc/share/tt-rss
+	fi
+	RSS_READER_GNUSOCIAL_PATH=${RSS_READER_PATH}/plugins/gnusocial
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $RSS_READER_GNUSOCIAL_PATH "RSS reader gnusocial commit" "$RSS_READER_GNUSOCIAL_COMMIT" $RSS_READER_GNUSOCIAL_REPO
+	chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH
+
+	if grep -Fxq "install_rss_reader_gnusocial" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir -p $INSTALL_DIR
+	fi
+
+	cd $INSTALL_DIR
+	function_check git_clone
+	git_clone $RSS_READER_GNUSOCIAL_REPO ttrss-gnusocial
+	if [ ! -d $INSTALL_DIR/ttrss-gnusocial ]; then
+		echo $'Could not clone repo for RSS reader GNU Social plugin'
+		exit 52838
+	fi
+	cp -r $INSTALL_DIR/ttrss-gnusocial $RSS_READER_GNUSOCIAL_PATH
+	cd $RSS_READER_GNUSOCIAL_PATH
+	git checkout $RSS_READER_GNUSOCIAL_COMMIT -b $RSS_READER_GNUSOCIAL_COMMIT
+	if ! grep -q "RSS reader gnusocial commit" $COMPLETION_FILE; then
+		echo "RSS reader gnusocial commit:$RSS_READER_GNUSOCIAL_COMMIT" >> $COMPLETION_FILE
+	fi
+	chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH
+
+	echo 'install_rss_reader_gnusocial' >> $COMPLETION_FILE
+}
+
+function install_rss_mobile_reader {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	if [ ! $RSS_READER_PATH ]; then
+		RSS_READER_PATH=/etc/share/tt-rss
+	fi
+
+	if [ ! -d $RSS_READER_PATH ]; then
+		echo $'tt-rss is not installed, so the mobile version cannot be installed'
+		exit 63452
+	fi
+
+	RSS_MOBILE_READER_PATH=/etc/share/ttrss-mobile
+
+	# remove any previous install
+	if [ -d $RSS_READER_PATH/g2ttree-mobile ]; then
+		if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then
+			sed -i '/install_rss_mobile_reader/d' $COMPLETION_FILE
+			sed -i '/RSS mobile reader commit/d' $COMPLETION_FILE
+			rm -rf $RSS_READER_PATH/g2ttree-mobile
+		fi
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $RSS_MOBILE_READER_PATH "RSS mobile reader commit" "$RSS_MOBILE_READER_COMMIT" $RSS_MOBILE_READER_REPO
+
+	if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then
+		return
+	fi
+
+	cd /etc/share
+	function_check git_clone
+	git_clone $RSS_MOBILE_READER_REPO ttrss-mobile
+	if [ ! -d $RSS_MOBILE_READER_PATH ]; then
+		echo $'Could not clone RSS mobile reader repo'
+		exit 24816
+	fi
+	cd $RSS_MOBILE_READER_PATH
+	git checkout $RSS_MOBILE_READER_COMMIT -b $RSS_MOBILE_READER_COMMIT
+	if ! grep -q "RSS mobile reader commit" $COMPLETION_FILE; then
+		echo "RSS mobile reader commit:$RSS_MOBILE_READER_COMMIT" >> $COMPLETION_FILE
+	fi
+
+	echo 'define({' > $RSS_MOBILE_READER_PATH/scripts/conf.js
+	echo '  apiPath: "/tt-rss/"' >> $RSS_MOBILE_READER_PATH/scripts/conf.js
+	echo '});' >> $RSS_MOBILE_READER_PATH/scripts/conf.js
+
+	# link to the main site
+	ln -s $RSS_READER_PATH $RSS_MOBILE_READER_PATH/tt-rss
+
+	chown -R www-data:www-data $RSS_MOBILE_READER_PATH
+	chown -R www-data:www-data $RSS_READER_PATH
+	chmod a+x $RSS_MOBILE_READER_PATH
+
+	echo 'install_rss_mobile_reader' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-search

@@ -0,0 +1,248 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Search engine application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SEARCH_ENGINE_REPO="https://github.com/asciimoo/searx"
+SEARCH_ENGINE_COMMIT='fee556c9904637051a9ba874ba7e71cd9f10789f'
+SEARCH_ENGINE_PATH=/etc
+SEARCH_ENGINE_ONION_PORT=8094
+SEARCH_ENGINE_ONION_HOSTNAME=
+SEARCH_ENGINE_LOGIN_TEXT=$"Search engine login"
+SEARCH_ENGINE_PASSWORD=
+
+function install_search_engine {
+	# Note: currently socks5 outgoing proxies to other search engines does not work
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! -d /etc/nginx ]; then
+		echo $'Webserver is not installed'
+		exit 62429
+	fi
+
+	# update to a new commit if needed
+	set_repo_commit $SEARCH_ENGINE_PATH/searx "Search engine commit" "$SEARCH_ENGINE_COMMIT" $SEARCH_ENGINE_REPO
+	if grep "Search engine key" $COMPLETION_FILE; then
+		if [ -f ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml ]; then
+			# note: this might change to a --tor option in a later version
+			if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then
+				echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+				echo '    proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+				echo '        http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+				echo '        https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+			fi
+			SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}')
+			sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+			if [ -f /var/lib/tor/hidden_service_searx/hostname ]; then
+				SEARCH_ENGINE_ONION_HOSTNAME=$(echo /var/lib/tor/hidden_service_searx/hostname)
+				sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+			fi
+		fi
+	fi
+
+	if grep -Fxq "install_search_engine" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install python-pip libyaml-dev python-werkzeug python-babel python-lxml apache2-utils
+	apt-get -y install git build-essential libxslt-dev python-dev python-virtualenv python-pybabel zlib1g-dev uwsgi uwsgi-plugin-python libapache2-mod-uwsgi
+
+	pip install --upgrade pip
+
+	pip install certifi
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install certifi'
+		exit 737692
+	fi
+
+	pip install pyyaml
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install pyyaml'
+		exit 469242
+	fi
+
+	pip install flask --upgrade
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install flask'
+		exit 888575
+	fi
+
+	pip install flask_restless --upgrade
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install flask_restless'
+		exit 54835
+	fi
+
+	pip install flask_babel --upgrade
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install flask_babel'
+		exit 63738
+	fi
+
+	if [ ! -d $SEARCH_ENGINE_PATH ]; then
+		mkdir -p $SEARCH_ENGINE_PATH
+	fi
+
+	# clone the repo
+	cd $SEARCH_ENGINE_PATH
+	function_check git_clone
+	git_clone $SEARCH_ENGINE_REPO searx
+	git checkout $SEARCH_ENGINE_COMMIT -b $SEARCH_ENGINE_COMMIT
+	if ! grep -q "Search engine commit" $COMPLETION_FILE; then
+		echo "Search engine commit:$SEARCH_ENGINE_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/Search engine commit.*/Search engine commit:$SEARCH_ENGINE_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	# create an onion service
+	SEARCH_ENGINE_ONION_HOSTNAME=$(add_onion_service searx 80 ${SEARCH_ENGINE_ONION_PORT})
+	if ! grep "Search engine onion domain" $COMPLETION_FILE; then
+		echo "Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	else
+		sed -i "s|Search engine onion domain.*|Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}|g" $COMPLETION_FILE
+	fi
+
+	# an unprivileged user to run as
+	useradd -d ${SEARCH_ENGINE_PATH}/searx/ -s /bin/false searx
+	adduser searx debian-tor
+
+	# daemon
+	echo '[Unit]' > /etc/systemd/system/searx.service
+	echo 'Description=Searx (search engine)' >> /etc/systemd/system/searx.service
+	echo 'After=syslog.target' >> /etc/systemd/system/searx.service
+	echo 'After=network.target' >> /etc/systemd/system/searx.service
+	echo '' >> /etc/systemd/system/searx.service
+	echo '[Service]' >> /etc/systemd/system/searx.service
+	echo 'Type=simple' >> /etc/systemd/system/searx.service
+	echo 'User=searx' >> /etc/systemd/system/searx.service
+	echo 'Group=searx' >> /etc/systemd/system/searx.service
+	echo "WorkingDirectory=${SEARCH_ENGINE_PATH}/searx" >> /etc/systemd/system/searx.service
+	echo "ExecStart=/usr/bin/python ${SEARCH_ENGINE_PATH}/searx/searx/webapp.py" >> /etc/systemd/system/searx.service
+	echo 'Restart=always' >> /etc/systemd/system/searx.service
+	echo 'Environment="USER=searx"' >> /etc/systemd/system/searx.service
+	echo '' >> /etc/systemd/system/searx.service
+	echo '[Install]' >> /etc/systemd/system/searx.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/searx.service
+
+	# create a webserver file
+	echo 'server {' > /etc/nginx/sites-available/searx
+	echo "    listen 127.0.0.1:${SEARCH_ENGINE_ONION_PORT} default_server;" >> /etc/nginx/sites-available/searx
+	echo "    root ${SEARCH_ENGINE_PATH}/searx;" >> /etc/nginx/sites-available/searx
+	echo "    server_name ${SEARCH_ENGINE_ONION_HOSTNAME};" >> /etc/nginx/sites-available/searx
+	echo '    access_log off;' >> /etc/nginx/sites-available/searx
+	echo "    error_log /var/log/searx_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/searx
+	echo '' >> /etc/nginx/sites-available/searx
+	function_check nginx_limits
+	nginx_limits searx '1M'
+	function_check nginx_disable_sniffing
+	nginx_disable_sniffing searx
+	echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/searx
+	echo '' >> /etc/nginx/sites-available/searx
+	echo '    location / {' >> /etc/nginx/sites-available/searx
+	echo '        proxy_pass http://localhost:8888;' >> /etc/nginx/sites-available/searx
+	echo '        proxy_set_header Host $host;' >> /etc/nginx/sites-available/searx
+	echo '        proxy_set_header X-Real-IP $remote_addr;' >> /etc/nginx/sites-available/searx
+	echo '        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' >> /etc/nginx/sites-available/searx
+	echo '        proxy_set_header X-Remote-Port $remote_port;' >> /etc/nginx/sites-available/searx
+	echo '        proxy_set_header X-Forwarded-Proto $scheme;' >> /etc/nginx/sites-available/searx
+	echo '        proxy_redirect off;' >> /etc/nginx/sites-available/searx
+
+	echo "        auth_basic \"${SEARCH_ENGINE_LOGIN_TEXT}\";" >> /etc/nginx/sites-available/searx
+	echo '        auth_basic_user_file /etc/nginx/.htpasswd;' >> /etc/nginx/sites-available/searx
+	echo '    }' >> /etc/nginx/sites-available/searx
+	echo '' >> /etc/nginx/sites-available/searx
+	echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/searx
+	echo '' >> /etc/nginx/sites-available/searx
+	echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/searx
+	echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/searx
+	echo '' >> /etc/nginx/sites-available/searx
+	echo '    location = /robots.txt {' >> /etc/nginx/sites-available/searx
+	echo '        allow all;' >> /etc/nginx/sites-available/searx
+	echo '        log_not_found off;' >> /etc/nginx/sites-available/searx
+	echo '        access_log off;' >> /etc/nginx/sites-available/searx
+	echo '    }' >> /etc/nginx/sites-available/searx
+	echo '}' >> /etc/nginx/sites-available/searx
+
+	# replace the secret key
+	if ! grep "Search engine key" $COMPLETION_FILE; then
+		SEARCH_ENGINE_SECRET_KEY="$(create_password 30)"
+		echo "Search engine key:${SEARCH_ENGINE_SECRET_KEY}" >> $COMPLETION_FILE
+	else
+		SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}')
+	fi
+	sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+	sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml
+	sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+	sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml
+
+	# note: this might change to a --tor option in a later version
+	if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then
+		echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+		echo '    proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+		echo '        http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+		echo '        https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml
+	fi
+
+	chown -R searx:searx ${SEARCH_ENGINE_PATH}/searx
+
+	# enable the site
+	nginx_ensite searx
+
+	# restart the web server
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	# start the daemon
+	systemctl enable searx.service
+	systemctl daemon-reload
+	systemctl start searx.service
+
+	if ! grep -q "Your search engine password is" /home/$MY_USERNAME/README; then
+		if [ ${#SEARCH_ENGINE_PASSWORD} -lt 8 ]; then
+			if [ -f $IMAGE_PASSWORD_FILE ]; then
+				SEARCH_ENGINE_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+			else
+				SEARCH_ENGINE_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+			fi
+		fi
+		echo "$SEARCH_ENGINE_PASSWORD" | htpasswd -i -s -c /etc/nginx/.htpasswd $MY_USERNAME
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Search Engine' >> /home/$MY_USERNAME/README
+		echo '=============' >> /home/$MY_USERNAME/README
+		echo $"Search engine onion domain: ${SEARCH_ENGINE_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo $"Your search engine password is: $SEARCH_ENGINE_PASSWORD" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	echo 'install_search_engine' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-sip

@@ -0,0 +1,318 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# SIP functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SIP_SERVER_PASSWORD=
+SIP_PORT=5060
+SIP_TLS_PORT=5061
+VOIP_TURN_PORT=3478
+VOIP_TURN_TLS_PORT=5349
+VOIP_TURN_NONCE=
+
+function get_sip_server_password {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "SIP server password" /home/$MY_USERNAME/README; then
+			if [ ! $SIP_SERVER_PASSWORD ]; then
+				SIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "SIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+			fi
+		fi
+	fi
+}
+
+function update_sipwitch_daemon {
+	if [ ! -f /etc/init.d/sipwitch ]; then
+		return
+	fi
+	service sipwitch stop
+
+	# remove the original sipwitch daemon if it exists
+	if [ -f /etc/init.d/sipwitch ]; then
+		rm -f /etc/init.d/sipwitch
+	fi
+
+	# daemon
+	echo '[Unit]' > /etc/systemd/system/sipwitch.service
+	echo 'Description=GNU SIP Witch, a SIP telephony service daemon.' >> /etc/systemd/system/sipwitch.service
+	echo 'After=network.target' >> /etc/systemd/system/sipwitch.service
+	echo '' >> /etc/systemd/system/sipwitch.service
+	echo '[Service]' >> /etc/systemd/system/sipwitch.service
+	echo 'Type=simple' >> /etc/systemd/system/sipwitch.service
+	echo 'Group=sipwitch' >> /etc/systemd/system/sipwitch.service
+	echo 'PIDFile=/var/run/sipwitch/pidfile' >> /etc/systemd/system/sipwitch.service
+	echo 'EnvironmentFile=-/etc/conf.d/sipwitch' >> /etc/systemd/system/sipwitch.service
+	echo 'EnvironmentFile=-/etc/sipwitch.conf' >> /etc/systemd/system/sipwitch.service
+	echo 'EnvironmentFile=-/etc/default/sipwitch' >> /etc/systemd/system/sipwitch.service
+	echo 'ExecStartPre=-/bin/rm -f /var/run/sipwitch/control' >> /etc/systemd/system/sipwitch.service
+	echo "ExecStart=/usr/sbin/sipw -f \$OPTIONS -P$SIP_PORT" >> /etc/systemd/system/sipwitch.service
+	echo 'Restart=always' >> /etc/systemd/system/sipwitch.service
+	echo 'NotifyAccess=main' >> /etc/systemd/system/sipwitch.service
+	echo '' >> /etc/systemd/system/sipwitch.service
+	echo '[Install]' >> /etc/systemd/system/sipwitch.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/sipwitch.service
+
+	systemctl enable sipwitch
+	systemctl daemon-reload
+	systemctl start sipwitch
+}
+
+function install_sip {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "install_sip" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install sipwitch
+
+	function_check get_sip_server_password
+	get_sip_server_password
+	if [ ! $SIP_SERVER_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			SIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			SIP_SERVER_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+	fi
+
+	echo '<?xml version="1.0"?>' > /etc/sipwitch.conf
+	echo '<sipwitch>' >> /etc/sipwitch.conf
+	echo '<provision>' >> /etc/sipwitch.conf
+
+	echo "<user id=\"$MY_USERNAME\">" >> /etc/sipwitch.conf
+	echo '<extension>201</extension>' >> /etc/sipwitch.conf
+	echo "<secret>$SIP_SERVER_PASSWORD</secret>" >> /etc/sipwitch.conf
+	echo "<display>$MY_USERNAME 201</display>" >> /etc/sipwitch.conf
+	echo '</user>' >> /etc/sipwitch.conf
+
+	echo '</provision>' >> /etc/sipwitch.conf
+	echo '<access>' >> /etc/sipwitch.conf
+	echo '</access>' >> /etc/sipwitch.conf
+	echo '<stack>' >> /etc/sipwitch.conf
+	echo "  <localnames>$DEFAULT_DOMAIN_NAME</localnames>" >> /etc/sipwitch.conf
+	echo '  <mapped>200</mapped>' >> /etc/sipwitch.conf
+	echo '  <threading>2</threading>' >> /etc/sipwitch.conf
+	echo '  <interface>*</interface>' >> /etc/sipwitch.conf
+	echo '  <dumping>false</dumping>' >> /etc/sipwitch.conf
+	echo '  <system>system</system>' >> /etc/sipwitch.conf
+	echo '  <anon>anonymous</anon>' >> /etc/sipwitch.conf
+	echo '</stack>' >> /etc/sipwitch.conf
+	echo '<timers>' >> /etc/sipwitch.conf
+	echo '  <!-- ring every 4 seconds -->' >> /etc/sipwitch.conf
+	echo '  <ring>4</ring>' >> /etc/sipwitch.conf
+	echo '  <!-- call forward no answer after x rings -->' >> /etc/sipwitch.conf
+	echo '  <cfna>4</cfna>' >> /etc/sipwitch.conf
+	echo '  <!-- call reset to clear cid in stack, 6 seconds -->' >> /etc/sipwitch.conf
+	echo '  <reset>6</reset>' >> /etc/sipwitch.conf
+	echo '</timers>' >> /etc/sipwitch.conf
+	echo '<!-- we have 2xx numbers plus space for external users -->' >> /etc/sipwitch.conf
+	echo '<registry>' >> /etc/sipwitch.conf
+	echo '  <prefix>200</prefix>' >> /etc/sipwitch.conf
+	echo '  <range>100</range>' >> /etc/sipwitch.conf
+	echo '  <keysize>77</keysize>' >> /etc/sipwitch.conf
+	echo '  <mapped>200</mapped>' >> /etc/sipwitch.conf
+	echo '  <!-- <realm>GNU Telephony</realm> -->' >> /etc/sipwitch.conf
+	echo '</registry>' >> /etc/sipwitch.conf
+	echo '<routing>' >> /etc/sipwitch.conf
+	echo '</routing>' >> /etc/sipwitch.conf
+	echo '</sipwitch>' >> /etc/sipwitch.conf
+
+	sed -i 's|#PLUGINS=|PLUGINS=|g' /etc/default/sipwitch
+	sed -i 's|PLUGINS=.*|PLUGINS="zeroconf subscriber forward"|g' /etc/default/sipwitch
+	groupadd sipwitch
+	usermod -aG sipwitch $MY_USERNAME
+
+	SIP_ONION_HOSTNAME=$(add_onion_service sip ${SIP_PORT} ${SIP_PORT})
+	if ! grep -q $"SIP onion domain" $COMPLETION_FILE; then
+		echo "SIP onion domain:$SIP_ONION_HOSTNAME" >> $COMPLETION_FILE
+	fi
+
+	if ! grep -q $"SIP Server" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'SIP Server' >> /home/$MY_USERNAME/README
+		echo '==========' >> /home/$MY_USERNAME/README
+		echo $"SIP onion_domain: $SIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
+		echo $"SIP server username: $MY_USERNAME" >> /home/$MY_USERNAME/README
+		echo $"SIP server extension: 201" >> /home/$MY_USERNAME/README
+		echo $"SIP server password: $SIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	function_check configure_firewall_for_sip4
+	configure_firewall_for_sip4
+	echo 'install_sip' >> $COMPLETION_FILE
+}
+
+function install_sip_turn {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "install_sip_turn" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install turnserver
+
+	# create a nonce if needed
+	if [ ! $VOIP_TURN_NONCE ]; then
+		VOIP_TURN_NONCE="$(create_password 30)"
+	fi
+
+	function_check create_site_certificate
+	create_site_certificate $DEFAULT_DOMAIN_NAME
+
+	echo '##' > /etc/turnserver/turnserver.conf
+	echo '# TurnServer configuration file.' >> /etc/turnserver/turnserver.conf
+	echo '#' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Public IPv4 address of any relayed address (if not set, no relay for IPv4).' >> /etc/turnserver/turnserver.conf
+	echo '## To have multiple address, separate addresses with a comma' >> /etc/turnserver/turnserver.conf
+	echo '## (i.e. listen_address = { "172.16.0.1", "172.17.0.1" }).' >> /etc/turnserver/turnserver.conf
+	echo "listen_address = { \"192.168.0.1\" }" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Public IPv6 address of any relayed address (if not set, no relay for IPv6).' >> /etc/turnserver/turnserver.conf
+	echo '## To have multiple address, separate address with a comma' >> /etc/turnserver/turnserver.conf
+	echo '## (i.e. listen_addressv6 = { "2001:db8:1::1", "2001:db8:2::1" }).' >> /etc/turnserver/turnserver.conf
+	echo "#listen_addressv6 = { \"2001:db8::1\" }" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## UDP listening port.' >> /etc/turnserver/turnserver.conf
+	echo "udp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## TCP listening port.' >> /etc/turnserver/turnserver.conf
+	echo "tcp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## TLS listening port.' >> /etc/turnserver/turnserver.conf
+	echo "tls_port = $VOIP_TURN_TLS_PORT" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## TLS support.' >> /etc/turnserver/turnserver.conf
+	echo 'tls = true' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## DTLS support. It is an experimental feature and is not defined in TURN' >> /etc/turnserver/turnserver.conf
+	echo '## standard.' >> /etc/turnserver/turnserver.conf
+	echo 'dtls = false' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Maximum allocation port number.' >> /etc/turnserver/turnserver.conf
+	echo 'max_port = 65535' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Minimum allocation port number.' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo 'min_port = 49152' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## TURN-TCP support.' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo 'turn_tcp = true' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## TURN-TCP buffering mode:' >> /etc/turnserver/turnserver.conf
+	echo '## - true, use userspace buffering;' >> /etc/turnserver/turnserver.conf
+	echo '## - false, use kernel buffering.' >> /etc/turnserver/turnserver.conf
+	echo 'tcp_buffer_userspace = true' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## TURN-TCP maximum buffer size.' >> /etc/turnserver/turnserver.conf
+	echo 'tcp_buffer_size = 32768' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Daemon mode.' >> /etc/turnserver/turnserver.conf
+	echo 'daemon = true' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Unprivileged user.' >> /etc/turnserver/turnserver.conf
+	echo '## If you want to use this feature create a system user.' >> /etc/turnserver/turnserver.conf
+	echo '## On Linux: adduser --system --group turnserver' >> /etc/turnserver/turnserver.conf
+	echo 'unpriv_user = turnserver' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Realm value.' >> /etc/turnserver/turnserver.conf
+	echo "realm = \"$DEFAULT_DOMAIN_NAME\"" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Nonce key.' >> /etc/turnserver/turnserver.conf
+	echo "nonce_key = \"$VOIP_TURN_NONCE\"" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Max relay per username.' >> /etc/turnserver/turnserver.conf
+	echo 'max_relay_per_username = 5' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Allocation lifetime.' >> /etc/turnserver/turnserver.conf
+	echo 'allocation_lifetime = 1800' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Allocation bandwidth limitation (in KBytes/s).' >> /etc/turnserver/turnserver.conf
+	echo '## 0 value means bandwidth quota disabled.' >> /etc/turnserver/turnserver.conf
+	echo 'bandwidth_per_allocation = 150' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Restricted user bandwidth (in KBytes/s).' >> /etc/turnserver/turnserver.conf
+	echo '## 0 value means bandwidth limitation disabled.' >> /etc/turnserver/turnserver.conf
+	echo 'restricted_bandwidth = 10' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Denied addresses.' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '# disallow relaying to localhost' >> /etc/turnserver/turnserver.conf
+	echo 'denied_address {' >> /etc/turnserver/turnserver.conf
+	echo '  address = "127.0.0.1"' >> /etc/turnserver/turnserver.conf
+	echo '  mask = "8"' >> /etc/turnserver/turnserver.conf
+	echo '  port = 0' >> /etc/turnserver/turnserver.conf
+	echo '}' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '# disallow relaying to ip6-localhost' >> /etc/turnserver/turnserver.conf
+	echo 'denied_address {' >> /etc/turnserver/turnserver.conf
+	echo '  address = "::1"' >> /etc/turnserver/turnserver.conf
+	echo '  mask = "128"' >> /etc/turnserver/turnserver.conf
+	echo '  port = 0' >> /etc/turnserver/turnserver.conf
+	echo '}' >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Certification Authority file.' >> /etc/turnserver/turnserver.conf
+	echo "ca_file = \"/etc/ssl/certs/ca-certificates.crt\"" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Server certificate file.' >> /etc/turnserver/turnserver.conf
+	if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem ]; then
+		echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem\"" >> /etc/turnserver/turnserver.conf
+	else
+		if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt ]; then
+			echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt\"" >> /etc/turnserver/turnserver.conf
+		fi
+	fi
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Private key file.' >> /etc/turnserver/turnserver.conf
+	echo "private_key_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.key\"" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Account method.' >> /etc/turnserver/turnserver.conf
+	echo "account_method = \"file\"" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## Account file (if account_method = file).' >> /etc/turnserver/turnserver.conf
+	echo "account_file = \"/etc/turnserver/turnusers.txt\"" >> /etc/turnserver/turnserver.conf
+	echo '' >> /etc/turnserver/turnserver.conf
+	echo '## mod_tmpuser.' >> /etc/turnserver/turnserver.conf
+	echo 'mod_tmpuser = false' >> /etc/turnserver/turnserver.conf
+
+	echo "${MY_USERNAME}:password:${DEFAULT_DOMAIN_NAME}:authorized" > /etc/turnserver/turnusers.txt
+
+	systemctl restart turnserver
+
+	function_check configure_firewall_for_voip_turn
+	configure_firewall_for_voip_turn
+	echo 'install_sip_turn' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-syncthing

@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Syncthing application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SYNCTHING_ID=
+SYNCTHING_CONFIG_PATH=/root/.config/syncthing
+SYNCTHING_CONFIG_FILE=$SYNCTHING_CONFIG_PATH/config.xml
+SYNCTHING_RELAY_SERVER='https://relays.syncthing.net/endpoint'
+SYNCTHING_RELEASES='https://api.github.com/repos/syncthing/syncthing/releases?per_page=30'
+SYNCTHING_PORT=22000
+SYNCTHING_SHARED_DATA=/var/lib/syncthing/SyncShared
+SYNCTHING_USER_IDS_FILE='.syncthingids'
+
+function install_syncthing {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "install_syncthing" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install curl
+
+	curl -s https://syncthing.net/release-key.txt | apt-key add -
+	echo "deb http://apt.syncthing.net/ syncthing release" | tee /etc/apt/sources.list.d/syncthing.list
+	apt-get update
+	apt-get -y install syncthing
+
+	# This probably does need to run as root so that it can access the Sync directories
+	# in each user's home directory
+	echo '[Unit]' > /etc/systemd/system/syncthing.service
+	echo 'Description=Syncthing - Open Source Continuous File Synchronization' >> /etc/systemd/system/syncthing.service
+	echo 'Documentation=man:syncthing(1)' >> /etc/systemd/system/syncthing.service
+	echo 'After=network.target' >> /etc/systemd/system/syncthing.service
+	echo 'Wants=syncthing-inotify@.service' >> /etc/systemd/system/syncthing.service
+	echo '' >> /etc/systemd/system/syncthing.service
+	echo '[Service]' >> /etc/systemd/system/syncthing.service
+	echo 'User=root' >> /etc/systemd/system/syncthing.service
+	echo "Environment='all_proxy=socks5://localhost:9050'" >> /etc/systemd/system/syncthing.service
+	echo 'ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0' >> /etc/systemd/system/syncthing.service
+	echo 'Restart=on-failure' >> /etc/systemd/system/syncthing.service
+	echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/syncthing.service
+	echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/syncthing.service
+	echo '' >> /etc/systemd/system/syncthing.service
+	echo '[Install]' >> /etc/systemd/system/syncthing.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/syncthing.service
+	systemctl enable syncthing
+	systemctl daemon-reload
+	systemctl start syncthing
+
+	function_check cron_add_mins
+	cron_add_mins 1 '/usr/local/bin/freedombone-syncthing > /dev/null'
+
+	function_check configure_firewall_for_syncthing
+	configure_firewall_for_syncthing
+	echo 'install_syncthing' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-tox

@@ -0,0 +1,172 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Tox Application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+TOX_PORT=33445
+TOXCORE_REPO="git://github.com/irungentoo/toxcore.git"
+TOXCORE_COMMIT='532629d486e3361c7d8d95b38293cc7d61dc4ee5'
+TOXID_REPO="https://github.com/bashrc/toxid"
+TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt
+# These are some default nodes, but you can replace them with trusted nodes
+# as you prefer. See https://wiki.tox.im/Nodes
+TOX_NODES=
+#TOX_NODES=(
+#  '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US'
+#  '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE'
+#)
+TOXIC_REPO="https://github.com/Tox/toxic"
+TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2'
+TOXIC_FILE=/usr/local/bin/toxic
+
+function tox_avahi {
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "tox_avahi" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [ ! -d /etc/avahi ]; then
+		echo $'tox_avahi: avahi is not installed'
+		exit 87359
+	fi
+
+	# install a command to obtain the Tox ID
+	cd $INSTALL_DIR
+	function_check git_clone
+	git_clone $TOXID_REPO $INSTALL_DIR/toxid
+	if [ ! -d $INSTALL_DIR/toxid ]; then
+		exit 63921
+	fi
+	cd $INSTALL_DIR/toxid
+	make
+	if [ ! "$?" = "0" ]; then
+		exit 58432
+	fi
+	make install
+
+	toxavahi
+
+	# publish regularly
+	function_check cron_add_mins
+	cron_add_mins 1 'toxavahi > /dev/null'
+
+	systemctl restart avahi-daemon
+
+	echo 'tox_avahi' >> $COMPLETION_FILE
+}
+
+function install_tox_node {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $INSTALL_DIR/toxcore "toxcore commit" "$TOXCORE_COMMIT" $TOXCORE_REPO
+
+	if grep -Fxq "install_tox_node" $COMPLETION_FILE; then
+		return
+	fi
+
+	${PROJECT_NAME}-mesh-install -f tox_node
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install tox node'
+		exit 26778
+	fi
+
+	TOX_ONION_HOSTNAME=$(add_onion_service tox ${TOX_PORT} ${TOX_PORT})
+
+	if ! grep -q "tox onion domain" $COMPLETION_FILE; then
+		echo "tox onion domain:${TOX_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	else
+		sed -i "s|tox onion domain.*|tox onion domain:${TOX_ONION_HOSTNAME}|g" $COMPLETION_FILE
+	fi
+
+	systemctl restart tox-bootstrapd.service
+
+	TOX_PUBLIC_KEY=$(cat /var/log/syslog | grep tox | grep "Public Key" | awk -F ' ' '{print $8}' | tail -1)
+	if [ ${#TOX_PUBLIC_KEY} -lt 30 ]; then
+		echo $'Could not obtain the tox node public key'
+		exit 6529
+	fi
+
+	# save the public key for later reference
+	echo "$TOX_PUBLIC_KEY" > $TOX_BOOTSTRAP_ID_FILE
+
+	function_check configure_firewall_for_tox
+	configure_firewall_for_tox
+
+	if ! grep -q $"Your Tox node public key is" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo 'Tox' >> /home/$MY_USERNAME/README
+		echo '===' >> /home/$MY_USERNAME/README
+		echo $"tox onion domain: ${TOX_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo $"Your Tox node public key is: $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README
+		echo $'In the Toxic client you can connect to it with:' >> /home/$MY_USERNAME/README
+		echo "  /connect $DEFAULT_DOMAIN_NAME.local $TOX_PORT $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	function_check configure_firewall_for_tox
+	configure_firewall_for_tox
+	echo 'install_tox_node' >> $COMPLETION_FILE
+}
+
+function install_tox_client {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $INSTALL_DIR/toxic "Toxic commit" "$TOXIC_COMMIT" $TOXIC_REPO
+
+	if grep -Fxq "install_tox_client" $COMPLETION_FILE; then
+		return
+	fi
+
+	${PROJECT_NAME}-mesh-install -f tox_client
+	if [ ! "$?" = "0" ]; then
+		echo $'Could not install Tox client'
+		exit 67248
+	fi
+
+	# initial setup of username
+	#su -c "echo 'n
+	#/nick $MY_USERNAME
+	#/exit
+	#' | $TOXIC_FILE -d" - $MY_USERNAME
+
+	echo 'install_tox_client' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-vpn

@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# VPN functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function install_vpn_tunnel {
+	if ! grep -q "repo.universe-factory.net" /etc/apt/sources.list; then
+		echo 'deb http://repo.universe-factory.net/debian/ sid main' >> /etc/apt/sources.list
+		gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C
+		if [ ! "$?" = "0" ]; then
+			exit 76272
+		fi
+		gpg -a --export 16EF3F64CB201D9C | sudo apt-key add -
+		apt-get update
+		apt-get -y install fastd
+		if [ ! "$?" = "0" ]; then
+			exit 52026
+		fi
+	fi
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-app-webmail

@@ -0,0 +1,184 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Webmail application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+WEBMAIL_REPO="https://github.com/roundcube/roundcubemail"
+WEBMAIL_COMMIT='78cf9c2e5cff2d78cd8beb647d60570f195a2a9c'
+WEBMAIL_ONION_HOSTNAME=
+WEBMAIL_ONION_PORT=8097
+WEBMAIL_ADMIN_PASSWORD=
+
+function install_webmail {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	WEB_PATH=/var/www
+	WEBMAIL_PATH=$WEB_PATH/webmail
+
+	# update to a new commit if needed
+	function_check set_repo_commit
+	set_repo_commit $WEBMAIL_PATH "Webmail commit" "$WEBMAIL_COMMIT" $WEBMAIL_REPO
+
+	if grep -Fxq "install_webmail" $COMPLETION_FILE; then
+		return
+	fi
+	if [ -d /etc/apache2 ]; then
+		rm -rf /etc/apache2
+		echo $'Removed Apache installation after Dokuwiki install'
+	fi
+
+	function_check install_mariadb
+	install_mariadb
+
+	function_check get_mariadb_password
+	get_mariadb_password
+
+	function_check repair_databases_script
+	repair_databases_script
+
+	apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git
+	apt-get -y install php5-dev imagemagick php5-imagick php5-sqlite php-auth-sasl php-net-smtp php-mime-type
+	apt-get -y install php-mail-mime php-mail-mimedecode php-net-ldap3 php5-pspell
+	pear install Net_IDNA2
+
+	if [ ! -f $WEBMAIL_PATH/index.php ]; then
+		cd $WEB_PATH
+		git_clone $WEBMAIL_REPO webmail
+		cd $WEBMAIL_PATH
+		git checkout $WEBMAIL_COMMIT -b $WEBMAIL_COMMIT
+		if ! grep -q "Webmail commit" $COMPLETION_FILE; then
+			echo "Webmail commit:$WEBMAIL_COMMIT" >> $COMPLETION_FILE
+		else
+			sed -i "s/Webmail commit.*/Webmail commit:$WEBMAIL_COMMIT/g" $COMPLETION_FILE
+		fi
+	fi
+	if [ ! -f $WEBMAIL_PATH/index.php ]; then
+		echo $'Did not clone webmail repo'
+		exit 52825
+	fi
+
+	WEBMAIL_ONION_HOSTNAME=$(add_onion_service webmail 80 ${WEBMAIL_ONION_PORT})
+	echo "Webmail onion domain:${WEBMAIL_ONION_HOSTNAME}" >> $COMPLETION_FILE
+
+	function_check get_mariadb_webmail_admin_password
+	get_mariadb_webmail_admin_password
+	if [ ! $WEBMAIL_ADMIN_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			WEBMAIL_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			WEBMAIL_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+	fi
+	function_check create_database
+	create_database webmail "$WEBMAIL_ADMIN_PASSWORD"
+	mysql -u root --password="$MARIADB_PASSWORD" -D webmail < $WEBMAIL_PATH/SQL/mysql.initial.sql
+
+	if [ ! -d /var/www/$DEFAULT_DOMAIN_NAME/htdocs ]; then
+		mkdir -p /var/www/$DEFAULT_DOMAIN_NAME/htdocs
+	fi
+	ln -s $WEBMAIL_PATH /var/www/$DEFAULT_DOMAIN_NAME/htdocs/webmail
+
+	if [ ! -f /var/www/webmail/config/config.inc.php ]; then
+		# generate the configuration
+		echo '<?php' > /var/www/webmail/config/config.inc.php
+		echo "\$config['db_dsnw'] = 'mysql://root:${MARIADB_PASSWORD}@localhost/webmail';" >> /var/www/webmail/config/config.inc.php
+		echo "\$config['default_host'] = 'localhost';" >> /var/www/webmail/config/config.inc.php
+		echo "\$config['support_url'] = '';" >> /var/www/webmail/config/config.inc.php
+		WEBMAIL_DES_KEY="$(create_password 25)"
+		echo "\$config['des_key'] = '${WEBMAIL_DES_KEY}';" >> /var/www/webmail/config/config.inc.php
+		echo "\$config['product_name'] = '${PROJECT_NAME}';" >> /var/www/webmail/config/config.inc.php
+		echo "\$config['plugins'] = array('enigma');" >> /var/www/webmail/config/config.inc.php
+		echo "\$config['mime_param_folding'] = 0;" >> /var/www/webmail/config/config.inc.php
+		echo "\$config['enable_installer'] = false;" >> /var/www/webmail/config/config.inc.php
+	fi
+
+	chown -R www-data:www-data $WEBMAIL_PATH
+
+	echo 'server {' > /etc/nginx/sites-available/webmail
+	echo "  listen 127.0.0.1:$WEBMAIL_ONION_PORT default_server;" >> /etc/nginx/sites-available/webmail
+	echo "  server_name $WEBMAIL_ONION_HOSTNAME;" >> /etc/nginx/sites-available/webmail
+	echo "  root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail
+	echo '  index index.php index.html index.htm;' >> /etc/nginx/sites-available/webmail
+	echo '  access_log off;' >> /etc/nginx/sites-available/webmail
+	echo '  error_log off;' >> /etc/nginx/sites-available/webmail
+	echo '  location / {' >> /etc/nginx/sites-available/webmail
+	echo '    try_files $uri $uri/ /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/webmail
+	echo '  }' >> /etc/nginx/sites-available/webmail
+	echo '  error_page 404 /404.html;' >> /etc/nginx/sites-available/webmail
+	echo '  error_page 500 502 503 504 /50x.html;' >> /etc/nginx/sites-available/webmail
+	echo '  location = /50x.html {' >> /etc/nginx/sites-available/webmail
+	echo "    root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail
+	echo '  }' >> /etc/nginx/sites-available/webmail
+	echo '  location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {' >> /etc/nginx/sites-available/webmail
+	echo '    deny all;' >> /etc/nginx/sites-available/webmail
+	echo '  }' >> /etc/nginx/sites-available/webmail
+	echo '  location ~ ^/(config|temp|logs)/ {' >> /etc/nginx/sites-available/webmail
+	echo '    deny all;' >> /etc/nginx/sites-available/webmail
+	echo '  }' >> /etc/nginx/sites-available/webmail
+	echo '  location ~ /\. {' >> /etc/nginx/sites-available/webmail
+	echo '    deny all;' >> /etc/nginx/sites-available/webmail
+	echo '    access_log off;' >> /etc/nginx/sites-available/webmail
+	echo '    log_not_found off;' >> /etc/nginx/sites-available/webmail
+	echo '  }' >> /etc/nginx/sites-available/webmail
+	echo '  location ~ \.php$ {' >> /etc/nginx/sites-available/webmail
+	echo '    try_files $uri =404;' >> /etc/nginx/sites-available/webmail
+	echo '    fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/webmail
+	echo '    fastcgi_index index.php;' >> /etc/nginx/sites-available/webmail
+	echo '    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/webmail
+	echo '    include fastcgi_params;' >> /etc/nginx/sites-available/webmail
+	echo '  }' >> /etc/nginx/sites-available/webmail
+	echo '  add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/webmail
+	echo '  add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/webmail
+	echo '  client_max_body_size 15m;' >> /etc/nginx/sites-available/webmail
+	echo '}' >> /etc/nginx/sites-available/webmail
+
+	nginx_ensite webmail
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	if ! grep -q "Webmail" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo 'Webmail' >> /home/$MY_USERNAME/README
+		echo '=======' >> /home/$MY_USERNAME/README
+		if [[ $ONION_ONLY == 'no' ]]; then
+			echo $"Open https://$DEFAULT_DOMAIN_NAME/webmail/index.php" >> /home/$MY_USERNAME/README
+		else
+			echo $"Open http://$WEBMAIL_ONION_HOSTNAME" >> /home/$MY_USERNAME/README
+		fi
+		echo $"MariaDB webmail admin password: $WEBMAIL_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	echo 'install_webmail' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-wiki

@@ -0,0 +1,413 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Wiki application
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+WIKI_DOMAIN_NAME=
+WIKI_ADMIN_PASSWORD=
+WIKI_TITLE="${PROJECT_NAME} Wiki"
+WIKI_CODE=
+WIKI_ONION_PORT=8089
+
+function get_wiki_admin_password {
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "Wiki password" /home/$MY_USERNAME/README; then
+			WIKI_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Wiki password:" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
+}
+
+function install_wiki {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MASH" ]]; then
+		return
+	fi
+	if grep -Fxq "install_wiki" $COMPLETION_FILE; then
+		return
+	fi
+	if [ ! $WIKI_DOMAIN_NAME ]; then
+		return
+	fi
+	apt-get -y install dokuwiki
+	apt-get -y remove --purge apache*
+	if [ -d /etc/apache2 ]; then
+		rm -rf /etc/apache2
+		echo $'Removed Apache installation after Dokuwiki install'
+	fi
+
+	if [ ! -d /var/www/$WIKI_DOMAIN_NAME ]; then
+		mkdir /var/www/$WIKI_DOMAIN_NAME
+	fi
+	if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then
+		rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
+	fi
+
+	ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs
+
+	mkdir /var/lib/dokuwiki/custom
+	cp /etc/dokuwiki/local.php.dist /var/lib/dokuwiki/custom/local.php
+	ln -s /var/lib/dokuwiki/custom/local.php /etc/dokuwiki/local.php
+
+	chown www-data /var/lib/dokuwiki/custom
+	chown www-data /var/lib/dokuwiki/custom/local.php
+	chown -R www-data /etc/dokuwiki
+	chown -R www-data /usr/share/dokuwiki/lib/
+	chmod 600 /var/lib/dokuwiki/custom/local.php
+	chmod -R 755 /usr/share/dokuwiki/lib
+
+	sed -i 's|//$conf|$conf|g' /var/lib/dokuwiki/custom/local.php
+	sed -i "s|joe|$MY_USERNAME|g" /var/lib/dokuwiki/custom/local.php
+
+	sed -i "s|Debian DokuWiki|$WIKI_TITLE|g" /etc/dokuwiki/local.php
+
+	# set the admin user
+	sed -i "s/@admin/$MY_USERNAME/g" /etc/dokuwiki/local.php
+
+	# disallow registration of new users
+	if ! grep -q "disableactions" /etc/dokuwiki/local.php; then
+		echo "\$conf['disableactions'] = 'register';" >> /etc/dokuwiki/local.php
+	fi
+	if ! grep -q "disableactions" /var/lib/dokuwiki/custom/local.php; then
+		echo "\$conf['disableactions'] = 'register';" >> /var/lib/dokuwiki/custom/local.php
+	fi
+
+	if ! grep -q "authtype" /var/lib/dokuwiki/custom/local.php; then
+		echo "\$conf['authtype'] = 'authplain';" >> /var/lib/dokuwiki/custom/local.php
+	fi
+	if ! grep -q "authtype" /etc/dokuwiki/local.php; then
+		echo "\$conf['authtype'] = 'authplain';" >> /etc/dokuwiki/local.php
+	fi
+
+    function_check get_wiki_admin_password
+	get_wiki_admin_password
+	if [ ! $WIKI_ADMIN_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			WIKI_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			WIKI_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+		fi
+	fi
+	HASHED_WIKI_PASSWORD=$(echo -n "$WIKI_ADMIN_PASSWORD" | md5sum | awk -F ' ' '{print $1}')
+	echo -n "$MY_USERNAME:$HASHED_WIKI_PASSWORD:$MY_NAME:$MY_EMAIL:admin,user,upload" > /var/lib/dokuwiki/acl/users.auth.php
+	chmod 640 /var/lib/dokuwiki/acl/users.auth.php
+
+	if ! grep -q "video/ogg" /etc/dokuwiki/mime.conf; then
+		echo 'ogv     video/ogg' >> /etc/dokuwiki/mime.conf
+	fi
+	if ! grep -q "video/mp4" /etc/dokuwiki/mime.conf; then
+		echo 'mp4     video/mp4' >> /etc/dokuwiki/mime.conf
+	fi
+	if ! grep -q "video/webm" /etc/dokuwiki/mime.conf; then
+		echo 'webm    video/webm' >> /etc/dokuwiki/mime.conf
+	fi
+
+	WIKI_ONION_HOSTNAME=$(add_onion_service wiki 80 ${WIKI_ONION_PORT})
+
+	if [[ $ONION_ONLY == "no" ]]; then
+		echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		function_check nginx_disable_sniffing
+		nginx_disable_sniffing $WIKI_DOMAIN_NAME
+		function_check nginx_limits
+		nginx_limits $WIKI_DOMAIN_NAME
+		echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '      deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '      deny  all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		function_check nginx_limits
+		nginx_limits $WIKI_DOMAIN_NAME
+		function_check nginx_ssl
+		nginx_ssl $WIKI_DOMAIN_NAME
+		function_check nginx_disable_sniffing
+		nginx_disable_sniffing $WIKI_DOMAIN_NAME
+		echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # webmail' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location /webmail {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /webmail/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /webmail/installer/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '      deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '      deny  all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+		echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	else
+		echo -n '' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	fi
+	echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "    listen 127.0.0.1:${WIKI_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "    server_name $WIKI_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "    error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	function_check nginx_limits
+	nginx_limits $WIKI_DOMAIN_NAME
+	function_check nginx_disable_sniffing
+	nginx_disable_sniffing $WIKI_DOMAIN_NAME
+	echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '      deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '      deny  all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+	echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+
+    function_check create_site_certificate
+	create_site_certificate $WIKI_DOMAIN_NAME
+
+    function_check configure_php
+	configure_php
+
+	nginx_ensite $WIKI_DOMAIN_NAME
+
+	systemctl restart php5-fpm
+	systemctl restart nginx
+
+	echo "Wiki onion domain:${WIKI_ONION_HOSTNAME}" >> $COMPLETION_FILE
+
+    function_check add_ddns_domain
+	add_ddns_domain $WIKI_DOMAIN_NAME
+
+	# add some post-install instructions
+	if ! grep -q $"Wiki password" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Wiki' >> /home/$MY_USERNAME/README
+		echo '====' >> /home/$MY_USERNAME/README
+		echo $"Wiki onion domain: ${WIKI_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo $"Wiki username: $MY_USERNAME" >> /home/$MY_USERNAME/README
+		echo $"Wiki password: $WIKI_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'Once you have set up the wiki then remove the install file:' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo "  rm /var/www/$WIKI_DOMAIN_NAME/htdocs/install.php" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	echo "Wiki domain:$WIKI_DOMAIN_NAME" >> $COMPLETION_FILE
+	echo 'install_wiki' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-xmpp

@@ -0,0 +1,346 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# XMPP functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Directory where XMPP settings are stored
+XMPP_DIRECTORY="/var/lib/prosody"
+XMPP_PASSWORD=
+
+XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"'
+XMPP_ECC_CURVE='"secp384r1"'
+
+function update_prosody_modules {
+	if [ ! -d $INSTALL_DIR/prosody-modules ]; then
+		return
+	fi
+	if [ ! -d /usr/lib/prosody ]; then
+		return
+	fi
+
+	cd $INSTALL_DIR/prosody-modules
+	hg pull
+	hg update
+
+	# support onion addresses
+	if [ -f $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua /usr/lib/prosody/modules/mod_onions.lua
+	fi
+
+	# XEP-0313 message archive management
+	# https://modules.prosody.im/mod_mam.html
+	# Allows you to download your previous messages onto a new client
+	# This only applies if you are not using forward secret crypto
+	# such as OTR or OMEMO (eg. OpenPGP)
+	if [ -d $INSTALL_DIR/prosody-modules/mod_mam ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_mam/*.lua /usr/lib/prosody/modules
+	fi
+
+	# XEP-0352 Client State Indication
+	# Notifies the server if the app is in the background or not
+	if [ -d $INSTALL_DIR/prosody-modules/mod_csi ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_csi/*.lua /usr/lib/prosody/modules
+	fi
+
+	# XEP-0280 Message Carbons
+	# Ensures all messages get delivered to all clients (if you have a mobile and desktop client)
+	if [ -d $INSTALL_DIR/prosody-modules/mod_carbons ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_carbons/*.lua /usr/lib/prosody/modules
+	fi
+
+	# XEP-0198 Stream management
+	# Helps mobile apps recover when a device switches networks.
+	if [ -d $INSTALL_DIR/prosody-modules/mod_smacks ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_smacks/*.lua /usr/lib/prosody/modules
+	fi
+	if [ -d $INSTALL_DIR/prosody-modules/mod_smacks_offline ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_smacks_offline/*.lua /usr/lib/prosody/modules
+	fi
+
+	# XEP-0191: blocking
+	if [ -d $INSTALL_DIR/prosody-modules/mod_blocking ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_blocking/*.lua /usr/lib/prosody/modules
+	fi
+
+	# XEP-0016 Privacy lists
+	if [ -d $INSTALL_DIR/prosody-modules/mod_privacy_lists ]; then
+		cp $INSTALL_DIR/prosody-modules/mod_privacy_lists/*.lua /usr/lib/prosody/modules
+	fi
+}
+
+function install_xmpp {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	update_prosody_modules
+
+	if grep -Fxq "install_xmpp" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install lua-sec lua-bitop
+	apt-get -y install prosody prosody-modules mercurial
+
+	if [ ! -d /etc/prosody ]; then
+		echo $"ERROR: prosody does not appear to have installed. $CHECK_MESSAGE"
+		exit 52
+	fi
+
+	# obtain the prosody modules
+	cd $INSTALL_DIR
+	hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
+	if [ ! -d $INSTALL_DIR/prosody-modules/mod_onions ]; then
+		echo $'mod_onions prosody module could not be found'
+		exit 73254
+	fi
+
+	# install the onions module
+	update_prosody_modules
+	if [ ! -f /usr/lib/prosody/modules/mod_onions.lua ]; then
+		echo $'mod_onions.lua could not be copied to the prosody modules directory'
+		exit 63952
+	fi
+
+	# create a certificate
+	if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then
+		${PROJECT_NAME}-addcert -h xmpp --dhkey $DH_KEYLENGTH
+		check_certificates xmpp
+	fi
+	chown prosody:prosody /etc/ssl/private/xmpp.key
+	chown prosody:prosody /etc/ssl/certs/xmpp.*
+	cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua
+
+	sed -i 's|/etc/prosody/certs/example.com.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/conf.avail/xmpp.cfg.lua
+	sed -i 's|/etc/prosody/certs/example.com.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/conf.avail/xmpp.cfg.lua
+	if ! grep -q "xmpp.dhparam" /etc/prosody/conf.avail/xmpp.cfg.lua; then
+		sed -i '/certificate =/a\        dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+	if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/conf.avail/xmpp.cfg.lua; then
+		sed -i '/certificate =/a\        options = {"no_sslv2", "no_sslv3" };' /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+	if ! grep -q 'ciphers =' /etc/prosody/conf.avail/xmpp.cfg.lua; then
+		sed -i "/certificate =/a\        ciphers = $XMPP_CIPHERS;" /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+	if ! grep -q 'depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua; then
+		sed -i '/certificate =/a\        depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+	if ! grep -q 'curve =' /etc/prosody/conf.avail/xmpp.cfg.lua; then
+		sed -i "/certificate =/a\        curve = $XMPP_ECC_CURVE;" /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+
+	sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/conf.avail/xmpp.cfg.lua
+	sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/conf.avail/xmpp.cfg.lua
+
+	if ! grep -q "modules_enabled" /etc/prosody/conf.avail/xmpp.cfg.lua; then
+		echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo 'modules_enabled = {' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "bosh"; -- Enable mod_bosh' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "tls"; -- Enable mod_tls' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "saslauth"; -- Enable mod_saslauth' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "onions"; -- Enable chat via onion service' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "mam"; -- Message archive management' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "csi"; -- Client state indication' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "carbons"; -- Message carbons' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "smacks"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "smacks_offline"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "pep"; -- Personal Eventing Protocol (to support OMEMO)' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "privacy"; -- Privacy lists' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "privacy_lists"; -- Privacy lists' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "blocking"; -- Blocking command' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '  "roster"; -- Roster versioning' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '}' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo 'c2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo 's2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+	ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua
+
+	sed -i 's|/etc/prosody/certs/localhost.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/prosody.cfg.lua
+	sed -i 's|/etc/prosody/certs/localhost.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/prosody.cfg.lua
+	if ! grep -q "xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then
+		sed -i '/certificate =/a\    dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/prosody.cfg.lua
+	fi
+	if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/prosody.cfg.lua; then
+		sed -i '/certificate =/a\    options = {"no_sslv2", "no_sslv3" };' /etc/prosody/prosody.cfg.lua
+	fi
+	if ! grep -q 'ciphers =' /etc/prosody/prosody.cfg.lua; then
+		sed -i "/certificate =/a\    ciphers = $XMPP_CIPHERS;" /etc/prosody/prosody.cfg.lua
+	fi
+	if ! grep -q 'depth = "1";' /etc/prosody/prosody.cfg.lua; then
+		sed -i '/certificate =/a\    depth = "1";' /etc/prosody/prosody.cfg.lua
+	fi
+	if ! grep -q 'curve =' /etc/prosody/prosody.cfg.lua; then
+		sed -i "/certificate =/a\    curve = $XMPP_ECC_CURVE;" /etc/prosody/prosody.cfg.lua
+	fi
+	sed -i 's/c2s_require_encryption = false/c2s_require_encryption = true/g' /etc/prosody/prosody.cfg.lua
+	if ! grep -q "s2s_require_encryption" /etc/prosody/prosody.cfg.lua; then
+		sed -i '/c2s_require_encryption/a\s2s_require_encryption = true' /etc/prosody/prosody.cfg.lua
+	fi
+	if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/prosody.cfg.lua; then
+		echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+	sed -i 's/--"bosh";/"bosh";/g' /etc/prosody/prosody.cfg.lua
+	sed -i 's/authentication = "internal_plain"/authentication = "internal_hashed"/g' /etc/prosody/prosody.cfg.lua
+	sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/prosody.cfg.lua
+	sed -i 's|key = "/etc/prosody/certs/example.com.key"|key = "/etc/ssl/private/xmpp.key"|g' /etc/prosody/prosody.cfg.lua
+	sed -i 's|certificate = "/etc/prosody/certs/example.com.crt"|certificate = "/etc/ssl/certs/xmpp.crt"|g' /etc/prosody/prosody.cfg.lua
+	sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/prosody.cfg.lua
+
+	systemctl restart prosody
+	touch /home/$MY_USERNAME/README
+
+	if [ ! -d /var/lib/tor ]; then
+		echo $'No Tor installation found. XMPP onion site cannot be configured.'
+		exit 877367
+	fi
+	if ! grep -q "hidden_service_xmpp" /etc/tor/torrc; then
+		echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/' >> /etc/tor/torrc
+		echo "HiddenServicePort 5222 127.0.0.1:5222" >> /etc/tor/torrc
+		echo "HiddenServicePort 5269 127.0.0.1:5269" >> /etc/tor/torrc
+		echo $'Added onion site for XMPP chat'
+	fi
+
+	systemctl restart tor
+	wait_for_onion_service 'xmpp'
+
+	if [ ! -f /var/lib/tor/hidden_service_xmpp/hostname ]; then
+		echo $'XMPP onion site hostname not found'
+		exit 65349
+	fi
+	XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
+	if ! grep -q "${XMPP_ONION_HOSTNAME}" /etc/prosody/conf.avail/xmpp.cfg.lua; then
+		echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/conf.avail/xmpp.cfg.lua
+		echo '    modules_enabled = { "onions" };' >> /etc/prosody/conf.avail/xmpp.cfg.lua
+	fi
+	if ! grep -q "XMPP onion domain" $COMPLETION_FILE; then
+		echo "XMPP onion domain:${XMPP_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	else
+		sed -i "s|XMPP onion domain.*|XMPP onion domain:${XMPP_ONION_HOSTNAME}|g" $COMPLETION_FILE
+	fi
+
+	if ! grep -q "Your XMPP password is" /home/$MY_USERNAME/README; then
+		if [ ${#XMPP_PASSWORD} -lt 8 ]; then
+			if [ -f $IMAGE_PASSWORD_FILE ]; then
+				XMPP_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+			else
+				XMPP_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
+			fi
+		fi
+		prosodyctl register $MY_USERNAME $DEFAULT_DOMAIN_NAME $XMPP_PASSWORD
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo $'XMPP' >> /home/$MY_USERNAME/README
+		echo '====' >> /home/$MY_USERNAME/README
+		echo $"XMPP onion domain: ${XMPP_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+		echo $"Your XMPP password is: $XMPP_PASSWORD" >> /home/$MY_USERNAME/README
+		echo $'You can change it with: ' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo "    prosodyctl passwd $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	function_check configure_firewall_for_xmpp
+	configure_firewall_for_xmpp
+
+	echo 'install_xmpp' >> $COMPLETION_FILE
+}
+
+function install_xmpp_client {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "install_xmpp_client" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install profanity
+
+	XMPP_CLIENT_DIR=/home/$MY_USERNAME/.local/share/profanity
+	XMPP_CLIENT_ACCOUNTS=$XMPP_CLIENT_DIR/accounts
+	if [ ! -d $XMPP_CLIENT_DIR ]; then
+		mkdir -p $XMPP_CLIENT_DIR
+	fi
+
+	if [[ $ONION_ONLY == 'no' ]]; then
+		echo "[${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}]" > $XMPP_CLIENT_ACCOUNTS
+		echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS
+		echo "jid=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS
+		echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS
+		echo "muc.service=conference.${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS
+		echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS
+		echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS
+		if [ ${#XMPP_PASSWORD} -gt 2 ]; then
+			echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS
+		fi
+	fi
+
+	if [ -f /var/lib/tor/hidden_service_xmpp/hostname ]; then
+		XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
+		echo "[${MY_USERNAME}@${XMPP_ONION_HOSTNAME}]" >> $XMPP_CLIENT_ACCOUNTS
+		if [[ $ONION_ONLY == 'no' ]]; then
+			echo 'enabled=false' >> $XMPP_CLIENT_ACCOUNTS
+		else
+			echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS
+		fi
+		echo "jid=${MY_USERNAME}@${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS
+		echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS
+		echo "muc.service=conference.${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS
+		echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS
+		echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS
+		echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS
+		if [ ${#XMPP_PASSWORD} -gt 2 ]; then
+			echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS
+		fi
+	fi
+
+	if [ ! -d /home/$MY_USERNAME/.config/profanity ]; then
+		mkdir /home/$MY_USERNAME/.config/profanity
+	fi
+	echo '[connection]' > /home/$MY_USERNAME/.config/profanity/profrc
+	echo "account=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> /home/$MY_USERNAME/.config/profanity/profrc
+
+	chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.local
+	chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
+
+	echo 'install_xmpp_client' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-app-zeronet

@@ -0,0 +1,384 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Zeronet functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ZERONET_REPO="https://github.com/HelloZeroNet/ZeroNet.git"
+ZERONET_COMMIT='675bd462556c541d65e2d95f91f899146a373aad'
+ZERONET_BLOG_REPO="https://github.com/HelloZeroNet/ZeroBlog"
+ZERONET_BLOG_COMMIT='bbb0d6c36465fed2e6df71f1aab45fcc9c6ad609'
+ZERONET_MAIL_REPO="https://github.com/HelloZeroNet/ZeroMail"
+ZERONET_MAIL_COMMIT='955af09d643c72b02e4983d71eca5c0c93a6c131'
+ZERONET_FORUM_REPO="https://github.com/HelloZeroNet/ZeroTalk"
+ZERONET_FORUM_COMMIT='e2d2c9cb1cfbfef91b244935efb5c14c2ad95faa'
+ZERONET_URL=http://127.0.0.1:43110
+ZERONET_PORT=15441
+TRACKER_PORT=6969
+ZERONET_DEFAULT_BLOG_TAGLINE="Blogging on the Mesh"
+ZERONET_DEFAULT_FORUM_TAGLINE="A decentralized discussion group"
+ZERONET_DEFAULT_MAIL_TAGLINE="Mail for the Mesh"
+ZERONET_ID_REPO="https://github.com/HelloZeroNet/ZeroID"
+ZERONET_ID_COMMIT='ccf14fdc96fa9cdb2ddd8a7ab283a8e17a4f234b'
+
+function install_zeronet_blog {
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+    function_check set_repo_commit
+	set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroBlog "ZeroNet Blog commit" "$ZERONET_BLOG_COMMIT" $ZERONET_BLOG_REPO
+
+	if grep -Fxq "install_zeronet_blog" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [ ! -f /home/$MY_USERNAME/README ]; then
+		touch /home/$MY_USERNAME/README
+	fi
+
+	if grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then
+		return
+	fi
+
+	if [ ! -d /etc/avahi ]; then
+		echo $'Avahi is not installed'
+		exit 736
+	fi
+
+	ZERONET_DEFAULT_BLOG_TITLE="${MY_USERNAME}'s Blog"
+
+	cd $MESH_INSTALL_DIR/zeronet
+	python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/blog.txt
+	if [ ! -f $MESH_INSTALL_DIR/zeronet/blog.txt ]; then
+		echo $'Unable to create blog'
+		exit 479
+	fi
+	blog_address=$(cat blog.txt | grep "Site address" | awk -F ':' '{print $2}')
+	blog_private_key=$(cat blog.txt | grep "Site private key" | awk -F ':' '{print $2}')
+	ZERONET_BLOG_ADDRESS=${blog_address//[[:blank:]]/}
+	ZERONET_BLOG_PRIVATE_KEY=${blog_private_key//[[:blank:]]/}
+
+	if [ ${#ZERONET_BLOG_ADDRESS} -lt 20 ]; then
+		echo $"Address:    $ZERONET_BLOG_ADDRESS"
+		echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY"
+		echo $'Unable to create zeronet blog address'
+		exit 7358
+	fi
+
+	if [ ${#ZERONET_BLOG_PRIVATE_KEY} -lt 20 ]; then
+		echo $"Address:    $ZERONET_BLOG_ADDRESS"
+		echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY"
+		echo $'Unable to create zeronet blog private key'
+		exit 1639
+	fi
+
+	if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS" ]; then
+		echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS"
+		exit 7638
+	fi
+
+    function_check git_clone
+	git_clone $ZERONET_BLOG_REPO ZeroBlog
+	if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroBlog ]; then
+		echo $'ZeroBlog repo could not be cloned'
+		exit 6739
+	fi
+	cd $MESH_INSTALL_DIR/zeronet/ZeroBlog
+	git checkout $ZERONET_BLOG_COMMIT -b $ZERONET_BLOG_COMMIT
+	if ! grep -q "ZeroNet Blog commit" $COMPLETION_FILE; then
+		echo "ZeroNet Blog commit:$ZERONET_BLOG_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/ZeroNet Blog commit.*/ZeroNet Blog commit:$ZERONET_BLOG_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	echo $"ZeroNet Blog address:     $ZERONET_BLOG_ADDRESS"
+	echo $"ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY"
+	cp -r $MESH_INSTALL_DIR/zeronet/ZeroBlog/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS
+
+	if [ ! -d $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data ]; then
+		mkdir $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data
+	fi
+	cp $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data-default/data.json $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data
+	sed -i "s/MyZeroBlog/$ZERONET_DEFAULT_BLOG_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json
+	sed -i "s/My ZeroBlog./$ZERONET_DEFAULT_BLOG_TAGLINE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json
+	sed -i "s/ZeroBlog Demo/$ZERONET_DEFAULT_BLOG_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html
+	sed -i "s|<h3 class=\"description\">.*|<h3 class=\"description\">$ZERONET_DEFAULT_BLOG_TAGLINE</h3>|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html
+	sed -i "s/Blogging platform Demo/Blogging platform/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/content.json
+	python zeronet.py siteSign $ZERONET_BLOG_ADDRESS $ZERONET_BLOG_PRIVATE_KEY
+
+	# Add an avahi service
+	function_check create_avahi_service
+	create_avahi_service zeronet-blog "zeronet-blog" udp $ZERONET_PORT "$ZERONET_URL/$ZERONET_BLOG_ADDRESS"
+	cp /tmp/zeronet-blog.service /etc/avahi/services/zeronet-blog.service
+
+	if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then
+		mkdir -p /home/$MY_USERNAME/.config/zeronet
+		chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
+	fi
+	echo "$ZERONET_URL/$ZERONET_BLOG_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myblog
+
+	if ! grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo "ZeroNet Blog address: $ZERONET_BLOG_ADDRESS" >> /home/$MY_USERNAME/README
+		echo "ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY" >> /home/$MY_USERNAME/README
+	fi
+
+	echo 'install_zeronet_blog' >> $COMPLETION_FILE
+}
+
+function install_zeronet_mail {
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+    function_check set_repo_commit
+	set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroMail "ZeroNet Mail commit" "$ZERONET_MAIL_COMMIT" $ZERONET_MAIL_REPO
+
+	if grep -Fxq "install_zeronet_mail" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [ ! -f /home/$MY_USERNAME/README ]; then
+		touch /home/$MY_USERNAME/README
+	fi
+
+	if grep -q "ZeroNet Mail address" /home/$MY_USERNAME/README; then
+		return
+	fi
+
+	if [ ! -d /etc/avahi ]; then
+		echo 'Avahi is not installed'
+		exit 736
+	fi
+
+	ZERONET_DEFAULT_MAIL_TITLE="${MY_USERNAME}'s Mail"
+
+	cd $MESH_INSTALL_DIR/zeronet
+	python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/mail.txt
+	if [ ! -f $MESH_INSTALL_DIR/zeronet/mail.txt ]; then
+		echo $'Unable to create mail'
+		exit 479
+	fi
+	mail_address=$(cat mail.txt | grep "Site address" | awk -F ':' '{print $2}')
+	mail_private_key=$(cat mail.txt | grep "Site private key" | awk -F ':' '{print $2}')
+	ZERONET_MAIL_ADDRESS=${mail_address//[[:blank:]]/}
+	ZERONET_MAIL_PRIVATE_KEY=${mail_private_key//[[:blank:]]/}
+
+	if [ ${#ZERONET_MAIL_ADDRESS} -lt 20 ]; then
+		echo $"Address:    $ZERONET_MAIL_ADDRESS"
+		echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY"
+		echo $'Unable to create zeronet mail address'
+		exit 7358
+	fi
+
+	if [ ${#ZERONET_MAIL_PRIVATE_KEY} -lt 20 ]; then
+		echo $"Address:    $ZERONET_MAIL_ADDRESS"
+		echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY"
+		echo $'Unable to create zeronet mail private key'
+		exit 1639
+	fi
+
+	if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS" ]; then
+		echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS"
+		exit 7638
+	fi
+
+    function_check git_clone
+	git_clone $ZERONET_MAIL_REPO ZeroMail
+	if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroMail ]; then
+		echo $'ZeroMail repo could not be cloned'
+		exit 6739
+	fi
+	cd $MESH_INSTALL_DIR/zeronet/ZeroMail
+	git checkout $ZERONET_MAIL_COMMIT -b $ZERONET_MAIL_COMMIT
+	if ! grep -q "ZeroNet Mail commit" $COMPLETION_FILE; then
+		echo "ZeroNet Mail commit:$ZERONET_MAIL_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/ZeroNet Mail commit.*/ZeroNet Mail commit:$ZERONET_MAIL_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	echo $"ZeroNet Mail address:     $ZERONET_MAIL_ADDRESS"
+	echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY"
+	cp -r $MESH_INSTALL_DIR/zeronet/ZeroMail/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS
+
+	if [ ! -d $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data ]; then
+		mkdir $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data
+	fi
+	cp $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data-default/data.json $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data
+	sed -i "s/MyZeroMail/$ZERONET_DEFAULT_MAIL_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json
+	sed -i "s/My ZeroMail./$ZERONET_DEFAULT_MAIL_TAGLINE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json
+	sed -i "s/ZeroMail Demo/$ZERONET_DEFAULT_MAIL_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html
+	sed -i "s|<h3 class=\"description\">.*|<h3 class=\"description\">$ZERONET_DEFAULT_MAIL_TAGLINE</h3>|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html
+	sed -i "s/Mailging platform Demo/Mailging platform/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/content.json
+	python zeronet.py siteSign $ZERONET_MAIL_ADDRESS $ZERONET_MAIL_PRIVATE_KEY
+
+	# Add an avahi service
+	function_check create_avahi_service
+	create_avahi_service zeronet-mail "zeronet-mail" udp $ZERONET_PORT "$ZERONET_URL/$ZERONET_MAIL_ADDRESS"
+	cp /tmp/zeronet-mail.service /etc/avahi/services/zeronet-mail.service
+
+	if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then
+		mkdir -p /home/$MY_USERNAME/.config/zeronet
+		chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
+	fi
+	echo "$ZERONET_URL/$ZERONET_MAIL_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/mymail
+
+	if ! grep -q $"ZeroNet Mail address" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo $"ZeroNet Mail address: $ZERONET_MAIL_ADDRESS" >> /home/$MY_USERNAME/README
+		echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY" >> /home/$MY_USERNAME/README
+	fi
+
+	echo 'install_zeronet_mail' >> $COMPLETION_FILE
+}
+
+function install_zeronet_forum {
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroTalk "ZeroNet Forum commit" "$ZERONET_FORUM_COMMIT" $ZERONET_FORUM_REPO
+
+	if grep -Fxq "install_zeronet_forum" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [ ! -f /home/$MY_USERNAME/README ]; then
+		touch /home/$MY_USERNAME/README
+	fi
+
+	if grep -q "ZeroNet Forum address" /home/$MY_USERNAME/README; then
+		return
+	fi
+
+	if [ ! -d /etc/avahi ]; then
+		echo $'Avahi is not installed'
+		exit 736
+	fi
+
+	ZERONET_DEFAULT_FORUM_TITLE=$"${MY_USERNAME}'s Forum"
+
+	cd $MESH_INSTALL_DIR/zeronet
+	python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/forum.txt
+	if [ ! -f $MESH_INSTALL_DIR/zeronet/forum.txt ]; then
+		echo $'Unable to create forum'
+		exit 479
+	fi
+	forum_address=$(cat forum.txt | grep "Site address" | awk -F ':' '{print $2}')
+	forum_private_key=$(cat forum.txt | grep "Site private key" | awk -F ':' '{print $2}')
+	ZERONET_FORUM_ADDRESS=${forum_address//[[:blank:]]/}
+	ZERONET_FORUM_PRIVATE_KEY=${forum_private_key//[[:blank:]]/}
+
+	if [ ${#ZERONET_FORUM_ADDRESS} -lt 20 ]; then
+		echo $"Address:    $ZERONET_FORUM_ADDRESS"
+		echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY"
+		echo $'Unable to create zeronet forum address'
+		exit 76352
+	fi
+
+	if [ ${#ZERONET_FORUM_PRIVATE_KEY} -lt 20 ]; then
+		echo $"Address:    $ZERONET_FORUM_ADDRESS"
+		echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY"
+		echo $'Unable to create zeronet forum private key'
+		exit 87356
+	fi
+
+	if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS" ]; then
+		echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS"
+		exit 7638
+	fi
+
+    function_check git_clone
+	git_clone $ZERONET_FORUM_REPO ZeroTalk
+	if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroTalk ]; then
+		echo $'ZeroTalk repo could not be cloned'
+		exit 6739
+	fi
+	git checkout $ZERONET_FORUM_COMMIT -b $ZERONET_FORUM_COMMIT
+	if ! grep -q "ZeroNet Forum commit" $COMPLETION_FILE; then
+		echo "ZeroNet Forum commit:$ZERONET_FORUM_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/ZeroNet Forum commit.*/ZeroNet Forum commit:$ZERONET_FORUM_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	echo $"Forum address:     $ZERONET_FORUM_ADDRESS"
+	echo $"Forum private key: $ZERONET_FORUM_PRIVATE_KEY"
+	cp -r $MESH_INSTALL_DIR/zeronet/ZeroTalk/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS
+	sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html
+	sed -i "s/ZeroTalk/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html
+	sed -i "s|Demo for dynamic, decentralized content publishing.|$ZERONET_DEFAULT_FORUM_TAGLINE|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html
+	sed -i 's/Messaging Board Demo/Messaging Board/g' $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json
+	sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json
+	python zeronet.py siteSign $ZERONET_FORUM_ADDRESS $ZERONET_FORUM_PRIVATE_KEY --inner_path data/users/content.json
+
+	# Add an avahi service
+	function_check create_avahi_service
+	create_avahi_service zeronet-forum "zeronet-forum" udp $ZERONET_PORT "$ZERONET_URL/$ZERONET_FORUM_ADDRESS"
+	sudo cp /tmp/zeronet-forum.service /etc/avahi/services/zeronet-forum.service
+
+	if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then
+		mkdir -p /home/$MY_USERNAME/.config/zeronet
+		chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config
+	fi
+	echo "$ZERONET_URL/$ZERONET_FORUM_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myforum
+
+	if ! grep -q $"ZeroNet Forum address" /home/$MY_USERNAME/README; then
+		echo '' >> /home/$MY_USERNAME/README
+		echo $"ZeroNet Forum address: $ZERONET_FORUM_ADDRESS" >> /home/$MY_USERNAME/README
+		echo $"ZeroNet Forum private key: $ZERONET_FORUM_PRIVATE_KEY" >> /home/$MY_USERNAME/README
+	fi
+
+	echo 'install_zeronet_forum' >> $COMPLETION_FILE
+}
+
+function install_zeronet {
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $MESH_INSTALL_DIR/zeronet "ZeroNet commit" "$ZERONET_COMMIT" $ZERONET_REPO
+
+	if grep -Fxq "install_zeronet" $COMPLETION_FILE; then
+		return
+	fi
+
+	${PROJECT_NAME}-mesh-install -f zeronet
+	systemctl daemon-reload
+	systemctl start tracker.service
+	systemctl start zeronet.service
+
+	function_check configure_firewall_for_zeronet
+	configure_firewall_for_zeronet
+	echo 'install_zeronet' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-avahi

@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Avahi functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function create_avahi_service {
+	service_name=$1
+	service_type=$2
+	service_protocol=$3
+	service_port=$4
+	service_description="$5"
+
+	if [ ! -d /etc/avahi ]; then
+	    echo $'create_avahi_service: avahi was not installed'
+		exit 52925
+	fi
+
+	echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /etc/avahi/services/${service_name}.service
+	echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /etc/avahi/services/${service_name}.service
+	echo '<service-group>' >> /etc/avahi/services/${service_name}.service
+	echo "  <name replace-wildcards=\"yes\">%h ${service_type}</name>" >> /etc/avahi/services/${service_name}.service
+	echo '  <service>' >> /etc/avahi/services/${service_name}.service
+	echo "    <type>_${service_type}._${service_protocol}</type>" >> /etc/avahi/services/${service_name}.service
+	echo "    <port>${service_port}</port>" >> /etc/avahi/services/${service_name}.service
+	if [ "$service_description" ]; then
+		echo "    <txt-record>$description</txt-record>" >> /tmp/zeronet-blog.service
+	fi
+	echo '  </service>' >> /etc/avahi/services/${service_name}.service
+	echo '</service-group>' >> /etc/avahi/services/${service_name}.service
+}
+
+function configure_avahi {
+	if grep -Fxq "configure_avahi" $COMPLETION_FILE; then
+		return
+	fi
+	# only enable avahi if we're doing mesh networking
+	if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then
+		return
+	fi
+
+	${PROJECT_NAME}-mesh-install -f avahi
+	if [ ! "$?" = "0" ]; then
+		echo $'Failed to install avahi'
+		exit 68442
+	fi
+
+	if [ $DEFAULT_DOMAIN_NAME ]; then
+		sed -i "s|#host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf
+		sed -i "s|host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf
+	else
+		decarray=( 1 2 3 4 5 6 7 8 9 0 )
+		PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
+		sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf
+		sed -i "s|host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf
+	fi
+
+	echo 'configure_avahi' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-utils-backup

@@ -0,0 +1,99 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Backup functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function configure_backup_key {
+	if grep -Fxq "configure_backup_key" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install gnupg
+
+	BACKUP_KEY_EXISTS=$(gpg_key_exists "root" "$MY_NAME (backup key)")
+	if [[ $BACKUP_KEY_EXISTS == "yes" ]]; then
+		return
+	fi
+
+	# Generate a GPG key for backups
+	BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
+	if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
+		echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
+		echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
+		echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf
+		echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
+		echo "Name-Real:  $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
+		echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
+		echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf
+		echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
+		echo $'Backup key does not exist. Creating it.'
+		su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
+		shred -zu /home/$MY_USERNAME/gpg-genkey.conf
+		echo $'Checking that the Backup key was created'
+		BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
+		if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
+			echo $'Backup key could not be created'
+			exit 43382
+		fi
+	fi
+	MY_BACKUP_KEY_ID=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\" | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
+	echo "Backup key: $MY_BACKUP_KEY_ID"
+	MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key
+	su -c "gpg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME
+	su -c "gpg --output ${MY_BACKUP_KEY}_private.asc --armor --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
+	if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then
+		echo 'Public backup key could not be exported'
+		exit 36829
+	fi
+	if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then
+		echo 'Private backup key could not be exported'
+		exit 29235
+	fi
+
+	# import backup key to root user
+	gpg --import --import ${MY_BACKUP_KEY}_public.asc
+	gpg --allow-secret-key-import --import ${MY_BACKUP_KEY}_private.asc
+
+	shred -zu ${MY_BACKUP_KEY}_public.asc
+	shred -zu ${MY_BACKUP_KEY}_private.asc
+
+	echo 'configure_backup_key' >> $COMPLETION_FILE
+}
+
+function backup_to_friends_servers {
+	# update crontab
+	echo '#!/bin/bash' > /etc/cron.daily/backuptofriends
+	echo "if [ -f /usr/local/bin/${PROJECT_NAME}-backup-remote ]; then" >> /etc/cron.daily/backuptofriends
+	echo "    /usr/local/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends
+	echo 'else' >> /etc/cron.daily/backuptofriends
+	echo "    /usr/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends
+	echo 'fi' >> /etc/cron.daily/backuptofriends
+	chmod +x /etc/cron.daily/backuptofriends
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-config

@@ -0,0 +1,606 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Initial reading of the configuration file, typically called freedombone.cfg
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function read_configuration {
+	# if not installing on a Beaglebone then use sdb as the USB drive by default
+	if [ ! $INSTALLING_ON_BBB ]; then
+		if [[ $USB_DRIVE == /dev/sda1 ]]; then
+			USB_DRIVE=/dev/sdb1
+		fi
+	fi
+
+	if [[ $INSTALLING_FROM_CONFIGURATION_FILE == "yes"  ]]; then
+		if [ ! -f $CONFIGURATION_FILE ]; then
+			echo $"The configuration file $CONFIGURATION_FILE was not found"
+			exit 8935
+		fi
+	fi
+
+	if [ -f $CONFIGURATION_FILE ]; then
+		read_repo_servers
+
+		# Ensure that a copy of the config exists for upgrade purposes
+		if [[ $CONFIGURATION_FILE != "/root/${PROJECT_NAME}.cfg" ]]; then
+			cp $CONFIGURATION_FILE /root/${PROJECT_NAME}.cfg
+		fi
+		if grep -q "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE; then
+			REFRESH_GPG_KEYS_HOURS=$(grep "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WEBMAIL_REPO" $CONFIGURATION_FILE; then
+			WEBMAIL_REPO=$(grep "WEBMAIL_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WEBMAIL_COMMIT" $CONFIGURATION_FILE; then
+			WEBMAIL_COMMIT=$(grep "WEBMAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then
+			WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIFI_SSID" $CONFIGURATION_FILE; then
+			WIFI_SSID=$(grep "WIFI_SSID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIFI_TYPE" $CONFIGURATION_FILE; then
+			WIFI_TYPE=$(grep "WIFI_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIFI_PASSPHRASE" $CONFIGURATION_FILE; then
+			WIFI_PASSPHRASE=$(grep "WIFI_PASSPHRASE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIFI_HOTSPOT" $CONFIGURATION_FILE; then
+			WIFI_HOTSPOT=$(grep "WIFI_HOTSPOT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE; then
+			WIFI_NETWORKS_FILE=$(grep "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYNCTHING_ID" $CONFIGURATION_FILE; then
+			SYNCTHING_ID=$(grep "SYNCTHING_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE; then
+			SYNCTHING_CONFIG_PATH=$(grep "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE; then
+			SYNCTHING_CONFIG_FILE=$(grep "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE; then
+			SYNCTHING_RELAY_SERVER=$(grep "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYNCTHING_RELEASES" $CONFIGURATION_FILE; then
+			SYNCTHING_RELEASES=$(grep "SYNCTHING_RELEASES" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYNCTHING_PORT" $CONFIGURATION_FILE; then
+			SYNCTHING_PORT=$(grep "SYNCTHING_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE; then
+			SYNCTHING_SHARED_DATA=$(grep "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "VOIP_TURN_PORT" $CONFIGURATION_FILE; then
+			VOIP_TURN_PORT=$(grep "VOIP_TURN_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE; then
+			VOIP_TURN_TLS_PORT=$(grep "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "VOIP_TURN_NONCE" $CONFIGURATION_FILE; then
+			VOIP_TURN_NONCE=$(grep "VOIP_TURN_NONCE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DEFAULT_SEARCH" $CONFIGURATION_FILE; then
+			DEFAULT_SEARCH=$(grep "DEFAULT_SEARCH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE; then
+			SEARCH_ENGINE_PASSWORD=$(grep "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "XMPP_PASSWORD" $CONFIGURATION_FILE; then
+			XMPP_PASSWORD=$(grep "XMPP_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "RSS_READER_REPO" $CONFIGURATION_FILE; then
+			RSS_READER_REPO=$(grep "RSS_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE; then
+			RSS_MOBILE_READER_REPO=$(grep "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "RSS_READER_COMMIT" $CONFIGURATION_FILE; then
+			RSS_READER_COMMIT=$(grep "RSS_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE; then
+			RSS_MOBILE_READER_COMMIT=$(grep "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE; then
+			RSS_READER_ADMIN_PASSWORD=$(grep "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			RSS_READER_DOMAIN_NAME=$(grep "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE; then
+			MICROBLOG_BACKGROUND_IMAGE_URL=$(grep "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE; then
+			MICROBLOG_WELCOME_MESSAGE=$(grep "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "PROJECT_WEBSITE" $CONFIGURATION_FILE; then
+			PROJECT_WEBSITE=$(grep "PROJECT_WEBSITE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "PROJECT_REPO" $CONFIGURATION_FILE; then
+			PROJECT_REPO=$(grep "PROJECT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ONION_ONLY" $CONFIGURATION_FILE; then
+			ONION_ONLY=$(grep "ONION_ONLY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "IRC_PASSWORD" $CONFIGURATION_FILE; then
+			IRC_PASSWORD=$(grep "IRC_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DEFAULT_LANGUAGE" $CONFIGURATION_FILE; then
+			DEFAULT_LANGUAGE=$(grep "DEFAULT_LANGUAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MINIMAL_INSTALL" $CONFIGURATION_FILE; then
+			MINIMAL_INSTALL=$(grep "MINIMAL_INSTALL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then
+			LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "FULLBLOG_REPO" $CONFIGURATION_FILE; then
+			FULLBLOG_REPO=$(grep "FULLBLOG_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "FULLBLOG_COMMIT" $CONFIGURATION_FILE; then
+			FULLBLOG_COMMIT=$(grep "FULLBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GOGS_COMMIT" $CONFIGURATION_FILE; then
+			GOGS_COMMIT=$(grep "GOGS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TOXCORE_COMMIT" $CONFIGURATION_FILE; then
+			TOXCORE_COMMIT=$(grep "TOXCORE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TOXIC_COMMIT" $CONFIGURATION_FILE; then
+			TOXIC_COMMIT=$(grep "TOXIC_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GPGIT_REPO" $CONFIGURATION_FILE; then
+			GPGIT_REPO=$(grep "GPGIT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GPGIT_COMMIT" $CONFIGURATION_FILE; then
+			GPGIT_COMMIT=$(grep "GPGIT_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "HUBZILLA_REPO" $CONFIGURATION_FILE; then
+			HUBZILLA_REPO=$(grep "HUBZILLA_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then
+			HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "IPFS_COMMIT" $CONFIGURATION_FILE; then
+			IPFS_COMMIT=$(grep "IPFS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE; then
+			ZERONET_BLOG_COMMIT=$(grep "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE; then
+			ZERONET_MAIL_COMMIT=$(grep "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE; then
+			ZERONET_FORUM_COMMIT=$(grep "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MICROBLOG_COMMIT" $CONFIGURATION_FILE; then
+			MICROBLOG_COMMIT=$(grep "MICROBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "NGINX_ENSITE_REPO" $CONFIGURATION_FILE; then
+			NGINX_ENSITE_REPO=$(grep "NGINX_ENSITE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE; then
+			NGINX_ENSITE_COMMIT=$(grep "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE; then
+			CLEANUP_MAILDIR_COMMIT=$(grep "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE; then
+			CLEANUP_MAILDIR_REPO=$(grep "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ZERONET_COMMIT" $CONFIGURATION_FILE; then
+			ZERONET_COMMIT=$(grep "ZERONET_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "INADYN_REPO" $CONFIGURATION_FILE; then
+			INADYN_REPO=$(grep "INADYN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "INADYN_COMMIT" $CONFIGURATION_FILE; then
+			INADYN_COMMIT=$(grep "INADYN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GPG_KEYSERVER" $CONFIGURATION_FILE; then
+			GPG_KEYSERVER=$(grep "GPG_KEYSERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "IPFS_PORT" $CONFIGURATION_FILE; then
+			IPFS_PORT=$(grep "IPFS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TRACKER_PORT" $CONFIGURATION_FILE; then
+			TRACKER_PORT=$(grep "TRACKER_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ZERONET_PORT" $CONFIGURATION_FILE; then
+			ZERONET_PORT=$(grep "ZERONET_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DH_KEYLENGTH" $CONFIGURATION_FILE; then
+			DH_KEYLENGTH=$(grep "DH_KEYLENGTH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "IRC_PORT" $CONFIGURATION_FILE; then
+			IRC_PORT=$(grep "IRC_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIFI_CHANNEL" $CONFIGURATION_FILE; then
+			WIFI_CHANNEL=$(grep "WIFI_CHANNEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "BATMAN_CELLID" $CONFIGURATION_FILE; then
+			BATMAN_CELLID=$(grep "BATMAN_CELLID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TOX_PORT" $CONFIGURATION_FILE; then
+			TOX_PORT=$(grep "TOX_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TOX_NODES" $CONFIGURATION_FILE; then
+			TOX_NODES=$(grep "TOX_NODES" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TOXCORE_REPO" $CONFIGURATION_FILE; then
+			TOXCORE_REPO=$(grep "TOXCORE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE; then
+			ENABLE_SOCIAL_KEY_MANAGEMENT=$(grep "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "IPV6_NETWORK" $CONFIGURATION_FILE; then
+			IPV6_NETWORK=$(grep "IPV6_NETWORK" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "HWRNG_TYPE" $CONFIGURATION_FILE; then
+			HWRNG_TYPE=$(grep "HWRNG_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			MEDIAGOBLIN_DOMAIN_NAME=$(grep "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE; then
+			MEDIAGOBLIN_CODE=$(grep "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE; then
+			MEDIAGOBLIN_REPO=$(grep "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE; then
+			MEDIAGOBLIN_COMMIT=$(grep "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE; then
+			GIT_ADMIN_PASSWORD=$(grep "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GIT_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			GIT_DOMAIN_NAME=$(grep "GIT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GIT_CODE" $CONFIGURATION_FILE; then
+			GIT_CODE=$(grep "GIT_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SYSTEM_TYPE" $CONFIGURATION_FILE; then
+			SYSTEM_TYPE=$(grep "SYSTEM_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSL_PROTOCOLS" $CONFIGURATION_FILE; then
+			SSL_PROTOCOLS=$(grep "SSL_PROTOCOLS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSL_CIPHERS" $CONFIGURATION_FILE; then
+			SSL_CIPHERS=$(grep "SSL_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSH_CIPHERS" $CONFIGURATION_FILE; then
+			SSH_CIPHERS=$(grep "SSH_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSH_MACS" $CONFIGURATION_FILE; then
+			SSH_MACS=$(grep "SSH_MACS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSH_KEX" $CONFIGURATION_FILE; then
+			SSH_KEX=$(grep "SSH_KEX" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE; then
+			SSH_HOST_KEY_ALGORITHMS=$(grep "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSH_PASSWORDS" $CONFIGURATION_FILE; then
+			SSH_PASSWORDS=$(grep "SSH_PASSWORDS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "XMPP_CIPHERS" $CONFIGURATION_FILE; then
+			XMPP_CIPHERS=$(grep "XMPP_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "XMPP_ECC_CURVE" $CONFIGURATION_FILE; then
+			XMPP_ECC_CURVE=$(grep "XMPP_ECC_CURVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then
+			MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DOMAIN_NAME" $CONFIGURATION_FILE; then
+			# for backwards compatability
+			DEFAULT_DOMAIN_NAME=$(grep "DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE; then
+			DEFAULT_DOMAIN_CODE=$(grep "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "NAMESERVER1" $CONFIGURATION_FILE; then
+			NAMESERVER1=$(grep "NAMESERVER1" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "NAMESERVER2" $CONFIGURATION_FILE; then
+			NAMESERVER2=$(grep "NAMESERVER2" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DEBIAN_REPO" $CONFIGURATION_FILE; then
+			DEBIAN_REPO=$(grep "DEBIAN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+			CHECK_MESSAGE=$"Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."
+		fi
+		if grep -q "VOIP_PORT" $CONFIGURATION_FILE; then
+			VOIP_PORT=$(grep "VOIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then
+			VOIP_SERVER_PASSWORD=$(grep "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SIP_PORT" $CONFIGURATION_FILE; then
+			SIP_PORT=$(grep "SIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SIP_TLS_PORT" $CONFIGURATION_FILE; then
+			SIP_TLS_PORT=$(grep "SIP_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then
+			SIP_SERVER_PASSWORD=$(grep "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE; then
+			GET_IP_ADDRESS_URL=$(grep "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DDNS_PROVIDER" $CONFIGURATION_FILE; then
+			DDNS_PROVIDER=$(grep "DDNS_PROVIDER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DDNS_USERNAME" $CONFIGURATION_FILE; then
+			DDNS_USERNAME=$(grep "DDNS_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "DDNS_PASSWORD" $CONFIGURATION_FILE; then
+			DDNS_PASSWORD=$(grep "DDNS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE; then
+			LOCAL_NETWORK_STATIC_IP_ADDRESS=$(grep "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ENABLE_BABEL" $CONFIGURATION_FILE; then
+			ENABLE_BABEL=$(grep "ENABLE_BABEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ENABLE_BATMAN" $CONFIGURATION_FILE; then
+			ENABLE_BATMAN=$(grep "ENABLE_BATMAN" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ENABLE_CJDNS" $CONFIGURATION_FILE; then
+			ENABLE_CJDNS=$(grep "ENABLE_CJDNS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "CJDNS_COMMIT" $CONFIGURATION_FILE; then
+			CJDNS_COMMIT=$(grep "CJDNS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "CJDNS_IPV6" $CONFIGURATION_FILE; then
+			CJDNS_IPV6=$(grep "CJDNS_IPV6" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE; then
+			CJDNS_PUBLIC_KEY=$(grep "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE; then
+			CJDNS_PRIVATE_KEY=$(grep "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE; then
+			ROUTER_IP_ADDRESS=$(grep "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "CPU_CORES" $CONFIGURATION_FILE; then
+			CPU_CORES=$(grep "CPU_CORES" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE; then
+			WEBSERVER_LOG_LEVEL=$(grep "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE; then
+			ROUTE_THROUGH_TOR=$(grep "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIKI_TITLE" $CONFIGURATION_FILE; then
+			WIKI_TITLE=$(grep "WIKI_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_NAME" $CONFIGURATION_FILE; then
+			MY_NAME=$(grep "MY_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE; then
+			MY_EMAIL_ADDRESS=$(grep "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "INSTALLING_ON_BBB" $CONFIGURATION_FILE; then
+			INSTALLING_ON_BBB=$(grep "INSTALLING_ON_BBB" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "SSH_PORT" $CONFIGURATION_FILE; then
+			SSH_PORT=$(grep "SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE; then
+			INSTALLED_WITHIN_DOCKER=$(grep "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE; then
+			PUBLIC_MAILING_LIST=$(grep "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			MICROBLOG_DOMAIN_NAME=$(grep "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MICROBLOG_CODE" $CONFIGURATION_FILE; then
+			MICROBLOG_CODE=$(grep "MICROBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			HUBZILLA_DOMAIN_NAME=$(grep "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "HUBZILLA_CODE" $CONFIGURATION_FILE; then
+			HUBZILLA_CODE=$(grep "HUBZILLA_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			WIKI_DOMAIN_NAME=$(grep "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "WIKI_CODE" $CONFIGURATION_FILE; then
+			WIKI_CODE=$(grep "WIKI_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then
+			FULLBLOG_DOMAIN_NAME=$(grep "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "FULLBLOG_CODE" $CONFIGURATION_FILE; then
+			FULLBLOG_CODE=$(grep "FULLBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_BLOG_TITLE" $CONFIGURATION_FILE; then
+			MY_BLOG_TITLE=$(grep "MY_BLOG_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE; then
+			MY_BLOG_SUBTITLE=$(grep "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE; then
+			GPG_ENCRYPT_STORED_EMAIL=$(grep "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE; then
+			MY_GPG_PUBLIC_KEY=$(grep "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE; then
+			MY_GPG_PRIVATE_KEY=$(grep "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE; then
+			MY_GPG_PUBLIC_KEY_ID=$(grep "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "USB_DRIVE" $CONFIGURATION_FILE; then
+			USB_DRIVE=$(grep "USB_DRIVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MAX_PHP_MEMORY" $CONFIGURATION_FILE; then
+			MAX_PHP_MEMORY=$(grep "MAX_PHP_MEMORY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TLS_TIME_SOURCE1" $CONFIGURATION_FILE; then
+			TLS_TIME_SOURCE1=$(grep "TLS_TIME_SOURCE1" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "TLS_TIME_SOURCE2" $CONFIGURATION_FILE; then
+			TLS_TIME_SOURCE2=$(grep "TLS_TIME_SOURCE2" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+	fi
+	echo "System type: $SYSTEM_TYPE"
+}
+
+# check that domain names are sensible
+function check_domains {
+	if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then
+		function_check test_domain_name
+		test_domain_name "$WIKI_DOMAIN_NAME"
+
+		if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
+			echo $'Wiki domain name is the same as blog domain name. They must be different'
+			exit 97326
+		fi
+		if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
+			echo $'Wiki domain name is the same as microblog domain name. They must be different'
+			exit 36827
+		fi
+		if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
+			echo $'Wiki domain name is the same as hubzilla domain name. They must be different'
+			exit 65848
+		fi
+		if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
+			if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
+				echo $'Wiki domain name is the same as Gogs domain name. They must be different'
+				exit 73529
+			fi
+		fi
+	fi
+
+	if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then
+		function_check test_domain_name
+		test_domain_name "$FULLBLOG_DOMAIN_NAME"
+
+		if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
+			echo $'Blog domain name is the same as wiki domain name. They must be different'
+			exit 62348
+		fi
+		if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
+			echo $'Blog domain name is the same as microblog domain name. They must be different'
+			exit 38236
+		fi
+		if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
+			echo $'Blog domain name is the same as hubzilla domain name. They must be different'
+			exit 35483
+		fi
+		if [ $GIT_DOMAIN_NAME ]; then
+			if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
+				echo $'Blog domain name is the same as Gogs domain name. They must be different'
+				exit 84695
+			fi
+		fi
+	fi
+
+	if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then
+		function_check test_domain_name
+		test_domain_name "$MICROBLOG_DOMAIN_NAME"
+
+		if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
+			echo $'Microblog domain name is the same as wiki domain name. They must be different'
+			exit 73924
+		fi
+		if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
+			echo $'Microblog domain name is the same as blog domain name. They must be different'
+			exit 26832
+		fi
+		if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
+			echo $'Microblog domain name is the same as hubzilla domain name. They must be different'
+			exit 678382
+		fi
+		if [ $GIT_DOMAIN_NAME ]; then
+			if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
+				echo $'Microblog domain name is the same as Gogs domain name. They must be different'
+				exit 684325
+			fi
+		fi
+	fi
+
+	if [ $HUBZILLA_DOMAIN_NAME ]; then
+		function_check test_domain_name
+		test_domain_name "$HUBZILLA_DOMAIN_NAME"
+
+		if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
+			echo $'Hubzilla domain name is the same as wiki domain name. They must be different'
+			exit 83682
+		fi
+		if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
+			echo $'Hubzilla domain name is the same as blog domain name. They must be different'
+			exit 74817
+		fi
+		if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
+			echo $'Hubzilla domain name is the same as microblog domain name. They must be different'
+			exit 83683
+		fi
+		if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
+			if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then
+				echo $'Hubzilla domain name is the same as Gogs domain name. They must be different'
+				exit 135523
+			fi
+		fi
+	fi
+
+	if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
+		function_check test_domain_name
+		test_domain_name "$GIT_DOMAIN_NAME"
+
+		if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then
+			echo $'Hubzilla domain name is the same as wiki domain name. They must be different'
+			exit 83682
+		fi
+		if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then
+			echo $'Hubzilla domain name is the same as blog domain name. They must be different'
+			exit 74817
+		fi
+		if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then
+			echo $'Hubzilla domain name is the same as microblog domain name. They must be different'
+			exit 83683
+		fi
+		if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then
+			echo $'Microblog domain name is the same as hubzilla domain name. They must be different'
+			exit 678382
+		fi
+	fi
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-cron

@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Cron functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function cron_add_mins {
+	if ! grep -q "${2}" /etc/crontab; then
+		echo "*/${1}            * *   *   *   root ${2}" >> /etc/crontab
+		systemctl restart cron
+	fi
+}
+
+function randomize_cron {
+	# The predictable default timing of Debian cron jobs might
+	# be exploitable knowledge. Avoid too much predictability
+	# by randomizing the times when cron jobs run
+	if grep -Fxq "randomize_cron" $COMPLETION_FILE; then
+		return
+	fi
+
+	# randomize the day on which the weekly cron job runs
+	randdow=$(($RANDOM%6+1))
+	sed -i "s|\* \* 7|* * $randdow|g" /etc/crontab
+
+	# randomize the time when the weekly cron job runs
+	randmin=$(($RANDOM%60))
+	randhr=$(($RANDOM%3+1))
+	sed -i "s|47 6|$randmin $randhr|g" /etc/crontab
+
+	# randomize the time when the daily cron job runs
+	randmin=$(($RANDOM%60))
+	randhr=$(($RANDOM%3+4))
+	sed -i "s|25 6\t\* \* \*|$randmin $randhr\t* * *|g" /etc/crontab
+
+	# randomize the time when the hourly cron job runs
+	randmin=$(($RANDOM%60))
+	sed -i "s|17 \*\t|$randmin *\t|g" /etc/crontab
+
+	# randomize monthly cron job time and day
+	randmin=$(($RANDOM%60))
+	randhr=$(($RANDOM%22+1))
+	randdom=$(($RANDOM%27+1))
+	sed -i "s|52 6\t|$randmin $randhr\t|g" /etc/crontab
+	sed -i "s|\t1 \* \*|\t$randdom * *|g" /etc/crontab
+
+	systemctl restart cron
+
+	echo 'randomize_cron' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-utils-database

@@ -28,272 +28,298 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+# default MariaDB password
+MARIADB_PASSWORD=
+
+# Used to indicate whether the backup contains MariaDB databases or not
+BACKUP_INCLUDES_DATABASES="no"
+
+# contains the mysql root password which
+# is used for backups and repair
+DATABASE_PASSWORD_FILE=/root/dbpass
+
 function backup_database_local {
-# Makes local backups of databases which can then be automatically rolled
-# back if corruption is detected
-database_name=$1
-
-backup_databases_script=/usr/bin/backupdatabases
-echo '' >> $backup_databases_script
-echo "# Backup the ${database_name} database" >> $backup_databases_script
-echo "TEMPFILE=/root/${database_name}.sql" >> $backup_databases_script
-echo 'DAILYFILE=/var/backups/${database_name}_daily.sql' >> $backup_databases_script
-echo "mysqldump --password=\"\$MYSQL_PASSWORD\" ${database_name} > \$TEMPFILE" >> $backup_databases_script
-echo 'FILESIZE=$(stat -c%s $TEMPFILE)' >> $backup_databases_script
-echo 'if [ "$FILESIZE" -eq "0" ]; then' >> $backup_databases_script
-echo '    if [ -f $DAILYFILE ]; then' >> $backup_databases_script
-echo '        cp $DAILYFILE $TEMPFILE' >> $backup_databases_script
-echo '' >> $backup_databases_script
-echo '        # try to restore yesterdays database' >> $backup_databases_script
-echo "        mysql -u root --password=\"\$MYSQL_PASSWORD\" ${database_name} -o < \$DAILYFILE" >> $backup_databases_script
-echo '' >> $backup_databases_script
-echo '        # Send a warning email' >> $backup_databases_script
-echo "        echo \"Unable to create a backup of the ${database_name} database. Attempted to restore from yesterdays backup\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script
-echo '    else' >> $backup_databases_script
-echo '        # Send a warning email' >> $backup_databases_script
-echo "        echo \"Unable to create a backup of the ${database_name} database.\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script
-echo '    fi' >> $backup_databases_script
-echo 'else' >> $backup_databases_script
-echo '    chmod 600 $TEMPFILE' >> $backup_databases_script
-echo '    mv $TEMPFILE $DAILYFILE' >> $backup_databases_script
-echo '' >> $backup_databases_script
-echo '    # Make the backup readable only by root' >> $backup_databases_script
-echo '    chmod 600 $DAILYFILE' >> $backup_databases_script
-echo 'fi' >> $backup_databases_script
-
-weekly_backup_script=/etc/cron.weekly/backupdatabasesweekly
-if ! grep -q "${database_name}" ${weekly_backup_script}; then
-echo '' >> ${weekly_backup_script}
-echo "# ${database_name}" >> ${weekly_backup_script}
-echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${weekly_backup_script}
-echo "  cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_2weekly.sql" >> ${weekly_backup_script}
-echo 'fi' >> ${weekly_backup_script}
-echo "if [ -f /var/backups/${database_name}_daily.sql ]; then" >> ${weekly_backup_script}
-echo "  cp -f /var/backups/${database_name}_daily.sql /var/backups/${database_name}_weekly.sql" >> ${weekly_backup_script}
-echo 'fi' >> ${weekly_backup_script}
-fi
-
-monthly_backup_script=/etc/cron.monthly/backupdatabasesmonthly
-if ! grep -q "${database_name}" ${monthly_backup_script}; then
-echo '' >> ${monthly_backup_script}
-echo "# ${database_name}" >> ${monthly_backup_script}
-echo "if [ -f /var/backups/${database_name}_monthly.sql ]; then" >> ${monthly_backup_script}
-echo "  cp -f /var/backups/${database_name}_monthly.sql /var/backups/${database_name}_2monthly.sql" >> ${monthly_backup_script}
-echo 'fi' >> ${monthly_backup_script}
-echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${monthly_backup_script}
-echo "  cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_monthly.sql" >> ${monthly_backup_script}
-echo 'fi' >> ${monthly_backup_script}
-fi
-
-if ! grep -q "${database_name}" /etc/cron.hourly/repair; then
-echo "${PROJECT_NAME}-repair-database ${database_name}" >> /etc/cron.hourly/repair
-# remove legacy stuff
-sed -i 's|/usr/bin/repairdatabase redmatrix||g' /etc/cron.hourly/repair
-fi
+	# Makes local backups of databases which can then be automatically rolled
+	# back if corruption is detected
+	database_name=$1
+
+	backup_databases_script=/usr/bin/backupdatabases
+	echo '' >> $backup_databases_script
+	echo "# Backup the ${database_name} database" >> $backup_databases_script
+	echo "TEMPFILE=/root/${database_name}.sql" >> $backup_databases_script
+	echo 'DAILYFILE=/var/backups/${database_name}_daily.sql' >> $backup_databases_script
+	echo "mysqldump --password=\"\$MYSQL_PASSWORD\" ${database_name} > \$TEMPFILE" >> $backup_databases_script
+	echo 'FILESIZE=$(stat -c%s $TEMPFILE)' >> $backup_databases_script
+	echo 'if [ "$FILESIZE" -eq "0" ]; then' >> $backup_databases_script
+	echo '    if [ -f $DAILYFILE ]; then' >> $backup_databases_script
+	echo '        cp $DAILYFILE $TEMPFILE' >> $backup_databases_script
+	echo '' >> $backup_databases_script
+	echo '        # try to restore yesterdays database' >> $backup_databases_script
+	echo "        mysql -u root --password=\"\$MYSQL_PASSWORD\" ${database_name} -o < \$DAILYFILE" >> $backup_databases_script
+	echo '' >> $backup_databases_script
+	echo '        # Send a warning email' >> $backup_databases_script
+	echo "        echo \"Unable to create a backup of the ${database_name} database. Attempted to restore from yesterdays backup\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script
+	echo '    else' >> $backup_databases_script
+	echo '        # Send a warning email' >> $backup_databases_script
+	echo "        echo \"Unable to create a backup of the ${database_name} database.\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script
+	echo '    fi' >> $backup_databases_script
+	echo 'else' >> $backup_databases_script
+	echo '    chmod 600 $TEMPFILE' >> $backup_databases_script
+	echo '    mv $TEMPFILE $DAILYFILE' >> $backup_databases_script
+	echo '' >> $backup_databases_script
+	echo '    # Make the backup readable only by root' >> $backup_databases_script
+	echo '    chmod 600 $DAILYFILE' >> $backup_databases_script
+	echo 'fi' >> $backup_databases_script
+
+	weekly_backup_script=/etc/cron.weekly/backupdatabasesweekly
+	if ! grep -q "${database_name}" ${weekly_backup_script}; then
+		echo '' >> ${weekly_backup_script}
+		echo "# ${database_name}" >> ${weekly_backup_script}
+		echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${weekly_backup_script}
+		echo "  cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_2weekly.sql" >> ${weekly_backup_script}
+		echo 'fi' >> ${weekly_backup_script}
+		echo "if [ -f /var/backups/${database_name}_daily.sql ]; then" >> ${weekly_backup_script}
+		echo "  cp -f /var/backups/${database_name}_daily.sql /var/backups/${database_name}_weekly.sql" >> ${weekly_backup_script}
+		echo 'fi' >> ${weekly_backup_script}
+	fi
+
+	monthly_backup_script=/etc/cron.monthly/backupdatabasesmonthly
+	if ! grep -q "${database_name}" ${monthly_backup_script}; then
+		echo '' >> ${monthly_backup_script}
+		echo "# ${database_name}" >> ${monthly_backup_script}
+		echo "if [ -f /var/backups/${database_name}_monthly.sql ]; then" >> ${monthly_backup_script}
+		echo "  cp -f /var/backups/${database_name}_monthly.sql /var/backups/${database_name}_2monthly.sql" >> ${monthly_backup_script}
+		echo 'fi' >> ${monthly_backup_script}
+		echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${monthly_backup_script}
+		echo "  cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_monthly.sql" >> ${monthly_backup_script}
+		echo 'fi' >> ${monthly_backup_script}
+	fi
+
+	if ! grep -q "${database_name}" /etc/cron.hourly/repair; then
+		echo "${PROJECT_NAME}-repair-database ${database_name}" >> /etc/cron.hourly/repair
+		# remove legacy stuff
+		sed -i 's|/usr/bin/repairdatabase redmatrix||g' /etc/cron.hourly/repair
+	fi
 }
 
 function get_mariadb_password {
-if [ -f /home/$MY_USERNAME/README ]; then
-if grep -q "MariaDB password" /home/$MY_USERNAME/README; then
-if [ -f $DATABASE_PASSWORD_FILE ]; then
-MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE)
-else
-MARIADB_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
-chmod 600 $DATABASE_PASSWORD_FILE
-fi
-fi
-fi
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "MariaDB password" /home/$MY_USERNAME/README; then
+			if [ -f $DATABASE_PASSWORD_FILE ]; then
+				MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE)
+			else
+				MARIADB_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+				echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
+				chmod 600 $DATABASE_PASSWORD_FILE
+			fi
+		fi
+	fi
 }
 
 function get_mariadb_media_server_admin_password {
-if [ -f /home/$MY_USERNAME/README ]; then
-if grep -q "Media server administrator password" /home/$MY_USERNAME/README; then
-MEDIA_SERVER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Media server administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-fi
-fi
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "Media server administrator password" /home/$MY_USERNAME/README; then
+			MEDIA_SERVER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Media server administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
 }
 
 function get_mariadb_gnusocial_admin_password {
-if [ -f /home/$MY_USERNAME/README ]; then
-if grep -q "MariaDB gnusocial admin password" /home/$MY_USERNAME/README; then
-MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB gnusocial admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-fi
-if grep -q "Microblog administrator password" /home/$MY_USERNAME/README; then
-MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Microblog administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-fi
-fi
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "MariaDB gnusocial admin password" /home/$MY_USERNAME/README; then
+			MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB gnusocial admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+		if grep -q "Microblog administrator password" /home/$MY_USERNAME/README; then
+			MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Microblog administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
 }
 
 function get_mariadb_webmail_admin_password {
-if [ -f /home/$MY_USERNAME/README ]; then
-if grep -q "MariaDB webmail admin password" /home/$MY_USERNAME/README; then
-WEBMAIL_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB webmail admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-fi
-fi
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "MariaDB webmail admin password" /home/$MY_USERNAME/README; then
+			WEBMAIL_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB webmail admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
 }
 
 function get_mariadb_rss_reader_admin_password {
-if [ -f /home/$MY_USERNAME/README ]; then
-if grep -q "RSS reader admin password" /home/$MY_USERNAME/README; then
-RSS_READER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "RSS reader admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-fi
-fi
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "RSS reader admin password" /home/$MY_USERNAME/README; then
+			RSS_READER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "RSS reader admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
 }
 
 function get_mariadb_git_admin_password {
-if [ -f /home/$MY_USERNAME/README ]; then
-if grep -q "Gogs admin user password" /home/$MY_USERNAME/README; then
-GIT_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Gogs admin user password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-fi
-fi
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "Gogs admin user password" /home/$MY_USERNAME/README; then
+			GIT_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Gogs admin user password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
 }
 
 function get_mariadb_hubzilla_admin_password {
-if [ -f /home/$MY_USERNAME/README ]; then
-if grep -q "MariaDB Hubzilla admin password" /home/$MY_USERNAME/README; then
-HUBZILLA_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB Hubzilla admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-fi
-fi
+	if [ -f /home/$MY_USERNAME/README ]; then
+		if grep -q "MariaDB Hubzilla admin password" /home/$MY_USERNAME/README; then
+			HUBZILLA_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB Hubzilla admin password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+		fi
+	fi
 }
 
 function install_mariadb {
-if grep -Fxq "install_mariadb" $COMPLETION_FILE; then
-return
-fi
-apt-get -y install python-software-properties debconf-utils
-apt-get -y install software-properties-common
-apt-get -y update
-
-get_mariadb_password
-if [ ! $MARIADB_PASSWORD ]; then
-if [ -f $IMAGE_PASSWORD_FILE ]; then
-MARIADB_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
-else
-MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
-fi
-echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
-chmod 600 $DATABASE_PASSWORD_FILE
-
-echo '' >> /home/$MY_USERNAME/README
-echo '' >> /home/$MY_USERNAME/README
-echo 'MariaDB / MySql' >> /home/$MY_USERNAME/README
-echo '===============' >> /home/$MY_USERNAME/README
-echo $"Your MariaDB password is: $MARIADB_PASSWORD" >> /home/$MY_USERNAME/README
-echo '' >> /home/$MY_USERNAME/README
-chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
-chmod 600 /home/$MY_USERNAME/README
-fi
-
-debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD"
-debconf-set-selections <<< "mariadb-server mariadb-server/root_password_again password $MARIADB_PASSWORD"
-apt-get -y install mariadb-server
-apt-get -y remove --purge apache*
-if [ -d /etc/apache2 ]; then
-rm -rf /etc/apache2
-echo $'Removed Apache installation after MariaDB install'
-fi
-
-if [ ! -d /etc/mysql ]; then
-echo $"ERROR: mariadb-server does not appear to have installed. $CHECK_MESSAGE"
-exit 54
-fi
-
-mysqladmin -u root password "$MARIADB_PASSWORD"
-echo 'install_mariadb' >> $COMPLETION_FILE
+	if grep -Fxq "install_mariadb" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install python-software-properties debconf-utils
+	apt-get -y install software-properties-common
+	apt-get -y update
+
+	function_check get_mariadb_password
+	get_mariadb_password
+	if [ ! $MARIADB_PASSWORD ]; then
+		if [ -f $IMAGE_PASSWORD_FILE ]; then
+			MARIADB_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+		else
+			MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
+		fi
+		echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
+		chmod 600 $DATABASE_PASSWORD_FILE
+
+		echo '' >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		echo 'MariaDB / MySql' >> /home/$MY_USERNAME/README
+		echo '===============' >> /home/$MY_USERNAME/README
+		echo $"Your MariaDB password is: $MARIADB_PASSWORD" >> /home/$MY_USERNAME/README
+		echo '' >> /home/$MY_USERNAME/README
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+		chmod 600 /home/$MY_USERNAME/README
+	fi
+
+	debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD"
+	debconf-set-selections <<< "mariadb-server mariadb-server/root_password_again password $MARIADB_PASSWORD"
+	apt-get -y install mariadb-server
+	apt-get -y remove --purge apache*
+	if [ -d /etc/apache2 ]; then
+		rm -rf /etc/apache2
+		echo $'Removed Apache installation after MariaDB install'
+	fi
+
+	if [ ! -d /etc/mysql ]; then
+		echo $"ERROR: mariadb-server does not appear to have installed. $CHECK_MESSAGE"
+		exit 54
+	fi
+
+	mysqladmin -u root password "$MARIADB_PASSWORD"
+	echo 'install_mariadb' >> $COMPLETION_FILE
 }
 
 function backup_databases_script_header {
-if [ ! -f /usr/bin/backupdatabases ]; then
-# daily
-echo '#!/bin/sh' > /usr/bin/backupdatabases
-echo '' >> /usr/bin/backupdatabases
-echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases
-echo '' >> /usr/bin/backupdatabases
-echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases
-echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases
-echo 'umask 0077' >> /usr/bin/backupdatabases
-echo '' >> /usr/bin/backupdatabases
-echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases
-echo "if [ -f $FRIENDS_SERVERS_LIST ]; then" >> /usr/bin/backupdatabases
-echo '  exit 1' >> /usr/bin/backupdatabases
-echo 'fi' >> /usr/bin/backupdatabases
-chmod 600 /usr/bin/backupdatabases
-chmod +x /usr/bin/backupdatabases
-
-echo '#!/bin/sh' > /etc/cron.daily/backupdatabasesdaily
-echo '/usr/bin/backupdatabases' >> /etc/cron.daily/backupdatabasesdaily
-chmod 600 /etc/cron.daily/backupdatabasesdaily
-chmod +x /etc/cron.daily/backupdatabasesdaily
-
-# weekly
-echo '#!/bin/sh' > /etc/cron.weekly/backupdatabasesweekly
-echo '' >> /etc/cron.weekly/backupdatabasesweekly
-echo 'umask 0077' >> /etc/cron.weekly/backupdatabasesweekly
-
-chmod 600 /etc/cron.weekly/backupdatabasesweekly
-chmod +x /etc/cron.weekly/backupdatabasesweekly
-
-# monthly
-echo '#!/bin/sh' > /etc/cron.monthly/backupdatabasesmonthly
-echo '' >> /etc/cron.monthly/backupdatabasesmonthly
-echo 'umask 0077' >> /etc/cron.monthly/backupdatabasesmonthly
-
-chmod 600 /etc/cron.monthly/backupdatabasesmonthly
-chmod +x /etc/cron.monthly/backupdatabasesmonthly
-fi
+	if [ ! -f /usr/bin/backupdatabases ]; then
+		# daily
+		echo '#!/bin/sh' > /usr/bin/backupdatabases
+		echo '' >> /usr/bin/backupdatabases
+		echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases
+		echo '' >> /usr/bin/backupdatabases
+		echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases
+		echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases
+		echo 'umask 0077' >> /usr/bin/backupdatabases
+		echo '' >> /usr/bin/backupdatabases
+		echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases
+		echo "if [ -f $FRIENDS_SERVERS_LIST ]; then" >> /usr/bin/backupdatabases
+		echo '  exit 1' >> /usr/bin/backupdatabases
+		echo 'fi' >> /usr/bin/backupdatabases
+		chmod 600 /usr/bin/backupdatabases
+		chmod +x /usr/bin/backupdatabases
+
+		echo '#!/bin/sh' > /etc/cron.daily/backupdatabasesdaily
+		echo '/usr/bin/backupdatabases' >> /etc/cron.daily/backupdatabasesdaily
+		chmod 600 /etc/cron.daily/backupdatabasesdaily
+		chmod +x /etc/cron.daily/backupdatabasesdaily
+
+		# weekly
+		echo '#!/bin/sh' > /etc/cron.weekly/backupdatabasesweekly
+		echo '' >> /etc/cron.weekly/backupdatabasesweekly
+		echo 'umask 0077' >> /etc/cron.weekly/backupdatabasesweekly
+
+		chmod 600 /etc/cron.weekly/backupdatabasesweekly
+		chmod +x /etc/cron.weekly/backupdatabasesweekly
+
+		# monthly
+		echo '#!/bin/sh' > /etc/cron.monthly/backupdatabasesmonthly
+		echo '' >> /etc/cron.monthly/backupdatabasesmonthly
+		echo 'umask 0077' >> /etc/cron.monthly/backupdatabasesmonthly
+
+		chmod 600 /etc/cron.monthly/backupdatabasesmonthly
+		chmod +x /etc/cron.monthly/backupdatabasesmonthly
+	fi
 }
 
 function repair_databases_script {
-if [ -f /etc/cron.hourly/repair ]; then
-sed -i "s|/usr/bin/repairdatabase|${PROJECT_NAME}-repair-database|g" /etc/cron.hourly/repair
-fi
+	if [ -f /etc/cron.hourly/repair ]; then
+		sed -i "s|/usr/bin/repairdatabase|${PROJECT_NAME}-repair-database|g" /etc/cron.hourly/repair
+	fi
 
-if grep -Fxq "repair_databases_script" $COMPLETION_FILE; then
-return
-fi
+	if grep -Fxq "repair_databases_script" $COMPLETION_FILE; then
+		return
+	fi
 
-if [ ! -f $DATABASE_PASSWORD_FILE ]; then
-return
-fi
+	if [ ! -f $DATABASE_PASSWORD_FILE ]; then
+		return
+	fi
 
-echo '#!/bin/bash' > /etc/cron.hourly/repair
-echo '' >> /etc/cron.hourly/repair
-chmod 600 /etc/cron.hourly/repair
-chmod +x /etc/cron.hourly/repair
+	echo '#!/bin/bash' > /etc/cron.hourly/repair
+	echo '' >> /etc/cron.hourly/repair
+	chmod 600 /etc/cron.hourly/repair
+	chmod +x /etc/cron.hourly/repair
 
-echo 'repair_databases_script' >> $COMPLETION_FILE
+	echo 'repair_databases_script' >> $COMPLETION_FILE
 }
 
 function remove_database {
-app_name="$1"
-if [ ! -d $INSTALL_DIR ]; then
-mkdir $INSTALL_DIR
-fi
-echo "drop database ${app_name};
+	app_name="$1"
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir $INSTALL_DIR
+	fi
+	echo "drop database ${app_name};
 quit" > $INSTALL_DIR/batch.sql
-chmod 600 $INSTALL_DIR/batch.sql
-mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql
-shred -zu $INSTALL_DIR/batch.sql
+	chmod 600 $INSTALL_DIR/batch.sql
+	mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql
+	shred -zu $INSTALL_DIR/batch.sql
 }
 
 function create_database {
-app_name="$1"
-app_admin_password="$2"
-app_admin_username=$3
-if [ ! -d $INSTALL_DIR ]; then
-mkdir $INSTALL_DIR
-fi
-if [ ! $app_admin_username ]; then
-app_admin_username=${app_name}admin
-fi
-echo "create database ${app_name};
+	app_name="$1"
+	app_admin_password="$2"
+	app_admin_username=$3
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir $INSTALL_DIR
+	fi
+	if [ ! $app_admin_username ]; then
+		app_admin_username=${app_name}admin
+	fi
+	echo "create database ${app_name};
 CREATE USER '$app_admin_username@localhost' IDENTIFIED BY '${app_admin_password}';
 GRANT ALL PRIVILEGES ON ${app_name}.* TO '$app_admin_username@localhost';
 quit" > $INSTALL_DIR/batch.sql
-chmod 600 $INSTALL_DIR/batch.sql
-mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql
-shred -zu $INSTALL_DIR/batch.sql
+	chmod 600 $INSTALL_DIR/batch.sql
+	mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql
+	shred -zu $INSTALL_DIR/batch.sql
+}
+
+function initialise_database {
+	database_name=$1
+	database_file=$2
+	mysql -u root --password="$MARIADB_PASSWORD" -D $database_name < $database_file
+	if [ ! "$?" = "0" ]; then
+		exit 62952
+	fi
+}
+
+function run_query {
+	database_name=$1
+	database_query=$2
+	mysql -u root --password="$MARIADB_PASSWORD" -e "$database_query" $database_name
 }
 
 # NOTE: deliberately there is no "exit 0"

src/freedombone-utils-depends

@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Dependency checking functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function function_check {
+    if [ ! "$(type ${1} 2>/dev/null)" ]; then
+		echo $"Dependency error: The function ${1} has not been defined"
+		exit 72528
+    fi
+}
+
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-utils-dns

@@ -0,0 +1,241 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# DNS functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# DNS
+NAMESERVER1='213.73.91.35'
+NAMESERVER2='85.214.20.141'
+
+# parameters used when adding a new domain
+DDNS_PROVIDER="default@freedns.afraid.org"
+DDNS_USERNAME=
+DDNS_PASSWORD=
+
+INADYN_REPO="https://github.com/bashrc/inadyn"
+INADYN_COMMIT='fadbe17f520d337dfb8d69ee4bf1fcaa23fce0d6'
+
+# web site used to obtain the external IP address of the system
+GET_IP_ADDRESS_URL="checkip.two-dns.de"
+
+# other possible services to obtain the external IP address
+EXTERNAL_IP_SERVICES=( \
+	    'https://check.torproject.org/' \
+		'https://www.whatsmydns.net/whats-my-ip-address.html' \
+		'https://www.privateinternetaccess.com/pages/whats-my-ip/' \
+		'http://checkip.two-dns.de' \
+		'http://ip.dnsexit.com' \
+		'http://ifconfig.me/ip' \
+		'http://ipecho.net/plain' \
+		'http://checkip.dyndns.org/plain' \
+		'http://ipogre.com/linux.php' \
+		'http://whatismyipaddress.com/' \
+		'http://ip.my-proxy.com/' \
+		'http://websiteipaddress.com/WhatIsMyIp' \
+		'http://getmyipaddress.org/' \
+		'http://www.my-ip-address.net/' \
+		'http://myexternalip.com/raw' \
+		'http://www.canyouseeme.org/' \
+		'http://www.trackip.net/' \
+		'http://icanhazip.com/' \
+		'http://www.iplocation.net/' \
+		'http://www.howtofindmyipaddress.com/' \
+		'http://www.ipchicken.com/' \
+		'http://whatsmyip.net/' \
+		'http://www.ip-adress.com/' \
+		'http://checkmyip.com/' \
+		'http://www.tracemyip.org/' \
+		'http://checkmyip.net/' \
+		'http://www.lawrencegoetz.com/programs/ipinfo/' \
+		'http://www.findmyip.co/' \
+		'http://ip-lookup.net/' \
+		'http://www.dslreports.com/whois' \
+		'http://www.mon-ip.com/en/my-ip/' \
+		'http://www.myip.ru' \
+		'http://ipgoat.com/' \
+		'http://www.myipnumber.com/my-ip-address.asp' \
+		'http://www.whatsmyipaddress.net/' \
+		'http://formyip.com/' \
+		'http://www.displaymyip.com/' \
+		'http://www.bobborst.com/tools/whatsmyip/' \
+		'http://www.geoiptool.com/' \
+		'http://checkip.dyndns.com/' \
+		'http://myexternalip.com/' \
+		'http://www.ip-adress.eu/' \
+		'http://www.infosniper.net/' \
+		'http://wtfismyip.com/' \
+		'http://ipinfo.io/' \
+		'http://httpbin.org/ip')
+
+function create_freedns_updater {
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+
+	# currently inadyn doesn't work as expected with freeDNS, so this is a workaround
+	if grep -Fxq "create_freedns_updater" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $DDNS_PROVIDER != "default@freedns.afraid.org" ]]; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	FREEDNS_WGET='wget -q --read-timeout=0.0 --waitretry=5 --tries=4 https://freedns.afraid.org/dynamic/update.php?'
+
+	echo '#!/bin/bash' > /usr/bin/dynamicdns
+	echo 'cd /tmp' >> /usr/bin/dynamicdns
+	if [ $DEFAULT_DOMAIN_CODE ]; then
+		echo "# $DEFAULT_DOMAIN_NAME" >> /usr/bin/dynamicdns
+		echo "$FREEDNS_WGET$DEFAULT_DOMAIN_CODE=" >> /usr/bin/dynamicdns
+	fi
+	if [ $WIKI_CODE ]; then
+		if [[ $WIKI_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
+			echo "# $WIKI_DOMAIN_NAME" >> /usr/bin/dynamicdns
+			echo "$FREEDNS_WGET$WIKI_CODE=" >> /usr/bin/dynamicdns
+		fi
+	fi
+	if [ $FULLBLOG_CODE ]; then
+		if [[ $FULLBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
+			echo "# $FULLBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns
+			echo "$FREEDNS_WGET$FULLBLOG_CODE=" >> /usr/bin/dynamicdns
+		fi
+	fi
+	if [ $HUBZILLA_CODE ]; then
+		if [[ $HUBZILLA_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
+			echo "# $HUBZILLA_DOMAIN_NAME" >> /usr/bin/dynamicdns
+			echo "$FREEDNS_WGET$HUBZILLA_CODE=" >> /usr/bin/dynamicdns
+		fi
+	fi
+	if [ $MICROBLOG_CODE ]; then
+		if [[ $MICROBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
+			echo "# $MICROBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns
+			echo "$FREEDNS_WGET$MICROBLOG_CODE=" >> /usr/bin/dynamicdns
+		fi
+	fi
+	if [ $GIT_CODE ]; then
+		if [[ $GIT_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
+			echo "# $GIT_DOMAIN_NAME" >> /usr/bin/dynamicdns
+			echo "$FREEDNS_WGET$GIT_CODE=" >> /usr/bin/dynamicdns
+		fi
+	fi
+	if [ $MEDIAGOBLIN_CODE ]; then
+		if [[ $MEDIAGOBLIN_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then
+			echo "# $MEDIAGOBLIN_DOMAIN_NAME" >> /usr/bin/dynamicdns
+			echo "$FREEDNS_WGET$MEDIAGOBLIN_CODE=" >> /usr/bin/dynamicdns
+		fi
+	fi
+	echo 'exit 0' >> /usr/bin/dynamicdns
+	chmod 600 /usr/bin/dynamicdns
+	chmod +x /usr/bin/dynamicdns
+
+	if ! grep -q "/usr/bin/dynamicdns" /etc/crontab; then
+		function_check cron_add_mins
+		cron_add_mins 3 '/usr/bin/dynamicdns'
+		systemctl restart cron
+	fi
+
+	echo 'create_freedns_updater' >> $COMPLETION_FILE
+}
+
+function add_ddns_domain {
+	if [ ! $1 ]; then
+		echo $'ddns domain not specified'
+		exit 5638
+	fi
+	CURRENT_DDNS_DOMAIN="$1"
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	if [ ! -f /etc/inadyn.conf ]; then
+		echo $'Unable to find inadyn configuration file /etc/inadyn.conf'
+		exit 5745
+	fi
+	if ! grep -q "$DDNS_PROVIDER" /etc/inadyn.conf; then
+		echo '' >> /etc/inadyn.conf
+		echo "system $DDNS_PROVIDER" >> /etc/inadyn.conf
+		echo '  ssl' >> /etc/inadyn.conf
+		echo "  checkip-url $GET_IP_ADDRESS_URL /" >> /etc/inadyn.conf
+		if [ $DDNS_USERNAME ]; then
+			echo "  username $DDNS_USERNAME" >> /etc/inadyn.conf
+		fi
+		if [ $DDNS_PASSWORD ]; then
+			echo "  password $DDNS_PASSWORD" >> /etc/inadyn.conf
+		fi
+	fi
+
+	if ! grep -q "$CURRENT_DDNS_DOMAIN" /etc/inadyn.conf; then
+		echo "  alias $CURRENT_DDNS_DOMAIN" >> /etc/inadyn.conf
+	fi
+	chmod 600 /etc/inadyn.conf
+	systemctl restart inadyn
+	systemctl daemon-reload
+}
+
+function configure_dns {
+	if grep -Fxq "configure_dns" $COMPLETION_FILE; then
+		return
+	fi
+	echo 'domain localdomain' > /etc/resolv.conf
+	echo 'search localdomain' >> /etc/resolv.conf
+	echo "nameserver $NAMESERVER1" >> /etc/resolv.conf
+	echo "nameserver $NAMESERVER2" >> /etc/resolv.conf
+
+	# prevent resolv.conf from changing
+	chattr +i /etc/resolv.conf
+
+	echo 'configure_dns' >> $COMPLETION_FILE
+}
+
+function set_hostname {
+	DEFAULT_DOMAIN_NAME="$1"
+
+	echo "$DEFAULT_DOMAIN_NAME" > /etc/hostname
+	hostname $DEFAULT_DOMAIN_NAME
+
+	if grep -q "127.0.1.1" /etc/hosts; then
+		sed -i "s/127.0.1.1.*/127.0.1.1       $DEFAULT_DOMAIN_NAME/g" /etc/hosts
+	else
+		echo "127.0.1.1  $DEFAULT_DOMAIN_NAME" >> /etc/hosts
+	fi
+}
+
+function set_your_domain_name {
+	if grep -Fxq "set_your_domain_name" $COMPLETION_FILE; then
+		return
+	fi
+
+	function_check set_hostname
+	set_hostname $DEFAULT_DOMAIN_NAME
+
+	echo 'set_your_domain_name' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-final

@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Final stage of install
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+OPEN_PORTS=()
+
+function install_final {
+	if grep -Fxq "install_final" $COMPLETION_FILE; then
+		return
+	fi
+	# unmount any attached usb drive
+	if [ -d $USB_MOUNT ]; then
+		umount $USB_MOUNT
+		rm -rf $USB_MOUNT
+	fi
+	function_check split_gpg_key_into_fragments
+	split_gpg_key_into_fragments
+	echo 'install_final' >> $COMPLETION_FILE
+	clear
+	echo ''
+
+	echo $"
+	*** ${PROJECT_NAME} installation is complete. Rebooting... ***
+
+	Now forward these ports from your internet router
+"
+	for p in "${OPEN_PORTS[@]}"
+	do
+		echo "  $p"
+	done
+	echo ''
+
+	if [ -f "/home/$MY_USERNAME/README" ]; then
+		echo $"See /home/$MY_USERNAME/README for post-installation instructions."
+		echo ''
+	fi
+	# add user menu on ssh login
+	if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then
+		echo 'control' >> /home/$MY_USERNAME/.bashrc
+	fi
+	if [ ! -f $IMAGE_PASSWORD_FILE ]; then
+		reboot
+	fi
+}
+
+function setup_final {
+	function_check intrusion_detection
+	intrusion_detection
+
+	function_check install_final
+	install_final
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-firewall

@@ -0,0 +1,521 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Firewall functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function save_firewall_settings {
+	iptables-save > /etc/firewall.conf
+	ip6tables-save > /etc/firewall6.conf
+	printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
+	printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
+	printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
+	chmod +x /etc/network/if-up.d/iptables
+}
+
+function enable_ipv6 {
+	# endure that ipv6 is enabled and can route
+	sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
+	#sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
+	#sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
+	sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+}
+
+function configure_firewall {
+	if grep -q "RELATED" /etc/firewall.conf; then
+		# recreate the firewall to remove RELATED
+		sed -i "/firewall/d" $COMPLETION_FILE
+	fi
+	if grep -Fxq "configure_firewall" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	iptables -P INPUT ACCEPT
+	ip6tables -P INPUT ACCEPT
+	iptables -F
+	ip6tables -F
+	iptables -t nat -F
+	ip6tables -t nat -F
+	iptables -X
+	ip6tables -X
+	iptables -P INPUT DROP
+	ip6tables -P INPUT DROP
+	iptables -A INPUT -i lo -j ACCEPT
+	iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+	# Make sure incoming tcp connections are SYN packets
+	iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+	# Drop packets with incoming fragments
+	iptables -A INPUT -f -j DROP
+
+	# Drop bogons
+	iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+	iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+	iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+	# Incoming malformed NULL packets:
+	iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+	echo 'configure_firewall' >> $COMPLETION_FILE
+}
+
+function configure_firewall_ping {
+	if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then
+		return
+	fi
+	# Only allow ping for mesh installs
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+	iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+	iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+	echo 'configure_firewall_ping' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_voip {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Mumble   $VOIP_PORT")
+	echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_syncthing {
+	if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
+	echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_voip_turn {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("TURN     $VOIP_TURN_PORT")
+	OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT")
+	echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
+}
+
+
+function configure_firewall_for_sip4 {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
+	iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("SIP      $SIP_PORT")
+	OPEN_PORTS+=("SIP TLS  $SIP_TLS_PORT")
+	echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_ipfs {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("IPFS     $IPFS_PORT")
+	echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_avahi {
+	if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 548 -j ACCEPT
+	iptables -A INPUT -p udp --dport 548 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
+	iptables -A INPUT -p udp --dport 5353 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
+	iptables -A INPUT -p udp --dport 5354 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+	echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_cjdns {
+	if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_CJDNS != "yes" ]]; then
+		return
+	fi
+	ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
+	ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+	echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_batman {
+	if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BATMAN != "yes" ]]; then
+		return
+	fi
+
+	function_check save_firewall_settings
+	save_firewall_settings
+	echo 'configure_firewall_for_batman' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_babel {
+	if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BABEL != "yes" ]]; then
+		return
+	fi
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Babel    $BABEL_PORT")
+	echo 'configure_firewall_for_babel' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_zeronet {
+	if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("ZeroNet  $ZERONET_PORT")
+	OPEN_PORTS+=("Tracker  $TRACKER_PORT")
+	echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_dlna {
+	if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport 1900 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('DLNA     1900')
+	OPEN_PORTS+=('DLNA     8200')
+	echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_dns {
+	if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+	echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_xmpp {
+	if [ ! -d /etc/prosody ]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('XMPP     5222-5223')
+	OPEN_PORTS+=('XMPP     5269')
+	OPEN_PORTS+=('XMPP     5280-5281')
+	echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_irc {
+	if [ ! -d /etc/ngircd ]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $IRC_PORT  -j ACCEPT
+	iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("IRC      $IRC_PORT")
+	echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_web_access {
+	if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_web_server {
+	if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('HTTP     80')
+	OPEN_PORTS+=('HTTPS    443')
+	echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_tox {
+	if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Tox      $TOX_PORT")
+	echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_ssh {
+	if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("SSH      $SSH_PORT")
+	echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_git {
+	if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 9418 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Git      9418")
+	echo 'configure_firewall_for_git' >> $COMPLETION_FILE
+}
+
+function configure_firewall_for_email {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 25 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 587 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 465 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 993 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('Email    25')
+	OPEN_PORTS+=('Email    587')
+	OPEN_PORTS+=('Email    465')
+	OPEN_PORTS+=('Email    993')
+	echo 'configure_firewall_for_email' >> $COMPLETION_FILE
+}
+
+function configure_internet_protocol {
+	if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
+	sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
+	if ! grep -q "ignore pings" /etc/sysctl.conf; then
+		echo '# ignore pings' >> /etc/sysctl.conf
+		echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
+		echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
+	fi
+	if ! grep -q "disable ipv6" /etc/sysctl.conf; then
+		echo '# disable ipv6' >> /etc/sysctl.conf
+		echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
+	fi
+	if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
+		echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
+		echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
+	fi
+	if ! grep -q "keepalive" /etc/sysctl.conf; then
+		echo '# keepalive' >> /etc/sysctl.conf
+		echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
+		echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
+		echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
+	fi
+	echo 'configure_internet_protocol' >> $COMPLETION_FILE
+}

src/freedombone-utils-git

@@ -88,24 +88,6 @@ function git_pull {
 	fi
 }
 
-# This might be replaced in future with a separate rss reader script
-function rss_reader_modifications {
-	# modify the rss reader to use a socks5 proxy rather than a http proxy
-	if [ ! -d $RSS_READER_PATH ]; then
-		return
-	fi
-
-	# ensure that socks5 proxy is used
-	if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/plugins/af_unburn/init.php; then
-		sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/plugins/af_unburn/init.php
-	fi
-	if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/include/functions.php; then
-		sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/include/functions.php
-	fi
-	chown -R www-data:www-data $RSS_READER_PATH
-	chmod a+x $RSS_READER_PATH
-}
-
 # This ensures that a given repo is on a given commit
 # If it isn't then it attempts to upgrade
 function set_repo_commit {
@@ -180,6 +162,7 @@ function set_repo_commit {
 					make install
 				fi
 				if [[ $repo_dir == $RSS_READER_PATH ]]; then
+					function_check rss_reader_modifications
 					rss_reader_modifications
 				fi
 				if [[ $repo_dir == *"inadyn" ]]; then

src/freedombone-utils-go

@@ -0,0 +1,148 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Go functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+GO_VERSION=1.5
+
+GO_PACKAGE_MANAGER_REPO="https://github.com/gpmgo/gopm"
+GVM_HOME=/home/git/gvm
+GVM_REPO="https://github.com/moovweb/gvm"
+GVM_COMMIT='25ea8ae158e2861c92e2b22c458e60840157832f'
+
+function select_go_version {
+	if [ ! -d $GVM_HOME/bin ]; then
+		echo $'GVM was not installed'
+		exit 629532
+	fi
+	export GVM_ROOT=$GVM_HOME
+	if ! grep -q "GVM_ROOT=" ~/.bashrc; then
+		echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc
+	else
+		sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc
+	fi
+	cd $GVM_ROOT/bin
+	[[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm"
+	gvm use go${GO_VERSION} --default
+	systemctl set-environment GOPATH=$GOPATH
+
+	if [ ${#GOPATH} -lt 2 ]; then
+		echo $'GOPATH was not set'
+		exit 629825
+	fi
+}
+
+function upgrade_golang {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	# NOTE: this is annoyingly hacky and going in the opposite
+	# direction of a pure blend, but it's necessary if you want
+	# to run the latest version of gogs
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $INSTALL_DIR/gvm "gvm commit" "$GVM_COMMIT" $GVM_REPO
+
+	if grep -Fxq "upgrade_golang" $COMPLETION_FILE; then
+		return
+	fi
+
+	export GVM_ROOT=$GVM_HOME
+
+	apt-get -y install curl git mercurial make binutils bison gcc build-essential
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir $INSTALL_DIR
+	fi
+	cd $INSTALL_DIR
+	function_check git_clone
+	git_clone $GVM_REPO gvm
+	cd $INSTALL_DIR/gvm
+	git checkout $GVM_COMMIT -b $GVM_COMMIT
+	if [ ! -f binscripts/gvm-installer ]; then
+		echo $'gvm installer not found'
+	fi
+	chmod +x binscripts/gvm-installer
+
+	if [ -d /root/.gvm ]; then
+		rm -rf /root/.gvm
+	fi
+	if [ -d $GVM_ROOT ]; then
+		rm -rf $GVM_ROOT
+	fi
+	sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc
+
+	if [ ! -d /home/git ]; then
+		# add a gogs user account within which the gvm home directory will exist
+		adduser --disabled-login --gecos 'Gogs' git
+	fi
+	if [ -d /home/git/Maildir ]; then
+		rm -rf /home/git/Maildir
+	fi
+
+	# TODO: this script is all over the place
+	# and contains hardcoded github. See if you can do better
+	./binscripts/gvm-installer master /home/git
+
+	if [ ! -d $GVM_ROOT ]; then
+		echo $'Unable to install gvm'
+		exit 83537
+	fi
+
+	[[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm"
+	if [ ! -f $GVM_ROOT/bin/gvm ]; then
+		echo $'gvm was not installed'
+	fi
+	if ! grep -q "export GVM_ROOT=" ~/.bashrc; then
+		echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc
+	fi
+
+	cd $GVM_ROOT/bin
+	gvm install go1.4
+	gvm use go1.4
+	export GOROOT_BOOTSTRAP=$GOROOT
+	gvm install go${GO_VERSION}
+	if [ ! "$?" = "0" ]; then
+		echo $'Unable to upgrade golang'
+		exit 529252
+	fi
+	gvm use go${GO_VERSION} --default
+
+	chown -R git:git $GVM_HOME
+
+	if ! grep -q "gvm commit" $COMPLETION_FILE; then
+		echo "gvm commit:$GVM_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/gvm commit.*/gvm commit:$GVM_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	echo 'upgrade_golang' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-utils-help

@@ -0,0 +1,81 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Show help
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function show_help {
+	echo ''
+	echo $"${PROJECT_NAME} -c [configuration file]"
+	echo ''
+	echo $'  -h --help             Show help'
+	echo $'     menuconfig         Easy interactive installation'
+	echo $'     menuconfig-full    Full interactive installation'
+	echo $'     menuconfig-onion   Interactive installation for onion-only sites'
+	echo $'  -c --config           Installing from a configuration file'
+	echo $'     --bbb              Installing on Beaglebone Black'
+	echo $'  -u --user             User to install the system as'
+	echo $'  -d --domain           Default domain name'
+	echo $'  -s --system           System type'
+	echo $'     --ip               Static LAN IP address of the system'
+	echo $'     --iprouter         LAN IP address of the internet router'
+	echo $'     --ddns             Dynamic DNS provider domain'
+	echo $'     --ddnsuser         Dynamic DNS provider username'
+	echo $'     --ddnspass         Dynamic DNS provider password'
+	echo ''
+	echo $'     --microblogdomain  Microblog domain name'
+	echo $'     --wikidomain       Wiki domain name'
+	echo $'     --blogdomain       Blog domain name'
+	echo $'     --hubzilladomain   Hubzilla domain name'
+	echo $'     --gitdomain        Git hosting domain name'
+	echo $'  -t --time             Domain used as a TLS time source'
+	echo $'     --ssh              ssh port number'
+	echo $'     --list             Public mailing list name'
+	echo $'     --cores            Number of CPU cores'
+	echo $'     --name             Your name'
+	echo $'     --email            Your email address'
+	echo $'     --usb              Path for the USB drive (eg. /dev/sdb1)'
+	echo $'     --cjdns            Enable CJDNS'
+	echo $'     --vpass            VoIP server password'
+	echo $'     --vport            VoIP server port'
+	echo $'     --ns1              First DNS nameserver'
+	echo $'     --ns2              Second DNS nameserver'
+	echo $'     --repo             Debian repository'
+	echo ''
+	echo $'system types'
+	echo '------------'
+	echo $'This can either be blank if you wish to install the full system,'
+	echo $"or for more specialised variants you can specify '$VARIANT_MAILBOX', '$VARIANT_CLOUD',"
+	echo $"'$VARIANT_CHAT', '$VARIANT_SOCIAL', '$VARIANT_MEDIA', '$VARIANT_WRITER', '$VARIANT_DEVELOPER'"
+	echo $"or '$VARIANT_MESH'."
+	echo ''
+	echo $"If you wish to install everything except email then use the '$VARIANT_NONMAILBOX' variaint."
+	echo ''
+	exit 0
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-interactive

@@ -0,0 +1,109 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Interactive install functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function interactive_configuration_remote_backups {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! -f /usr/local/bin/${PROJECT_NAME}-remote ]; then
+		if [ ! -f /usr/bin/${PROJECT_NAME}-remote ]; then
+			echo $"The command ${PROJECT_NAME}-remote was not found"
+			exit 87354
+		fi
+	fi
+	${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes
+	if [ ! "$?" = "0" ]; then
+		echo $'Command failed:'
+		echo ''
+		echo $"  ${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes"
+		echo ''
+		exit 65892
+	fi
+}
+
+function interactive_configuration {
+	if [ ! -f /usr/local/bin/${PROJECT_NAME}-config ]; then
+		if [ ! -f /usr/bin/${PROJECT_NAME}-config ]; then
+			echo $"The command ${PROJECT_NAME}-config was not found"
+			exit 63935
+		fi
+	fi
+	if [ -f /tmp/meshuserdevice ]; then
+		rm -f /tmp/meshuserdevice
+	fi
+
+	if [[ $ONION_ONLY == "no" ]]; then
+		if [[ $MINIMAL_INSTALL == "no" ]]; then
+			${PROJECT_NAME}-config \
+						   -f $CONFIGURATION_FILE \
+						   -w $PROJECT_WEBSITE \
+						   -m $MINIMUM_PASSWORD_LENGTH
+		else
+			${PROJECT_NAME}-config \
+						   -f $CONFIGURATION_FILE \
+						   -w $PROJECT_WEBSITE \
+						   -m $MINIMUM_PASSWORD_LENGTH \
+						   --minimal "yes"
+		fi
+	else
+		${PROJECT_NAME}-config \
+					   -f $CONFIGURATION_FILE \
+					   -w $PROJECT_WEBSITE \
+					   -m $MINIMUM_PASSWORD_LENGTH \
+					   --onion "yes"
+	fi
+	if [ -f /tmp/meshuserdevice ]; then
+		# mesh network user device installation
+		rm -f /tmp/meshuserdevice
+		exit 0
+	fi
+	if [ ! "$?" = "0" ]; then
+		echo $'Command failed:'
+		echo ''
+		echo $"  ${PROJECT_NAME}-config -u $MY_USERNAME -f $CONFIGURATION_FILE -w $PROJECT_WEBSITE -b $PROJECT_BITMESSAGE -m $MINIMUM_PASSWORD_LENGTH --minimal [yes|no]"
+		echo ''
+		exit 73594
+	fi
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
+
+		dialog --title $"Encrypted backup to other servers" \
+			   --backtitle $"${PROJECT_NAME} Configuration" \
+			   --defaultno \
+			   --yesno $"\nDo you wish to configure some remote backup locations?" 7 60
+		sel=$?
+		case $sel in
+			0) interactive_configuration_remote_backups;;
+		esac
+	fi
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-international

@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# International/language functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function locale_setup {
+	if grep -Fxq "locale_setup" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install locales locales-all debconf
+
+	if [ ! "$DEFAULT_LANGUAGE" ]; then
+		DEFAULT_LANGUAGE='en_GB.UTF-8'
+	fi
+	if [ ${#DEFAULT_LANGUAGE} -lt 2 ]; then
+		DEFAULT_LANGUAGE='en_GB.UTF-8'
+	fi
+
+	update-locale LANG=${DEFAULT_LANGUAGE}
+	update-locale LANGUAGE=${DEFAULT_LANGUAGE}
+	update-locale LC_MESSAGES=${DEFAULT_LANGUAGE}
+	update-locale LC_ALL=${DEFAULT_LANGUAGE}
+	update-locale LC_CTYPE=${DEFAULT_LANGUAGE}
+
+	echo 'locale_setup' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-login

@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# login functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function change_login_message {
+	if grep -Fxq "change_login_message" $COMPLETION_FILE; then
+		return
+	fi
+
+	# remove automatic motd creator if it exists
+	if [ -f /etc/init.d/motd ]; then
+		rm -f /etc/init.d/motd
+	fi
+
+	echo '' > /etc/motd
+	echo ".---.                  .              .                   " >> /etc/motd
+	echo "|                      |              |                   " >> /etc/motd
+	echo "|--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-. " >> /etc/motd
+	echo "|    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-' " >> /etc/motd
+	echo "'    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'" >> /etc/motd
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
+		echo $'               M A I L B O X   E D I T I O N' >> /etc/motd
+	fi
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
+		echo $'                 S O C I A L   E D I T I O N' >> /etc/motd
+	fi
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
+		echo $'                  C H A T   E D I T I O N' >> /etc/motd
+	fi
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then
+		echo $'                  C L O U D   E D I T I O N' >> /etc/motd
+	fi
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then
+		echo $'                 W R I T E R   E D I T I O N ' >> /etc/motd
+	fi
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then
+		echo $'                  M E D I A   E D I T I O N' >> /etc/motd
+	fi
+
+	if [[ $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		echo $'             D E V E L O P E R   E D I T I O N' >> /etc/motd
+	fi
+
+	echo '' >> /etc/motd
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		echo $'                  Freedom in the Cloud' >> /etc/motd
+	else
+		echo $'                   Freedom in the Mesh' >> /etc/motd
+	fi
+	echo '' >> /etc/motd
+	echo 'change_login_message' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-monkeysphere

@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# monkeysphere functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function install_monkeysphere {
+	if grep -Fxq "install_monkeysphere" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install monkeysphere msva-perl
+	#su -c "monkeysphere gen-subkey $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
+	mkdir /home/$MY_USERNAME/.monkeysphere
+	chmod 755 /home/$MY_USERNAME/.monkeysphere
+	echo "$MY_NAME <${MY_EMAIL_ADDRESS}>" > /home/$MY_USERNAME/.monkeysphere/authorized_user_ids
+	chmod 644 /home/$MY_USERNAME/.monkeysphere/authorized_user_ids
+	chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.monkeysphere
+	monkeysphere-authentication update-users
+
+	if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+		echo $'monkeysphere import: ssh host key not found'
+		exit 76295
+	fi
+	monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
+	SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
+	monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
+
+	if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then
+		MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
+		if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
+			echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
+			exit 52825
+		fi
+	fi
+	# The admin user is the identity certifier
+	fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
+	monkeysphere-authentication add-identity-certifier $fpr
+
+	echo 'install_monkeysphere' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-network

@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Network functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# If the system is on an IPv6 network
+IPV6_NETWORK='2001:470:26:307'
+
+# The static IP address of the system within the local network
+# By default the IP address is dynamic within your LAN
+LOCAL_NETWORK_STATIC_IP_ADDRESS=
+
+# IP address of the router (gateway)
+ROUTER_IP_ADDRESS="192.168.1.254"
+
+MESH_INSTALL_DIR=/var/lib
+
+function install_static_network {
+	if grep -Fxq "install_static_network" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLING_ON_BBB == "yes" ]]; then
+		return
+	fi
+	if [ ! $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then
+		return
+	fi
+
+	echo '# The loopback network interface' > /etc/network/interfaces
+	echo 'auto lo' >> /etc/network/interfaces
+	echo 'iface lo inet loopback' >> /etc/network/interfaces
+	echo '' >> /etc/network/interfaces
+	echo '# The primary network interface' >> /etc/network/interfaces
+	echo 'auto eth0' >> /etc/network/interfaces
+	echo 'iface eth0 inet static' >> /etc/network/interfaces
+	echo "    address $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/network/interfaces
+	echo '    netmask 255.255.255.0' >> /etc/network/interfaces
+	echo "    gateway $ROUTER_IP_ADDRESS" >> /etc/network/interfaces
+	echo "    dns-nameservers $NAMESERVER1 $NAMESERVER2" >> /etc/network/interfaces
+	echo '# Example to keep MAC address between reboots' >> /etc/network/interfaces
+	echo '#hwaddress ether DE:AD:BE:EF:CA:FE' >> /etc/network/interfaces
+	echo '' >> /etc/network/interfaces
+	echo '# The secondary network interface' >> /etc/network/interfaces
+	echo '#auto eth1' >> /etc/network/interfaces
+	echo '#iface eth1 inet dhcp' >> /etc/network/interfaces
+	echo '' >> /etc/network/interfaces
+	echo '# WiFi Example' >> /etc/network/interfaces
+	echo "#auto $WIFI_INTERFACE" >> /etc/network/interfaces
+	echo "#iface $WIFI_INTERFACE inet dhcp" >> /etc/network/interfaces
+	echo '#    wpa-ssid "essid"' >> /etc/network/interfaces
+	echo '#    wpa-psk  "password"' >> /etc/network/interfaces
+	echo '' >> /etc/network/interfaces
+	echo '# Ethernet/RNDIS gadget (g_ether)' >> /etc/network/interfaces
+	echo '# ... or on host side, usbnet and random hwaddr' >> /etc/network/interfaces
+	echo '# Note on some boards, usb0 is automaticly setup with an init script' >> /etc/network/interfaces
+	echo '#iface usb0 inet static' >> /etc/network/interfaces
+	echo '#    address 192.168.7.2' >> /etc/network/interfaces
+	echo '#    netmask 255.255.255.0' >> /etc/network/interfaces
+	echo '#    network 192.168.7.0' >> /etc/network/interfaces
+	echo '#    gateway 192.168.7.1' >> /etc/network/interfaces
+
+	echo 'install_static_network' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-onion

@@ -0,0 +1,349 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Onion functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function wait_for_onion_service {
+	onion_service_name="$1"
+
+	sleep_ctr=0
+	while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do
+		sleep 1
+		sleep_ctr=$((sleep_ctr + 1))
+		if [ $sleep_ctr -gt 10 ]; then
+			break
+		fi
+	done
+
+	if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
+		# restart and try a second time
+		systemctl restart tor
+		sleep_ctr=0
+		while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do
+			sleep 1
+			sleep_ctr=$((sleep_ctr + 1))
+			if [ $sleep_ctr -gt 10 ]; then
+				break
+			fi
+		done
+	fi
+}
+
+function add_onion_service {
+	onion_service_name="$1"
+	onion_service_port_from=$2
+	onion_service_port_to=$3
+
+	if [ -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
+		echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname)
+		return
+	fi
+
+	if [ ! -d /var/lib/tor ]; then
+		echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured."
+		exit 877367
+	fi
+	if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then
+		echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc
+		echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> /etc/tor/torrc
+	fi
+
+	systemctl restart tor
+
+	function_check wait_for_onion_service
+	wait_for_onion_service ${onion_service_name}
+
+	if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
+		echo $"${onion_service_name} onion site hostname not found"
+		exit 76362
+	fi
+	echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname)
+}
+
+function set_default_onion_domains {
+	# If sites are only visible via Tor then for installation
+	# purposes assign them some default domain names
+	if [[ $ONION_ONLY == "no" ]]; then
+		return
+	fi
+
+	if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then
+		MICROBLOG_DOMAIN_NAME='microblog.local'
+	fi
+	if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then
+		FULLBLOG_DOMAIN_NAME='blog.local'
+	fi
+	if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then
+		WIKI_DOMAIN_NAME='wiki.local'
+	fi
+	if [ ${#DEFAULT_DOMAIN_NAME} -gt 1 ]; then
+		DEFAULT_DOMAIN_NAME="${PROJECT_NAME}.local"
+	fi
+	if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then
+		GIT_DOMAIN_NAME='git.local'
+	fi
+	if [ ${#MEDIAGOBLIN_DOMAIN_NAME} -gt 1 ]; then
+		MEDIAGOBLIN_DOMAIN_NAME='media.local'
+	fi
+}
+
+function create_avahi_onion_domains {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! -d /etc/avahi/services ]; then
+		return
+	fi
+	if [ $MICROBLOG_DOMAIN_NAME ]; then
+	    function_check create_avahi_service
+		create_avahi_service microblog http tcp $MICROBLOG_ONION_PORT
+	fi
+	if [ $FULLBLOG_DOMAIN_NAME ]; then
+	    function_check create_avahi_service
+		create_avahi_service blog http tcp $BLOG_ONION_PORT
+	fi
+	if [ $GIT_DOMAIN_NAME ]; then
+	    function_check create_avahi_service
+		create_avahi_service git http tcp $GIT_ONION_PORT
+	fi
+	if [ $WIKI_DOMAIN_NAME ]; then
+	    function_check create_avahi_service
+		create_avahi_service wiki http tcp $WIKI_ONION_PORT
+	fi
+}
+
+function allow_ssh_to_onion_address {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! -d /home/$MY_USERNAME/.ssh ]; then
+		mkdir /home/$MY_USERNAME/.ssh
+	fi
+	if [ ! -d /etc/tor ]; then
+		echo $'Tor not found when updating ssh'
+		exit 528257
+	fi
+	if ! grep -q "onion" /home/$MY_USERNAME/.ssh/config; then
+		echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config
+		echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config
+	fi
+}
+
+function enable_ssh_via_onion {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "enable_ssh_via_onion" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install tor connect-proxy
+	if ! grep -q 'Host *.onion' /home/$MY_USERNAME/.ssh/config; then
+		if [ ! -d /home/$MY_USERNAME/.ssh ]; then
+			mkdir /home/$MY_USERNAME/.ssh
+		fi
+		echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config
+		echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
+		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh/config
+	fi
+	if ! grep -q 'Host *.onion' /root/.ssh/config; then
+		if [ ! -d /root/.ssh ]; then
+			mkdir /root/.ssh
+		fi
+		echo 'Host *.onion' >> /root/.ssh/config
+		echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /root/.ssh/config
+	fi
+	echo 'enable_ssh_via_onion' >> $COMPLETION_FILE
+}
+
+function configure_ssh_onion {
+	if grep -Fxq "configure_ssh_onion" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	SSH_ONION_HOSTNAME=$(add_onion_service ssh ${SSH_PORT} ${SSH_PORT})
+
+	if ! grep -q "ssh onion domain" $COMPLETION_FILE; then
+		echo "ssh onion domain:${SSH_ONION_HOSTNAME}" >> $COMPLETION_FILE
+	else
+		sed -i "s|ssh onion domain.*|ssh onion domain:${SSH_ONION_HOSTNAME}|g" $COMPLETION_FILE
+	fi
+
+	echo 'configure_ssh_onion' >> $COMPLETION_FILE
+}
+
+function install_tor {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "install_tor" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install tor
+	if [ ! -f /etc/tor/torrc ]; then
+		echo 'Tor failed to install'
+		exit 38259
+	fi
+	echo 'install_tor' >> $COMPLETION_FILE
+}
+
+function resolve_dns_via_tor {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if grep -Fxq "resolve_dns_via_tor" $COMPLETION_FILE; then
+		return
+	fi
+	if [ ! -f /etc/tor/torrc ]; then
+		echo $'tor was not installed'
+		exit 52952
+	fi
+
+	# resolve DNS via tor
+	if ! grep 'DNSPort 53' /etc/tor/torrc; then
+		echo 'DNSPort 53' >> /etc/tor/torrc
+		echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
+		echo 'AutomapHostsSuffixes .exit,.onion' >> /etc/tor/torrc
+		systemctl restart tor
+	fi
+
+	# don't change resolv.conf
+	sed -i 's|, domain-name-servers||g' /etc/dhcp/dhclient.conf
+
+	# point resolv.conf to tor
+	echo 'nameserver 127.0.0.1:53' > /etc/resolv.conf
+
+	# prevent resolv.conf from changing
+	chattr +i /etc/resolv.conf
+
+	echo 'resolve_dns_via_tor' >> $COMPLETION_FILE
+}
+
+# see https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
+# Local Redirection and Anonymizing Middlebox
+function route_outgoing_traffic_through_tor {
+	if grep -Fxq "route_outgoing_traffic_through_tor" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ROUTE_THROUGH_TOR != "yes" ]]; then
+		return
+	fi
+	apt-get -y install tor tor-arm
+
+	### set variables
+	# Destinations you don't want routed through Tor
+	_non_tor="192.168.1.0/24 192.168.0.0/24"
+
+	# The user that Tor runs as
+	_tor_uid="debian-tor"
+
+	# Tor's TransPort
+	_trans_port="9040"
+
+	# Your internal interface
+	_int_if="eth0"
+
+	### Set iptables *nat
+	iptables -t nat -A OUTPUT -o lo -j RETURN
+	iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
+	iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
+
+	# Allow clearnet access for hosts in $_non_tor
+	for _clearnet in $_non_tor; do
+		iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
+		iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN
+	done
+
+	# Redirect all other pre-routing and output to Tor
+	iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
+	iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
+	iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
+
+	### set iptables *filter
+	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+	# Allow clearnet access for hosts in $_non_tor
+	for _clearnet in $_non_tor 127.0.0.0/8; do
+		iptables -A OUTPUT -d $_clearnet -j ACCEPT
+	done
+
+	# Allow only Tor output
+	iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
+	iptables -A OUTPUT -j REJECT
+
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	if ! grep -q "fs.file-max" /etc/sysctl.conf; then
+		echo "fs.file-max=100000" >> /etc/sysctl.conf
+		/sbin/sysctl -p
+	fi
+
+	echo 'domain localdomain' > /etc/resolv.conf
+	echo 'search localdomain' >> /etc/resolv.conf
+	echo 'nameserver 127.0.0.1' >> /etc/resolv.conf
+
+	if ! grep -q "VirtualAddrNetworkIPv4" /etc/tor/torrc; then
+		echo 'VirtualAddrNetworkIPv4 10.192.0.0/10' >> /etc/tor/torrc
+	fi
+
+	if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then
+		echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
+	fi
+
+	if ! grep -q "TransPort" /etc/tor/torrc; then
+		echo 'TransPort 9040' >> /etc/tor/torrc
+	fi
+
+	if ! grep -q "TransListenAddress 127.0.0.1" /etc/tor/torrc; then
+		echo 'TransListenAddress 127.0.0.1' >> /etc/tor/torrc
+	fi
+
+	if ! grep -q "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then
+		echo "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc
+	fi
+
+	if ! grep -q "DNSPort" /etc/tor/torrc; then
+		echo 'DNSPort 53' >> /etc/tor/torrc
+	fi
+
+	if ! grep -q "DNSListenAddress 127.0.0.1" /etc/tor/torrc; then
+		echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc
+	fi
+
+	if ! grep -q "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then
+		echo "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc
+	fi
+
+	echo 'route_outgoing_traffic_through_tor' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-passwords

@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Password functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# If this file exists it contains a global password used with
+# disk image installs. This simplifies password management for
+# deployment at scale
+IMAGE_PASSWORD_FILE=/root/login.txt
+
+# Minimum number of characters in a password
+MINIMUM_PASSWORD_LENGTH=10
+
+function enforce_good_passwords {
+	# because humans are generally bad at choosing passwords
+	if grep -Fxq "enforce_good_passwords" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install libpam-cracklib
+
+	sed -i 's/password.*requisite.*pam_cracklib.so.*/password        required                       pam_cracklib.so retry=2 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password
+	echo 'enforce_good_passwords' >> $COMPLETION_FILE
+}
+
+function create_password {
+    echo "$(openssl rand -base64 32 | cut -c1-${1})"
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-repos

@@ -0,0 +1,149 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Functions to set repositories
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The Debian package repository to use.
+DEBIAN_REPO="ftp.us.debian.org"
+
+# password used for accessing your repo mirrors
+MY_MIRRORS_PASSWORD=
+# friend's repo mirrors
+FRIENDS_MIRRORS_PASSWORD=
+FRIENDS_MIRRORS_SERVER=
+FRIENDS_MIRRORS_SSH_PORT=2222
+
+function create_repo_sources {
+	if grep -Fxq "create_repo_sources" $COMPLETION_FILE; then
+		return
+	fi
+	rm -rf /var/lib/apt/lists/*
+	apt-get clean
+
+	echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" > /etc/apt/sources.list
+	echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" >> /etc/apt/sources.list
+	echo '' >> /etc/apt/sources.list
+	echo "deb http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list
+	echo "deb-src http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list
+	echo '' >> /etc/apt/sources.list
+	echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list
+	echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list
+	echo '' >> /etc/apt/sources.list
+	echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list
+	echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list
+
+	apt-get update
+	apt-get -y install apt-transport-https
+
+	echo 'create_repo_sources' >> $COMPLETION_FILE
+}
+
+function read_repo_servers {
+	if [ -f $CONFIGURATION_FILE ]; then
+		if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
+			FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
+			FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
+			MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+		if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
+			FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+		fi
+	fi
+
+	if [ ! $FRIENDS_MIRRORS_SERVER ]; then
+		return
+	fi
+	if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then
+		return
+	fi
+
+	MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME}
+	if [ ! -f $MAIN_COMMAND ]; then
+		MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
+	fi
+
+	REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g'))
+
+	for line in "${REPOS[@]}"
+	do
+		repo_name=$(echo "$line" | awk -F '=' '{print $1}')
+		mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
+		friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
+		${repo_name}="${friends_repo_url}"
+	done
+}
+
+# A command to create a git repository for a project
+function create_git_project {
+	if grep -Fxq "create_git_project" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install git
+
+	echo '#!/bin/bash' > /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'GIT_PROJECT_NAME=$1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'if [ ! $GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '  echo "Please specify a project name, without any spaces"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '  exit 1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'if [ ! -d /home/$USER/projects/$GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '  mkdir -p /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'cd /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'git init --bare' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo -n 'echo "Your project has been created, ' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'use the following command to clone the repository"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo -n "  git clone ssh://$MY_USERNAME@$DEFAULT_DOMAIN_NAME:$SSH_PORT" >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '/home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	echo 'exit 0' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+	chmod +x /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+
+	echo 'create_git_project' >> $COMPLETION_FILE
+}
+
+function create_mirrors {
+	if [ -d /home/trove ]; then
+		userdel -r trove
+	fi
+	if grep -Fxq "create_mirrors" $COMPLETION_FILE; then
+		return
+	fi
+	${PROJECT_NAME}-mirrors
+	echo 'create_mirrors' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-rng

@@ -0,0 +1,167 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Random number generation functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The type of hardware random number generator being used
+# This can be empty, "beaglebone" or "onerng"
+HWRNG_TYPE=
+
+# Download location for OneRNG driver
+ONERNG_PACKAGE="onerng_3.4-1_all.deb"
+ONERNG_PACKAGE_DOWNLOAD="https://github.com/OneRNG/onerng.github.io/blob/master/sw/$ONERNG_PACKAGE?raw=true"
+# Hash for OneRNG driver
+ONERNG_PACKAGE_HASH='78f1c2f52ae573e3b398a695ece7ab9f41868252657ea269f0d5cf0bd4f2eb59'
+
+# device name for OneRNG
+ONERNG_DEVICE='ttyACM0'
+
+function check_hwrng {
+	if [[ $HWRNG_TYPE == "beaglebone" ]]; then
+		# If hardware random number generation was enabled then make sure that the device exists.
+		# if /dev/hwrng is not found then any subsequent cryptographic key generation would
+		# suffer from low entropy and might be insecure
+		if [ ! -e /dev/hwrng ]; then
+			ls /dev/hw*
+			echo $'The hardware random number generator is enabled but could not be detected on'
+			echo $'/dev/hwrng.  There may be a problem with the installation or the Beaglebone hardware.'
+			exit 75
+		fi
+	fi
+
+	# If a OneRNG device was installed then verify its firmware
+	#check_onerng_verification
+}
+
+function check_onerng_verification {
+	if grep -Fxq "check_onerng_verification" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $HWRNG_TYPE != "onerng" ]]; then
+		return
+	fi
+	echo $'Checking OneRNG firmware verification'
+	last_onerng_validation=$(cat /var/log/syslog.1 | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
+	if [[ $last_onerng_validation != *"passed OK"* ]]; then
+		last_onerng_validation=$(cat /var/log/syslog | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
+		if [[ $last_onerng_validation != *"passed OK"* ]]; then
+			echo $last_onerng_validation
+			echo $'OneRNG firmware verification failed'
+			exit 735026
+		fi
+	fi
+	echo $'OneRNG firmware verification passed'
+	# if haveged was previously installed then remove it
+	apt-get -y remove haveged
+	echo 'check_onerng_verification' >> $COMPLETION_FILE
+}
+
+function install_onerng {
+	apt-get -y install rng-tools at python-gnupg
+
+	# Move to the installation directory
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir $INSTALL_DIR
+	fi
+	cd $INSTALL_DIR
+
+	# Download the package
+	if [ ! -f $ONERNG_PACKAGE ]; then
+		wget $ONERNG_PACKAGE_DOWNLOAD
+		mv "$ONERNG_PACKAGE?raw=true" $ONERNG_PACKAGE
+	fi
+	if [ ! -f $ONERNG_PACKAGE ]; then
+		echo $"OneRNG package could not be downloaded"
+		exit 59249
+	fi
+
+	# Check the hash
+	hash=$(sha256sum $ONERNG_PACKAGE | awk -F ' ' '{print $1}')
+	if [[ $hash != $ONERNG_PACKAGE_HASH ]]; then
+		echo $"OneRNG package: $ONERNG_PACKAGE"
+		echo $"Hash does not match. This could indicate that the package has been tampered with."
+		echo $"OneRNG expected package hash: $ONERNG_PACKAGE_HASH"
+		echo $"OneRNG actual hash: $hash"
+		exit 25934
+	fi
+
+	# install the package
+	dpkg -i $ONERNG_PACKAGE
+
+	# Check that the install worked
+	if [ ! -f /etc/onerng.conf ]; then
+		echo $'OneRNG configuration file not found. The package may not have installed successfully.'
+		exit 42904
+	fi
+
+	dialog --title $"OneRNG Device" \
+		   --msgbox $"Please plug in the OneRNG device" 6 40
+
+	# check rng-tools configuration
+	if ! grep -q "/dev/$ONERNG_DEVICE" /etc/default/rng-tools; then
+		echo "HRNGDEVICE=/dev/$ONERNG_DEVICE" >> /etc/default/rng-tools
+	fi
+
+	systemctl restart rng-tools
+}
+
+function random_number_generator {
+	if grep -Fxq "random_number_generator" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# it is assumed that docker uses the random number
+		# generator of the host system
+		return
+	fi
+
+	# if the hrng type has not been set but /dev/hwrng is detected
+	if [[ $HWRNG_TYPE != "beaglebone" ]]; then
+		if [ -e /dev/hwrng ]; then
+			HWRNG_TYPE="beaglebone"
+		fi
+	fi
+
+	case $HWRNG_TYPE in
+		beaglebone)
+			apt-get -y install rng-tools
+			sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools
+			;;
+		onerng)
+			function_check install_onerng
+			install_onerng
+			;;
+		*)
+			apt-get -y install haveged
+			;;
+	esac
+
+	echo 'random_number_generator' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-setup

@@ -0,0 +1,368 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Setup functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Different system variants which may be specified within
+# the SYSTEM_TYPE option
+VARIANT_FULL="full"
+VARIANT_WRITER="writer"
+VARIANT_CLOUD="cloud"
+VARIANT_CHAT="chat"
+VARIANT_MAILBOX="mailbox"
+VARIANT_NONMAILBOX="nonmailbox"
+VARIANT_SOCIAL="social"
+VARIANT_MEDIA="media"
+VARIANT_DEVELOPER="developer"
+VARIANT_MESH="mesh"
+
+DEFAULT_DOMAIN_NAME=
+DEFAULT_DOMAIN_CODE=
+MY_USERNAME=
+SYSTEM_TYPE=$VARIANT_FULL
+
+# An optional configuration file which overrides some of these variables
+CONFIGURATION_FILE="${PROJECT_NAME}.cfg"
+
+# Directory where source code is downloaded and compiled
+INSTALL_DIR=$HOME/build
+
+# device name for an attached usb drive
+USB_DRIVE=/dev/sda1
+
+# Location where the USB drive is mounted to
+USB_MOUNT=/mnt/usb
+
+# Number of days to keep backups for
+BACKUP_MAX_DAYS=30
+
+# file containing a list of remote locations to backup to
+# Format: [username@friendsdomain//home/username] [ssh_password]
+# With the only space character being between the server and the password
+FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
+
+export DEBIAN_FRONTEND=noninteractive
+
+# used to limit CPU usage
+CPULIMIT='/usr/bin/cpulimit -l 20 -e'
+
+# command to create a git repository
+CREATE_GIT_PROJECT_COMMAND='create-project'
+
+# File which keeps track of what has already been installed
+COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
+
+# log file where details of remote backups are stored
+REMOTE_BACKUPS_LOG=/var/log/remotebackups.log
+
+# message if something fails to install
+CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."
+
+# Default diffie-hellman key length in bits
+DH_KEYLENGTH=2048
+
+function initial_setup {
+	if grep -Fxq "initial_setup" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y remove --purge apache*
+	apt-get -y dist-upgrade
+	apt-get -y install ca-certificates emacs24 cpulimit
+	apt-get -y install cryptsetup libgfshare-bin obnam sshpass wget
+	apt-get -y install avahi-daemon avahi-utils avahi-discover
+	apt-get -y install connect-proxy
+
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir -p $INSTALL_DIR
+	fi
+
+	echo 'initial_setup' >> $COMPLETION_FILE
+}
+
+function search_for_attached_usb_drive {
+	# If a USB drive is attached then search for email,
+	# gpg, ssh keys and emacs configuration
+	if grep -Fxq "search_for_attached_usb_drive" $COMPLETION_FILE; then
+		return
+	fi
+	if [ -b $USB_DRIVE ]; then
+		if [ ! -d $USB_MOUNT ]; then
+			echo $'Mounting USB drive'
+			mkdir $USB_MOUNT
+			mount $USB_DRIVE $USB_MOUNT
+		fi
+		if ! [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
+			if [ -d $USB_MOUNT/Maildir ]; then
+				echo $'Maildir found on USB drive'
+				IMPORT_MAILDIR=$USB_MOUNT/Maildir
+			fi
+			if [ -d $USB_MOUNT/.gnupg ]; then
+				echo $'Importing GPG keyring'
+				cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME
+				chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
+				GPG_KEYS_IMPORTED="yes"
+				if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then
+					echo $'GPG files did not copy'
+					exit 73529
+				fi
+			fi
+
+			if [ -f $USB_MOUNT/.procmailrc ]; then
+				echo $'Importing procmail settings'
+				cp $USB_MOUNT/.procmailrc /home/$MY_USERNAME
+				chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc
+			fi
+
+			if [ -f $USB_MOUNT/private_key.gpg ]; then
+				echo $'GPG private key found on USB drive'
+				MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg
+			fi
+			if [ -f $USB_MOUNT/public_key.gpg ]; then
+				echo $'GPG public key found on USB drive'
+				MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg
+			fi
+		fi
+		if [ -d $USB_MOUNT/prosody ]; then
+			if [ ! -d $XMPP_DIRECTORY ]; then
+				mkdir $XMPP_DIRECTORY
+			fi
+			cp -r $USB_MOUNT/prosody/* $XMPP_DIRECTORY
+			chown -R prosody:prosody $XMPP_DIRECTORY
+		fi
+		if [ -d $USB_MOUNT/.ssh ]; then
+			echo $'Importing ssh keys'
+			cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME
+			chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
+			# for security delete the ssh keys from the usb drive
+			if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then
+				echo $'ssh files did not copy'
+				exit 8
+			fi
+		fi
+		if [ -f $USB_MOUNT/.emacs ]; then
+			echo $'Importing .emacs file'
+			cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs
+			chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
+		fi
+		if [ -d $USB_MOUNT/.emacs.d ]; then
+			echo $'Importing .emacs.d directory'
+			cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME
+			chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d
+		fi
+		if [ -d $USB_MOUNT/ssl ]; then
+			echo $'Importing SSL certificates'
+			cp -r $USB_MOUNT/ssl/* /etc/ssl
+			chmod 640 /etc/ssl/certs/*
+			chmod 400 /etc/ssl/private/*
+			# change ownership of some certificates
+			if [ -d /etc/prosody ]; then
+				chown prosody:prosody /etc/ssl/private/xmpp.*
+				chown prosody:prosody /etc/ssl/certs/xmpp.*
+			fi
+			if [ -d /etc/dovecot ]; then
+				chown root:dovecot /etc/ssl/certs/dovecot.*
+				chown root:dovecot /etc/ssl/private/dovecot.*
+			fi
+			if [ -f /etc/ssl/private/exim.key ]; then
+				cp /etc/ssl/private/exim.key /etc/exim4
+				cp /etc/ssl/certs/exim.crt /etc/exim4
+				cp /etc/ssl/certs/exim.dhparam /etc/exim4
+				chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
+				chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
+			fi
+		fi
+		if [ -d $USB_MOUNT/personal ]; then
+			echo $'Importing personal directory'
+			cp -r $USB_MOUNT/personal /home/$MY_USERNAME
+			chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal
+		fi
+	else
+		if [ -d $USB_MOUNT ]; then
+			umount $USB_MOUNT
+			rm -rf $USB_MOUNT
+		fi
+		echo $'No USB drive attached'
+	fi
+	echo 'search_for_attached_usb_drive' >> $COMPLETION_FILE
+}
+
+function mark_admin_user_account {
+	if ! grep -q "Admin user:" $COMPLETION_FILE; then
+		echo "Admin user:$MY_USERNAME" >> $COMPLETION_FILE
+	fi
+}
+
+function remove_instructions_from_motd {
+	sed -i '/## /d' /etc/motd
+}
+
+function remove_default_user {
+	# make sure you don't use the default user account
+	if [[ $MY_USERNAME == "debian" ]]; then
+		echo 'Do not use the default debian user account. Create a different user with: adduser [username]'
+		exit 68
+	fi
+	# remove the default debian user to prevent it from becoming an attack vector
+	if [ -d /home/debian ]; then
+		userdel -r debian
+		echo 'Default debian user account removed'
+	fi
+}
+
+function setup_firewall {
+	configure_firewall
+	configure_firewall_ping
+	configure_firewall_for_dns
+	configure_firewall_for_avahi
+}
+
+function setup_system {
+	read_configuration
+	set_default_onion_domains
+	locale_setup
+	parse_args
+	check_domains
+	install_static_network
+	remove_default_user
+	setup_firewall
+	create_repo_sources
+	configure_dns
+	initial_setup
+	install_tor
+	#resolve_dns_via_tor
+	install_command_line_browser
+	enable_ssh_via_onion
+	check_date
+	install_dynamicdns
+	randomize_cron
+	create_freedns_updater
+	mark_admin_user_account
+	enforce_good_passwords
+	install_editor
+	change_login_message
+	enable_zram
+	random_number_generator
+	set_your_domain_name
+	time_synchronisation_tlsdate
+	configure_internet_protocol
+	create_git_project
+	setup_wifi
+	configure_ssh
+	configure_ssh_onion
+	allow_ssh_to_onion_address
+	remove_instructions_from_motd
+	check_hwrng
+	search_for_attached_usb_drive
+	regenerate_ssh_keys
+	create_mirrors
+	create_upgrade_script
+	letsencrypt_renewals
+	install_watchdog_script
+	configure_avahi
+	create_avahi_onion_domains
+	#install_atheros_wifi
+	route_outgoing_traffic_through_tor
+}
+
+function setup_mesh {
+	mesh_cjdns
+	mesh_cjdns_tools
+	mesh_batman
+	mesh_babel
+}
+
+function setup_email {
+	configure_email
+	create_procmail
+	handle_admin_emails
+	spam_filtering
+	configure_imap
+	#configure_imap_client_certs
+	configure_gpg
+	refresh_gpg_keys
+	configure_backup_key
+	install_monkeysphere
+	encrypt_incoming_email
+	encrypt_outgoing_email
+	email_client
+	email_archiving
+	email_from_address
+	create_public_mailing_list
+	#create_private_mailing_list
+	encrypt_all_email
+	import_email
+}
+
+function setup_web {
+	install_web_server
+	install_web_server_access_control
+}
+
+function setup_apps {
+	install_zeronet
+	install_zeronet_blog
+	install_zeronet_mail
+	install_zeronet_forum
+	install_syncthing
+	upgrade_golang
+	install_gogs
+	install_xmpp
+	install_xmpp_client
+	install_tox_node
+	install_tox_client
+	tox_avahi
+	install_irc_server
+	install_irc_client
+	install_mumble
+	install_sip
+	update_sipwitch_daemon
+	install_wiki
+	install_sip_turn
+	install_blog
+	mark_blog_domain
+	install_gnu_social
+	expire_gnu_social_posts
+	install_gnu_social_theme
+	install_gnu_social_markdown
+	install_gnu_social_plugin_sharings
+	install_gnu_social_plugin_sharings_theme
+	install_rss_reader
+	install_rss_reader_gnusocial
+	install_rss_mobile_reader
+	install_hubzilla
+	#install_webmail
+	#install_search_engine
+	install_dlna_server
+	#install_mediagoblin
+	#install_ipfs
+	repair_databases_script
+	backup_to_friends_servers
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-ssh

@@ -0,0 +1,142 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# ssh functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SSH_PORT=2222
+
+# ssh (from https://stribika.github.io/2015/01/04/secure-secure-shell.html)
+SSH_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com"
+SSH_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
+SSH_HOST_KEY_ALGORITHMS="ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa"
+
+function configure_ssh {
+	if grep -Fxq "configure_ssh" $COMPLETION_FILE; then
+		return
+	fi
+	sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config
+	sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
+	sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
+	sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
+	sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
+	sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
+	sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
+	if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
+		echo 'DebianBanner no' >> /etc/ssh/sshd_config
+	else
+		sed -i 's|DebianBanner.*|DebianBanner no|g' /etc/ssh/sshd_config
+	fi
+	if grep -q 'ClientAliveInterval' /etc/ssh/sshd_config; then
+		sed -i 's/ClientAliveInterval.*/ClientAliveInterval 60/g' /etc/ssh/sshd_config
+	else
+		echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config
+	fi
+	if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then
+		sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
+	else
+		echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config
+	fi
+	if grep -q 'Ciphers' /etc/ssh/sshd_config; then
+		sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config
+	else
+		echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config
+	fi
+	if grep -q 'MACs' /etc/ssh/sshd_config; then
+		sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config
+	else
+		echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config
+	fi
+	if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then
+		sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config
+	else
+		echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config
+	fi
+
+	apt-get -y install fail2ban
+
+	function_check configure_firewall_for_ssh
+	configure_firewall_for_ssh
+	echo 'configure_ssh' >> $COMPLETION_FILE
+}
+
+# see https://stribika.github.io/2015/01/04/secure-secure-shell.html
+function ssh_remove_small_moduli {
+	awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+	mv ~/moduli /etc/ssh/moduli
+}
+
+function configure_ssh_client {
+	if grep -Fxq "configure_ssh_client" $COMPLETION_FILE; then
+		return
+	fi
+	#sed -i 's/#   PasswordAuthentication.*/   PasswordAuthentication no/g' /etc/ssh/ssh_config
+	#sed -i 's/#   ChallengeResponseAuthentication.*/   ChallengeResponseAuthentication no/g' /etc/ssh/ssh_config
+	sed -i "s/#   HostKeyAlgorithms.*/   HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config
+	sed -i "s/#   Ciphers.*/   Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
+	sed -i "s/#   MACs.*/   MACs $SSH_MACS/g" /etc/ssh/ssh_config
+	if ! grep -q "HostKeyAlgorithms" /etc/ssh/ssh_config; then
+		echo "   HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS" >> /etc/ssh/ssh_config
+	fi
+	sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
+	if ! grep -q "Ciphers " /etc/ssh/ssh_config; then
+		echo "   Ciphers $SSH_CIPHERS" >> /etc/ssh/ssh_config
+	fi
+	sed -i "s/MACs.*/MACs $SSH_MACS/g" /etc/ssh/ssh_config
+	if ! grep -q "MACs " /etc/ssh/ssh_config; then
+		echo "   MACs $SSH_MACS" >> /etc/ssh/ssh_config
+	fi
+
+	# Create ssh keys
+	if [ ! -f ~/.ssh/id_ed25519 ]; then
+		ssh-keygen -t ed25519 -o -a 100
+	fi
+	if [ ! -f ~/.ssh/id_rsa ]; then
+		ssh-keygen -t rsa -b 4096 -o -a 100
+	fi
+
+	function_check ssh_remove_small_moduli
+	ssh_remove_small_moduli
+	echo 'configure_ssh_client' >> $COMPLETION_FILE
+}
+
+function regenerate_ssh_keys {
+	if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then
+		return
+	fi
+	rm -f /etc/ssh/ssh_host_*
+	dpkg-reconfigure openssh-server
+
+	function_check ssh_remove_small_moduli
+	ssh_remove_small_moduli
+
+    systemctl restart ssh
+	echo 'regenerate_ssh_keys' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-time

@@ -0,0 +1,129 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Time functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Why use Google as a time source?
+# The thinking here is that it's likely to be reliable and fast.
+# The ping doesn't reveal any information other than that the server
+# is running, and if anyone maliciously alters the time on Google's
+# servers then that would certainly be newsworthy and they'd be
+# likely to do something about it quickly.
+# If you have better time sources then change them here.
+TLS_TIME_SOURCE1="google.com"
+TLS_TIME_SOURCE2="www.ptb.de"
+
+# Time synchronisation
+TLSDATE_REPO="https://github.com/bashrc/tlsdate"
+TLSDATE_COMMIT='505e31540eebde8074e7dc93b29be0d848def06a'
+
+function check_date {
+	curr_date=$(date)
+	if [[ $curr_date == *"1970"* ]]; then
+		apt-get -y install ntp
+	fi
+}
+
+function time_synchronisation {
+	# mesh peers typically don't sync over the internet
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	if [ -f /usr/local/bin/${PROJECT_NAME}-update-date ]; then
+		cp /usr/local/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate
+	else
+		cp /usr/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate
+	fi
+	chmod +x /usr/bin/updatedate
+
+	if grep -Fxq "time_synchronisation" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install tlsdate
+	apt-get -y remove ntpdate
+
+	function_check cron_add_mins
+	cron_add_mins 15 '/usr/bin/updatedate'
+
+	systemctl restart cron
+
+	echo 'time_synchronisation' >> $COMPLETION_FILE
+}
+
+function time_synchronisation_tlsdate {
+	# mesh peers typically don't sync over the internet
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+
+	if [ -f /usr/local/bin/${PROJECT_NAME}-update-date ]; then
+		cp /usr/local/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate
+	else
+		cp /usr/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate
+	fi
+	chmod +x /usr/bin/updatedate
+
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir -p $INSTALL_DIR
+	fi
+	set_repo_commit $INSTALL_DIR/tlsdate "tlsdate commit" "$TLSDATE_COMMIT" $TLSDATE_REPO
+
+	if grep -Fxq "time_synchronisation_tlsdate" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y remove tlsdate ntpdate
+	apt-get -y install build-essential autoconf libevent-dev
+
+	cd $INSTALL_DIR
+	function_check git_clone
+	git_clone $TLSDATE_REPO $INSTALL_DIR/tlsdate
+	cd $INSTALL_DIR/tlsdate
+	git checkout $TLSDATE_COMMIT -b $TLSDATE_COMMIT
+	./autogen.sh
+	./configure
+	if [ ! "$?" = "0" ]; then
+		echo $'Unable to configure tlsdate'
+		exit 6825277
+	fi
+	make
+	if [ ! "$?" = "0" ]; then
+		echo $'Unable to build tlsdate'
+		exit 3792726
+	fi
+	make install
+
+	function_check cron_add_mins
+	cron_add_mins 15 '/usr/bin/updatedate'
+
+	echo 'time_synchronisation_tlsdate' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-upgrade

@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Upgrading functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# name of a script used to upgrade the system
+UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade"
+
+function create_upgrade_script {
+	if [ -f /usr/local/bin/${PROJECT_NAME}-upgrade ]; then
+		cp /usr/local/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
+	else
+		cp /usr/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
+	fi
+
+	if grep -Fxq "create_upgrade_script" $COMPLETION_FILE; then
+		return
+	fi
+
+	apt-get -y install unattended-upgrades
+
+	echo 'create_upgrade_script' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-watchdog

@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Watchdog functions to keep systems running even if they crash
+# systemd itself may be able to handle this to a large extent
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# name of a script which keeps running processes going even if they crash
+WATCHDOG_SCRIPT_NAME="keepon"
+
+function install_watchdog_script {
+	if grep -Fxq "install_watchdog_script" $COMPLETION_FILE; then
+		return
+	fi
+	echo '#!/bin/bash' > /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'LOGFILE=/var/log/keepon.log' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'CURRENT_DATE=$(date)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+	# application specific stuff is added later
+	chmod +x /usr/bin/$WATCHDOG_SCRIPT_NAME
+
+	function_check cron_add_mins
+	cron_add_mins 1 '/usr/bin/$WATCHDOG_SCRIPT_NAME'
+
+	echo 'install_watchdog_script' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-web

@@ -0,0 +1,551 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Web related functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# default search engine for command line browser
+DEFAULT_SEARCH='https://searx.laquadrature.net'
+
+# This isn't used here, but is included for mirrors creation purposes
+LETSENCRYPT_REPO="https://github.com/letsencrypt/letsencrypt"
+
+# Whether Let's Encrypt is enabled for all sites
+LETSENCRYPT_ENABLED="no"
+LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
+
+# list of encryption protocols
+SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
+
+# list of ciphers to use.  See bettercrypto.org recommendations
+SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
+
+NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
+NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
+
+# memory limit for php in MB
+MAX_PHP_MEMORY=64
+
+# logging level for Nginx
+WEBSERVER_LOG_LEVEL='warn'
+
+# test a domain name to see if it's valid
+function validate_domain_name {
+	# count the number of dots in the domain name
+	dots=${TEST_DOMAIN_NAME//[^.]}
+	no_of_dots=${#dots}
+	if (( $no_of_dots > 3 )); then
+		TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"
+	fi
+	if (( $no_of_dots == 0 )); then
+		TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"
+	fi
+}
+
+function nginx_disable_sniffing {
+	domain_name=$1
+	filename=/etc/nginx/sites-available/$domain_name
+	echo '    add_header X-Frame-Options DENY;' >> $filename
+	echo '    add_header X-Content-Type-Options nosniff;' >> $filename
+	echo '' >> $filename
+}
+
+function nginx_limits {
+	domain_name=$1
+	max_body='20m'
+	if [ $2 ]; then
+		max_body=$2
+	fi
+	filename=/etc/nginx/sites-available/$domain_name
+	echo "    client_max_body_size ${max_body};" >> $filename
+	echo '    client_body_buffer_size 128k;' >> $filename
+	echo '' >> $filename
+	echo '    limit_conn conn_limit_per_ip 10;' >> $filename
+	echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename
+	echo '' >> $filename
+}
+
+function nginx_http_redirect {
+	# redirect port 80 to https
+	domain_name=$1
+	filename=/etc/nginx/sites-available/$domain_name
+	echo 'server {' > $filename
+	echo '    listen 80;' >> $filename
+	echo '    listen [::]:80;' >> $filename
+	echo "    server_name ${domain_name};" >> $filename
+	echo "    root /var/www/${domain_name}/htdocs;" >> $filename
+	echo '    access_log off;' >> $filename
+	echo "    error_log /var/log/nginx/${domain_name}_error.log $WEBSERVER_LOG_LEVEL;" >> $filename
+	function_check nginx_limits
+	nginx_limits $domain_name
+	echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> $filename
+	echo '}' >> $filename
+	echo '' >> $filename
+}
+
+function nginx_ssl {
+	# creates the SSL/TLS section for a website
+	domain_name=$1
+	filename=/etc/nginx/sites-available/$domain_name
+	echo '    ssl on;' >> $filename
+	echo "    ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename
+	echo "    ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename
+	echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
+	echo '' >> $filename
+	echo '    ssl_session_timeout 60m;' >> $filename
+	echo '    ssl_prefer_server_ciphers on;' >> $filename
+	echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename
+	echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+}
+
+# check an individual domain name
+function test_domain_name {
+	if [ $1 ]; then
+		TEST_DOMAIN_NAME=$1
+		function_ckeck validate_domain_name
+		validate_domain_name
+		if [[ $TEST_DOMAIN_NAME != $1 ]]; then
+			echo $TEST_DOMAIN_NAME
+			exit 8528
+		fi
+	fi
+}
+
+# Checks whether certificates were generated for the given hostname
+function check_certificates {
+	if [ ! $1 ]; then
+		return
+	fi
+	USE_LETSENCRYPT='no'
+	if [ $2 ]; then
+		USE_LETSENCRYPT=$2
+	fi
+	if [[ $USE_LETSENCRYPT == 'no' ]]; then
+		if [ ! -f /etc/ssl/private/$1.key ]; then
+			echo $"Private certificate for $CHECK_HOSTNAME was not created"
+			exit 63959
+		fi
+		if [ ! -f /etc/ssl/certs/$1.crt ]; then
+			echo $"Public certificate for $CHECK_HOSTNAME was not created"
+			exit 7679
+		fi
+	else
+		if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
+			echo $"Private certificate for $CHECK_HOSTNAME was not created"
+			exit 6282
+		fi
+		if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
+			echo $"Public certificate for $CHECK_HOSTNAME was not created"
+			exit 5328
+		fi
+	fi
+	if [ ! -f /etc/ssl/certs/$1.dhparam ]; then
+		echo $"Diffie–Hellman parameters for $CHECK_HOSTNAME were not created"
+		exit 5989
+	fi
+}
+
+function create_site_certificate {
+	SITE_DOMAIN_NAME="$1"
+
+	# if yes then only "valid" certs are allowed, not self-signed
+	NO_SELF_SIGNED='no'
+	if [ $2 ]; then
+		NO_SELF_SIGNED="$2"
+	fi
+
+	if [[ $ONION_ONLY == "no" ]]; then
+		if [ ! -f /etc/ssl/certs/$SITE_DOMAIN_NAME.dhparam ]; then
+			if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+				${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+				function_check check_certificates
+				check_certificates $SITE_DOMAIN_NAME
+			else
+				${PROJECT_NAME}-addcert -e $SITE_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS
+				if [ ! "$?" = "0" ]; then
+					if [[ $NO_SELF_SIGNED == 'no' ]]; then
+						echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME, so try making a self-signed cert"
+						${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+						function_check check_certificates
+						check_certificates $SITE_DOMAIN_NAME
+					else
+						echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
+						exit 682529
+					fi
+				else
+					function_check check_certificates
+					check_certificates $SITE_DOMAIN_NAME 'yes'
+				fi
+			fi
+		fi
+	fi
+}
+
+# script to automatically renew any Let's Encrypt certificates
+function letsencrypt_renewals {
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+
+	renewals_script=/etc/cron.monthly/letsencrypt
+	renewals_retry_script=/etc/cron.daily/letsencrypt
+	renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'
+	renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
+
+	# the main script tries to renew once per month
+	echo '#!/bin/bash' > $renewals_script
+	echo '' >> $renewals_script
+	echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script
+	echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script
+	echo '' >> $renewals_script
+	echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script
+	echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script
+	echo '        rm ~/letsencrypt_failed' >> $renewals_script
+	echo '    fi' >> $renewals_script
+	echo -n '    ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script
+	echo -n "awk -F ':' '{print " >> $renewals_script
+	echo -n '$2' >> $renewals_script
+	echo "}')" >> $renewals_script
+	echo '    ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script
+	echo '    for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script
+	echo -n '        LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script
+	echo -n "awk -F '/' '{print " >> $renewals_script
+	echo -n '$5' >> $renewals_script
+	echo "}')" >> $renewals_script
+	echo '        if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script
+	echo '            ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script
+	echo '            if [ ! "$?" = "0" ]; then' >> $renewals_script
+	echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script
+	echo '                echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script
+	echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script
+	echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script
+	echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script
+	echo '                rm ~/temp_renewletsencrypt.txt' >> $renewals_script
+	echo '                if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script
+	echo '                    touch ~/letsencrypt_failed' >> $renewals_script
+	echo '                fi' >> $renewals_script
+	echo '            fi' >> $renewals_script
+	echo '        fi' >> $renewals_script
+	echo '    done' >> $renewals_script
+	echo 'fi' >> $renewals_script
+	chmod +x $renewals_script
+
+	# a secondary script keeps trying to renew after a failure
+	echo '#!/bin/bash' > $renewals_retry_script
+	echo '' >> $renewals_retry_script
+	echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script
+	echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script
+	echo '' >> $renewals_retry_script
+	echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script
+	echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
+	echo '        rm ~/letsencrypt_failed' >> $renewals_retry_script
+	echo -n '        ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script
+	echo -n "awk -F ':' '{print " >> $renewals_retry_script
+	echo -n '$2' >> $renewals_retry_script
+	echo "}')" >> $renewals_retry_script
+	echo '        ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script
+	echo '        for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script
+	echo -n '            LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script
+	echo -n "awk -F '/' '{print " >> $renewals_retry_script
+	echo -n '$5' >> $renewals_retry_script
+	echo "}')" >> $renewals_retry_script
+	echo '            if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script
+	echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script
+	echo '                if [ ! "$?" = "0" ]; then' >> $renewals_retry_script
+	echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script
+	echo '                    echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
+	echo '                    ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
+	echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script
+	echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script
+	echo '                    rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
+	echo '                    if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
+	echo '                        touch ~/letsencrypt_failed' >> $renewals_retry_script
+	echo '                    fi' >> $renewals_retry_script
+	echo '                fi' >> $renewals_retry_script
+	echo '            fi' >> $renewals_retry_script
+	echo '        done' >> $renewals_retry_script
+	echo '    fi' >> $renewals_retry_script
+	echo 'fi' >> $renewals_retry_script
+	chmod +x $renewals_retry_script
+}
+
+function configure_php {
+	sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
+	sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
+	sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini
+	sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini
+	sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini
+}
+
+function install_web_server_access_control {
+	if [ ! -f /etc/pam.d/nginx ]; then
+		echo '#%PAM-1.0' > /etc/pam.d/nginx
+		echo '@include common-auth' >> /etc/pam.d/nginx
+		echo '@include common-account' >> /etc/pam.d/nginx
+		echo '@include common-session' >> /etc/pam.d/nginx
+	fi
+}
+
+function install_dynamicdns {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
+
+	if grep -Fxq "install_dynamicdns" $COMPLETION_FILE; then
+		return
+	fi
+
+	# Here we compile from source because the current package
+	# doesn't support https, which could result in passwords
+	# being leaked
+	# Debian version 1.99.4-1
+	# https version 1.99.8
+
+	apt-get -y install build-essential curl libgnutls28-dev automake1.11
+	if [ ! -d $INSTALL_DIR/inadyn ]; then
+		git_clone $INADYN_REPO $INSTALL_DIR/inadyn
+	fi
+	if [ ! -d $INSTALL_DIR/inadyn ]; then
+		echo 'inadyn repo not cloned'
+		echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs
+		exit 6785
+	fi
+	cd $INSTALL_DIR/inadyn
+	git checkout $INADYN_COMMIT -b $INADYN_COMMIT
+	if ! grep -q "inadyn commit" $COMPLETION_FILE; then
+		echo "inadyn commit:$INADYN_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/inadyn commit.*/inadyn commit:$INADYN_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	./configure
+	if [ ! "$?" = "0" ]; then
+		exit 74890
+	fi
+	USE_OPENSSL=1 make
+	if [ ! "$?" = "0" ]; then
+		exit 74858
+	fi
+	make install
+	if [ ! "$?" = "0" ]; then
+		exit 3785
+	fi
+
+	# create an unprivileged user
+	#useradd -r -s /bin/false debian-inadyn
+
+	# create a configuration file
+	echo 'background' > /etc/inadyn.conf
+	echo 'verbose        1' >> /etc/inadyn.conf
+	echo 'period         300' >> /etc/inadyn.conf
+	echo 'startup-delay  60' >> /etc/inadyn.conf
+	echo 'cache-dir      /run/inadyn' >> /etc/inadyn.conf
+	echo 'logfile        /dev/null' >> /etc/inadyn.conf
+	chmod 600 /etc/inadyn.conf
+
+	echo '[Unit]' > /etc/systemd/system/inadyn.service
+	echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service
+	echo 'After=network.target' >> /etc/systemd/system/inadyn.service
+	echo '' >> /etc/systemd/system/inadyn.service
+	echo '[Service]' >> /etc/systemd/system/inadyn.service
+	echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service
+	echo 'Restart=always' >> /etc/systemd/system/inadyn.service
+	echo 'Type=forking' >> /etc/systemd/system/inadyn.service
+	echo '' >> /etc/systemd/system/inadyn.service
+	echo '[Install]' >> /etc/systemd/system/inadyn.service
+	echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service
+	systemctl enable inadyn
+	systemctl start inadyn
+	systemctl daemon-reload
+
+	echo 'install_dynamicdns' >> $COMPLETION_FILE
+}
+
+function install_web_server {
+	if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
+		return
+	fi
+
+	# update to the next commit
+	function_check set_repo_commit
+	set_repo_commit $INSTALL_DIR/nginx_ensite "Nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO
+
+	if grep -Fxq "install_web_server" $COMPLETION_FILE; then
+		return
+	fi
+	# remove apache
+	apt-get -y remove --purge apache2
+	if [ -d /etc/apache2 ]; then
+		rm -rf /etc/apache2
+	fi
+	# install nginx
+	apt-get -y install nginx php5-fpm git
+
+	# limit the number of php processes
+	sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf
+	#sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf
+
+	if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then
+		echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf
+		echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf
+		echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf
+		echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf
+		echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf
+	fi
+
+	if [ ! -d /etc/nginx ]; then
+		echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"
+		exit 51
+	fi
+
+	# Nginx settings
+	echo 'user www-data;' > /etc/nginx/nginx.conf
+	#echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf
+	echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo 'events {' >> /etc/nginx/nginx.conf
+	echo '        worker_connections 50;' >> /etc/nginx/nginx.conf
+	echo '        # multi_accept on;' >> /etc/nginx/nginx.conf
+	echo '}' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo 'http {' >> /etc/nginx/nginx.conf
+	echo '        # limit the number of connections per single IP' >> /etc/nginx/nginx.conf
+	echo '        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # limit the number of requests for a given session' >> /etc/nginx/nginx.conf
+	echo '        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf
+	echo '        client_body_buffer_size  128k;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf
+	echo '        client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf
+	echo '        large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf
+	echo '        client_body_timeout   3m;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf
+	echo '        client_header_timeout 3m;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        ##' >> /etc/nginx/nginx.conf
+	echo '        # Basic Settings' >> /etc/nginx/nginx.conf
+	echo '        ##' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        sendfile on;' >> /etc/nginx/nginx.conf
+	echo '        tcp_nopush on;' >> /etc/nginx/nginx.conf
+	echo '        tcp_nodelay on;' >> /etc/nginx/nginx.conf
+	echo '        keepalive_timeout 65;' >> /etc/nginx/nginx.conf
+	echo '        types_hash_max_size 2048;' >> /etc/nginx/nginx.conf
+	echo '        server_tokens off;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf
+	echo '        # server_name_in_redirect off;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf
+	echo '        default_type application/octet-stream;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        ##' >> /etc/nginx/nginx.conf
+	echo '        # Logging Settings' >> /etc/nginx/nginx.conf
+	echo '        ##' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        access_log /var/log/nginx/access.log;' >> /etc/nginx/nginx.conf
+	echo '        error_log /var/log/nginx/error.log;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        ###' >> /etc/nginx/nginx.conf
+	echo '        # Gzip Settings' >> /etc/nginx/nginx.conf
+	echo '        ##' >> /etc/nginx/nginx.conf
+	echo '        gzip on;' >> /etc/nginx/nginx.conf
+	echo '        gzip_disable "msie6";' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        # gzip_vary on;' >> /etc/nginx/nginx.conf
+	echo '        # gzip_proxied any;' >> /etc/nginx/nginx.conf
+	echo '        # gzip_comp_level 6;' >> /etc/nginx/nginx.conf
+	echo '        # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf
+	echo '        # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf
+	echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        ##' >> /etc/nginx/nginx.conf
+	echo '        # Virtual Host Configs' >> /etc/nginx/nginx.conf
+	echo '        ##' >> /etc/nginx/nginx.conf
+	echo '' >> /etc/nginx/nginx.conf
+	echo '        include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf
+	echo '        include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf
+	echo '}' >> /etc/nginx/nginx.conf
+
+	# install a script to easily enable and disable nginx virtual hosts
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir $INSTALL_DIR
+	fi
+	cd $INSTALL_DIR
+	function_check git_clone
+	git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite
+	cd $INSTALL_DIR/nginx_ensite
+	git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT
+	if ! grep -q "Nginx-ensite commit" $COMPLETION_FILE; then
+		echo "Nginx-ensite commit:$NGINX_ENSITE_COMMIT" >> $COMPLETION_FILE
+	else
+		sed -i "s/Nginx-ensite commit.*/Nginx-ensite commit:$NGINX_ENSITE_COMMIT/g" $COMPLETION_FILE
+	fi
+
+	make install
+	nginx_dissite default
+
+	function_check configure_firewall_for_web_access
+	configure_firewall_for_web_access
+
+	echo 'install_web_server' >> $COMPLETION_FILE
+}
+
+function install_command_line_browser {
+	if grep -Fxq "install_command_line_browser" $COMPLETION_FILE; then
+		return
+	fi
+	apt-get -y install elinks
+
+	# set the home page
+	if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then
+		if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then
+			echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc
+		else
+			sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc
+		fi
+	fi
+
+	echo 'install_command_line_browser' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-wifi

@@ -0,0 +1,133 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Wifi functions
+
+# License
+# =======
+#
+# Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+WIFI_CHANNEL=2
+WIFI_INTERFACE=wlan0
+WIFI_TYPE='wpa2-psk'
+WIFI_SSID=
+WIFI_PASSPHRASE=
+WIFI_HOTSPOT='no'
+WIFI_NETWORKS_FILE=~/${PROJECT_NAME}-wifi.cfg
+
+# repo for atheros AR9271 wifi driver
+ATHEROS_WIFI_REPO="https://github.com/qca/open-ath9k-htc-firmware.git"
+
+function setup_wifi {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+		return
+	fi
+	if [ ! $WIFI_SSID ]; then
+		return
+	fi
+	if [ ${#WIFI_SSID} -lt 2 ]; then
+		return
+	fi
+	if grep -Fxq "setup_wifi" $COMPLETION_FILE; then
+		return
+	fi
+
+	HOTSPOT='no'
+	if [[ $WIFI_HOTSPOT != 'no' ]]; then
+		HOTSPOT='yes'
+	fi
+
+	if [ -f $WIFI_NETWORKS_FILE ]; then
+		${PROJECT_NAME}-wifi -i $WIFI_INTERFACE --networks $WIFI_NETWORKS_FILE
+		echo 'setup_wifi' >> $COMPLETION_FILE
+		return
+	fi
+
+	if [[ $WIFI_TYPE != 'none' ]]; then
+		if [ ! $WIFI_PASSPHRASE ]; then
+			echo $'No wifi passphrase was given'
+			return
+		fi
+		if [ ${#WIFI_PASSPHRASE} -lt 2 ]; then
+			echo $'Wifi passphrase was too short'
+			return
+		fi
+		${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE -p $WIFI_PASSPHRASE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE
+	else
+		${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE
+	fi
+	echo 'setup_wifi' >> $COMPLETION_FILE
+}
+
+# ath9k_htc driver
+function install_atheros_wifi {
+	if grep -Fxq "install_atheros_wifi" $COMPLETION_FILE; then
+		return
+	fi
+	if [ $INSTALLING_ON_BBB != "yes" ]; then
+		return
+	fi
+	if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then
+		return
+	fi
+	if [ -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then
+		return
+	fi
+	# have drivers already been installed ?
+	if [ -f /lib/firmware/htc_9271.fw ]; then
+		return
+	fi
+	apt-get -y install build-essential cmake git m4 texinfo
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir -p $INSTALL_DIR
+	fi
+	cd $INSTALL_DIR
+	if [ ! -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then
+		function_check git_clone
+		git_clone $ATHEROS_WIFI_REPO $INSTALL_DIR/open-ath9k-htc-firmware
+		if [ ! "$?" = "0" ]; then
+			rm -rf $INSTALL_DIR/open-ath9k-htc-firmware
+			exit 74283
+		fi
+	fi
+	cd $INSTALL_DIR/open-ath9k-htc-firmware
+	git checkout 1.4.0
+	make toolchain
+	if [ ! "$?" = "0" ]; then
+		rm -rf $INSTALL_DIR/open-ath9k-htc-firmware
+		exit 24820
+	fi
+	make firmware
+	if [ ! "$?" = "0" ]; then
+		rm -rf $INSTALL_DIR/open-ath9k-htc-firmware
+		exit 63412
+	fi
+	cp target_firmware/*.fw /lib/firmware/
+	if [ ! "$?" = "0" ]; then
+		exit 74681
+	fi
+	echo 'install_atheros_wifi' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0

src/freedombone-utils-zram

@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# zram functions
+#
+# License
+# =======
+#
+# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function enable_zram {
+	if grep -Fxq "enable_zram" $COMPLETION_FILE; then
+		return
+	fi
+
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then
+		${PROJECT_NAME}-zram off
+		return
+	fi
+
+	${PROJECT_NAME}-zram on
+
+	echo 'enable_zram' >> $COMPLETION_FILE
+}
+
+# NOTE: deliberately no exit 0