Merge branch 'stretch' of https://github.com/bashrc/freedombone

image_build/mod_omemo_all_access.lua

@@ -1,55 +0,0 @@
---
---
-
-local jid_bare = require "util.jid".bare;
-local st = require "util.stanza"
-local white_listed_namespace = "eu.siacs.conversations.axolotl."
-local disco_feature_namespace = white_listed_namespace .. "whitelisted"
-
-local mod_pep = module:depends"pep";
-local pep_data = mod_pep.module.save().data;
-
-local function on_account_disco_info(event)
-	(event.reply or event.stanza):tag("feature", {var=disco_feature_namespace}):up();
-end
-
-local function on_pep_request(event)
-	local session, stanza = event.origin, event.stanza
-	local payload = stanza.tags[1];
-	if stanza.attr.type == 'get' then
-		local node, requested_id;
-		payload = payload.tags[1]
-		if payload and payload.name == 'items' then
-			node = payload.attr.node
-			local item = payload.tags[1];
-			if item and item.name == 'item' then
-				requested_id = item.attr.id;
-			end 
-		end
-		if node and string.sub(node,1,string.len(white_listed_namespace)) == white_listed_namespace then
-			local user = stanza.attr.to and jid_bare(stanza.attr.to) or session.username..'@'..session.host;
-			local user_data = pep_data[user];
-			if user_data and user_data[node] then
-				local id, item = unpack(user_data[node]);
-				if not requested_id or id == requested_id then
-					local stanza = st.reply(stanza)
-						:tag('pubsub', {xmlns='http://jabber.org/protocol/pubsub'})
-							:tag('items', {node=node})
-								:add_child(item)
-							:up()
-						:up();
-					session.send(stanza);
-					module:log("debug","provided access to omemo node",node)
-					return true;
-				end
-			end
-			module:log("debug","requested node was white listed", node)
-		end
-	end
-end
-
-module:hook("iq/bare/http://jabber.org/protocol/pubsub:pubsub", on_pep_request, 10);
-module:hook("account-disco-info", on_account_disco_info);

src/freedombone-app-fedwiki

@@ -16,7 +16,7 @@
 # License
 # =======
 #
-# Copyright (C) 2017 Bob Mottram <bob@freedombone.net>
+# Copyright (C) 2017-2018 Bob Mottram <bob@freedombone.net>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -31,7 +31,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-VARIANTS=""
+VARIANTS='full full-vim writer'
 
 IN_DEFAULT_INSTALL=0
 SHOW_ON_ABOUT=1
@@ -141,7 +141,11 @@ function change_password_fedwiki {
         echo $'Fedwiki password is too short'
         return
     fi
-    #${PROJECT_NAME}-pass -u $FEDWIKI_USERNAME -a fedwiki -p "$FEDWIKI_PASSWORD"
+    ${PROJECT_NAME}-pass -u $FEDWIKI_USERNAME -a fedwiki -p "$FEDWIKI_PASSWORD"
+    sed -i "s|--cookieSecret .*|--cookieSecret '${FEDWIKI_PASSWORD}'|g" /etc/systemd/system/fedwiki.service
+    systemctl daemon-reload
+    systemctl restart fedwiki
+    write_config_param "FEDWIKI_COOKIE" "$FEDWIKI_PASSWORD"
 }
 
 function reconfigure_fedwiki {
@@ -422,7 +426,7 @@ function install_fedwiki {
     FEDWIKI_ONION_HOSTNAME=$(add_onion_service fedwiki 80 ${FEDWIKI_ONION_PORT})
 
     if [ ! $FEDWIKI_COOKIE ]; then
-        FEDWIKI_COOKIE="$(create_password 30)$(create_password 30)$(create_password 30)"
+        FEDWIKI_COOKIE="$(create_password 30)"
     fi
 
     echo '[Unit]' > /etc/systemd/system/fedwiki.service
@@ -434,7 +438,7 @@ function install_fedwiki {
     echo 'User=fedwiki' >> /etc/systemd/system/fedwiki.service
     echo 'Group=fedwiki' >> /etc/systemd/system/fedwiki.service
     echo "WorkingDirectory=/usr/local/lib/node_modules/wiki" >> /etc/systemd/system/fedwiki.service
-    echo "ExecStart=/usr/local/bin/wiki --security_type friends --cookieSecret '${FEDWIKI_COOKIE}' --session_duration 7 --data $FEDWIKI_DATA -p $FEDWIKI_PORT" >> /etc/systemd/system/fedwiki.service
+    echo "ExecStart=/usr/local/bin/wiki --security_type friends --session_duration 7 --data $FEDWIKI_DATA -p $FEDWIKI_PORT --cookieSecret '${FEDWIKI_COOKIE}'" >> /etc/systemd/system/fedwiki.service
     echo 'StandardOutput=syslog' >> /etc/systemd/system/fedwiki.service
     echo 'StandardError=syslog' >> /etc/systemd/system/fedwiki.service
     echo 'SyslogIdentifier=fedwiki' >> /etc/systemd/system/fedwiki.service
@@ -444,13 +448,22 @@ function install_fedwiki {
     echo '[Install]' >> /etc/systemd/system/fedwiki.service
     echo 'WantedBy=multi-user.target' >> /etc/systemd/system/fedwiki.service
 
+    if [ ! -d ${FEDWIKI_DATA}/status ]; then
+        mkdir -p ${FEDWIKI_DATA}/status
+    fi
+    fedwiki_auth_file=${FEDWIKI_DATA}/status/owner.json
+    echo '{' > $fedwiki_auth_file
+    echo "  \"name\": \"${MY_USERNAME}\"," >> $fedwiki_auth_file
+    echo '  \"friend\": {' >> $fedwiki_auth_file
+    echo "    \"secret\": \"${FEDWIKI_COOKIE}\"" >> $fedwiki_auth_file
+    echo '  }' >> $fedwiki_auth_file
+    echo '}' >> $fedwiki_auth_file
+
     chown -R fedwiki:fedwiki $FEDWIKI_DATA
 
     fedwiki_setup_web
 
-    ${PROJECT_NAME}-pass -u $MY_USERNAME -a fedwiki -p "$FEDWIKI_ADMIN_PASSWORD"
-
-    fedwiki_auth_file=/var/lib/fedwiki/status/owner.json
+    ${PROJECT_NAME}-pass -u $MY_USERNAME -a fedwiki -p "$FEDWIKI_COOKIE"
 
     function_check add_ddns_domain
     add_ddns_domain $FEDWIKI_DOMAIN_NAME

src/freedombone-app-pihole

@@ -47,7 +47,7 @@ PIHOLE_BLACKLIST=$piholeDir/blacklist.txt
 PIHOLE_WHITELIST=$piholeDir/whitelist.txt
 
 PIHOLE_REPO="https://github.com/pi-hole/pi-hole"
-PIHOLE_COMMIT='2ceeac41fe8e493f9040b54a7c82f1183ecf5566'
+PIHOLE_COMMIT='e602008459128c233899b1e9d70cca0f38f41670'
 
 pihole_variables=(ONION_ONLY
                   PIHOLE_IFACE

src/freedombone-app-xmpp

@@ -47,8 +47,8 @@ prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
 prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
 
 # From https://hg.prosody.im/prosody-modules
-prosody_modules_filename='prosody-modules-20170514.tar.gz'
-prosody_modules_hash='ef404c203317cc0de6da7aaec4f21765a57f630adfbf082cf2dd92b881c15f86'
+prosody_modules_filename='prosody-modules-20180104.tar.gz'
+prosody_modules_hash='7c81b4ed8a90130b4db5902dc1f299ad1c4dab57a0970552b71cb2042a490bc1'
 
 xmpp_variables=(ONION_ONLY
                 INSTALLED_WITHIN_DOCKER
@@ -326,46 +326,6 @@ function update_prosody_modules {
         return
     fi
 
-    # This module is a workaround for OMEMO within group chat
-    # See https://github.com/iNPUTmice/omemo_all_access
-    if [ -f ~/freedombone/image_build/mod_omemo_all_access.lua ]; then
-        if [ ! -d /var/lib/prosody/prosody-modules ]; then
-            mkdir -p /var/lib/prosody/prosody-modules
-        fi
-
-        copy_omemo_all_access=1
-        if [ -f /usr/lib/prosody/modules/mod_omemo_all_access.lua ]; then
-            curr_hash=$(sha256sum /usr/lib/prosody/modules/mod_omemo_all_access.lua)
-            new_hash=$(sha256sum ~/freedombone/image_build/mod_omemo_all_access.lua)
-            if [[ "$curr_hash" == "$new_hash" ]]; then
-                copy_omemo_all_access=
-            fi
-        fi
-
-        if [ $copy_omemo_all_access ]; then
-            systemctl stop prosody
-            cp ~/freedombone/image_build/mod_omemo_all_access.lua /var/lib/prosody/prosody-modules/mod_omemo_all_access.lua
-            cp ~/freedombone/image_build/mod_omemo_all_access.lua /usr/lib/prosody/modules/mod_omemo_all_access.lua
-
-            chmod +x /var/lib/prosody/prosody-modules/mod_omemo_all_access.lua
-            chmod +x /usr/lib/prosody/modules/mod_omemo_all_access.lua
-
-            if ! grep -q "omemo_all_access" /etc/prosody/prosody.cfg.lua; then
-                sed -i '/"pep";/a "omemo_all_access"; -- Fix for PEP with OMEMO' /etc/prosody/prosody.cfg.lua
-                sed -i 's|"omemo_all_access";|  "omemo_all_access";|g' /etc/prosody/prosody.cfg.lua
-            fi
-
-            if ! grep -q "omemo_all_access" /etc/prosody/conf.avail/xmpp.cfg.lua; then
-                sed -i '/"pep";/a "omemo_all_access"; -- Fix for PEP with OMEMO' /etc/prosody/conf.avail/xmpp.cfg.lua
-                sed -i 's|"omemo_all_access";|  "omemo_all_access";|g' /etc/prosody/conf.avail/xmpp.cfg.lua
-            fi
-
-            chown -R prosody:prosody /var/lib/prosody/prosody-modules
-            chown -R prosody:prosody /usr/lib/prosody/modules
-            systemctl start prosody
-        fi
-    fi
-
     if [ ! -f $INSTALL_DIR/$prosody_modules_filename ]; then
         # Obtain the modules
         if [ -f ~/freedombone/image_build/$prosody_modules_filename ]; then
@@ -413,6 +373,15 @@ function update_prosody_modules {
         sed -i '/"pep"/a "vcard";' /etc/prosody/prosody.cfg.lua
         systemctl start prosody
     fi
+    if ! grep -q "omemo_all_access" /etc/prosody/prosody.cfg.lua; then
+        sed -i '/"pep";/a "omemo_all_access"; -- Fix for PEP with OMEMO' /etc/prosody/prosody.cfg.lua
+        sed -i 's|"omemo_all_access";|  "omemo_all_access";|g' /etc/prosody/prosody.cfg.lua
+    fi
+
+    if ! grep -q "omemo_all_access" /etc/prosody/conf.avail/xmpp.cfg.lua; then
+        sed -i '/"pep";/a "omemo_all_access"; -- Fix for PEP with OMEMO' /etc/prosody/conf.avail/xmpp.cfg.lua
+        sed -i 's|"omemo_all_access";|  "omemo_all_access";|g' /etc/prosody/conf.avail/xmpp.cfg.lua
+    fi
 }
 
 function prosody_daemon_restart_script {

src/freedombone-upgrade

@@ -96,7 +96,7 @@ if [ -d $PROJECT_DIR ]; then
         apt-get -yq -t stretch-backports install certbot
         email_install_tls
         email_disable_chunking
-        defrag_filesystem
+        #defrag_filesystem
     fi
 fi
 

src/freedombone-utils-web

@@ -861,12 +861,27 @@ function update_default_domain {
             fi
         fi
 
-        if [ -d /etc/dovecot ]; then
-            if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then
-                if ! grep -q "ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/dovecot/conf.d/10-ssl.conf; then
-                    sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf
-                    sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf
-                    systemctl restart dovecot
+        if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then
+            if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+                if [ -d /etc/dovecot ]; then
+                    if ! grep -q "ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/dovecot/conf.d/10-ssl.conf; then
+                        sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf
+                        sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/dovecot/conf.d/10-ssl.conf
+                        systemctl restart dovecot
+                    fi
+                fi
+
+                if [ -d /etc/exim4 ]; then
+                    cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem /etc/exim4/
+                    chown root:Debian-exim /etc/exim4/*.pem
+                    chmod 640 /etc/exim4/*.pem
+
+                    sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
+                    sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/exim4.conf.template
+                    sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
+                    sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/exim4.conf.template
+
+                    systemctl restart exim4
                 fi
             fi
         fi
@@ -1026,14 +1041,22 @@ function email_install_tls {
         email_config_changed=1
     fi
     if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
-        if ! grep -q "MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file; then
-            sed -i "/.ifdef MAIN_TLS_CERTKEY/i\MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file
+        cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem /etc/exim4/
+        chown root:Debian-exim /etc/exim4/*.pem
+        chmod 640 /etc/exim4/*.pem
+
+        if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then
+            sed -i "/.ifdef MAIN_TLS_CERTKEY/i\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file
             email_config_changed=1
         fi
     fi
     if [ -f /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key ]; then
-        if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file; then
-            sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file
+        cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem /etc/exim4/
+        chown root:Debian-exim /etc/exim4/*.pem
+        chmod 640 /etc/exim4/*.pem
+
+        if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then
+            sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file
             email_config_changed=1
         fi
     fi