Merge branch 'stretch' of https://github.com/bashrc/freedombone

src/freedombone-app-gogs

@@ -655,11 +655,11 @@ function install_gogs {
         echo $'No Tor installation found. Gogs onion site cannot be configured.'
         exit 877367
     fi
-    if ! grep -q "hidden_service_gogs" $ONION_SERVICES_FILE; then
+    if ! grep -q "hidden_service_gogs" "$ONION_SERVICES_FILE"; then
         { echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/';
           echo 'HiddenServiceVersion 3';
           echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}";
-          echo "HiddenServicePort 9418 127.0.0.1:9418"; } >> $ONION_SERVICES_FILE
+          echo "HiddenServicePort 9418 127.0.0.1:9418"; } >> "$ONION_SERVICES_FILE"
         echo $'Added onion site for Gogs'
     fi
 

src/freedombone-app-keyserver

@@ -656,12 +656,12 @@ function install_keyserver {
 
     chown debian-sks: $sksconf_file
 
-    if ! grep -q "hidden_service_sks" $ONION_SERVICES_FILE; then
+    if ! grep -q "hidden_service_sks" "$ONION_SERVICES_FILE"; then
         { echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/';
           echo 'HiddenServiceVersion 3';
           echo "HiddenServicePort 11370 127.0.0.1:11370";
           echo "HiddenServicePort 11373 127.0.0.1:11371";
-          echo "HiddenServicePort 11372 127.0.0.1:11372"; } >> $ONION_SERVICES_FILE
+          echo "HiddenServicePort 11372 127.0.0.1:11372"; } >> "$ONION_SERVICES_FILE"
         echo $'Added onion site for sks'
     fi
 

src/freedombone-app-matrix

@@ -702,7 +702,7 @@ function install_home_server {
 
     #MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT})
     add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT}
-    echo "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" >> $ONION_SERVICES_FILE
+    echo "HiddenServicePort ${MATRIX_HTTP_PORT} 127.0.0.1:${MATRIX_FEDERATION_ONION_PORT}" >> "$ONION_SERVICES_FILE"
     systemctl restart tor
 
     if [ ! "${MATRIX_PASSWORD}" ]; then

src/freedombone-app-pleroma

@@ -36,7 +36,7 @@ PLEROMA_CODE=
 PLEROMA_PORT=4000
 PLEROMA_ONION_PORT=8011
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
-PLEROMA_COMMIT='fc6f5bcad3ad94eefbfcb24ca361e818ed0319d6'
+PLEROMA_COMMIT='5b6d6d7f2d9363c494642bfda4d6e4d12daa53c7'
 PLEROMA_ADMIN_PASSWORD=
 PLEROMA_DIR=/etc/pleroma
 PLEROMA_SECRET_KEY=""
@@ -62,6 +62,24 @@ pleroma_variables=(ONION_ONLY
                    MY_EMAIL_ADDRESS
                    MY_USERNAME)
 
+function pleroma_add_filtering {
+    if grep -q "# begin filtering" $pleroma_secret; then
+        return
+    fi
+    sed -i '/pbkdf2_rounds/a reject: []' $pleroma_secret
+    sed -i '/pbkdf2_rounds/a federated_timeline_removal: [],' $pleroma_secret
+    sed -i '/pbkdf2_rounds/a media_nsfw: [],' $pleroma_secret
+    sed -i '/pbkdf2_rounds/a media_removal: [],' $pleroma_secret
+    sed -i '/pbkdf2_rounds/a config :pleroma, :mrf_simple,' $pleroma_secret
+    sed -i '/pbkdf2_rounds/a # begin filtering' $pleroma_secret
+
+    sed -i 's|reject: |  reject: |g' $pleroma_secret
+    sed -i 's|federated_timeline_removal: |  federated_timeline_removal: |g' $pleroma_secret
+    sed -i 's|media_nsfw: |  media_nsfw: |g' $pleroma_secret
+    sed -i 's|media_removal: |  media_removal: |g' $pleroma_secret
+    create_pleroma_blocklist
+}
+
 function pleroma_enable_chat {
     if [[ "$1" == 't'* || "$1" == 'y'* || "$1" == 'T'* || "$1" == 'Y'* ]]; then
         sed -i 's|"chatDisabled":.*|"chatDisabled": false,|g' $PLEROMA_DIR/priv/static/static/config.json
@@ -91,6 +109,7 @@ function create_pleroma_blocklist {
       echo 'users_query="DELETE FROM users WHERE"';
       echo 'websub_server_subscriptions_query="DELETE FROM websub_server_subscriptions WHERE"';
       echo 'websub_server_subscriptions_updated=';
+      echo 'filter_str=';
       echo 'while read blocked; do';
       echo "    if [[ \"\$blocked\" == *\".\"* || \"\$blocked\" == *\"@\"* ]]; then";
       echo "        if [ \${#blocked} -gt 4 ]; then";
@@ -102,6 +121,13 @@ function create_pleroma_blocklist {
       echo "            users_query=\"\${users_query} nickname ilike '%\${blocked}%'\"";
       echo '            objects_updated=1';
       echo "            if [[ \"\$blocked\" != *\"@\"* ]]; then";
+      echo '                # Create a filter string for the pleroma configuration';
+      echo "                if [ \"\$filter_str\" ]; then";
+      echo "                    filter_str=\"\${filter_str}, \\\"\$blocked\\\"\"";
+      echo '                else';
+      echo "                    filter_str=\"\\\"\${blocked}\\\"\"";
+      echo '                fi';
+      echo '';
       echo "                if ! grep -q \"127.0.0.1  \$blocked\" /etc/hosts; then";
       echo "                    echo \"127.0.0.1  \$blocked\" >> /etc/hosts";
       echo '                fi';
@@ -115,6 +141,19 @@ function create_pleroma_blocklist {
       echo '    fi';
       echo 'done </root/freedombone-firewall-domains.cfg';
       echo '';
+      echo "if [ \"\$filter_str\" ]; then";
+      echo "    if ! grep -q \" \$filter_str \" $pleroma_secret; then";
+      echo "        sed -i \"s| media_removal:.*| media_removal: [ \$filter_str ],|g\" $pleroma_secret";
+      echo "        sed -i \"s| federated_timeline_removal:.*| federated_timeline_removal: [ \$filter_str ],|g\" $pleroma_secret";
+      echo "        sed -i \"s| reject:.*| reject: [ \$filter_str ]|g\" $pleroma_secret";
+      echo "        chown -R pleroma:pleroma $PLEROMA_DIR";
+      echo '        sudo -u pleroma mix clean';
+      echo '        sudo -u pleroma mix deps.compile';
+      echo '        sudo -u pleroma mix compile';
+      echo '        systemctl restart pleroma';
+      echo '    fi';
+      echo 'fi';
+      echo '';
       echo 'cd /etc/postgresql';
       echo "if [ \$objects_updated ]; then";
       echo "    sudo -u postgres psql -d pleroma -c \"\$objects_query\"";
@@ -755,6 +794,8 @@ function upgrade_pleroma {
     read_config_param PLEROMA_DOMAIN_NAME
     read_config_param PLEROMA_EXPIRE_MONTHS
 
+    pleroma_add_filtering
+
     if ! grep -q "/media/" /etc/cron.daily/pleroma-expire; then
         rm $pleroma_expire_posts_script
     fi
@@ -1308,6 +1349,8 @@ function install_pleroma {
     fi
     sed -i 's|"chatDisabled":.*|"chatDisabled": true,|g' $PLEROMA_DIR/priv/static/static/config.json
 
+    pleroma_add_filtering
+
     systemctl daemon-reload
     systemctl enable pleroma
     systemctl start pleroma

src/freedombone-app-scuttlebot

@@ -376,6 +376,7 @@ function install_dat {
 }
 
 function mesh_install_scuttlebot {
+    #shellcheck disable=SC2153
     if [[ "$VARIANT" != "meshclient" && "$VARIANT" != "meshusb" ]]; then
         return
     fi

src/freedombone-app-xmpp

@@ -51,6 +51,7 @@ prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest
 # From https://hg.prosody.im/prosody-modules
 prosody_modules_filename='prosody-modules-20180322.tar.gz'
 prosody_modules_hash='982d0dfcef98e9cb9cee4cc3801b8ce9a503a32e44c32b99df6fe94545b90072'
+xmpp_encryption_warning=$"For security reasons, OMEMO or PGP encryption is required for conversations on this server."
 
 xmpp_variables=(ONION_ONLY
                 INSTALLED_WITHIN_DOCKER
@@ -62,6 +63,37 @@ xmpp_variables=(ONION_ONLY
                 DEFAULT_DOMAIN_NAME
                 XMPP_DOMAIN_CODE)
 
+function xmpp_update_e2e_policy {
+    filename="$1"
+
+    read_config_param DEFAULT_DOMAIN_NAME
+    read_config_param ONION_ONLY
+
+    if ! grep -q "e2e_policy_muc" "$filename"; then
+        echo "e2e_policy_muc = \"none\"" >> "$filename"
+    else
+        sed -i 's|e2e_policy_muc.*|e2e_policy_muc = "none"|g' "$filename"
+    fi
+    if ! grep -q "e2e_policy_chat" "$filename"; then
+        echo "e2e_policy_chat = \"required\"" >> "$filename"
+    else
+        sed -i 's|e2e_policy_chat.*|e2e_policy_chat = "required"|g' "$filename"
+    fi
+    if ! grep -q "e2e_policy_message_required_chat" "$filename"; then
+        echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"" >> "$filename"
+    else
+        sed -i "s|e2e_policy_message_required_chat.*|e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"|g" "$filename"
+    fi
+
+    if [[ "$ONION_ONLY" != 'no' ]]; then
+        XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname)
+        sed -i "s|VirtualHost \".*.onion.*|VirtualHost \"${XMPP_ONION_HOSTNAME}\"|g" "$filename"
+        # TLS is not strictly needed for onion transport security
+        sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' "$filename"
+        sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' "$filename"
+    fi
+}
+
 function logging_on_xmpp {
     if [ -d /etc/prosody ]; then
         if [ ! -d /var/log/prosody ]; then
@@ -425,6 +457,10 @@ function upgrade_xmpp {
             usermod -a -G ssl-cert prosody
         fi
     fi
+
+    xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
+    xmpp_update_e2e_policy /etc/prosody/prosody.cfg.lua
+
     prosody_daemon_restart_script
     function_check update_prosody_modules
     update_prosody_modules
@@ -608,7 +644,7 @@ function remove_xmpp {
 
     function_check remove_onion_service
     remove_onion_service xmpp 5222 5223 5269
-    sed -i '/HiddenServiceVersion 2/d' $ONION_SERVICES_FILE
+    sed -i '/HiddenServiceVersion 2/d' "$ONION_SERVICES_FILE"
 
     apt-mark -q unhold prosody
     apt-get -yq remove --purge prosody
@@ -818,11 +854,16 @@ function xmpp_create_config {
     else
         echo "    dhparam = \"/etc/ssl/certs/xmpp.dhparam\";" >> /etc/prosody/prosody.cfg.lua
     fi
+
     { echo '}';
       echo '';
       echo 'c2s_require_encryption = true';
       echo 's2s_require_encryption = true';
       echo '';
+      echo 'e2e_policy_muc = "none"';
+      echo 'e2e_policy_chat = "required"';
+      echo "e2e_policy_message_required_chat = \"$xmpp_encryption_warning\"";
+      echo '';
       echo 's2s_secure_auth = false';
       echo '';
       echo 'authentication = "internal_hashed"';
@@ -838,6 +879,9 @@ function xmpp_create_config {
       echo ''; } >> /etc/prosody/prosody.cfg.lua
     if [[ "$ONION_ONLY" != 'no' ]]; then
         echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/prosody.cfg.lua
+        # TLS is not needed for onion transport security
+        sed -i 's|s2s_require_encryption =.*|s2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
+        sed -i 's|c2s_require_encryption =.*|c2s_require_encryption = false|g' /etc/prosody/prosody.cfg.lua
     else
         echo "VirtualHost \"${DEFAULT_DOMAIN_NAME}\"" >> /etc/prosody/prosody.cfg.lua
     fi
@@ -1068,6 +1112,14 @@ function install_xmpp {
     else
         sed -i 's|s2s_require_encryption.*|s2s_require_encryption = true|g' /etc/prosody/conf.avail/xmpp.cfg.lua
     fi
+
+    if [[ "$ONION_ONLY" != 'no' ]]; then
+        sed -i 's|c2s_require_encryption.*|c2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
+        sed -i 's|s2s_require_encryption.*|s2s_require_encryption = false|g' /etc/prosody/conf.avail/xmpp.cfg.lua
+    fi
+
+    xmpp_update_e2e_policy /etc/prosody/conf.avail/xmpp.cfg.lua
+
     if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/conf.avail/xmpp.cfg.lua; then
         echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua
     else
@@ -1079,11 +1131,11 @@ function install_xmpp {
         echo $'No Tor installation found. xmpp onion site cannot be configured.'
         exit 877367
     fi
-    if ! grep -q "hidden_service_xmpp" $ONION_SERVICES_FILE; then
+    if ! grep -q "hidden_service_xmpp" "$ONION_SERVICES_FILE"; then
         { echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/';
           echo 'HiddenServiceVersion 2';
           echo "HiddenServicePort 5222 127.0.0.1:5222";
-          echo "HiddenServicePort 5269 127.0.0.1:5269"; } >> $ONION_SERVICES_FILE
+          echo "HiddenServicePort 5269 127.0.0.1:5269"; } >> "$ONION_SERVICES_FILE"
         echo $'Added onion site for xmpp chat'
     fi
 

src/freedombone-utils-onion

@@ -34,7 +34,7 @@ HIDDEN_SERVICE_PATH='/var/lib/tor/hidden_service_'
 ONION_SERVICES_FILE=/etc/torrc.d/${PROJECT_NAME}
 
 function torrc_migrate {
-    if [ -f $ONION_SERVICES_FILE ]; then
+    if [ -f "$ONION_SERVICES_FILE" ]; then
         if grep -q "#%include /etc/torrc.d" /etc/tor/torrc; then
             sed -i 's|#%include /etc/torrc.d|%include /etc/torrc.d|g' /etc/tor/torrc
             systemctl restart tor
@@ -45,9 +45,9 @@ function torrc_migrate {
 
     mkdir /etc/torrc.d
 
-    grep "HiddenServiceDir\\|HiddenServiceVersion\\|HiddenServicePort" /etc/tor/torrc | grep -v "#HiddenServiceDir" >> $ONION_SERVICES_FILE
+    grep "HiddenServiceDir\\|HiddenServiceVersion\\|HiddenServicePort" /etc/tor/torrc | grep -v "#HiddenServiceDir" >> "$ONION_SERVICES_FILE"
 
-    if ! grep "HiddenServiceVersion" $ONION_SERVICES_FILE; then
+    if ! grep "HiddenServiceVersion" "$ONION_SERVICES_FILE"; then
         systemctl restart tor
         return
     fi
@@ -121,17 +121,17 @@ function remove_onion_service {
     nick="$3"
 
     if [ ${#nick} -gt 0 ]; then
-        sed -i "/stealth ${nick}/d" $ONION_SERVICES_FILE
+        sed -i "/stealth ${nick}/d" "$ONION_SERVICES_FILE"
     fi
-    sed -i "/hidden_service_${onion_service_name}/,+1 d" $ONION_SERVICES_FILE
-    sed -i "/hidden_service_${onion_service_name}_mobile/,+1 d" $ONION_SERVICES_FILE
-    sed -i "/127.0.0.1:${onion_service_port_to}/d" $ONION_SERVICES_FILE
+    sed -i "/hidden_service_${onion_service_name}/,+1 d" "$ONION_SERVICES_FILE"
+    sed -i "/hidden_service_${onion_service_name}_mobile/,+1 d" "$ONION_SERVICES_FILE"
+    sed -i "/127.0.0.1:${onion_service_port_to}/d" "$ONION_SERVICES_FILE"
     if [ "$3" ]; then
-        sed -i "/127.0.0.1:${3}/d" $ONION_SERVICES_FILE
+        sed -i "/127.0.0.1:${3}/d" "$ONION_SERVICES_FILE"
         if [ "$4" ]; then
-            sed -i "/127.0.0.1:${4}/d" $ONION_SERVICES_FILE
+            sed -i "/127.0.0.1:${4}/d" "$ONION_SERVICES_FILE"
             if [ "$5" ]; then
-                sed -i "/127.0.0.1:${5}/d" $ONION_SERVICES_FILE
+                sed -i "/127.0.0.1:${5}/d" "$ONION_SERVICES_FILE"
             fi
         fi
     fi
@@ -164,16 +164,16 @@ function add_onion_service {
         USE_V2_ONION_ADDRESS=
         exit 877367
     fi
-    if ! grep -q "hidden_service_${onion_service_name}" $ONION_SERVICES_FILE; then
-        echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}${onion_service_name}/" >> $ONION_SERVICES_FILE
+    if ! grep -q "hidden_service_${onion_service_name}" "$ONION_SERVICES_FILE"; then
+        echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}${onion_service_name}/" >> "$ONION_SERVICES_FILE"
         if [ ! $USE_V2_ONION_ADDRESS ]; then
-            echo 'HiddenServiceVersion 3' >> $ONION_SERVICES_FILE
+            echo 'HiddenServiceVersion 3' >> "$ONION_SERVICES_FILE"
         else
-            echo 'HiddenServiceVersion 2' >> $ONION_SERVICES_FILE
+            echo 'HiddenServiceVersion 2' >> "$ONION_SERVICES_FILE"
         fi
-        echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> $ONION_SERVICES_FILE
+        echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> "$ONION_SERVICES_FILE"
         if [ ${#onion_stealth_name} -gt 0 ]; then
-            echo "HiddenServiceAuthorizeClient stealth ${onion_stealth_name}" >> $ONION_SERVICES_FILE
+            echo "HiddenServiceAuthorizeClient stealth ${onion_stealth_name}" >> "$ONION_SERVICES_FILE"
         fi
     fi