Onion site for owncloud

src/freedombone

@@ -202,6 +202,7 @@ GOGS_COMMIT='efea642d6cf419c9587d44b95ff2bc04e89f7bfe'
 # Domain name for Owncloud installation
 OWNCLOUD_DOMAIN_NAME=
 OWNCLOUD_CODE=
+OWNCLOUD_ONION_PORT=8088
 OWNCLOUD_ADMIN_PASSWORD=
 OWNCLOUD_MUSIC_APP_REPO="https://github.com/owncloud/music"
 OWNCLOUD_MUSIC_APP_COMMIT='7f79afb4ae9a6ecd8f530d87106f960306c0a15a'
@@ -5783,6 +5784,79 @@ quit" > $INSTALL_DIR/batch.sql
   echo '        access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
   echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo "    listen 127.0.0.1:${OWNCLOUD_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo "    root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo "    server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo "    error_log /var/log/nginx/${OWNCLOUD_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    # add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    client_max_body_size 10G; # set max upload size' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    location = /robots.txt {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        log_not_found off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        deny all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    location / {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        # The following 2 rules are only needed with webfinger' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        try_files $uri $uri/ index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    location ~ ^(.+?\.php)(/.*)?$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        try_files $1 =404;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        fastcgi_param SCRIPT_FILENAME $document_root$1;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        fastcgi_param PATH_INFO $2;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        fastcgi_param HTTPS on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    # Optional: set long EXPIRES header on static assets' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        expires 30d;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo "        # Optional: Don't log access to assets" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '        access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+  echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
 
   configure_php
 
@@ -5826,8 +5900,34 @@ quit" > $INSTALL_DIR/batch.sql
   echo 'fi' >> /usr/bin/backupdatabases
 
   nginx_ensite $OWNCLOUD_DOMAIN_NAME
+
+  if [ ! -d /var/lib/tor ]; then
+      echo $'No Tor installation found. Owncloud onion site cannot be configured.'
+      exit 877367
+  fi
+  if ! grep -q "hidden_service_owncloud" /etc/tor/torrc; then
+      echo 'HiddenServiceDir /var/lib/tor/hidden_service_owncloud/' >> /etc/tor/torrc
+      echo "HiddenServicePort 80 127.0.0.1:${OWNCLOUD_ONION_PORT}" >> /etc/tor/torrc
+      echo $'Added onion site for Owncloud'
+  fi
+
   service php5-fpm restart
   service nginx restart
+  systemctl restart tor
+
+  if [ ! -f /var/lib/tor/hidden_service_owncloud/hostname ]; then
+      echo $'Owncloud onion site hostname not found'
+      exit 76362
+  fi
+  OWNCLOUD_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_owncloud/hostname)
+
+  if ! grep -q "Owncloud onion domain" /home/$MY_USERNAME/README; then
+      echo "Owncloud onion domain: ${OWNCLOUD_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README
+      echo '' >> /home/$MY_USERNAME/README
+      chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+      chmod 600 /home/$MY_USERNAME/README
+  fi
+  echo "Owncloud onion domain:${OWNCLOUD_ONION_HOSTNAME}" >> $COMPLETION_FILE
 
   # update the dynamic DNS
   CURRENT_DDNS_DOMAIN=$OWNCLOUD_DOMAIN_NAME
@@ -7558,8 +7658,8 @@ quit" > $INSTALL_DIR/batch.sql
       echo $'Added onion site for GNU Social'
   fi
 
-  service php5-fpm restart
-  service nginx restart
+  systemctl restart php5-fpm
+  systemctl restart nginx
   systemctl restart tor
 
   if [ ! -f /var/lib/tor/hidden_service_microblog/hostname ]; then