
Merge branch 'stretch' of https://github.com/bashrc/freedombone

Bob Mottram 8 years ago
parent
commit
801aab4f9f

+ 2
- 0
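--- a/doc/EN/app_nextcloud.org
+++ b/doc/EN/app_nextcloud.org
@@ -24,6 +24,8 @@ NextCloud is a system for file synchronisation and also has many other plugins f
 
 The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems.
 
+* Operational considerations
+If your ISP or the government in your area is part of your threat model then NextCloud may not be the best choice for hosting files and [[./app_syncthing.html][Syncthing]] could be preferable. In the past the NextCloud company is known to have remotely scanned servers without permission and reported server admins who don't immediately update to the latest version of the software to their ISPs or to questionable government agencies. Depending upon where you are located such activities by the developer, which are not really in the spirit of independent self-hosting, could have very undesirable results.
 * Installation
 Log into your system with:
 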

BIN
image_build/prosody-0.10-1nightly410.tar.gz View File


+ 1
- 0
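--- a/src/freedombone-app-gnusocial
+++ b/src/freedombone-app-gnusocial
@@ -299,6 +299,7 @@ function gnusocial_set_expire_months {
 }
 
 function configure_interactive_gnusocial {
+    read_config_param GNUSOCIAL_EXPIRE_MONTHS
     while true
     do
         data=$(tempfile 2>/dev/null)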

+ 23
- 105
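--- a/src/freedombone-app-mailpile
+++ b/src/freedombone-app-mailpile
@@ -13,7 +13,7 @@
 # License
 # =======
 #
-# Copyright (C) 2016 Bob Mottram <bob@freedombone.net>
+# Copyright (C) 2016-2017 Bob Mottram <bob@freedombone.net>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -37,7 +37,7 @@ MAILPILE_DOMAIN_NAME=
 MAILPILE_CODE=
 MAILPILE_ONION_PORT=8103
 MAILPILE_REPO="https://github.com/mailpile/Mailpile"
-MAILPILE_COMMIT='6f56fe4ad736c8e385bea658454bed110d08c60d'
+MAILPILE_COMMIT='88ae8e5831dddc628c827c44224166dbdbed91f1'
 MAILPILE_PORT=33411
 
 mailpile_variables=(MAILPILE_REPO
@@ -45,6 +45,7 @@ mailpile_variables=(MAILPILE_REPO
                     MAILPILE_CODE
                     ONION_ONLY
                     DDNS_PROVIDER
+                    DEFAULT_DOMAIN_NAME
                     MY_USERNAME)
 
 function logging_on_mailpile {
@@ -109,118 +110,19 @@ function upgrade_mailpile {
 }
 
 function backup_local_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    source_directory=/var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-    if [ -d $source_directory ]; then
-        systemctl stop mailpile
-
-        function_check backup_directory_to_usb
-        backup_directory_to_usb $source_directory mailpile
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function restore_local_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    if [ $MAILPILE_DOMAIN_NAME ]; then
-        systemctl stop mailpile
-
-        temp_restore_dir=/root/tempmailpile
-        restore_directory_from_usb $temp_restore_dir mailpile
-        if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local ]; then
-            mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
-        fi
-        temp_source_dir=$(find ${temp_restore_dir} -name ".local")
-        cp -r ${temp_source_dir} /var/www/${MAILPILE_DOMAIN_NAME}/mail/
-        if [ ! "$?" = "0" ]; then
-            if [ -d mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
-                if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
-                    rm -rf /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
-                fi
-                mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-            fi
-            backup_unmount_drive
-            exit 3685
-        fi
-        rm -rf ${temp_restore_dir}
-        chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
-
-        if [ -d /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} ]; then
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${MAILPILE_DOMAIN_NAME}.key
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${MAILPILE_DOMAIN_NAME}.pem
-        fi
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function backup_remote_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    source_directory=/var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-    if [ -d $source_directory ]; then
-        systemctl stop mailpile
-
-        function_check backup_directory_to_usb
-        backup_directory_to_friend $source_directory mailpile
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function restore_remote_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    if [ $MAILPILE_DOMAIN_NAME ]; then
-        systemctl stop mailpile
-
-        temp_restore_dir=/root/tempmailpile
-        restore_directory_from_friend $temp_restore_dir mailpile
-        if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local ]; then
-            mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
-        fi
-        temp_source_dir=$(find ${temp_restore_dir} -name ".local")
-        cp -r ${temp_source_dir} /var/www/${MAILPILE_DOMAIN_NAME}/mail/
-        if [ ! "$?" = "0" ]; then
-            if [ -d mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
-                mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-            fi
-            backup_unmount_drive
-            exit 36732
-        fi
-        rm -rf ${temp_restore_dir}
-        chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
-
-        if [ -d /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} ]; then
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${MAILPILE_DOMAIN_NAME}.key
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${MAILPILE_DOMAIN_NAME}.pem
-        fi
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function remove_mailpile {
@@ -305,6 +207,11 @@ function install_mailpile {
     adduser mailpile www-data
     adduser mailpile mail
     adduser mailpile $MY_USERNAME
+    if [[ $ONION_ONLY == 'no' ]]; then
+        chgrp -R ssl-cert /etc/letsencrypt
+        chmod -R g=rX /etc/letsencrypt
+        usermod -a -G ssl-cert mailpile
+    fi
     chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
 
     # create folders and tags
@@ -440,6 +347,17 @@ function install_mailpile {
     pip install jinja2==2.9.6
     pip install pgpdump==1.5
 
+    # turn off ssl in dovecot
+    sed -i 's|#ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
+    sed -i 's|ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
+
+    # set ssl certs, just in case we want to use them later
+    sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt|g" /etc/dovecot/conf.d/10-ssl.conf
+    sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt|g" /etc/dovecot/conf.d/10-ssl.conf
+    sed -i "s|#ssl_key =.*|ssl_key = </etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/dovecot/conf.d/10-ssl.conf
+    sed -i "s|ssl_key =.*|ssl_key = </etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/dovecot/conf.d/10-ssl.conf
+
+    systemctl restart dovecot
     systemctl enable mailpile
     systemctl daemon-reload
     systemctl start mailpile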
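Review bot: The added `sed` lines in install_mailpile set `ssl = no` in /etc/dovecot/conf.d/10-ssl.conf, which switches TLS off for every dovecot listener rather than only for Mailpile's own connection; the configure_imap hunk in src/freedombone-base-email makes the same change, replacing `ssl = required`. Whether IMAP is reachable from anything other than loopback is not visible here, but if it is, remote clients lose transport encryption or, depending on dovecot's plaintext-auth setting, can no longer log in. Keeping `ssl = required` and restricting any plaintext listener to 127.0.0.1 would avoid both outcomes. At minimum the comment should record the reason and the assumption, e.g. `# TLS off: dovecot is assumed to listen on 127.0.0.1 only - confirm before exposing IMAP`. install_mailpile begins and ends outside these hunks.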

+ 12
- 2
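--- a/src/freedombone-app-matrix
+++ b/src/freedombone-app-matrix
@@ -64,7 +64,9 @@ matrix_variables=(ONION_ONLY
 
 function logging_on_matrix {
     if [ -f /var/lib/matrix/homeserver.yaml ]; then
-        sed -i 's|log_file:.*|log_file: /etc/matrix/homeserver.log|g' /var/lib/matrix/homeserver.yaml
+        if ! grep -q "log_file: /etc/matrix/homeserver.log" /var/lib/matrix/homeserver.yaml; then
+            sed -i 's|log_file:.*|log_file: /etc/matrix/homeserver.log|g' /var/lib/matrix/homeserver.yaml
+        fi
         if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then
             sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml
         fi
@@ -73,7 +75,9 @@ function logging_on_matrix {
 
 function logging_off_matrix {
     if [ -f /var/lib/matrix/homeserver.yaml ]; then
-        sed -i 's|log_file:.*|log_file: /dev/null|g' /var/lib/matrix/homeserver.yaml
+        if ! grep -q "log_file: /dev/null" /var/lib/matrix/homeserver.yaml; then
+            sed -i 's|log_file:.*|log_file: /dev/null|g' /var/lib/matrix/homeserver.yaml
+        fi
         if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then
             sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml
         fi
@@ -83,6 +87,12 @@ function logging_off_matrix {
         if [ -f /etc/matrix/homeserver.log.1 ]; then
             $REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.1
         fi
+        if [ -f /etc/matrix/homeserver.log.2 ]; then
+            $REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.2
+        fi
+        if [ -f /etc/matrix/homeserver.log.3 ]; then
+            $REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.3
+        fi
     fi
 }
 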
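Review bot: logging_off_matrix now removes homeserver.log.1 to homeserver.log.3 with three copies of the same `if` block, so a rotated file beyond .3, or a compressed one, would stay on disk after logging has been switched off. A loop over the glob handles whatever rotation depth is in use: `for f in /etc/matrix/homeserver.log.*; do [ -f "$f" ] && $REMOVE_FILES_COMMAND "$f"; done`. The function starts outside this hunk, so any removal of the unrotated log is not visible here.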

+ 2
- 1
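--- a/src/freedombone-app-nextcloud
+++ b/src/freedombone-app-nextcloud
@@ -40,7 +40,7 @@ NEXTCLOUD_CODE=
 NEXTCLOUD_ONION_PORT=8112
 NEXTCLOUD_REPO="https://github.com/nextcloud/server"
 # Stable 12 branch
-NEXTCLOUD_COMMIT='5e22b330963d01feb636b24e7b1027b50b46e3c2'
+NEXTCLOUD_COMMIT='cd095bb0b85eed6a9a9f6f0f7d10f2366c4667a7'
 NEXTCLOUD_ADMIN_PASSWORD=
 
 nextcloud_variables=(ONION_ONLY
@@ -209,6 +209,7 @@ function upgrade_nextcloud {
     set_repo_commit /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs "nextcloud commit" "$NEXTCLOUD_COMMIT" $NEXTCLOUD_REPO
 
     upgrade_nextcloud_base
+    sudo -u www-data ./occ upgrade
 }
 
 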
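Review bot: `sudo -u www-data ./occ upgrade` in upgrade_nextcloud depends on the working directory being the Nextcloud htdocs directory, and nothing in the visible lines changes into it. If set_repo_commit or upgrade_nextcloud_base leave the shell somewhere else, the command fails and the function still finishes as though the upgrade had run. Calling it by full path and checking the result is safer: `sudo -u www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs/occ upgrade || echo $'nextcloud occ upgrade failed'`. The start of upgrade_nextcloud is outside the hunk.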

+ 1
- 0
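--- a/src/freedombone-app-postactiv
+++ b/src/freedombone-app-postactiv
@@ -315,6 +315,7 @@ function postactiv_set_expire_months {
 }
 
 function configure_interactive_postactiv {
+    read_config_param "POSTACTIV_EXPIRE_MONTHS"
     while true
     do
         data=$(tempfile 2>/dev/null)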

+ 5
- 2
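--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -41,8 +41,8 @@ XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+
 XMPP_ECC_CURVE='"secp384r1"'
 
 prosody_latest_version='0.10'
-prosody_nightly=382
-prosody_nightly_hash='770f1a0466f2361184eebffac9f50c102ad842cd855190db6c7f42f2f09884f5'
+prosody_nightly=410
+prosody_nightly_hash='9cf3db6a09895a744d72eb90b4a635758a710afe1a16b78506c7139c4e7211eb'
 prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
 prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
 
@@ -356,7 +356,9 @@ function update_prosody_modules {
                         mkdir -p /var/lib/prosody/prosody-modules
                     fi
                     cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/
+                    cp -r $INSTALL_DIR/prosody-modules/* /usr/lib/prosody/modules/
                     chown -R prosody:prosody /var/lib/prosody/prosody-modules
+                    chown -R prosody:prosody /usr/lib/prosody/modules
                     systemctl start prosody
                 else
                     echo $'Prosody modules not extracted'
@@ -1019,6 +1021,7 @@ function install_xmpp {
     if [ -d /etc/letsencrypt ]; then
         usermod -a -G ssl-cert prosody
     fi
+    apt-mark -q hold prosody
     systemctl restart prosody
 
     if [[ $ONION_ONLY != 'no' ]]; then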
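Review bot: The added `chown -R prosody:prosody /usr/lib/prosody/modules` in update_prosody_modules gives the service account write access to the directory its modules are loaded from, so a compromise of the prosody process could persist by rewriting that code. The daemon only needs to read those files, so root ownership is enough: `chown -R root:root /usr/lib/prosody/modules` followed by `chmod -R go=rX /usr/lib/prosody/modules`. Separately, `apt-mark -q hold prosody` in install_xmpp presumably stops apt from delivering prosody updates, which leaves the pinned nightly as the only update path; a comment saying so would help whoever maintains the pin. Both functions continue outside their hunks.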

+ 2
- 2
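--- a/src/freedombone-base-email
+++ b/src/freedombone-base-email
@@ -1345,8 +1345,8 @@ function configure_imap {
         echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf'
         exit 83629
     fi
-    sed -i 's|#ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
-    sed -i 's|ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
+    sed -i 's|#ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
+    sed -i 's|ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
     sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf
     sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf
     sed -i "s|#ssl_key =.*|ssl_key = </etc/ssl/private/dovecot.key|g" /etc/dovecot/conf.d/10-ssl.conf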

+ 7
- 0
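--- a/src/freedombone-base-tripwire
+++ b/src/freedombone-base-tripwire
@@ -124,6 +124,13 @@ function install_tripwire {
     if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
         sed -i '\|/etc\t\t->.*|a\    !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
     fi
+    # Events here are likely due to USB HRNG activity
+    if ! grep -q '!/dev/char' /etc/tripwire/twpol.txt; then
+        sed -i '\|/dev\t\t->.*|a\    !/dev/char ;' /etc/tripwire/twpol.txt
+    fi
+    if ! grep -q '!/dev/bus/usb' /etc/tripwire/twpol.txt; then
+        sed -i '\|/dev\t\t->.*|a\    !/dev/bus/usb ;' /etc/tripwire/twpol.txt
+    fi
 
     # Not much is in /usr/local/bin other than project commands and avoiding it removes
     # problems with updates. This is a tradeoff, but not by much.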
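Review bot: The two new exclusions in install_tripwire stop tripwire from reporting any change under /dev/char and /dev/bus/usb, which also hides the appearance of an unexpected USB device, yet the comment only says the events are "likely" from the HRNG. The cost deserves the same kind of explanation the /usr/local/bin exclusion gets just below, for example `# Tradeoff: changes to USB and character device nodes are no longer reported by tripwire`. Also, if twpol.txt has no `/dev` rule line with exactly two tabs before `->`, the `sed` appends nothing and no error is reported, so the exclusion is silently missing. install_tripwire begins and ends outside the hunk.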

+ 38
- 3
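--- a/src/freedombone-controlpanel
+++ b/src/freedombone-controlpanel
@@ -129,8 +129,43 @@ if [[ $USB_DRIVE == *"dev"* ]]; then
 fi
 
 function any_key {
-    echo ' '
-    read -n1 -r -p $"Press any key to continue..." key
+    echo ''
+    read -n1 -rsp $"Press any key to continue..." key
+}
+
+function any_key_verify {
+    echo ''
+    read -n1 -rsp $"Press any key to continue or C to check a hash..." key
+    if [[ "$key" != 'c' && "$key" != 'C' ]]; then
+        return
+    fi
+
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --title $"Check tripwire hash" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>$data
+    sel=$?
+    case $sel in
+        0)
+            GIVEN_HASH=$(<$data)
+            if [ ${#GIVEN_HASH} -gt 8 ]; then
+                if [[ "$GIVEN_HASH" == *' '* ]]; then
+                    dialog --title $"Check tripwire" \
+                           --msgbox $"\nThe hash should not contain any spaces" 10 40
+                else
+                    DBHASH=$(sha512sum  /var/lib/tripwire/${HOSTNAME}.twd | awk -F ' ' '{print $1}')
+                    if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
+                        dialog --title $"Check tripwire" \
+                               --msgbox $"\nSuccess\n\nThe hash you gave matches the current tripwire database" 10 40
+                    else
+                        dialog --title $"Check tripwire" \
+                               --msgbox $"\nFailed\n\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
+                    fi
+                fi
+            fi
+            ;;
+    esac
 }
 
 function get_app_icann_address {
@@ -2182,7 +2217,7 @@ function menu_top_level {
             3) menu_backup_restore;;
             4) show_firewall;;
             5) show_tripwire_verification_code
-               any_key;;
+               any_key_verify;;
             6) reset_tripwire;;
             7) menu_app_settings;;
             8) /usr/local/bin/addremove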
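Review bot: In any_key_verify the `if [ ${#GIVEN_HASH} -gt 8 ]` test has no `else`, so an empty or truncated paste drops back to the menu with no message and the user cannot tell that nothing was compared. DBHASH comes from `sha512sum`, whose hex digest is 128 characters, so the test could require that length and say so otherwise, assuming show_tripwire_verification_code (not visible here) displays the full digest. `trap "rm -f $data" 0 1 2 5 15` also replaces any exit trap the control panel has already set and keeps the pasted value on disk until the shell exits; `rm -f "$data"` straight after `GIVEN_HASH=$(<$data)` is simpler. A comment should also state that a match is computed on the host being checked, so it only holds if this script and `sha512sum` are themselves unmodified.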

+ 9
- 5
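--- a/src/freedombone-utils-gnusocialtools
+++ b/src/freedombone-utils-gnusocialtools
@@ -741,6 +741,9 @@ function expire_gnusocial_posts {
 
     expire_days=$((expire_months * 30))
 
+    # files are what take up most of the backup time, so don't keep them for very long
+    expire_days_files=7
+
     # To prevent the database size from growing endlessly this script expires posts
     # after a number of months
     if [ ! -d /var/www/${domain_name}/htdocs ]; then
@@ -788,15 +791,16 @@ function expire_gnusocial_posts {
     echo '$rowaff1 notices, $rowaff2 conversations, $rowaff3 replies, and $rowaff4 qvitter notifications deleted from database.\n";' >> $gnusocial_expire_posts_script
     chmod +x $gnusocial_expire_posts_script
 
-    gnusocial_expire_script=/usr/bin/${gnusocial_type}-expire
+    gnusocial_expire_script=/etc/cron.daily/${gnusocial_type}-expire
     echo '#!/bin/bash' > $gnusocial_expire_script
-    echo "find /var/www/${domain_name}/htdocs/file/* -mtime +${expire_days} -exec rm {} +" >> $gnusocial_expire_script
+    echo "find /var/www/${domain_name}/htdocs/file/* -mtime +${expire_days_files} -exec rm {} +" >> $gnusocial_expire_script
     echo "/usr/bin/php $gnusocial_expire_posts_script" >> $gnusocial_expire_script
     chmod +x $gnusocial_expire_script
 
-    # Add a cron job
-    if ! grep -q "${gnusocial_expire_script}" /etc/crontab; then
-        echo "10 3 5   *   *   root /usr/bin/timeout 500 ${gnusocial_expire_script}" >> /etc/crontab
+    # remove any old cron job
+    if grep -q "${gnusocial_type}-expire" /etc/crontab; then
+        sed -i "/${gnusocial_type}-expire/d" /etc/crontab
+        rm /usr/bin/${gnusocial_type}-expire
     fi
 
     # remove old expire script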
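Review bot: The generated cron script in expire_gnusocial_posts now deletes everything under htdocs/file older than the hard-coded `expire_days_files=7`, whatever expire_months the admin chose, so posts kept for months lose their attachments after a week. That should either be a documented parameter or be spelled out in the comment, e.g. `# NOTE: uploaded files are deleted after 7 days even though posts are kept for expire_months`. The move from a crontab entry to /etc/cron.daily also drops the `/usr/bin/timeout 500` wrapper, so the daily run has no time limit. `rm /usr/bin/${gnusocial_type}-expire` prints an error when the file is already gone, which `rm -f` avoids. The function continues outside both hunks.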

+ 16
- 1
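--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -286,10 +286,22 @@ function initial_setup {
     mark_completed $FUNCNAME
 }
 
+function turn_off_magic_sysrq {
+    if grep -q 'kernel.sysrq = 0' /etc/sysctl.conf; then
+        return
+    fi
+    if grep -q 'kernel.sysrq' /etc/sysctl.conf; then
+        sed -i 's|#kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
+        sed -i 's|kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
+    else
+        echo 'kernel.sysrq = 0' >> /etc/sysctl.conf
+    fi
+}
+
 function setup_grub {
     if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
         if ! grep -q 'ifnames=0' /etc/default/grub; then
-            sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1"|g' /etc/default/grub
+            sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1 panic=0"|g' /etc/default/grub
             update-grub
         fi
     fi
@@ -782,6 +794,9 @@ function setup_utils {
     function_check enable_predictable_device_names
     enable_predictable_device_names
 
+    function_check turn_off_magic_sysrq
+    turn_off_magic_sysrq
+
     function_check separate_tmp_filesystem
     separate_tmp_filesystem 150
 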
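Review bot: turn_off_magic_sysrq returns early when `grep -q 'kernel.sysrq = 0'` matches, and that pattern also matches a commented-out `#kernel.sysrq = 0`, in which case the setting is never written. Anchoring the test fixes it: `if grep -q '^kernel.sysrq = 0' /etc/sysctl.conf; then`. The function only edits /etc/sysctl.conf, so the running kernel keeps its current value until the next boot unless `sysctl -w kernel.sysrq=0` is run as well. In setup_grub the new `panic=0` is written only when `ifnames=0` is absent from /etc/default/grub, so systems installed earlier will not pick it up.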

+ 15
- 7
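--- a/website/EN/app_nextcloud.html
+++ b/website/EN/app_nextcloud.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-05-08 Mon 23:45 -->
+<!-- 2017-08-08 Tue 17:39 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title></title>
@@ -264,9 +264,17 @@ NextCloud is a system for file synchronisation and also has many other plugins f
 The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems.
 </p>
 
-<div id="outline-container-orge6cdeb1" class="outline-2">
-<h2 id="orge6cdeb1">Installation</h2>
-<div class="outline-text-2" id="text-orge6cdeb1">
+<div id="outline-container-orgb096beb" class="outline-2">
+<h2 id="orgb096beb">Operational considerations</h2>
+<div class="outline-text-2" id="text-orgb096beb">
+<p>
+If your ISP or the government in your area is part of your threat model then NextCloud may not be the best choice for hosting files and <a href="./app_syncthing.html">Syncthing</a> could be preferable. In the past the NextCloud company is known to have remotely scanned servers without permission and reported server admins who don't immediately update to the latest version of the software to their ISPs or to questionable government agencies. Depending upon where you are located such activities by the developer, which are not really in the spirit of independent self-hosting, could have very undesirable results.
+</p>
+</div>
+</div>
+<div id="outline-container-orgcac5c6a" class="outline-2">
+<h2 id="orgcac5c6a">Installation</h2>
+<div class="outline-text-2" id="text-orgcac5c6a">
 <p>
 Log into your system with:
 </p>
@@ -286,9 +294,9 @@ Select <b>Add/Remove Apps</b> then <b>nextcloud</b>. You will then be asked for
 </div>
 </div>
 
-<div id="outline-container-orgdf0be0a" class="outline-2">
-<h2 id="orgdf0be0a">Initial setup</h2>
-<div class="outline-text-2" id="text-orgdf0be0a">
+<div id="outline-container-org87dcfbd" class="outline-2">
+<h2 id="org87dcfbd">Initial setup</h2>
+<div class="outline-text-2" id="text-org87dcfbd">
 <p>
 Go to the <b>Administrator control panel</b> and select <b>Passwords</b> then <b>nextcloud</b>. This will give you the password to initially log in to the system and you can change it later from a client app if needed.
 </p>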