Merge branch 'stretch' of https://github.com/bashrc/freedombone

doc/EN/app_nextcloud.org

 
 The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems.
 
+* Operational considerations
+If your ISP or the government in your area is part of your threat model then NextCloud may not be the best choice for hosting files and [[./app_syncthing.html][Syncthing]] could be preferable. In the past the NextCloud company is known to have remotely scanned servers without permission and reported server admins who don't immediately update to the latest version of the software to their ISPs or to questionable government agencies. Depending upon where you are located such activities by the developer, which are not really in the spirit of independent self-hosting, could have very undesirable results.
 * Installation
 Log into your system with:
 

src/freedombone-app-gnusocial

 }
 
 function configure_interactive_gnusocial {
+    read_config_param GNUSOCIAL_EXPIRE_MONTHS
     while true
     do
         data=$(tempfile 2>/dev/null)

src/freedombone-app-mailpile

 # License
 # =======
 #
-# Copyright (C) 2016 Bob Mottram <bob@freedombone.net>
+# Copyright (C) 2016-2017 Bob Mottram <bob@freedombone.net>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 MAILPILE_CODE=
 MAILPILE_ONION_PORT=8103
 MAILPILE_REPO="https://github.com/mailpile/Mailpile"
-MAILPILE_COMMIT='6f56fe4ad736c8e385bea658454bed110d08c60d'
+MAILPILE_COMMIT='88ae8e5831dddc628c827c44224166dbdbed91f1'
 MAILPILE_PORT=33411
 
 mailpile_variables=(MAILPILE_REPO
                     MAILPILE_CODE
                     ONION_ONLY
                     DDNS_PROVIDER
+                    DEFAULT_DOMAIN_NAME
                     MY_USERNAME)
 
 function logging_on_mailpile {
 }
 
 function backup_local_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    source_directory=/var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-    if [ -d $source_directory ]; then
-        systemctl stop mailpile
-
-        function_check backup_directory_to_usb
-        backup_directory_to_usb $source_directory mailpile
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function restore_local_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    if [ $MAILPILE_DOMAIN_NAME ]; then
-        systemctl stop mailpile
-
-        temp_restore_dir=/root/tempmailpile
-        restore_directory_from_usb $temp_restore_dir mailpile
-        if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local ]; then
-            mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
-        fi
-        temp_source_dir=$(find ${temp_restore_dir} -name ".local")
-        cp -r ${temp_source_dir} /var/www/${MAILPILE_DOMAIN_NAME}/mail/
-        if [ ! "$?" = "0" ]; then
-            if [ -d mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
-                if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
-                    rm -rf /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
-                fi
-                mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-            fi
-            backup_unmount_drive
-            exit 3685
-        fi
-        rm -rf ${temp_restore_dir}
-        chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
-
-        if [ -d /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} ]; then
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${MAILPILE_DOMAIN_NAME}.key
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${MAILPILE_DOMAIN_NAME}.pem
-        fi
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function backup_remote_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    source_directory=/var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-    if [ -d $source_directory ]; then
-        systemctl stop mailpile
-
-        function_check backup_directory_to_usb
-        backup_directory_to_friend $source_directory mailpile
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function restore_remote_mailpile {
-    if [ ! -f /etc/systemd/system/mailpile.service ]; then
-        return
-    fi
-    MAILPILE_DOMAIN_NAME='mailpile.local'
-    if grep -q "mailpile domain" $COMPLETION_FILE; then
-        MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
-    fi
-    if [ $MAILPILE_DOMAIN_NAME ]; then
-        systemctl stop mailpile
-
-        temp_restore_dir=/root/tempmailpile
-        restore_directory_from_friend $temp_restore_dir mailpile
-        if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local ]; then
-            mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
-        fi
-        temp_source_dir=$(find ${temp_restore_dir} -name ".local")
-        cp -r ${temp_source_dir} /var/www/${MAILPILE_DOMAIN_NAME}/mail/
-        if [ ! "$?" = "0" ]; then
-            if [ -d mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
-                mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
-            fi
-            backup_unmount_drive
-            exit 36732
-        fi
-        rm -rf ${temp_restore_dir}
-        chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
-
-        if [ -d /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} ]; then
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${MAILPILE_DOMAIN_NAME}.key
-            ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${MAILPILE_DOMAIN_NAME}.pem
-        fi
-
-        systemctl start mailpile
-    fi
+    echo -n ''
 }
 
 function remove_mailpile {
     adduser mailpile www-data
     adduser mailpile mail
     adduser mailpile $MY_USERNAME
+    if [[ $ONION_ONLY == 'no' ]]; then
+        chgrp -R ssl-cert /etc/letsencrypt
+        chmod -R g=rX /etc/letsencrypt
+        usermod -a -G ssl-cert mailpile
+    fi
     chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
 
     # create folders and tags
     pip install jinja2==2.9.6
     pip install pgpdump==1.5
 
+    # turn off ssl in dovecot
+    sed -i 's|#ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
+    sed -i 's|ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
+
+    # set ssl certs, just in case we want to use them later
+    sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt|g" /etc/dovecot/conf.d/10-ssl.conf
+    sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt|g" /etc/dovecot/conf.d/10-ssl.conf
+    sed -i "s|#ssl_key =.*|ssl_key = </etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/dovecot/conf.d/10-ssl.conf
+    sed -i "s|ssl_key =.*|ssl_key = </etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/dovecot/conf.d/10-ssl.conf
+
+    systemctl restart dovecot
     systemctl enable mailpile
     systemctl daemon-reload
     systemctl start mailpile

src/freedombone-app-matrix

 
 function logging_on_matrix {
     if [ -f /var/lib/matrix/homeserver.yaml ]; then
-        sed -i 's|log_file:.*|log_file: /etc/matrix/homeserver.log|g' /var/lib/matrix/homeserver.yaml
+        if ! grep -q "log_file: /etc/matrix/homeserver.log" /var/lib/matrix/homeserver.yaml; then
+            sed -i 's|log_file:.*|log_file: /etc/matrix/homeserver.log|g' /var/lib/matrix/homeserver.yaml
+        fi
         if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then
             sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml
         fi
 
 function logging_off_matrix {
     if [ -f /var/lib/matrix/homeserver.yaml ]; then
-        sed -i 's|log_file:.*|log_file: /dev/null|g' /var/lib/matrix/homeserver.yaml
+        if ! grep -q "log_file: /dev/null" /var/lib/matrix/homeserver.yaml; then
+            sed -i 's|log_file:.*|log_file: /dev/null|g' /var/lib/matrix/homeserver.yaml
+        fi
         if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then
             sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml
         fi
         if [ -f /etc/matrix/homeserver.log.1 ]; then
             $REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.1
         fi
+        if [ -f /etc/matrix/homeserver.log.2 ]; then
+            $REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.2
+        fi
+        if [ -f /etc/matrix/homeserver.log.3 ]; then
+            $REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.3
+        fi
     fi
 }
 

src/freedombone-app-nextcloud

 NEXTCLOUD_ONION_PORT=8112
 NEXTCLOUD_REPO="https://github.com/nextcloud/server"
 # Stable 12 branch
-NEXTCLOUD_COMMIT='5e22b330963d01feb636b24e7b1027b50b46e3c2'
+NEXTCLOUD_COMMIT='cd095bb0b85eed6a9a9f6f0f7d10f2366c4667a7'
 NEXTCLOUD_ADMIN_PASSWORD=
 
 nextcloud_variables=(ONION_ONLY
     set_repo_commit /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs "nextcloud commit" "$NEXTCLOUD_COMMIT" $NEXTCLOUD_REPO
 
     upgrade_nextcloud_base
+    sudo -u www-data ./occ upgrade
 }
 
 

src/freedombone-app-postactiv

 }
 
 function configure_interactive_postactiv {
+    read_config_param "POSTACTIV_EXPIRE_MONTHS"
     while true
     do
         data=$(tempfile 2>/dev/null)

src/freedombone-app-xmpp

 XMPP_ECC_CURVE='"secp384r1"'
 
 prosody_latest_version='0.10'
-prosody_nightly=382
-prosody_nightly_hash='770f1a0466f2361184eebffac9f50c102ad842cd855190db6c7f42f2f09884f5'
+prosody_nightly=410
+prosody_nightly_hash='9cf3db6a09895a744d72eb90b4a635758a710afe1a16b78506c7139c4e7211eb'
 prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
 prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
 
                         mkdir -p /var/lib/prosody/prosody-modules
                     fi
                     cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/
+                    cp -r $INSTALL_DIR/prosody-modules/* /usr/lib/prosody/modules/
                     chown -R prosody:prosody /var/lib/prosody/prosody-modules
+                    chown -R prosody:prosody /usr/lib/prosody/modules
                     systemctl start prosody
                 else
                     echo $'Prosody modules not extracted'
     if [ -d /etc/letsencrypt ]; then
         usermod -a -G ssl-cert prosody
     fi
+    apt-mark -q hold prosody
     systemctl restart prosody
 
     if [[ $ONION_ONLY != 'no' ]]; then

src/freedombone-base-email

         echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf'
         exit 83629
     fi
-    sed -i 's|#ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
-    sed -i 's|ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
+    sed -i 's|#ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
+    sed -i 's|ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
     sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf
     sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf
     sed -i "s|#ssl_key =.*|ssl_key = </etc/ssl/private/dovecot.key|g" /etc/dovecot/conf.d/10-ssl.conf

src/freedombone-base-tripwire

     if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
         sed -i '\|/etc\t\t->.*|a\    !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
     fi
+    # Events here are likely due to USB HRNG activity
+    if ! grep -q '!/dev/char' /etc/tripwire/twpol.txt; then
+        sed -i '\|/dev\t\t->.*|a\    !/dev/char ;' /etc/tripwire/twpol.txt
+    fi
+    if ! grep -q '!/dev/bus/usb' /etc/tripwire/twpol.txt; then
+        sed -i '\|/dev\t\t->.*|a\    !/dev/bus/usb ;' /etc/tripwire/twpol.txt
+    fi
 
     # Not much is in /usr/local/bin other than project commands and avoiding it removes
     # problems with updates. This is a tradeoff, but not by much.

src/freedombone-controlpanel

 fi
 
 function any_key {
-    echo ' '
-    read -n1 -r -p $"Press any key to continue..." key
+    echo ''
+    read -n1 -rsp $"Press any key to continue..." key
+}
+
+function any_key_verify {
+    echo ''
+    read -n1 -rsp $"Press any key to continue or C to check a hash..." key
+    if [[ "$key" != 'c' && "$key" != 'C' ]]; then
+        return
+    fi
+
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --title $"Check tripwire hash" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>$data
+    sel=$?
+    case $sel in
+        0)
+            GIVEN_HASH=$(<$data)
+            if [ ${#GIVEN_HASH} -gt 8 ]; then
+                if [[ "$GIVEN_HASH" == *' '* ]]; then
+                    dialog --title $"Check tripwire" \
+                           --msgbox $"\nThe hash should not contain any spaces" 10 40
+                else
+                    DBHASH=$(sha512sum  /var/lib/tripwire/${HOSTNAME}.twd | awk -F ' ' '{print $1}')
+                    if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
+                        dialog --title $"Check tripwire" \
+                               --msgbox $"\nSuccess\n\nThe hash you gave matches the current tripwire database" 10 40
+                    else
+                        dialog --title $"Check tripwire" \
+                               --msgbox $"\nFailed\n\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
+                    fi
+                fi
+            fi
+            ;;
+    esac
 }
 
 function get_app_icann_address {
             3) menu_backup_restore;;
             4) show_firewall;;
             5) show_tripwire_verification_code
-               any_key;;
+               any_key_verify;;
             6) reset_tripwire;;
             7) menu_app_settings;;
             8) /usr/local/bin/addremove

src/freedombone-utils-gnusocialtools

 
     expire_days=$((expire_months * 30))
 
+    # files are what take up most of the backup time, so don't keep them for very long
+    expire_days_files=7
+
     # To prevent the database size from growing endlessly this script expires posts
     # after a number of months
     if [ ! -d /var/www/${domain_name}/htdocs ]; then
     echo '$rowaff1 notices, $rowaff2 conversations, $rowaff3 replies, and $rowaff4 qvitter notifications deleted from database.\n";' >> $gnusocial_expire_posts_script
     chmod +x $gnusocial_expire_posts_script
 
-    gnusocial_expire_script=/usr/bin/${gnusocial_type}-expire
+    gnusocial_expire_script=/etc/cron.daily/${gnusocial_type}-expire
     echo '#!/bin/bash' > $gnusocial_expire_script
-    echo "find /var/www/${domain_name}/htdocs/file/* -mtime +${expire_days} -exec rm {} +" >> $gnusocial_expire_script
+    echo "find /var/www/${domain_name}/htdocs/file/* -mtime +${expire_days_files} -exec rm {} +" >> $gnusocial_expire_script
     echo "/usr/bin/php $gnusocial_expire_posts_script" >> $gnusocial_expire_script
     chmod +x $gnusocial_expire_script
 
-    # Add a cron job
-    if ! grep -q "${gnusocial_expire_script}" /etc/crontab; then
-        echo "10 3 5   *   *   root /usr/bin/timeout 500 ${gnusocial_expire_script}" >> /etc/crontab
+    # remove any old cron job
+    if grep -q "${gnusocial_type}-expire" /etc/crontab; then
+        sed -i "/${gnusocial_type}-expire/d" /etc/crontab
+        rm /usr/bin/${gnusocial_type}-expire
     fi
 
     # remove old expire script

src/freedombone-utils-setup

     mark_completed $FUNCNAME
 }
 
+function turn_off_magic_sysrq {
+    if grep -q 'kernel.sysrq = 0' /etc/sysctl.conf; then
+        return
+    fi
+    if grep -q 'kernel.sysrq' /etc/sysctl.conf; then
+        sed -i 's|#kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
+        sed -i 's|kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
+    else
+        echo 'kernel.sysrq = 0' >> /etc/sysctl.conf
+    fi
+}
+
 function setup_grub {
     if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
         if ! grep -q 'ifnames=0' /etc/default/grub; then
-            sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1"|g' /etc/default/grub
+            sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1 panic=0"|g' /etc/default/grub
             update-grub
         fi
     fi
     function_check enable_predictable_device_names
     enable_predictable_device_names
 
+    function_check turn_off_magic_sysrq
+    turn_off_magic_sysrq
+
     function_check separate_tmp_filesystem
     separate_tmp_filesystem 150
 

website/EN/app_nextcloud.html

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-05-08 Mon 23:45 -->
+<!-- 2017-08-08 Tue 17:39 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title></title>
 The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems.
 </p>
 
-<div id="outline-container-orge6cdeb1" class="outline-2">
-<h2 id="orge6cdeb1">Installation</h2>
-<div class="outline-text-2" id="text-orge6cdeb1">
+<div id="outline-container-orgb096beb" class="outline-2">
+<h2 id="orgb096beb">Operational considerations</h2>
+<div class="outline-text-2" id="text-orgb096beb">
+<p>
+If your ISP or the government in your area is part of your threat model then NextCloud may not be the best choice for hosting files and <a href="./app_syncthing.html">Syncthing</a> could be preferable. In the past the NextCloud company is known to have remotely scanned servers without permission and reported server admins who don't immediately update to the latest version of the software to their ISPs or to questionable government agencies. Depending upon where you are located such activities by the developer, which are not really in the spirit of independent self-hosting, could have very undesirable results.
+</p>
+</div>
+</div>
+<div id="outline-container-orgcac5c6a" class="outline-2">
+<h2 id="orgcac5c6a">Installation</h2>
+<div class="outline-text-2" id="text-orgcac5c6a">
 <p>
 Log into your system with:
 </p>
 </div>
 </div>
 
-<div id="outline-container-orgdf0be0a" class="outline-2">
-<h2 id="orgdf0be0a">Initial setup</h2>
-<div class="outline-text-2" id="text-orgdf0be0a">
+<div id="outline-container-org87dcfbd" class="outline-2">
+<h2 id="org87dcfbd">Initial setup</h2>
+<div class="outline-text-2" id="text-org87dcfbd">
 <p>
 Go to the <b>Administrator control panel</b> and select <b>Passwords</b> then <b>nextcloud</b>. This will give you the password to initially log in to the system and you can change it later from a client app if needed.
 </p>