ソースを参照

Merge branch 'stretch' of https://github.com/bashrc/freedombone

Bob Mottram 7 年 前
コミット
a817de0d3b

+ 5
- 0
doc/EN/faq.org ファイルの表示

@@ -31,6 +31,7 @@
31 31
 | [[How is Tor integrated with Freedombone?]]                                                   |
32 32
 | [[Can I add a clearnet domain to an onion build?]]                                            |
33 33
 | [[Why use Github?]]                                                                           |
34
+| [[Should I upload my GPG keys to keybase.io?]]                                                |
34 35
 | [[Keys and emails should not be stored on servers. Why do you do that?]]                      |
35 36
 | [[Why can't I access my .onion site with a Tor browser?]]                                     |
36 37
 | [[What is the best hardware to run this system on?]]                                          |
@@ -118,6 +119,10 @@ At present Github is useful just because of the sheer number of eyeballs and the
118 119
 The source code for this project is experimentally independently hosted, and it is expected that in future the main development will shift over to an independent site, maybe with mirrors on Github if it still exists in a viable form.
119 120
 
120 121
 Currently many of the repositories used for applications which are not yet packaged for Debian are on Github, and to provide some degree of resilliance against depending too much upon that copies of them also exist within disk images.
122
+* Should I upload my GPG keys to keybase.io?
123
+It's not recommended unless there exists some compelling reason for you to be on there. That site asks users to upload the *private keys*, and even if the keys are client side encrypted with a passphrase there's always the chance that there will be a data leak in future and letter agencies will then have a full time opportunity to crack the passphrases.
124
+
125
+Saying something resembling /"only noobs will use crackable private key passphrases"/ isn't good enough. A passphrase should not be considered to be a substitute for a private key.
121 126
 * Keys and emails should not be stored on servers. Why do you do that?
122 127
 Ordinarily this is good advice. However, the threat model for a device in your home is different from the one for a generic server in a massive warehouse. Compare and contrast:
123 128
 

+ 2
- 0
doc/EN/mesh.org ファイルの表示

@@ -32,6 +32,8 @@ If an internet connection is available then it can make use of that, but otherwi
32 32
 
33 33
 Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
34 34
 
35
+Like [[https://libremesh.org][LibreMesh]], this system uses a combination of [[https://en.wikipedia.org/wiki/B.A.T.M.A.N.][batman-adv]] on network layer 2 and [[http://bmx6.net][BMX]] on layer 3.
36
+
35 37
 #+BEGIN_CENTER
36 38
 This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion
37 39
 #+END_CENTER

+ 1
- 1
src/freedombone-app-gnusocial ファイルの表示

@@ -28,7 +28,7 @@
28 28
 # You should have received a copy of the GNU Affero General Public License
29 29
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
30 30
 
31
-VARIANTS='full full-vim media'
31
+VARIANTS='full full-vim social'
32 32
 
33 33
 IN_DEFAULT_INSTALL=0
34 34
 SHOW_ON_ABOUT=1

+ 5
- 5
src/freedombone-app-pleroma ファイルの表示

@@ -37,7 +37,7 @@
37 37
 # You should have received a copy of the GNU Affero General Public License
38 38
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
39 39
 
40
-VARIANTS=''
40
+VARIANTS='full full-vim social'
41 41
 
42 42
 IN_DEFAULT_INSTALL=0
43 43
 SHOW_ON_ABOUT=1
@@ -47,7 +47,7 @@ PLEROMA_CODE=
47 47
 PLEROMA_PORT=4000
48 48
 PLEROMA_ONION_PORT=8011
49 49
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
50
-PLEROMA_COMMIT='c1fa1e8844c8eae1ad7638a2d7f9d00e8cd07ce8'
50
+PLEROMA_COMMIT='80f6ac412a632da090be9f3d86971eac0b95a53d'
51 51
 PLEROMA_ADMIN_PASSWORD=
52 52
 PLEROMA_DIR=/etc/pleroma
53 53
 PLEROMA_SECRET_KEY=""
@@ -890,13 +890,13 @@ function install_pleroma {
890 890
     # lost during mix compile
891 891
     pleroma_secret=$PLEROMA_DIR/config/dev.secret.exs
892 892
     if ! grep -q 'watchers: [],' $pleroma_secret; then
893
-        sed -i 's|watchers: []|watchers: [],|g' $pleroma_secret
893
+        sed -i 's|watchers: \[\]|watchers: \[\],|g' $pleroma_secret
894 894
     fi
895 895
     if ! grep -q 'url:' $pleroma_secret; then
896 896
         if [[ $ONION_ONLY == 'no' ]]; then
897
-            sed -i "/watchers: []/a url: [host: \"$PLEROMA_DOMAIN_NAME\", scheme: \"https\", port: 443]" $pleroma_secret
897
+            sed -i "/watchers: /a url: [host: \"$PLEROMA_DOMAIN_NAME\", scheme: \"https\", port: 443]" $pleroma_secret
898 898
         else
899
-            sed -i "/watchers: []/a url: [host: \"$PLEROMA_ONION_HOSTNAME\", scheme: \"http\", port: 80]" $pleroma_secret
899
+            sed -i "/watchers: /a url: [host: \"$PLEROMA_ONION_HOSTNAME\", scheme: \"http\", port: 80]" $pleroma_secret
900 900
         fi
901 901
     fi
902 902
 

+ 4
- 0
src/freedombone-app-tox ファイルの表示

@@ -136,6 +136,10 @@ function mesh_tox_qtox {
136 136
     chroot "${rootdir}" apt-get -yq install build-essential libatk1.0-0 libbz2-1.0 libc6 libcairo2 libdbus-1-3 libegl1-mesa libfontconfig1 libfreetype6 libgcc1 libgdk-pixbuf2.0-0 libgl1-mesa-glx libglib2.0-0 libgtk2.0-0 libice6 libicu57 libjpeg62-turbo libmng1 libmtdev1 libopenal1 libopus0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpng16-16 libqrencode3 libsm6 libsodium18 libsqlite3-0 libssl1.1 libstdc++6 libtiff5 libudev1 libvpx4 libwayland-client0 libwayland-cursor0 libwayland-egl1-mesa libwebp6 libx11-6 libx11-xcb1 libxcb-glx0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-sync1 libxcb-xfixes0 libxcb-xinerama0 libxcb1 libxext6 libxfixes3 libxi6 libxrender1 libxss1 zlib1g libopus-dev libvpx-dev
137 137
     chroot "${rootdir}" apt-get -yq install build-essential qt5-qmake qt5-default qttools5-dev-tools libqt5opengl5-dev libqt5svg5-dev libopenal-dev libxss-dev qrencode libqrencode-dev libglib2.0-dev libgdk-pixbuf2.0-dev libgtk2.0-dev libsqlcipher-dev libopus-dev libvpx-dev libavformat-dev libavdevice-dev libswscale-dev libavutil-dev libavcodec-dev libavcodec57 libavfilter-dev libavfilter6
138 138
 
139
+    chroot "$rootdir" apt-get clean
140
+    chroot "$rootdir" /bin/rm -rf /var/lib/apt/lists/*
141
+    chroot "$rootdir" apt-get clean
142
+
139 143
     # ffmpeg
140 144
     chroot "${rootdir}" apt-get -yq install build-essential
141 145
     chroot "${rootdir}" apt-get -yq install ffmpeg libmp3lame-dev libvorbis-dev libtheora-dev

+ 1
- 1
src/freedombone-client ファイルの表示

@@ -281,7 +281,7 @@ function remove_known_hosts_entries {
281 281
 function setup_avahi_client {
282 282
     echo $'Configuring Avahi'
283 283
     if [ ! -f /usr/bin/pacman ]; then
284
-        sudo apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
284
+        sudo apt-get -yq install avahi-utils avahi-dnsconfd
285 285
     else
286 286
         sudo pacman -S --noconfirm avahi nss-mdns
287 287
         sudo sed -i 's|hosts:.*|hosts: files mdns_minimal [NOTFOUND=return] dns myhostname|g' /etc/nsswitch.conf

+ 2
- 1
src/freedombone-image ファイルの表示

@@ -165,6 +165,7 @@ function image_setup {
165 165
             sudo apt-get -yq install git python-docutils mktorrent xz-utils debootstrap
166 166
             sudo apt-get -yq install dosfstools btrfs-tools extlinux python-distro-info mbr
167 167
             sudo apt-get -yq install qemu-user-static binfmt-support u-boot-tools qemu
168
+            sudo apt-get -yq install python-cliapp
168 169
             ;;
169 170
         parabola|arch)
170 171
             sudo pacman -S --noconfirm libc++ git gcc gcc-libs python-docutils mktorrent patch
@@ -249,7 +250,7 @@ function image_setup {
249 250
                 return
250 251
             fi
251 252
             debian_script_hash=$(sha256sum /usr/share/debootstrap/scripts/${DEBIAN_VERSION} | awk -F ' ' '{print $1}')
252
-            expected_debian_script_hash='94e01603091748e8a6a9d2c3beefec29f2a174d989500f81be4ab767830f4489'
253
+            expected_debian_script_hash='620fa84c7ef64d10349aed38fa9cc2e7f00a6fcd1bc425f33ca2b57cc946fd0c'
253 254
             if [[ "$debian_script_hash" != "$expected_debian_script_hash" ]]; then
254 255
                 echo $"Invalid hash for debootstrap ${DEBIAN_VERSION} script"
255 256
                 return

+ 164
- 3
src/freedombone-image-customise ファイルの表示

@@ -13,6 +13,8 @@
13 13
 # License
14 14
 # =======
15 15
 #
16
+# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
17
+#
16 18
 # This program is free software: you can redistribute it and/or modify
17 19
 # it under the terms of the GNU Affero General Public License as published by
18 20
 # the Free Software Foundation, either version 3 of the License, or
@@ -123,6 +125,12 @@ ENABLE_ZERONET=
123 125
 
124 126
 MESH_TEXT_EDITOR='pluma'
125 127
 
128
+BMX6_REPO="https://github.com/bmx-routing/bmx6"
129
+BMX6_COMMIT='39dd1f2d99ac5a3fa28e92f8173c15039132e181'
130
+
131
+BMX7_REPO="https://github.com/bmx-routing/bmx7"
132
+BMX7_COMMIT='0a82c7c10fef44b259b35e77ab33632aa132d219'
133
+
126 134
 PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
127 135
 
128 136
 function configure_backports {
@@ -639,13 +647,20 @@ EOF
639 647
 }
640 648
 
641 649
 mesh_shutdown_script() {
650
+    mesh_shutdown_script=$rootdir/usr/bin/meshshutdown
651
+    echo '#!/bin/bash' > $mesh_shutdown_script
652
+    echo 'batman stop' >> $mesh_shutdown_script
653
+    chroot "$rootdir" chmod +x /usr/bin/meshshutdown
654
+
642 655
     echo '[Unit]' > $rootdir/etc/systemd/system/meshshutdown.service
643 656
     echo 'Description=Shuts down the mesh' >> $rootdir/etc/systemd/system/meshshutdown.service
644 657
     echo 'Before=shutdown.target' >> $rootdir/etc/systemd/system/meshshutdown.service
645 658
     echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
646 659
     echo '[Service]' >> $rootdir/etc/systemd/system/meshshutdown.service
660
+    echo 'User=root' >> $rootdir/etc/systemd/system/meshshutdown.service
661
+    echo 'Group=root' >> $rootdir/etc/systemd/system/meshshutdown.service
647 662
     echo 'ExecStart=/bin/true' >> $rootdir/etc/systemd/system/meshshutdown.service
648
-    echo 'ExecStop=/bin/bash /usr/local/bin/batman stop' >> $rootdir/etc/systemd/system/meshshutdown.service
663
+    echo 'ExecStop=/bin/bash /usr/bin/meshshutdown' >> $rootdir/etc/systemd/system/meshshutdown.service
649 664
     echo 'RemainAfterExit=yes' >> $rootdir/etc/systemd/system/meshshutdown.service
650 665
     echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
651 666
     echo '[Install]' >> $rootdir/etc/systemd/system/meshshutdown.service
@@ -653,6 +668,135 @@ mesh_shutdown_script() {
653 668
     chroot "$rootdir" systemctl enable meshshutdown
654 669
 }
655 670
 
671
+install_bmx6() {
672
+    git clone $BMX6_REPO $rootdir/etc/bmx6
673
+
674
+    cat <<EOF > $rootdir/usr/bin/install_bmx6
675
+#!/bin/bash
676
+cd /etc/bmx6
677
+git checkout $BMX6_COMMIT -b $BMX6_COMMIT
678
+make
679
+make install
680
+
681
+cd /etc/bmx6/lib/bmx6_http_info
682
+make
683
+make install
684
+
685
+cd /etc/bmx6/lib/bmx6_json
686
+make
687
+make install
688
+
689
+cd /etc/bmx6/lib/bmx6_quagga
690
+make
691
+make install
692
+
693
+cd /etc/bmx6/lib/bmx6_sms
694
+make
695
+make install
696
+
697
+cd /etc/bmx6/lib/bmx6_table
698
+make
699
+make install
700
+
701
+cd /etc/bmx6/lib/bmx6_topology
702
+make
703
+make install
704
+EOF
705
+    chroot "$rootdir" chmod +x /usr/bin/install_bmx6
706
+    chroot "$rootdir" /usr/bin/install_bmx6
707
+
708
+    if [ ! -f $rootdir/usr/sbin/bmx6 ]; then
709
+        echo $'bmx6 was not installed'
710
+        exit 79835292
711
+    fi
712
+
713
+    rm $rootdir/usr/bin/install_bmx6
714
+
715
+    echo '[Unit]' > $rootdir/etc/systemd/system/bmx6.service
716
+    echo 'Description=BMX6 mesh routing protocol' >> $rootdir/etc/systemd/system/bmx6.service
717
+    echo 'Requires=network.target' >> $rootdir/etc/systemd/system/bmx6.service
718
+    echo 'After=network.target' >> $rootdir/etc/systemd/system/bmx6.service
719
+    echo '' >> $rootdir/etc/systemd/system/bmx6.service
720
+    echo '[Service]' >> $rootdir/etc/systemd/system/bmx6.service
721
+    echo 'Type=forking' >> $rootdir/etc/systemd/system/bmx6.service
722
+    echo 'User=root' >> $rootdir/etc/systemd/system/bmx6.service
723
+    echo 'Group=root' >> $rootdir/etc/systemd/system/bmx6.service
724
+    echo 'ExecStart=/usr/sbin/bmx6 dev=wlan0' >> $rootdir/etc/systemd/system/bmx6.service
725
+    echo 'ExecStop=/usr/bin/kill -15 $MAINPID' >> $rootdir/etc/systemd/system/bmx6.service
726
+    echo 'PIDFile=/var/run/bmx6/pid' >> $rootdir/etc/systemd/system/bmx6.service
727
+    echo 'Restart=on-failure' >> $rootdir/etc/systemd/system/bmx6.service
728
+    echo '' >> $rootdir/etc/systemd/system/bmx6.service
729
+    echo '[Install]' >> $rootdir/etc/systemd/system/bmx6.service
730
+    echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/bmx6.service
731
+}
732
+
733
+install_bmx7() {
734
+    chroot "$rootdir" apt-get -qy install libjson-c-dev zlib1g-dev libiw-dev
735
+
736
+    git clone $BMX7_REPO $rootdir/etc/bmx7
737
+
738
+    cat <<EOF > $rootdir/usr/bin/install_bmx7
739
+#!/bin/bash
740
+cd /etc
741
+wget https://polarssl.org/code/releases/polarssl-1.3.3-gpl.tgz
742
+tar xzvf polarssl-1.3.3-gpl.tgz
743
+cd /etc/polarssl-1.3.3
744
+make
745
+sudo make install
746
+
747
+cd /etc/bmx7
748
+git checkout $BMX7_COMMIT -b $BMX7_COMMIT
749
+make EXTRA_CFLAGS="-DCRYPTLIB=POLARSSL_1_3_3"
750
+make install
751
+
752
+cd /etc/bmx7/lib/bmx7_http_info
753
+make
754
+make install
755
+
756
+cd /etc/bmx7/lib/bmx7_json
757
+make
758
+make install
759
+
760
+cd /etc/bmx7/lib/bmx7_tun
761
+make
762
+make install
763
+
764
+cd /etc/bmx7/lib/bmx7_sms
765
+make
766
+make install
767
+
768
+cd /etc/bmx7/lib/bmx7_topology
769
+make
770
+make install
771
+EOF
772
+    chroot "$rootdir" chmod +x /usr/bin/install_bmx7
773
+    chroot "$rootdir" /usr/bin/install_bmx7
774
+
775
+    if [ ! -f $rootdir/usr/sbin/bmx7 ]; then
776
+        echo $'bmx7 was not installed'
777
+        exit 67836235
778
+    fi
779
+
780
+    rm $rootdir/usr/bin/install_bmx7
781
+
782
+    echo '[Unit]' > $rootdir/etc/systemd/system/bmx7.service
783
+    echo 'Description=BMX7 mesh routing protocol' >> $rootdir/etc/systemd/system/bmx7.service
784
+    echo 'Requires=network.target' >> $rootdir/etc/systemd/system/bmx7.service
785
+    echo 'After=network.target' >> $rootdir/etc/systemd/system/bmx7.service
786
+    echo '' >> $rootdir/etc/systemd/system/bmx7.service
787
+    echo '[Service]' >> $rootdir/etc/systemd/system/bmx7.service
788
+    echo 'Type=forking' >> $rootdir/etc/systemd/system/bmx7.service
789
+    echo 'User=root' >> $rootdir/etc/systemd/system/bmx7.service
790
+    echo 'Group=root' >> $rootdir/etc/systemd/system/bmx7.service
791
+    echo 'ExecStart=/usr/sbin/bmx7 dev=wlan0' >> $rootdir/etc/systemd/system/bmx7.service
792
+    echo 'ExecStop=/usr/bin/kill -15 $MAINPID' >> $rootdir/etc/systemd/system/bmx7.service
793
+    echo 'PIDFile=/var/run/bmx7/pid' >> $rootdir/etc/systemd/system/bmx7.service
794
+    echo 'Restart=on-failure' >> $rootdir/etc/systemd/system/bmx7.service
795
+    echo '' >> $rootdir/etc/systemd/system/bmx7.service
796
+    echo '[Install]' >> $rootdir/etc/systemd/system/bmx7.service
797
+    echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/bmx7.service
798
+}
799
+
656 800
 initialise_mesh() {
657 801
     if [[ $VARIANT != "mesh"* ]]; then
658 802
         return
@@ -689,9 +833,26 @@ initialise_mesh() {
689 833
     # dhcp daemon for hotspot on secondary wifi adapter
690 834
     chroot "$rootdir" apt-get -yq install dnsmasq
691 835
 
836
+    # for debugging
837
+    chroot "$rootdir" apt-get -yq install traceroute
838
+
839
+    # set the default protocol to be used
840
+    echo 'bmx6' > $rootdir$MESH_DEFAULT_PROTOCOL
841
+
842
+    sed -i 's|#net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding=1|g' $rootdir/etc/sysctl.conf
843
+    sed -i 's|net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding=1|g' $rootdir/etc/sysctl.conf
844
+
845
+    sed -i 's|#net.ipv6.conf.all.accept_redirects.*|net.ipv6.conf.all.accept_redirects=1|g' $rootdir/etc/sysctl.conf
846
+    sed -i 's|net.ipv6.conf.all.accept_redirects.*|net.ipv6.conf.all.accept_redirects=1|g' $rootdir/etc/sysctl.conf
847
+
848
+    sed -i 's|#net.ipv6.conf.all.accept_source_route.*|net.ipv6.conf.all.accept_source_route=1|g' $rootdir/etc/sysctl.conf
849
+    sed -i 's|net.ipv6.conf.all.accept_source_route.*|net.ipv6.conf.all.accept_source_route=1|g' $rootdir/etc/sysctl.conf
850
+
692 851
     configure_firewall
693 852
     install_avahi
694 853
     install_batman
854
+    install_bmx6
855
+    install_bmx7
695 856
     mesh_shutdown_script
696 857
     install_vpn
697 858
     install_tomb
@@ -1448,7 +1609,7 @@ function image_setup_utils {
1448 1609
     chroot "$rootdir" apt-get -yq install avahi-daemon avahi-utils avahi-discover
1449 1610
     chroot "$rootdir" apt-get -yq install connect-proxy openssh-server
1450 1611
     chroot "$rootdir" apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
1451
-    chroot "$rootdir" apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
1612
+    chroot "$rootdir" apt-get -yq install avahi-discover iptables dnsutils net-tools
1452 1613
     chroot "$rootdir" apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
1453 1614
     chroot "$rootdir" apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
1454 1615
     chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
@@ -1753,7 +1914,7 @@ if [[ $VARIANT != "mesh"* ]]; then
1753 1914
     chroot "$rootdir" apt-get install -y openssh-server
1754 1915
 fi
1755 1916
 chroot "$rootdir" apt-get install -y sudo git dialog build-essential
1756
-chroot "$rootdir" apt-get install -y avahi-daemon avahi-utils avahi-discover avahi-autoipd
1917
+chroot "$rootdir" apt-get install -y avahi-daemon avahi-utils avahi-discover
1757 1918
 chroot "$rootdir" apt-get install -y iptables dnsutils net-tools network-manager iputils-ping
1758 1919
 chroot "$rootdir" apt-get install -y libnss-mdns libnss-myhostname libnss-gw-name nano man ntp
1759 1920
 chroot "$rootdir" apt-get install -y locales locales-all debconf wireless-tools wpasupplicant usbutils

+ 1
- 1
src/freedombone-image-makefile ファイルの表示

@@ -43,7 +43,7 @@ IMAGE = $(NAME).img
43 43
 ARCHIVE = $(IMAGE).xz
44 44
 SIGNATURE = $(ARCHIVE).sig
45 45
 OWNER = 1000
46
-XZ = xz --no-warn --best --verbose --keep
46
+XZ = xz --no-warn --verbose --keep --threads=0 -3
47 47
 SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
48 48
 
49 49
 # settings for `make test`

+ 8
- 0
src/freedombone-image-mesh ファイルの表示

@@ -1415,6 +1415,14 @@ if [ -f $MESH_INSTALL_SETUP ]; then
1415 1415
     systemctl disable tor
1416 1416
     echo $'TOR disabled' >> $INSTALL_LOG
1417 1417
 
1418
+    systemctl stop bmx6
1419
+    systemctl disable bmx6
1420
+    echo $'BMX6 disabled' >> $INSTALL_LOG
1421
+
1422
+    systemctl stop bmx7
1423
+    systemctl disable bmx7
1424
+    echo $'BMX7 disabled' >> $INSTALL_LOG
1425
+
1418 1426
     #tomb slam all
1419 1427
     tmp_ram_disk 100
1420 1428
     enable_predictable_device_names

+ 49
- 297
src/freedombone-mesh-batman ファイルの表示

@@ -35,58 +35,9 @@ COMPLETION_FILE=/root/${PROJECT_NAME}-completed.txt
35 35
 HOTSPOT_PASSPHRASE="${PROJECT_NAME}"
36 36
 
37 37
 source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-wifi
38
+source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-mesh
38 39
 
39
-if [[ $1 == "start" ]]; then
40
-    # install avahi
41
-    sed -i "s|#host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
42
-    sed -i "s|host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
43
-    sed -i "s|use-ipv4=.*|use-ipv4=yes|g" /etc/avahi/avahi-daemon.conf
44
-    sed -i "s|use-ipv6=.*|use-ipv6=no|g" /etc/avahi/avahi-daemon.conf
45
-    sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" /etc/avahi/avahi-daemon.conf
46
-    sed -i "s|hosts:.*|hosts:          files mdns4_minimal dns mdns4 mdns|g" /etc/nsswitch.conf
47
-fi
48
-
49
-# Mesh definition
50
-WIFI_SSID='mesh'
51
-if [ -f $COMPLETION_FILE ]; then
52
-    if grep -q "WIFI_SSID:" $COMPLETION_FILE; then
53
-        WIFI_SSID=$(cat $COMPLETION_FILE | grep "WIFI_SSID:" | awk -F ':' '{print $2}')
54
-    fi
55
-    sed -i "s|WIFI_SSID:.*|WIFI_SSID:${WIFI_SSID}|g" $COMPLETION_FILE
56
-fi
57
-CELLID='any'
58
-
59
-CHANNEL=2
60
-HOTSPOT_CHANNEL=6
61
-if [ -f $COMPLETION_FILE ]; then
62
-    if grep -q "Wifi channel:" $COMPLETION_FILE; then
63
-        CHANNEL=$(cat $COMPLETION_FILE | grep "Wifi channel:" | awk -F ':' '{print $2}')
64
-    fi
65
-    sed -i "s|Wifi channel:.*|Wifi channel:${CHANNEL}|g" $COMPLETION_FILE
66
-fi
67
-
68
-ZERONET_PORT=15441
69
-IPFS_PORT=4001
70
-TOX_PORT=33445
71
-TRACKER_PORT=6969
72
-LIBREVAULT_PORT=42345
73
-TAHOELAFS_PORT=50213
74
-GIT_SSB_PORT=7718
75
-NGINX_GIT_SSB_PORT=7719
76
-
77
-# Ethernet bridge definition (bridged to bat0)
78
-BRIDGE=br-mesh
79
-BRIDGE_HOTSPOT=br-hotspot
80
-IFACE=
81
-IFACE_SECONDARY=
82
-EIFACE=eth0
83
-WLAN_ADAPTORS=$(count_wlan)
84
-
85
-if [ $WLAN_ADAPTORS -eq 0 ]; then
86
-    echo $'No wlan adaptors found'
87
-    exit 0
88
-fi
89
-
40
+mesh_protocol_init
90 41
 update_wifi_adaptors
91 42
 
92 43
 if [ ! $IFACE ]; then
@@ -98,33 +49,30 @@ if [ -e /etc/default/batctl ]; then
98 49
     . /etc/default/batctl
99 50
 fi
100 51
 
101
-function get_ipv4_wlan {
102
-    echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
103
-}
104
-
105
-function mesh_hotspot_ip_address {
106
-    echo $(ip -o -f inet addr show dev "${BRIDGE}" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
107
-}
52
+function status {
53
+    batctl o
108 54
 
109
-function global_rate_limit {
110
-    if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
111
-        echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
55
+    if grep -q "bmx6" $MESH_CURRENT_PROTOCOL; then
56
+        bmx6 -c show=originators
112 57
     else
113
-        sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
58
+        bmx7 -c show=originators
114 59
     fi
115
-    sysctl -p -q
116
-}
117
-
118
-function status {
119
-    batctl o
120 60
 }
121 61
 
122 62
 function stop {
63
+    if [ ! -f $MESH_CURRENT_PROTOCOL ]; then
64
+        return
65
+    fi
66
+
123 67
     if [ -z "$IFACE" ]; then
124 68
         echo 'error: unable to find wifi interface, not enabling batman-adv mesh'
125 69
         return
126 70
     fi
127 71
 
72
+    systemctl stop bmx6
73
+    systemctl stop bmx7
74
+    systemctl disable bmx6
75
+    systemctl disable bmx7
128 76
     systemctl stop dnsmasq
129 77
     systemctl disable dnsmasq
130 78
 
@@ -140,8 +88,6 @@ function stop {
140 88
         brctl delbr $BRIDGE
141 89
     fi
142 90
 
143
-    avahi-autoipd -k $BRIDGE
144
-    avahi-autoipd -k $IFACE
145 91
     ifconfig bat0 down -promisc
146 92
 
147 93
     batctl if del $IFACE
@@ -160,46 +106,13 @@ function stop {
160 106
 
161 107
     rmmod batman-adv
162 108
 
163
-    iptables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
164
-    iptables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
165
-    iptables -D INPUT -p tcp --dport 80 -j ACCEPT
166
-    iptables -D INPUT -p udp --dport 80 -j ACCEPT
167
-    iptables -D INPUT -p tcp --dport 548 -j ACCEPT
168
-    iptables -D INPUT -p udp --dport 548 -j ACCEPT
169
-    iptables -D INPUT -p tcp --dport 5353 -j ACCEPT
170
-    iptables -D INPUT -p udp --dport 5353 -j ACCEPT
171
-    iptables -D INPUT -p tcp --dport 5354 -j ACCEPT
172
-    iptables -D INPUT -p udp --dport 5354 -j ACCEPT
173
-    iptables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
174
-    iptables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
175
-    iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
176
-    iptables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
177
-    iptables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
178
-    iptables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
179
-    iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
180
-    iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
181
-    iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
182
-    # SSB/Scuttlebot/Patchwork
183
-    iptables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
184
-    iptables -D INPUT -p udp --dport 8008 -j ACCEPT
185
-    iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
186
-    iptables -D INPUT -p udp --dport 8010 -j ACCEPT
187
-    iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
188
-    # vpn over the internet
189
-    iptables -D INPUT -p tcp --dport 653 -j ACCEPT
190
-    iptables -D INPUT -p udp --dport 653 -j ACCEPT
191
-    iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
192
-    iptables -D INPUT -i tun+ -j ACCEPT
193
-    iptables -D FORWARD -i tun+ -j ACCEPT
194
-    iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
195
-    iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
196
-    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
197
-    iptables -D OUTPUT -o tun+ -j ACCEPT
198
-
199
-    echo 0 > /proc/sys/net/ipv4/ip_forward
200
-    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
109
+    disable_mesh_firewall
201 110
 
202 111
     systemctl restart network-manager
112
+
113
+    if [ -f $MESH_CURRENT_PROTOCOL ]; then
114
+        rm $MESH_CURRENT_PROTOCOL
115
+    fi
203 116
 }
204 117
 
205 118
 function verify {
@@ -215,21 +128,6 @@ function verify {
215 128
     rm $tempfile
216 129
 }
217 130
 
218
-function assign_peer_address {
219
-    for i in {1..6}; do
220
-        number=$RANDOM
221
-        let "number %= 255"
222
-        octet=$(echo "obase=16;$number" | bc)
223
-        if [ ${#octet} -lt 2 ]; then
224
-            octet="0${octet}"
225
-        fi
226
-        if [ $i -gt 1 ]; then
227
-            echo -n ":"
228
-        fi
229
-        echo -n "${octet}"
230
-    done
231
-}
232
-
233 131
 function add_wifi_interface {
234 132
     ifname=$1
235 133
     ifssid=$WIFI_SSID
@@ -261,53 +159,6 @@ function add_wifi_interface {
261 159
     ifconfig $ifname up
262 160
 }
263 161
 
264
-function mesh_create_app_downloads_page {
265
-    if [ ! -d /root/$PROJECT_NAME/image_build/mesh_apps ]; then
266
-        return
267
-    fi
268
-    if [ ! -d /var/www/html ]; then
269
-        return
270
-    fi
271
-    # Don't go straight to cryptpad when navigating to the peer's IP address
272
-    if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
273
-        rm /etc/nginx/sites-enabled/cryptpad
274
-        ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
275
-        if [ -d /etc/cryptpad ]; then
276
-            systemctl stop cryptpad
277
-            systemctl disable cryptpad
278
-        fi
279
-        systemctl restart nginx
280
-    fi
281
-    # Don't show the cryptpad icon on the desktop
282
-    if [ -f /home/fbone/Desktop/cryptpad.desktop ]; then
283
-        mv /home/fbone/Desktop/cryptpad.desktop /home/fbone/.cryptpad.desktop
284
-    fi
285
-
286
-    cp /root/$PROJECT_NAME/website/EN/meshindex.html /var/www/html/index.html
287
-    if [ ! -f /var/www/html/ssb.apk ]; then
288
-        cp /root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk /var/www/html/ssb.apk
289
-    fi
290
-    if [ ! -f /var/www/html/trifa.apk ]; then
291
-        cp /root/$PROJECT_NAME/image_build/mesh_apps/trifa.apk /var/www/html/trifa.apk
292
-    fi
293
-    if [ ! -d /var/www/html/images ]; then
294
-        mkdir /var/www/html/images
295
-    fi
296
-    if [ ! -f /var/www/html/images/logo.png ]; then
297
-        cp /root/$PROJECT_NAME/img/logo.png /var/www/html/images/logo.png
298
-    fi
299
-    if [ ! -f /var/www/html/images/ssb.png ]; then
300
-        cp /root/$PROJECT_NAME/img/icon_patchwork.png /var/www/html/images/ssb.png
301
-    fi
302
-    if [ ! -f /var/www/html/images/trifa.png ]; then
303
-        cp /root/$PROJECT_NAME/img/trifa.png /var/www/html/images/trifa.png
304
-    fi
305
-    if [ ! -f /var/www/html/freedombone.css ]; then
306
-        cp /root/$PROJECT_NAME/website/freedombone.css /var/www/html/freedombone.css
307
-    fi
308
-    chown -R www-data:www-data /var/www/html/*
309
-}
310
-
311 162
 function start {
312 163
     update_wifi_adaptors
313 164
 
@@ -317,6 +168,7 @@ function start {
317 168
     fi
318 169
     echo "info: enabling batman-adv mesh network $WIFI_SSID on $IFACE"
319 170
 
171
+    stop
320 172
     systemctl stop network-manager
321 173
     sleep 5
322 174
 
@@ -348,8 +200,15 @@ function start {
348 200
 
349 201
     modprobe batman-adv
350 202
 
203
+    # avahi on ipv6
204
+    sed -i 's|use-ipv4=.*|use-ipv4=no|g' /etc/avahi/avahi-daemon.conf
205
+    sed -i 's|use-ipv6=.*|use-ipv6=yes|g' /etc/avahi/avahi-daemon.conf
206
+
207
+    sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx6 dev=${IFACE}|g" /etc/systemd/system/bmx6.service
208
+    sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx7 dev=${IFACE}|g" /etc/systemd/system/bmx7.service
209
+    systemctl daemon-reload
210
+
351 211
     add_wifi_interface $IFACE $WIFI_SSID ad-hoc $CHANNEL
352
-    avahi-autoipd --force-bind --daemonize --wait $IFACE
353 212
 
354 213
     # NOTE: Don't connect the secondary wifi device. hostapd will handle that by itself
355 214
 
@@ -367,6 +226,10 @@ function start {
367 226
             ifconfig $EIFACE 0.0.0.0
368 227
             ifconfig $EIFACE up promisc
369 228
             echo $'End of ethernet bridge'
229
+
230
+            sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx6 dev=${IFACE} dev=${EIFACE}|g" /etc/systemd/system/bmx6.service
231
+            sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx7 dev=${IFACE} dev=${EIFACE}|g" /etc/systemd/system/bmx7.service
232
+            systemctl daemon-reload
370 233
         else
371 234
             echo $"$EIFACE is not connected"
372 235
         fi
@@ -374,145 +237,34 @@ function start {
374 237
     ifconfig $BRIDGE up
375 238
     dhclient $BRIDGE
376 239
 
377
-    if [ $secondary_wifi_available ]; then
378
-        sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
379
-
380
-        mesh_hotspot_address=$(mesh_hotspot_ip_address)
381
-        if [[ "$mesh_hotspot_address" == *'.'* ]]; then
382
-            echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
383
-            echo "bridge=${BRIDGE}" >> /etc/hostapd/hostapd.conf
384
-            echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
385
-            echo "country_code=UK" >> /etc/hostapd/hostapd.conf
386
-            echo "ssid=${WIFI_SSID}-${mesh_hotspot_address}" >> /etc/hostapd/hostapd.conf
387
-            echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
388
-            echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
389
-            echo 'wpa=2' >> /etc/hostapd/hostapd.conf
390
-            echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
391
-            echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
392
-            echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
393
-            echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
394
-            echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
395
-            echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
396
-
397
-            sed -i "s|#interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
398
-            sed -i "s|interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
399
-            sed -i "s|listen-address=.*|listen-address=127.0.0.1,$mesh_hotspot_address|g" /etc/dnsmasq.conf
400
-            sed -i 's|#listen-address|listen-address|g' /etc/dnsmasq.conf
401
-            systemctl enable dnsmasq
402
-            systemctl restart dnsmasq
403
-
404
-            systemctl enable hostapd
405
-            systemctl restart hostapd
406
-            mesh_create_app_downloads_page
407
-        else
408
-            secondary_wifi_available=
409
-            echo $'WARNING: No IP address could be obtained for the hotspot'
410
-        fi
411
-    fi
412
-
413
-    if [ ! $secondary_wifi_available ]; then
414
-        systemctl stop hostapd
415
-        systemctl disable hostapd
240
+    enable_mesh_seconary_wifi
416 241
 
417
-        # Recreate the cryptpad symlink
418
-        if [ -f /etc/nginx/sites-available/cryptpad ]; then
419
-            if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
420
-                rm /etc/nginx/sites-enabled/default
421
-            fi
422
-            systemctl enable cryptpad
423
-            systemctl start cryptpad
242
+    enable_mesh_firewall
424 243
 
425
-            if [ ! -L /etc/nginx/sites-enabled/cryptpad ]; then
426
-                ln -s /etc/nginx/sites-available/cryptpad /etc/nginx/sites-enabled/cryptpad
427
-                systemctl restart nginx
428
-            fi
429
-        fi
430
-        if [ -f /home/fbone/.cryptpad.desktop ]; then
431
-            mv /home/fbone/.cryptpad.desktop /home/fbone/Desktop/cryptpad.desktop
432
-        fi
433
-    fi
244
+    enable_mesh_scuttlebot
245
+    enable_mesh_tor
434 246
 
435
-    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
436
-    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
437
-    iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
438
-    iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
439
-    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
440
-    iptables -A INPUT -p udp --dport 80 -j ACCEPT
441
-    iptables -A INPUT -p tcp --dport 548 -j ACCEPT
442
-    iptables -A INPUT -p udp --dport 548 -j ACCEPT
443
-    iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
444
-    iptables -A INPUT -p udp --dport 5353 -j ACCEPT
445
-    iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
446
-    iptables -A INPUT -p udp --dport 5354 -j ACCEPT
447
-    iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
448
-    iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
449
-    iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
450
-    iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
451
-    iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
452
-    iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
453
-    iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
454
-    iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
455
-    # SSB/Scuttlebot/Patchwork
456
-    iptables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
457
-    iptables -A INPUT -p udp --dport 8008 -j ACCEPT
458
-    iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
459
-    iptables -A INPUT -p udp --dport 8010 -j ACCEPT
460
-    iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
461
-    # vpn over the internet
462
-    # Note: the vpn firewall settings are needed in order for Patchwork
463
-    # to discover local peers
464
-    iptables -A INPUT -p tcp --dport 653 -j ACCEPT
465
-    iptables -A INPUT -p udp --dport 653 -j ACCEPT
466
-    iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
467
-    iptables -A INPUT -i tun+ -j ACCEPT
468
-    iptables -A FORWARD -i tun+ -j ACCEPT
469
-    iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
470
-    iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
471
-    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
472
-    iptables -A OUTPUT -o tun+ -j ACCEPT
473
-    echo 1 > /proc/sys/net/ipv4/ip_forward
474
-    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
475
-    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
476
-    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
247
+    sed -i "s|server_name .*|server_name ${HOSTNAME}.local;|g" /etc/nginx/sites-available/git_ssb
477 248
 
478
-    systemctl restart avahi-daemon
249
+    systemctl restart nginx
479 250
 
480
-    if [ -f /etc/scuttlebot/.ssb/config ]; then
481
-        ethernet_connected=$(cat /sys/class/net/eth0/carrier)
482
-        if [[ "$ethernet_connected" != "0" ]]; then
483
-            sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config
484
-            systemctl restart scuttlebot
485
-        else
486
-            if [ ! -f /etc/nginx/sites-available/git_ssb ]; then
487
-                systemctl stop scuttlebot
488
-            else
489
-                systemctl restart scuttlebot
490
-            fi
491
-        fi
251
+    if [ ! -f $MESH_DEFAULT_PROTOCOL ]; then
252
+        echo 'bmx6' > $MESH_DEFAULT_PROTOCOL
492 253
     fi
493 254
 
494
-    # if we have an ethernet connection to an internet router then create
495
-    # an onion address for this peer
496
-    if [[ "$ethernet_connected" != "0" ]]; then
497
-        systemctl enable tor
498
-        systemctl start tor
499
-        HIDDEN_SERVICE_PATH=/var/lib/tor/hidden_service_
500
-        if [ ! -f ${HIDDEN_SERVICE_PATH}mesh/hostname ]; then
501
-            echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}mesh/" >> /etc/tor/torrc
502
-            echo "HiddenServicePort 653 127.0.0.1:653" >> /etc/tor/torrc
503
-            systemctl restart tor
504
-        fi
255
+    if grep -q "bmx6" $MESH_DEFAULT_PROTOCOL; then
256
+        systemctl enable bmx6
257
+        systemctl restart bmx6
505 258
     else
506
-        systemctl stop tor
507
-        systemctl disable tor
259
+        systemctl enable bmx7
260
+        systemctl restart bmx7
508 261
     fi
509 262
 
510
-    sed -i "s|\"host\":.*|\"host\": \"${HOSTNAME}.local\",|g" /etc/scuttlebot/.ssb/config
511
-    sed -i "s|server_name .*|server_name ${HOSTNAME}.local;|g" /etc/nginx/sites-available/git_ssb
512
-    systemctl restart scuttlebot
513
-    systemctl restart nginx
263
+    systemctl restart avahi-daemon
514 264
 
515 265
     verify
266
+
267
+    echo "$(cat $MESH_DEFAULT_PROTOCOL)" > $MESH_CURRENT_PROTOCOL
516 268
 }
517 269
 
518 270
 function monitor {

+ 51
- 36
src/freedombone-mesh-install ファイルの表示

@@ -92,19 +92,19 @@ function show_help {
92 92
 }
93 93
 
94 94
 function mesh_avahi {
95
-    $CHROOT_PREFIX apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
95
+    $CHROOT_PREFIX apt-get -yq install avahi-utils avahi-dnsconfd
96 96
 
97 97
     decarray=( 1 2 3 4 5 6 7 8 9 0 )
98 98
     PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
99 99
     sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
100 100
 
101 101
     if [ ! -d $rootdir/etc/avahi/services ]; then
102
-    mkdir -p $rootdir/etc/avahi/services
102
+        mkdir -p $rootdir/etc/avahi/services
103 103
     fi
104 104
 
105 105
     # remove an avahi service which isn't used
106 106
     if [ -f $rootdir/etc/avahi/services/udisks.service ]; then
107
-    rm $rootdir/etc/avahi/services/udisks.service
107
+        rm $rootdir/etc/avahi/services/udisks.service
108 108
     fi
109 109
 
110 110
     # Add an ssh service
@@ -143,15 +143,15 @@ function install_batman {
143 143
     $CHROOT_PREFIX apt-get -yq install wireless-tools rfkill
144 144
 
145 145
     if ! grep -q "batman_adv" $rootdir/etc/modules; then
146
-    echo 'batman_adv' >> $rootdir/etc/modules
146
+        echo 'batman_adv' >> $rootdir/etc/modules
147 147
     fi
148 148
 
149 149
     BATMAN_SCRIPT=$rootdir/var/lib/batman
150 150
 
151 151
     if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
152
-    cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
152
+        cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
153 153
     else
154
-    cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
154
+        cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
155 155
     fi
156 156
 
157 157
     BATMAN_DAEMON=$rootdir/etc/systemd/system/batman.service
@@ -191,28 +191,43 @@ function mesh_firewall {
191 191
     echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
192 192
     echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
193 193
     echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
194
+    echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
194 195
     echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
196
+    echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
195 197
     echo '' >> $MESH_FIREWALL_SCRIPT
196 198
     echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
197 199
     echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
200
+    echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
198 201
     echo '' >> $MESH_FIREWALL_SCRIPT
199 202
     echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
200 203
     echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
204
+    echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
201 205
     echo '' >> $MESH_FIREWALL_SCRIPT
202 206
     echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
203 207
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
208
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
204 209
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
210
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
205 211
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
212
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
206 213
     echo '' >> $MESH_FIREWALL_SCRIPT
207 214
     echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
208 215
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
216
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
209 217
     echo '' >> $MESH_FIREWALL_SCRIPT
210 218
     echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
211
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
212
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
213
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
214
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
215
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
219
+    echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
220
+
221
+    echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
222
+    echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
223
+    echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
224
+    echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
225
+    echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
226
+    echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
227
+    echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
228
+    echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
229
+    echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
230
+    echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
216 231
     chmod +x $MESH_FIREWALL_SCRIPT
217 232
 
218 233
     echo '[Unit]' > $FIREWALL_FILENAME
@@ -256,29 +271,29 @@ do
256 271
     key="$1"
257 272
 
258 273
     case $key in
259
-    -h|--help)
260
-        show_help
261
-        ;;
262
-    -f|--function)
263
-        shift
264
-        FN="$1"
265
-        ;;
266
-    -r|--rootdir)
267
-        shift
268
-        rootdir="$1"
269
-        CHROOT_PREFIX='chroot "${rootdir}"'
270
-        ;;
271
-    -w|--wifi|--interface)
272
-        shift
273
-        WIFI_INTERFACE="$1"
274
-        ;;
275
-    --remove)
276
-        shift
277
-        REMOVE="$1"
278
-        ;;
279
-    *)
280
-        # unknown option
281
-        ;;
274
+        -h|--help)
275
+            show_help
276
+            ;;
277
+        -f|--function)
278
+            shift
279
+            FN="$1"
280
+            ;;
281
+        -r|--rootdir)
282
+            shift
283
+            rootdir="$1"
284
+            CHROOT_PREFIX='chroot "${rootdir}"'
285
+            ;;
286
+        -w|--wifi|--interface)
287
+            shift
288
+            WIFI_INTERFACE="$1"
289
+            ;;
290
+        --remove)
291
+            shift
292
+            REMOVE="$1"
293
+            ;;
294
+        *)
295
+            # unknown option
296
+            ;;
282 297
 
283 298
     esac
284 299
     shift
@@ -292,9 +307,9 @@ if [[ $FN == 'firewall' ]]; then
292 307
 fi
293 308
 if [[ $FN == 'batman' ]]; then
294 309
     if [[ $REMOVE != 'yes' ]]; then
295
-    install_batman
310
+        install_batman
296 311
     else
297
-    install_batman_remove
312
+        install_batman_remove
298 313
     fi
299 314
 fi
300 315
 if [[ $FN == 'qtox' ]]; then

+ 4
- 0
src/freedombone-mesh-reset ファイルの表示

@@ -34,7 +34,9 @@ export TEXTDOMAINDIR="/usr/share/locale"
34 34
 MESH_INSTALL_COMPLETED=/root/.mesh_setup_completed
35 35
 
36 36
 if ! zenity --question --title=$'New Identity' --text=$"Do you want to reset your identity? This will reset ALL data for this peer, and you will not be able to recover it." --ok-label=No --cancel-label=Yes --width=300; then
37
+
37 38
     sudo batman stop
39
+
38 40
     sudo pkill qtox
39 41
     sudo pkill firefox
40 42
     sudo pkill iceweasel
@@ -42,7 +44,9 @@ if ! zenity --question --title=$'New Identity' --text=$"Do you want to reset you
42 44
     sudo pkill patchwork
43 45
     sudo rm -f $MESH_INSTALL_COMPLETED
44 46
     sudo ${PROJECT_NAME}-image-mesh $USER new
47
+
45 48
     sudo batman start
49
+
46 50
     if [ -f $HOME/mesh-desktop.sh ]; then
47 51
         $HOME/mesh-desktop.sh
48 52
     else

+ 19
- 1
src/freedombone-utils-avahi ファイルの表示

@@ -55,11 +55,29 @@ function create_avahi_service {
55 55
 }
56 56
 
57 57
 function mesh_avahi {
58
-    chroot "$rootdir" apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
58
+    chroot "$rootdir" apt-get -yq install avahi-utils avahi-dnsconfd
59 59
 
60 60
     decarray=( 1 2 3 4 5 6 7 8 9 0 )
61 61
     PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
62 62
     sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
63
+    sed -i "s|use-ipv4=.*|use-ipv4=no|g" $rootdir/etc/avahi/avahi-daemon.conf
64
+    sed -i "s|use-ipv6=.*|use-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
65
+    sed -i "s|#allow-interfaces=.*|allow-interfaces=wlan0, wlan1, wlan2, wlan3, wlan4, wlan5|g" $rootdir/etc/avahi/avahi-daemon.conf
66
+    sed -i "s|allow-interfaces=.*|allow-interfaces=wlan0, wlan1, wlan2, wlan3, wlan4, wlan5|g" $rootdir/etc/avahi/avahi-daemon.conf
67
+    sed -i "s|#deny-interfaces=.*|deny-interfaces=eth0, eth1, eth2, eth3, eth4, eth5|g" $rootdir/etc/avahi/avahi-daemon.conf
68
+    sed -i "s|deny-interfaces=.*|deny-interfaces=eth0, eth1, eth2, eth3, eth4, eth5|g" $rootdir/etc/avahi/avahi-daemon.conf
69
+    sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
70
+    sed -i "s|disallow-other-stacks=.*|disallow-other-stacks=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
71
+    sed -i "s|#publish_addresses=.*|publish_addresses=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
72
+    sed -i "s|publish_addresses=.*|publish_addresses=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
73
+    sed -i "s|#publish-hinfo=.*|publish-hinfo=no|g" $rootdir/etc/avahi/avahi-daemon.conf
74
+    sed -i "s|publish-hinfo=.*|publish-hinfo=no|g" $rootdir/etc/avahi/avahi-daemon.conf
75
+    sed -i "s|#publish-workstation=.*|publish-workstation=no|g" $rootdir/etc/avahi/avahi-daemon.conf
76
+    sed -i "s|publish-workstation=.*|publish-workstation=no|g" $rootdir/etc/avahi/avahi-daemon.conf
77
+    sed -i "s|#publish-domain=.*|publish-domain=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
78
+    sed -i "s|publish-domain=.*|publish-domain=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
79
+    sed -i "s|#publish-a-on-ipv6=.*|publish-a-on-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
80
+    sed -i "s|publish-a-on-ipv6=.*|publish-a-on-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
63 81
 
64 82
     if [ ! -d $rootdir/etc/avahi/services ]; then
65 83
         mkdir -p $rootdir/etc/avahi/services

+ 19
- 5
src/freedombone-utils-firewall ファイルの表示

@@ -350,28 +350,42 @@ function mesh_firewall {
350 350
     echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
351 351
     echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
352 352
     echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
353
+    echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
353 354
     echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
355
+    echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
354 356
     echo '' >> $MESH_FIREWALL_SCRIPT
355 357
     echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
356 358
     echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
359
+    echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
357 360
     echo '' >> $MESH_FIREWALL_SCRIPT
358 361
     echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
359 362
     echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
363
+    echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
360 364
     echo '' >> $MESH_FIREWALL_SCRIPT
361 365
     echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
362 366
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
367
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
363 368
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
369
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
364 370
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
371
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
365 372
     echo '' >> $MESH_FIREWALL_SCRIPT
366 373
     echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
367 374
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
375
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
368 376
     echo '' >> $MESH_FIREWALL_SCRIPT
369 377
     echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
370
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
371
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
372
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
373
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
374
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
378
+    echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
379
+    echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
380
+    echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
381
+    echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
382
+    echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
383
+    echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
384
+    echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
385
+    echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
386
+    echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
387
+    echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
388
+    echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
375 389
     chmod +x $MESH_FIREWALL_SCRIPT
376 390
 
377 391
     echo '[Unit]' > $FIREWALL_FILENAME

+ 1
- 1
src/freedombone-utils-gnusocialtools ファイルの表示

@@ -33,7 +33,7 @@ QVITTER_THEME_REPO="https://github.com/bashrc/Qvitter"
33 33
 QVITTER_THEME_COMMIT='c6f09bda4e45be4290cf7409fa5efb4420538032'
34 34
 
35 35
 PLEROMA_FRONTEND_REPO="https://gitgud.io/lambadalambda/pleroma-fe"
36
-PLEROMA_FRONTEND_COMMIT='cbe652f2d94d81fa54a37378b7ff014c4391ca5e'
36
+PLEROMA_FRONTEND_COMMIT='3b3bbaab822b553f514a62d20d679acc5ce4414a'
37 37
 
38 38
 SHARINGS_REPO="http://github.com/bashrc/Sharings"
39 39
 SHARINGS_COMMIT='0d30fe7d153c7ab44e8459970b8f2b5dec06e43c'

+ 418
- 0
src/freedombone-utils-mesh ファイルの表示

@@ -0,0 +1,418 @@
1
+#!/bin/bash
2
+#
3
+# .---.                  .              .
4
+# |                      |              |
5
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
6
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
7
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
8
+#
9
+#                    Freedom in the Cloud
10
+#
11
+# mesh utilities used by the batman and bmx commands
12
+#
13
+# License
14
+# =======
15
+#
16
+# Copyright (C) 2018 Bob Mottram <bob@freedombone.net>
17
+#
18
+# This program is free software: you can redistribute it and/or modify
19
+# it under the terms of the GNU Affero General Public License as published by
20
+# the Free Software Foundation, either version 3 of the License, or
21
+# (at your option) any later version.
22
+#
23
+# This program is distributed in the hope that it will be useful,
24
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
25
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
26
+# GNU Affero General Public License for more details.
27
+#
28
+# You should have received a copy of the GNU Affero General Public License
29
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
30
+
31
+# File which contains the current protocol in use
32
+MESH_CURRENT_PROTOCOL=/root/.mesh_protocol
33
+MESH_DEFAULT_PROTOCOL=/root/.mesh_protocol_default
34
+
35
+function mesh_protocol_init {
36
+    if [[ $1 == "start" ]]; then
37
+        # install avahi
38
+        sed -i "s|#host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
39
+        sed -i "s|host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
40
+        sed -i "s|use-ipv4=.*|use-ipv4=no|g" /etc/avahi/avahi-daemon.conf
41
+        sed -i "s|use-ipv6=.*|use-ipv6=yes|g" /etc/avahi/avahi-daemon.conf
42
+        sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" /etc/avahi/avahi-daemon.conf
43
+        sed -i "s|hosts:.*|hosts:          files mdns4_minimal dns mdns4 mdns|g" /etc/nsswitch.conf
44
+    fi
45
+
46
+    # Mesh definition
47
+    WIFI_SSID='mesh'
48
+    if [ -f $COMPLETION_FILE ]; then
49
+        if grep -q "WIFI_SSID:" $COMPLETION_FILE; then
50
+            WIFI_SSID=$(cat $COMPLETION_FILE | grep "WIFI_SSID:" | awk -F ':' '{print $2}')
51
+        fi
52
+        sed -i "s|WIFI_SSID:.*|WIFI_SSID:${WIFI_SSID}|g" $COMPLETION_FILE
53
+    fi
54
+    CELLID='any'
55
+
56
+    CHANNEL=2
57
+    HOTSPOT_CHANNEL=6
58
+    if [ -f $COMPLETION_FILE ]; then
59
+        if grep -q "Wifi channel:" $COMPLETION_FILE; then
60
+            CHANNEL=$(cat $COMPLETION_FILE | grep "Wifi channel:" | awk -F ':' '{print $2}')
61
+        fi
62
+        sed -i "s|Wifi channel:.*|Wifi channel:${CHANNEL}|g" $COMPLETION_FILE
63
+    fi
64
+
65
+    ZERONET_PORT=15441
66
+    IPFS_PORT=4001
67
+    TOX_PORT=33445
68
+    TRACKER_PORT=6969
69
+    LIBREVAULT_PORT=42345
70
+    TAHOELAFS_PORT=50213
71
+    GIT_SSB_PORT=7718
72
+    NGINX_GIT_SSB_PORT=7719
73
+
74
+    # Ethernet bridge definition (bridged to bat0)
75
+    BRIDGE=br-mesh
76
+    BRIDGE_HOTSPOT=br-hotspot
77
+    IFACE=
78
+    IFACE_SECONDARY=
79
+    EIFACE=eth0
80
+    WLAN_ADAPTORS=$(count_wlan)
81
+
82
+    if [ $WLAN_ADAPTORS -eq 0 ]; then
83
+        echo $'No wlan adaptors found'
84
+        exit 0
85
+    fi
86
+}
87
+
88
+function get_ipv4_wlan {
89
+    echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
90
+}
91
+
92
+function mesh_hotspot_ip_address {
93
+    echo $(ip -o -f inet addr show dev "${BRIDGE}" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
94
+}
95
+
96
+function global_rate_limit {
97
+    if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
98
+        echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
99
+        echo 'net.ipv6.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
100
+    else
101
+        sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
102
+        sed -i 's|net.ipv6.tcp_challenge_ack_limit.*|net.ipv6.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
103
+    fi
104
+    sysctl -p -q
105
+}
106
+
107
+function assign_peer_address {
108
+    for i in {1..6}; do
109
+        number=$RANDOM
110
+        let "number %= 255"
111
+        octet=$(echo "obase=16;$number" | bc)
112
+        if [ ${#octet} -lt 2 ]; then
113
+            octet="0${octet}"
114
+        fi
115
+        if [ $i -gt 1 ]; then
116
+            echo -n ":"
117
+        fi
118
+        echo -n "${octet}"
119
+    done
120
+}
121
+
122
+function mesh_create_app_downloads_page {
123
+    if [ ! -d /root/$PROJECT_NAME/image_build/mesh_apps ]; then
124
+        return
125
+    fi
126
+    if [ ! -d /var/www/html ]; then
127
+        return
128
+    fi
129
+    # Don't go straight to cryptpad when navigating to the peer's IP address
130
+    if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
131
+        rm /etc/nginx/sites-enabled/cryptpad
132
+        ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
133
+        if [ -d /etc/cryptpad ]; then
134
+            systemctl stop cryptpad
135
+            systemctl disable cryptpad
136
+        fi
137
+        systemctl restart nginx
138
+    fi
139
+    # Don't show the cryptpad icon on the desktop
140
+    if [ -f /home/fbone/Desktop/cryptpad.desktop ]; then
141
+        mv /home/fbone/Desktop/cryptpad.desktop /home/fbone/.cryptpad.desktop
142
+    fi
143
+
144
+    cp /root/$PROJECT_NAME/website/EN/meshindex.html /var/www/html/index.html
145
+    if [ ! -f /var/www/html/ssb.apk ]; then
146
+        cp /root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk /var/www/html/ssb.apk
147
+    fi
148
+    if [ ! -f /var/www/html/trifa.apk ]; then
149
+        cp /root/$PROJECT_NAME/image_build/mesh_apps/trifa.apk /var/www/html/trifa.apk
150
+    fi
151
+    if [ ! -d /var/www/html/images ]; then
152
+        mkdir /var/www/html/images
153
+    fi
154
+    if [ ! -f /var/www/html/images/logo.png ]; then
155
+        cp /root/$PROJECT_NAME/img/logo.png /var/www/html/images/logo.png
156
+    fi
157
+    if [ ! -f /var/www/html/images/ssb.png ]; then
158
+        cp /root/$PROJECT_NAME/img/icon_patchwork.png /var/www/html/images/ssb.png
159
+    fi
160
+    if [ ! -f /var/www/html/images/trifa.png ]; then
161
+        cp /root/$PROJECT_NAME/img/trifa.png /var/www/html/images/trifa.png
162
+    fi
163
+    if [ ! -f /var/www/html/freedombone.css ]; then
164
+        cp /root/$PROJECT_NAME/website/freedombone.css /var/www/html/freedombone.css
165
+    fi
166
+    chown -R www-data:www-data /var/www/html/*
167
+}
168
+
169
+function enable_mesh_firewall {
170
+    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
171
+    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
172
+    iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
173
+    iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
174
+    iptables -A INPUT -p udp --dport 6240 -j ACCEPT
175
+    iptables -A INPUT -p tcp --dport 6240 -j ACCEPT
176
+    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
177
+    iptables -A INPUT -p udp --dport 80 -j ACCEPT
178
+    iptables -A INPUT -p tcp --dport 548 -j ACCEPT
179
+    iptables -A INPUT -p udp --dport 548 -j ACCEPT
180
+    iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
181
+    iptables -A INPUT -p udp --dport 5353 -j ACCEPT
182
+    iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
183
+    iptables -A INPUT -p udp --dport 5354 -j ACCEPT
184
+    iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
185
+    iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
186
+    iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
187
+    iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
188
+    iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
189
+    iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
190
+    iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
191
+    iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
192
+    # SSB/Scuttlebot/Patchwork
193
+    iptables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
194
+    iptables -A INPUT -p udp --dport 8008 -j ACCEPT
195
+    iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
196
+    iptables -A INPUT -p udp --dport 8010 -j ACCEPT
197
+    iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
198
+
199
+
200
+    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
201
+    ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
202
+    ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
203
+    ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
204
+    ip6tables -A INPUT -p udp --dport 6240 -j ACCEPT
205
+    ip6tables -A INPUT -p tcp --dport 6240 -j ACCEPT
206
+    ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
207
+    ip6tables -A INPUT -p udp --dport 80 -j ACCEPT
208
+    ip6tables -A INPUT -p tcp --dport 548 -j ACCEPT
209
+    ip6tables -A INPUT -p udp --dport 548 -j ACCEPT
210
+    ip6tables -A INPUT -p tcp --dport 5353 -j ACCEPT
211
+    ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
212
+    ip6tables -A INPUT -p tcp --dport 5354 -j ACCEPT
213
+    ip6tables -A INPUT -p udp --dport 5354 -j ACCEPT
214
+    ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
215
+    ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
216
+    ip6tables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
217
+    ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
218
+    ip6tables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
219
+    ip6tables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
220
+    ip6tables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
221
+    ip6tables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
222
+    # SSB/Scuttlebot/Patchwork
223
+    ip6tables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
224
+    ip6tables -A INPUT -p udp --dport 8008 -j ACCEPT
225
+    ip6tables -A INPUT -p tcp --dport 8008 -j ACCEPT
226
+    ip6tables -A INPUT -p udp --dport 8010 -j ACCEPT
227
+    ip6tables -A INPUT -p tcp --dport 8010 -j ACCEPT
228
+
229
+
230
+    # vpn over the internet
231
+    # Note: the vpn firewall settings are needed in order for Patchwork
232
+    # to discover local peers
233
+    iptables -A INPUT -p tcp --dport 653 -j ACCEPT
234
+    iptables -A INPUT -p udp --dport 653 -j ACCEPT
235
+    iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
236
+    iptables -A INPUT -i tun+ -j ACCEPT
237
+    iptables -A FORWARD -i tun+ -j ACCEPT
238
+    iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
239
+    iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
240
+    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
241
+    iptables -A OUTPUT -o tun+ -j ACCEPT
242
+    echo 1 > /proc/sys/net/ipv4/ip_forward
243
+    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
244
+    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
245
+    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
246
+}
247
+
248
+function disable_mesh_firewall {
249
+    iptables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
250
+    iptables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
251
+    iptables -D INPUT -p udp --dport 6240 -j ACCEPT
252
+    iptables -D INPUT -p tcp --dport 6240 -j ACCEPT
253
+    iptables -D INPUT -p tcp --dport 80 -j ACCEPT
254
+    iptables -D INPUT -p udp --dport 80 -j ACCEPT
255
+    iptables -D INPUT -p tcp --dport 548 -j ACCEPT
256
+    iptables -D INPUT -p udp --dport 548 -j ACCEPT
257
+    iptables -D INPUT -p tcp --dport 5353 -j ACCEPT
258
+    iptables -D INPUT -p udp --dport 5353 -j ACCEPT
259
+    iptables -D INPUT -p tcp --dport 5354 -j ACCEPT
260
+    iptables -D INPUT -p udp --dport 5354 -j ACCEPT
261
+    iptables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
262
+    iptables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
263
+    iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
264
+    iptables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
265
+    iptables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
266
+    iptables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
267
+    iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
268
+    iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
269
+    iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
270
+    # SSB/Scuttlebot/Patchwork
271
+    iptables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
272
+    iptables -D INPUT -p udp --dport 8008 -j ACCEPT
273
+    iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
274
+    iptables -D INPUT -p udp --dport 8010 -j ACCEPT
275
+    iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
276
+
277
+
278
+    ip6tables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
279
+    ip6tables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
280
+    ip6tables -D INPUT -p udp --dport 6240 -j ACCEPT
281
+    ip6tables -D INPUT -p tcp --dport 6240 -j ACCEPT
282
+    ip6tables -D INPUT -p tcp --dport 80 -j ACCEPT
283
+    ip6tables -D INPUT -p udp --dport 80 -j ACCEPT
284
+    ip6tables -D INPUT -p tcp --dport 548 -j ACCEPT
285
+    ip6tables -D INPUT -p udp --dport 548 -j ACCEPT
286
+    ip6tables -D INPUT -p tcp --dport 5353 -j ACCEPT
287
+    ip6tables -D INPUT -p udp --dport 5353 -j ACCEPT
288
+    ip6tables -D INPUT -p tcp --dport 5354 -j ACCEPT
289
+    ip6tables -D INPUT -p udp --dport 5354 -j ACCEPT
290
+    ip6tables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
291
+    ip6tables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
292
+    ip6tables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
293
+    ip6tables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
294
+    ip6tables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
295
+    ip6tables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
296
+    ip6tables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
297
+    ip6tables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
298
+    ip6tables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
299
+    # SSB/Scuttlebot/Patchwork
300
+    ip6tables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
301
+    ip6tables -D INPUT -p udp --dport 8008 -j ACCEPT
302
+    ip6tables -D INPUT -p tcp --dport 8008 -j ACCEPT
303
+    ip6tables -D INPUT -p udp --dport 8010 -j ACCEPT
304
+    ip6tables -D INPUT -p tcp --dport 8010 -j ACCEPT
305
+
306
+
307
+    # vpn over the internet
308
+    iptables -D INPUT -p tcp --dport 653 -j ACCEPT
309
+    iptables -D INPUT -p udp --dport 653 -j ACCEPT
310
+    iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
311
+    iptables -D INPUT -i tun+ -j ACCEPT
312
+    iptables -D FORWARD -i tun+ -j ACCEPT
313
+    iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
314
+    iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
315
+    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
316
+    iptables -D OUTPUT -o tun+ -j ACCEPT
317
+
318
+    echo 0 > /proc/sys/net/ipv4/ip_forward
319
+    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
320
+}
321
+
322
+function enable_mesh_scuttlebot {
323
+    if [ -f /etc/scuttlebot/.ssb/config ]; then
324
+        ethernet_connected=$(cat /sys/class/net/eth0/carrier)
325
+        if [[ "$ethernet_connected" != "0" ]]; then
326
+            sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config
327
+            systemctl restart scuttlebot
328
+        else
329
+            if [ ! -f /etc/nginx/sites-available/git_ssb ]; then
330
+                systemctl stop scuttlebot
331
+            else
332
+                systemctl restart scuttlebot
333
+            fi
334
+        fi
335
+    fi
336
+    sed -i "s|\"host\":.*|\"host\": \"${HOSTNAME}.local\",|g" /etc/scuttlebot/.ssb/config
337
+    systemctl restart scuttlebot
338
+}
339
+
340
+function enable_mesh_tor {
341
+    # if we have an ethernet connection to an internet router then create
342
+    # an onion address for this peer
343
+    if [[ "$ethernet_connected" != "0" ]]; then
344
+        systemctl enable tor
345
+        systemctl start tor
346
+        HIDDEN_SERVICE_PATH=/var/lib/tor/hidden_service_
347
+        if [ ! -f ${HIDDEN_SERVICE_PATH}mesh/hostname ]; then
348
+            echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}mesh/" >> /etc/tor/torrc
349
+            echo "HiddenServicePort 653 127.0.0.1:653" >> /etc/tor/torrc
350
+            systemctl restart tor
351
+        fi
352
+    else
353
+        systemctl stop tor
354
+        systemctl disable tor
355
+    fi
356
+}
357
+
358
+function enable_mesh_seconary_wifi {
359
+    if [ $secondary_wifi_available ]; then
360
+        sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
361
+
362
+        mesh_hotspot_address=$(mesh_hotspot_ip_address)
363
+        if [[ "$mesh_hotspot_address" == *'.'* ]]; then
364
+            echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
365
+            echo "bridge=${BRIDGE}" >> /etc/hostapd/hostapd.conf
366
+            echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
367
+            echo "country_code=UK" >> /etc/hostapd/hostapd.conf
368
+            echo "ssid=${WIFI_SSID}-${mesh_hotspot_address}" >> /etc/hostapd/hostapd.conf
369
+            echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
370
+            echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
371
+            echo 'wpa=2' >> /etc/hostapd/hostapd.conf
372
+            echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
373
+            echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
374
+            echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
375
+            echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
376
+            echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
377
+            echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
378
+
379
+            sed -i "s|#interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
380
+            sed -i "s|interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
381
+            sed -i "s|listen-address=.*|listen-address=127.0.0.1,$mesh_hotspot_address|g" /etc/dnsmasq.conf
382
+            sed -i 's|#listen-address|listen-address|g' /etc/dnsmasq.conf
383
+            systemctl enable dnsmasq
384
+            systemctl restart dnsmasq
385
+
386
+            systemctl enable hostapd
387
+            systemctl restart hostapd
388
+            mesh_create_app_downloads_page
389
+        else
390
+            secondary_wifi_available=
391
+            echo $'WARNING: No IP address could be obtained for the hotspot'
392
+        fi
393
+    fi
394
+
395
+    if [ ! $secondary_wifi_available ]; then
396
+        systemctl stop hostapd
397
+        systemctl disable hostapd
398
+
399
+        # Recreate the cryptpad symlink
400
+        if [ -f /etc/nginx/sites-available/cryptpad ]; then
401
+            if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
402
+                rm /etc/nginx/sites-enabled/default
403
+            fi
404
+            systemctl enable cryptpad
405
+            systemctl start cryptpad
406
+
407
+            if [ ! -L /etc/nginx/sites-enabled/cryptpad ]; then
408
+                ln -s /etc/nginx/sites-available/cryptpad /etc/nginx/sites-enabled/cryptpad
409
+                systemctl restart nginx
410
+            fi
411
+        fi
412
+        if [ -f /home/fbone/.cryptpad.desktop ]; then
413
+            mv /home/fbone/.cryptpad.desktop /home/fbone/Desktop/cryptpad.desktop
414
+        fi
415
+    fi
416
+}
417
+
418
+# NOTE: deliberately there is no "exit 0"

+ 1
- 1
src/freedombone-utils-setup ファイルの表示

@@ -263,7 +263,7 @@ function initial_setup {
263 263
     apt-get -yq install cryptsetup libgfshare-bin duplicity sshpass wget avahi-daemon
264 264
     apt-get -yq install avahi-utils avahi-discover connect-proxy openssh-server
265 265
     apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
266
-    apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
266
+    apt-get -yq install avahi-discover iptables dnsutils net-tools
267 267
     apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
268 268
     apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
269 269
     apt-get -yq install wireless-tools wpasupplicant usbutils zsh cpulimit screen

+ 1
- 1
src/freedombone-utils-wifi ファイルの表示

@@ -216,7 +216,7 @@ function update_wifi_adaptors {
216 216
     IFACE_SECONDARY=
217 217
 
218 218
     for i in $(seq 10 -1 0); do
219
-        ifdown --force wlan${i}
219
+        ifdown --force wlan${i} 2> /dev/null
220 220
     done
221 221
 
222 222
     for i in $(seq 10 -1 0); do

+ 144
- 128
website/EN/faq.html ファイルの表示

@@ -3,7 +3,7 @@
3 3
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4 4
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
5 5
 <head>
6
-<!-- 2017-12-30 Sat 15:48 -->
6
+<!-- 2018-01-11 Thu 20:57 -->
7 7
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
8 8
 <meta name="viewport" content="width=device-width, initial-scale=1" />
9 9
 <title>&lrm;</title>
@@ -264,139 +264,143 @@ for the JavaScript code in this tag.
264 264
 </colgroup>
265 265
 <tbody>
266 266
 <tr>
267
-<td class="org-left"><a href="#org416597b">What applications are supported?</a></td>
267
+<td class="org-left"><a href="#org3b9d551">What applications are supported?</a></td>
268 268
 </tr>
269 269
 
270 270
 <tr>
271
-<td class="org-left"><a href="#org719e222">I don't have a static IP address. Can I still install this system?</a></td>
271
+<td class="org-left"><a href="#orgdcdffc6">I don't have a static IP address. Can I still install this system?</a></td>
272 272
 </tr>
273 273
 
274 274
 <tr>
275
-<td class="org-left"><a href="#org997ae78">Why Freedombone and not FreedomBox?</a></td>
275
+<td class="org-left"><a href="#org04dca90">Why Freedombone and not FreedomBox?</a></td>
276 276
 </tr>
277 277
 
278 278
 <tr>
279
-<td class="org-left"><a href="#org0fe5706">Why not support building images for Raspberry Pi?</a></td>
279
+<td class="org-left"><a href="#org250c12d">Why not support building images for Raspberry Pi?</a></td>
280 280
 </tr>
281 281
 
282 282
 <tr>
283
-<td class="org-left"><a href="#orgf565b16">Why use Tor? I've heard it's used by bad people</a></td>
283
+<td class="org-left"><a href="#orgd5c1184">Why use Tor? I've heard it's used by bad people</a></td>
284 284
 </tr>
285 285
 
286 286
 <tr>
287
-<td class="org-left"><a href="#orgac61490">How is Tor integrated with Freedombone?</a></td>
287
+<td class="org-left"><a href="#org9591a28">How is Tor integrated with Freedombone?</a></td>
288 288
 </tr>
289 289
 
290 290
 <tr>
291
-<td class="org-left"><a href="#orgbe35250">Can I add a clearnet domain to an onion build?</a></td>
291
+<td class="org-left"><a href="#orgda2b251">Can I add a clearnet domain to an onion build?</a></td>
292 292
 </tr>
293 293
 
294 294
 <tr>
295
-<td class="org-left"><a href="#org1ea193b">Why use Github?</a></td>
295
+<td class="org-left"><a href="#org2fcade7">Why use Github?</a></td>
296 296
 </tr>
297 297
 
298 298
 <tr>
299
-<td class="org-left"><a href="#org7057def">Keys and emails should not be stored on servers. Why do you do that?</a></td>
299
+<td class="org-left"><a href="#orgc5b7d76">Should I upload my GPG keys to keybase.io?</a></td>
300 300
 </tr>
301 301
 
302 302
 <tr>
303
-<td class="org-left"><a href="#orge669711">Why can't I access my .onion site with a Tor browser?</a></td>
303
+<td class="org-left"><a href="#org1b54432">Keys and emails should not be stored on servers. Why do you do that?</a></td>
304 304
 </tr>
305 305
 
306 306
 <tr>
307
-<td class="org-left"><a href="#orgdb3b7a6">What is the best hardware to run this system on?</a></td>
307
+<td class="org-left"><a href="#orgd51af85">Why can't I access my .onion site with a Tor browser?</a></td>
308 308
 </tr>
309 309
 
310 310
 <tr>
311
-<td class="org-left"><a href="#orgf1c38a0">Can I add more users to the system?</a></td>
311
+<td class="org-left"><a href="#org4585a4a">What is the best hardware to run this system on?</a></td>
312 312
 </tr>
313 313
 
314 314
 <tr>
315
-<td class="org-left"><a href="#orgd32f191">Why not use Signal for mobile chat?</a></td>
315
+<td class="org-left"><a href="#org12ce8ec">Can I add more users to the system?</a></td>
316 316
 </tr>
317 317
 
318 318
 <tr>
319
-<td class="org-left"><a href="#org16a21bb">What is the most secure chat app to use on mobile?</a></td>
319
+<td class="org-left"><a href="#org6e6f0bd">Why not use Signal for mobile chat?</a></td>
320 320
 </tr>
321 321
 
322 322
 <tr>
323
-<td class="org-left"><a href="#org279eac7">How do I remove a user from the system?</a></td>
323
+<td class="org-left"><a href="#orgb8a6086">What is the most secure chat app to use on mobile?</a></td>
324 324
 </tr>
325 325
 
326 326
 <tr>
327
-<td class="org-left"><a href="#org12ac09e">Why is logging for web sites turned off by default?</a></td>
327
+<td class="org-left"><a href="#orgd46fade">How do I remove a user from the system?</a></td>
328 328
 </tr>
329 329
 
330 330
 <tr>
331
-<td class="org-left"><a href="#org5e9d3c7">How do I reset the tripwire?</a></td>
331
+<td class="org-left"><a href="#org7fc4d88">Why is logging for web sites turned off by default?</a></td>
332 332
 </tr>
333 333
 
334 334
 <tr>
335
-<td class="org-left"><a href="#org0613054">Is metadata protected?</a></td>
335
+<td class="org-left"><a href="#orge1a3788">How do I reset the tripwire?</a></td>
336 336
 </tr>
337 337
 
338 338
 <tr>
339
-<td class="org-left"><a href="#orgdf75721">How do I create email processing rules?</a></td>
339
+<td class="org-left"><a href="#org572f545">Is metadata protected?</a></td>
340 340
 </tr>
341 341
 
342 342
 <tr>
343
-<td class="org-left"><a href="#org5b21211">Why isn't dynamic DNS working?</a></td>
343
+<td class="org-left"><a href="#org733a91b">How do I create email processing rules?</a></td>
344 344
 </tr>
345 345
 
346 346
 <tr>
347
-<td class="org-left"><a href="#org929e4ae">How do I change my encryption settings?</a></td>
347
+<td class="org-left"><a href="#org78eef24">Why isn't dynamic DNS working?</a></td>
348 348
 </tr>
349 349
 
350 350
 <tr>
351
-<td class="org-left"><a href="#org087d147">How do I get a domain name?</a></td>
351
+<td class="org-left"><a href="#org2c06ab3">How do I change my encryption settings?</a></td>
352 352
 </tr>
353 353
 
354 354
 <tr>
355
-<td class="org-left"><a href="#org4bb381a">How do I get a "real" SSL/TLS/HTTPS certificate?</a></td>
355
+<td class="org-left"><a href="#org5afac46">How do I get a domain name?</a></td>
356 356
 </tr>
357 357
 
358 358
 <tr>
359
-<td class="org-left"><a href="#orgfbd420c">How do I renew a Let's Encrypt certificate?</a></td>
359
+<td class="org-left"><a href="#org438f36d">How do I get a "real" SSL/TLS/HTTPS certificate?</a></td>
360 360
 </tr>
361 361
 
362 362
 <tr>
363
-<td class="org-left"><a href="#orgdaf57b7">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</a></td>
363
+<td class="org-left"><a href="#orge32e913">How do I renew a Let's Encrypt certificate?</a></td>
364 364
 </tr>
365 365
 
366 366
 <tr>
367
-<td class="org-left"><a href="#org9fde76d">Why not use the services of $company instead? They took the Seppuku pledge</a></td>
367
+<td class="org-left"><a href="#org44f909f">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</a></td>
368 368
 </tr>
369 369
 
370 370
 <tr>
371
-<td class="org-left"><a href="#org71ce92c">Why does my email keep getting rejected as spam by Gmail/etc?</a></td>
371
+<td class="org-left"><a href="#org27439c3">Why not use the services of $company instead? They took the Seppuku pledge</a></td>
372 372
 </tr>
373 373
 
374 374
 <tr>
375
-<td class="org-left"><a href="#org1bd542d">Tor is censored/blocked in my area. What can I do?</a></td>
375
+<td class="org-left"><a href="#org00d41d3">Why does my email keep getting rejected as spam by Gmail/etc?</a></td>
376 376
 </tr>
377 377
 
378 378
 <tr>
379
-<td class="org-left"><a href="#orgcf6a401">I want to block a particular domain from getting its content into my social network sites</a></td>
379
+<td class="org-left"><a href="#org7ab9062">Tor is censored/blocked in my area. What can I do?</a></td>
380 380
 </tr>
381 381
 
382 382
 <tr>
383
-<td class="org-left"><a href="#org39004fe">The mesh system doesn't boot from USB drive</a></td>
383
+<td class="org-left"><a href="#org5cd6bab">I want to block a particular domain from getting its content into my social network sites</a></td>
384
+</tr>
385
+
386
+<tr>
387
+<td class="org-left"><a href="#orgafedf35">The mesh system doesn't boot from USB drive</a></td>
384 388
 </tr>
385 389
 </tbody>
386 390
 </table>
387 391
 </div>
388 392
 
389
-<div id="outline-container-org416597b" class="outline-2">
390
-<h2 id="org416597b">What applications are supported?</h2>
391
-<div class="outline-text-2" id="text-org416597b">
393
+<div id="outline-container-org3b9d551" class="outline-2">
394
+<h2 id="org3b9d551">What applications are supported?</h2>
395
+<div class="outline-text-2" id="text-org3b9d551">
392 396
 <p>
393 397
 <a href="./apps.html">See here</a> for the complete list of apps. In addition to those as part of the base install you get an email server.
394 398
 </p>
395 399
 </div>
396 400
 </div>
397
-<div id="outline-container-org719e222" class="outline-2">
398
-<h2 id="org719e222">I don't have a static IP address. Can I still install this system?</h2>
399
-<div class="outline-text-2" id="text-org719e222">
401
+<div id="outline-container-orgdcdffc6" class="outline-2">
402
+<h2 id="orgdcdffc6">I don't have a static IP address. Can I still install this system?</h2>
403
+<div class="outline-text-2" id="text-orgdcdffc6">
400 404
 <p>
401 405
 Yes. The minimum requirements are to have some hardware that you can install Debian onto and also that you have administrator access to your internet router so that you can forward ports to the system which has Freedombone installed.
402 406
 </p>
@@ -406,17 +410,17 @@ The lack of a static IP address can be worked around by using a dynamic DNS serv
406 410
 </p>
407 411
 </div>
408 412
 </div>
409
-<div id="outline-container-org997ae78" class="outline-2">
410
-<h2 id="org997ae78">Why Freedombone and not FreedomBox?</h2>
411
-<div class="outline-text-2" id="text-org997ae78">
413
+<div id="outline-container-org04dca90" class="outline-2">
414
+<h2 id="org04dca90">Why Freedombone and not FreedomBox?</h2>
415
+<div class="outline-text-2" id="text-org04dca90">
412 416
 <p>
413 417
 When the project began in late 2013 the FreedomBox project seemed to be going nowhere, and was only designed to work with the DreamPlug hardware. There was some new hardware out - the Beaglebone Black - which could run Debian and was also a free hardware design so seemed more appropriate. Hence the name "Freedombone", being like FreedomBox but on a Beaglebone. There are some similarities and differences between the two projects:
414 418
 </p>
415 419
 </div>
416 420
 
417
-<div id="outline-container-org33179aa" class="outline-3">
418
-<h3 id="org33179aa">Similarities</h3>
419
-<div class="outline-text-3" id="text-org33179aa">
421
+<div id="outline-container-org306add8" class="outline-3">
422
+<h3 id="org306add8">Similarities</h3>
423
+<div class="outline-text-3" id="text-org306add8">
420 424
 <ul class="org-ul">
421 425
 <li>Uses freedom-maker and vmdebootstrap to build debian images</li>
422 426
 <li>Supports the use of Tor onion addresses to access websites</li>
@@ -430,9 +434,9 @@ When the project began in late 2013 the FreedomBox project seemed to be going no
430 434
 </ul>
431 435
 </div>
432 436
 </div>
433
-<div id="outline-container-orgc193b4e" class="outline-3">
434
-<h3 id="orgc193b4e">Differences</h3>
435
-<div class="outline-text-3" id="text-orgc193b4e">
437
+<div id="outline-container-orge8d4938" class="outline-3">
438
+<h3 id="orge8d4938">Differences</h3>
439
+<div class="outline-text-3" id="text-orge8d4938">
436 440
 <ul class="org-ul">
437 441
 <li>FreedomBox is a Debian pure blend. Freedombone is not</li>
438 442
 <li>Freedombone only supports Free Software. FreedomBox includes some closed binary boot blobs for certain ARM boards</li>
@@ -447,9 +451,9 @@ When the project began in late 2013 the FreedomBox project seemed to be going no
447 451
 </div>
448 452
 </div>
449 453
 </div>
450
-<div id="outline-container-org0fe5706" class="outline-2">
451
-<h2 id="org0fe5706">Why not support building images for Raspberry Pi?</h2>
452
-<div class="outline-text-2" id="text-org0fe5706">
454
+<div id="outline-container-org250c12d" class="outline-2">
455
+<h2 id="org250c12d">Why not support building images for Raspberry Pi?</h2>
456
+<div class="outline-text-2" id="text-org250c12d">
453 457
 <p>
454 458
 The FreedomBox project supports Raspberry Pi builds, and the image build system for Freedombone is based on the same system. However, although the Raspberry Pi can run a version of Debian it requires a closed proprietary blob in order to boot the hardware. Who knows what that blob might contain or what exploits it could facilitate. From an adversarial point of view if you were trying to deliver "bulk equipment interference" then it doesn't get any better than piggybacking on something which has control of the boot process, and hence all subsequently run processes.
455 459
 </p>
@@ -459,9 +463,9 @@ So although the Raspberry Pi is cheap and hugely popular it's not supported by t
459 463
 </p>
460 464
 </div>
461 465
 </div>
462
-<div id="outline-container-orgf565b16" class="outline-2">
463
-<h2 id="orgf565b16">Why use Tor? I've heard it's used by bad people</h2>
464
-<div class="outline-text-2" id="text-orgf565b16">
466
+<div id="outline-container-orgd5c1184" class="outline-2">
467
+<h2 id="orgd5c1184">Why use Tor? I've heard it's used by bad people</h2>
468
+<div class="outline-text-2" id="text-orgd5c1184">
465 469
 <p>
466 470
 Years ago Tor was usually depicted in the mainstream media as something scary inhabited by cyberterrorists and other bad cybers, but today to a large extent Tor is accepted as just another way of routing data in a network. Depending upon where you live there may still be some amount of fearmongering about Tor, but it now seems clear that the trajectory is towards general acceptance.
467 471
 </p>
@@ -482,9 +486,9 @@ On the negative side it's a complex system which is not fully decentralized.
482 486
 </p>
483 487
 </div>
484 488
 </div>
485
-<div id="outline-container-orgac61490" class="outline-2">
486
-<h2 id="orgac61490">How is Tor integrated with Freedombone?</h2>
487
-<div class="outline-text-2" id="text-orgac61490">
489
+<div id="outline-container-org9591a28" class="outline-2">
490
+<h2 id="org9591a28">How is Tor integrated with Freedombone?</h2>
491
+<div class="outline-text-2" id="text-org9591a28">
488 492
 <p>
489 493
 Within this project Tor is used more to provide <i>accessibility</i> than the <i>anonymity</i> factor for which Tor is better known. The onion address system provides a way of being able to access sites even if you don't own a conventional domain name or don't have administrator access to your local internet router to be able to do port forwarding.
490 494
 </p>
@@ -502,17 +506,17 @@ Even if you're running the "onion only" build, this only means that sites are ac
502 506
 </p>
503 507
 </div>
504 508
 </div>
505
-<div id="outline-container-orgbe35250" class="outline-2">
506
-<h2 id="orgbe35250">Can I add a clearnet domain to an onion build?</h2>
507
-<div class="outline-text-2" id="text-orgbe35250">
509
+<div id="outline-container-orgda2b251" class="outline-2">
510
+<h2 id="orgda2b251">Can I add a clearnet domain to an onion build?</h2>
511
+<div class="outline-text-2" id="text-orgda2b251">
508 512
 <p>
509 513
 You could if you manually edited the relevant nginx configuration files and installed some dynamic DNS system yourself. If you already have sysadmin knowledge then that's probably not too hard. But the builds created with the <b>onion-addresses-only</b> option aren't really intended to support access via clearnet domains.
510 514
 </p>
511 515
 </div>
512 516
 </div>
513
-<div id="outline-container-org1ea193b" class="outline-2">
514
-<h2 id="org1ea193b">Why use Github?</h2>
515
-<div class="outline-text-2" id="text-org1ea193b">
517
+<div id="outline-container-org2fcade7" class="outline-2">
518
+<h2 id="org2fcade7">Why use Github?</h2>
519
+<div class="outline-text-2" id="text-org2fcade7">
516 520
 <p>
517 521
 Github is paradoxically a centralized, closed and proprietary system which happens to mostly host free and open source projects. Up until now it has been relatively benign, but at some point in the name of "growth" it will likely start becoming more evil, or just become like SourceForge - which was also once much loved by FOSS developers, but turned into a den of malvertizing.
518 522
 </p>
@@ -530,9 +534,21 @@ Currently many of the repositories used for applications which are not yet packa
530 534
 </p>
531 535
 </div>
532 536
 </div>
533
-<div id="outline-container-org7057def" class="outline-2">
534
-<h2 id="org7057def">Keys and emails should not be stored on servers. Why do you do that?</h2>
535
-<div class="outline-text-2" id="text-org7057def">
537
+<div id="outline-container-orgc5b7d76" class="outline-2">
538
+<h2 id="orgc5b7d76">Should I upload my GPG keys to keybase.io?</h2>
539
+<div class="outline-text-2" id="text-orgc5b7d76">
540
+<p>
541
+It's not recommended unless there exists some compelling reason for you to be on there. That site asks users to upload the <b>private keys</b>, and even if the keys are client side encrypted with a passphrase there's always the chance that there will be a data leak in future and letter agencies will then have a full time opportunity to crack the passphrases.
542
+</p>
543
+
544
+<p>
545
+Saying something resembling <i>"only noobs will use crackable private key passphrases"</i> isn't good enough. A passphrase should not be considered to be a substitute for a private key.
546
+</p>
547
+</div>
548
+</div>
549
+<div id="outline-container-org1b54432" class="outline-2">
550
+<h2 id="org1b54432">Keys and emails should not be stored on servers. Why do you do that?</h2>
551
+<div class="outline-text-2" id="text-org1b54432">
536 552
 <p>
537 553
 Ordinarily this is good advice. However, the threat model for a device in your home is different from the one for a generic server in a massive warehouse. Compare and contrast:
538 554
 </p>
@@ -590,9 +606,9 @@ In the home environment a box with a good firewall and no GUI components install
590 606
 </div>
591 607
 </div>
592 608
 
593
-<div id="outline-container-orge669711" class="outline-2">
594
-<h2 id="orge669711">Why can't I access my .onion site with a Tor browser?</h2>
595
-<div class="outline-text-2" id="text-orge669711">
609
+<div id="outline-container-orgd51af85" class="outline-2">
610
+<h2 id="orgd51af85">Why can't I access my .onion site with a Tor browser?</h2>
611
+<div class="outline-text-2" id="text-orgd51af85">
596 612
 <p>
597 613
 Probably you need to add the site to the NoScript whitelist. Typically click/press on the noscript icon (or select from the menu on mobile) then select <i>whitelist</i> and add the site URL. You may also need to disable HTTPS Everywhere when using onion addresses, which don't use https.
598 614
 </p>
@@ -602,9 +618,9 @@ Another factor to be aware of is that it can take a while for the onion address
602 618
 </p>
603 619
 </div>
604 620
 </div>
605
-<div id="outline-container-orgdb3b7a6" class="outline-2">
606
-<h2 id="orgdb3b7a6">What is the best hardware to run this system on?</h2>
607
-<div class="outline-text-2" id="text-orgdb3b7a6">
621
+<div id="outline-container-org4585a4a" class="outline-2">
622
+<h2 id="org4585a4a">What is the best hardware to run this system on?</h2>
623
+<div class="outline-text-2" id="text-org4585a4a">
608 624
 <p>
609 625
 It was originally designed to run on the Beaglebone Black, but that should be regarded as the most minimal system, because it's single core and has by today's standards a small amount of memory. Obviously the more powerful the hardware is the faster things like web pages (blog, social networking, etc) will be served but the more electricity such a system will require if you're running it 24/7. A good compromise between performance and energy consumption is something like an old netbook. The battery of an old netbook or laptop even gives you <a href="https://en.wikipedia.org/wiki/Uninterruptible_power_supply">UPS capability</a> to keep the system going during brief power outages or cable re-arrangements, and that means using full disk encryption on the server also becomes more practical.
610 626
 </p>
@@ -614,9 +630,9 @@ It was originally designed to run on the Beaglebone Black, but that should be re
614 630
 </p>
615 631
 </div>
616 632
 </div>
617
-<div id="outline-container-orgf1c38a0" class="outline-2">
618
-<h2 id="orgf1c38a0">Can I add more users to the system?</h2>
619
-<div class="outline-text-2" id="text-orgf1c38a0">
633
+<div id="outline-container-org12ce8ec" class="outline-2">
634
+<h2 id="org12ce8ec">Can I add more users to the system?</h2>
635
+<div class="outline-text-2" id="text-org12ce8ec">
620 636
 <p>
621 637
 Yes. Freedombone can support a small number of users, for a "<i>friends and family</i>" type of home installation. This gives them access to an email account, XMPP, SIP phone and the blog (depending on whether the variant which you installed includes those).
622 638
 </p>
@@ -639,9 +655,9 @@ Another point is that Freedombone installations are not intended to support many
639 655
 </p>
640 656
 </div>
641 657
 </div>
642
-<div id="outline-container-orgd32f191" class="outline-2">
643
-<h2 id="orgd32f191">Why not use Signal for mobile chat?</h2>
644
-<div class="outline-text-2" id="text-orgd32f191">
658
+<div id="outline-container-org6e6f0bd" class="outline-2">
659
+<h2 id="org6e6f0bd">Why not use Signal for mobile chat?</h2>
660
+<div class="outline-text-2" id="text-org6e6f0bd">
645 661
 <p>
646 662
 Celebrities recommend Signal. It's Free Software so it must be good, right?
647 663
 </p>
@@ -664,9 +680,9 @@ To give credit where it's due Signal is good, but it could be a lot better. The
664 680
 </p>
665 681
 </div>
666 682
 </div>
667
-<div id="outline-container-org16a21bb" class="outline-2">
668
-<h2 id="org16a21bb">What is the most secure chat app to use on mobile?</h2>
669
-<div class="outline-text-2" id="text-org16a21bb">
683
+<div id="outline-container-orgb8a6086" class="outline-2">
684
+<h2 id="orgb8a6086">What is the most secure chat app to use on mobile?</h2>
685
+<div class="outline-text-2" id="text-orgb8a6086">
670 686
 <p>
671 687
 On mobile there are various options. The apps which are likely to be most secure are ones which have end-to-end encryption enabled by default and which can also be onion routed via Orbot. End-to-end encryption secures the content of the message and onion routing obscures the metadata, making it hard for a passive adversary to know who is communicating with who.
672 688
 </p>
@@ -676,13 +692,13 @@ The current safest way to chat is to use <a href="https://conversations.im">Conv
676 692
 </p>
677 693
 
678 694
 <p>
679
-There are many <a href="#orgd32f191">other fashionable chat apps</a> with end-to-end security, but often they are closed source, have a single central server or can't be onion routed. It's also important to remember that closed source chat apps should be assumed to be untrustworthy, since their security cannot be independently verified.
695
+There are many <a href="#org6e6f0bd">other fashionable chat apps</a> with end-to-end security, but often they are closed source, have a single central server or can't be onion routed. It's also important to remember that closed source chat apps should be assumed to be untrustworthy, since their security cannot be independently verified.
680 696
 </p>
681 697
 </div>
682 698
 </div>
683
-<div id="outline-container-org279eac7" class="outline-2">
684
-<h2 id="org279eac7">How do I remove a user from the system?</h2>
685
-<div class="outline-text-2" id="text-org279eac7">
699
+<div id="outline-container-orgd46fade" class="outline-2">
700
+<h2 id="orgd46fade">How do I remove a user from the system?</h2>
701
+<div class="outline-text-2" id="text-orgd46fade">
686 702
 <p>
687 703
 To remove a user:
688 704
 </p>
@@ -697,9 +713,9 @@ Select <i>Administrator controls</i> then <i>Manage Users</i> and then <i>Delete
697 713
 </p>
698 714
 </div>
699 715
 </div>
700
-<div id="outline-container-org12ac09e" class="outline-2">
701
-<h2 id="org12ac09e">Why is logging for web sites turned off by default?</h2>
702
-<div class="outline-text-2" id="text-org12ac09e">
716
+<div id="outline-container-org7fc4d88" class="outline-2">
717
+<h2 id="org7fc4d88">Why is logging for web sites turned off by default?</h2>
718
+<div class="outline-text-2" id="text-org7fc4d88">
703 719
 <p>
704 720
 If you're making profits out of the logs by running large server warehouses and then data mining what users click on - as is the business model of well known internet companies - then logging everything makes total sense. However, if you're running a home server then logging really only makes sense if you're trying to diagnose some specific problem with the system, and outside of that context logging everything becomes more of a liability than an asset.
705 721
 </p>
@@ -713,9 +729,9 @@ On the Freedombone system web logs containing IP addresses are turned off by def
713 729
 </p>
714 730
 </div>
715 731
 </div>
716
-<div id="outline-container-org5e9d3c7" class="outline-2">
717
-<h2 id="org5e9d3c7">How do I reset the tripwire?</h2>
718
-<div class="outline-text-2" id="text-org5e9d3c7">
732
+<div id="outline-container-orge1a3788" class="outline-2">
733
+<h2 id="orge1a3788">How do I reset the tripwire?</h2>
734
+<div class="outline-text-2" id="text-orge1a3788">
719 735
 <p>
720 736
 The tripwire will be automatically reset once per week. If you want to reset it earlier then do the following:
721 737
 </p>
@@ -730,9 +746,9 @@ Select <i>Administrator controls</i> then "reset tripwire" using cursors and spa
730 746
 </p>
731 747
 </div>
732 748
 </div>
733
-<div id="outline-container-org0613054" class="outline-2">
734
-<h2 id="org0613054">Is metadata protected?</h2>
735
-<div class="outline-text-2" id="text-org0613054">
749
+<div id="outline-container-org572f545" class="outline-2">
750
+<h2 id="org572f545">Is metadata protected?</h2>
751
+<div class="outline-text-2" id="text-org572f545">
736 752
 <blockquote>
737 753
 <p>
738 754
 "<i>We kill people based on metadata</i>"
@@ -748,9 +764,9 @@ Even when using Freedombone metadata analysis by third parties is still possible
748 764
 </p>
749 765
 </div>
750 766
 </div>
751
-<div id="outline-container-orgdf75721" class="outline-2">
752
-<h2 id="orgdf75721">How do I create email processing rules?</h2>
753
-<div class="outline-text-2" id="text-orgdf75721">
767
+<div id="outline-container-org733a91b" class="outline-2">
768
+<h2 id="org733a91b">How do I create email processing rules?</h2>
769
+<div class="outline-text-2" id="text-org733a91b">
754 770
 <div class="org-src-container">
755 771
 <pre class="src src-bash">ssh username@domainname -p 2222
756 772
 </pre>
@@ -806,9 +822,9 @@ Spamassassin is also available and within Mutt you can use the S (shift+s) key t
806 822
 </p>
807 823
 </div>
808 824
 </div>
809
-<div id="outline-container-org5b21211" class="outline-2">
810
-<h2 id="org5b21211">Why isn't dynamic DNS working?</h2>
811
-<div class="outline-text-2" id="text-org5b21211">
825
+<div id="outline-container-org78eef24" class="outline-2">
826
+<h2 id="org78eef24">Why isn't dynamic DNS working?</h2>
827
+<div class="outline-text-2" id="text-org78eef24">
812 828
 <p>
813 829
 If you run the command:
814 830
 </p>
@@ -831,9 +847,9 @@ https://www.privateinternetaccess.com/pages/whats-my-ip/
831 847
 </div>
832 848
 </div>
833 849
 
834
-<div id="outline-container-org929e4ae" class="outline-2">
835
-<h2 id="org929e4ae">How do I change my encryption settings?</h2>
836
-<div class="outline-text-2" id="text-org929e4ae">
850
+<div id="outline-container-org2c06ab3" class="outline-2">
851
+<h2 id="org2c06ab3">How do I change my encryption settings?</h2>
852
+<div class="outline-text-2" id="text-org2c06ab3">
837 853
 <p>
838 854
 Suppose that some new encryption vulnerability has been announced and that you need to change your encryption settings. Maybe an algorithm thought to be secure is now no longer so and you need to remove it. You can change your settings by doing the following:
839 855
 </p>
@@ -848,9 +864,9 @@ Select <i>Administrator controls</i> then select <i>Security Settings</i>. You w
848 864
 </p>
849 865
 </div>
850 866
 </div>
851
-<div id="outline-container-org087d147" class="outline-2">
852
-<h2 id="org087d147">How do I get a domain name?</h2>
853
-<div class="outline-text-2" id="text-org087d147">
867
+<div id="outline-container-org5afac46" class="outline-2">
868
+<h2 id="org5afac46">How do I get a domain name?</h2>
869
+<div class="outline-text-2" id="text-org5afac46">
854 870
 <p>
855 871
 Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead.
856 872
 </p>
@@ -914,9 +930,9 @@ You should now be able to send an email from <i>postmaster@mynewdomainname</i> a
914 930
 </div>
915 931
 </div>
916 932
 
917
-<div id="outline-container-org4bb381a" class="outline-2">
918
-<h2 id="org4bb381a">How do I get a "real" SSL/TLS/HTTPS certificate?</h2>
919
-<div class="outline-text-2" id="text-org4bb381a">
933
+<div id="outline-container-org438f36d" class="outline-2">
934
+<h2 id="org438f36d">How do I get a "real" SSL/TLS/HTTPS certificate?</h2>
935
+<div class="outline-text-2" id="text-org438f36d">
920 936
 <p>
921 937
 If you did the full install or selected the social variant then the system will have tried to obtain a Let's Encrypt certificate automatically during the install process. If this failed for any reason, or if you have created a new site which you need a certificate for then do the following:
922 938
 </p>
@@ -935,9 +951,9 @@ One thing to be aware of is that Let's Encrypt doesn't support many dynamic DNS
935 951
 </p>
936 952
 </div>
937 953
 </div>
938
-<div id="outline-container-orgfbd420c" class="outline-2">
939
-<h2 id="orgfbd420c">How do I renew a Let's Encrypt certificate?</h2>
940
-<div class="outline-text-2" id="text-orgfbd420c">
954
+<div id="outline-container-orge32e913" class="outline-2">
955
+<h2 id="orge32e913">How do I renew a Let's Encrypt certificate?</h2>
956
+<div class="outline-text-2" id="text-orge32e913">
941 957
 <p>
942 958
 Normally certificates will be automatically renewed once per month, so you don't need to be concerned about it. If anything goes wrong with the automatic renewal then you should receive a warning email.
943 959
 </p>
@@ -956,9 +972,9 @@ Select <i>Administrator controls</i> then <b>Security settings</b> then <b>Renew
956 972
 </p>
957 973
 </div>
958 974
 </div>
959
-<div id="outline-container-orgdaf57b7" class="outline-2">
960
-<h2 id="orgdaf57b7">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</h2>
961
-<div class="outline-text-2" id="text-orgdaf57b7">
975
+<div id="outline-container-org44f909f" class="outline-2">
976
+<h2 id="org44f909f">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</h2>
977
+<div class="outline-text-2" id="text-org44f909f">
962 978
 <p>
963 979
 Most likely it's because Let's Encrypt doesn't support your particular domain or subdomain. Currently free subdomains tend not to work. You'll need to buy a domain name, link it to your dynamic DNS account and then do:
964 980
 </p>
@@ -973,17 +989,17 @@ Select <i>Administrator controls</i> then <b>Security settings</b> then <b>Creat
973 989
 </p>
974 990
 </div>
975 991
 </div>
976
-<div id="outline-container-org9fde76d" class="outline-2">
977
-<h2 id="org9fde76d">Why not use the services of $company instead? They took the Seppuku pledge</h2>
978
-<div class="outline-text-2" id="text-org9fde76d">
992
+<div id="outline-container-org27439c3" class="outline-2">
993
+<h2 id="org27439c3">Why not use the services of $company instead? They took the Seppuku pledge</h2>
994
+<div class="outline-text-2" id="text-org27439c3">
979 995
 <p>
980 996
 <a href="https://cryptostorm.org/viewtopic.php?f=63&amp;t=2954&amp;sid=7de2d1e699cfde2f574e6a7f6ea5a173">That pledge</a> is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "<i>on our side</i>". Post-<a href="https://en.wikipedia.org/wiki/Nymwars">nymwars</a> and post-<a href="https://en.wikipedia.org/wiki/PRISM_(surveillance_program)">PRISM</a> we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.
981 997
 </p>
982 998
 </div>
983 999
 </div>
984
-<div id="outline-container-org71ce92c" class="outline-2">
985
-<h2 id="org71ce92c">Why does my email keep getting rejected as spam by Gmail/etc?</h2>
986
-<div class="outline-text-2" id="text-org71ce92c">
1000
+<div id="outline-container-org00d41d3" class="outline-2">
1001
+<h2 id="org00d41d3">Why does my email keep getting rejected as spam by Gmail/etc?</h2>
1002
+<div class="outline-text-2" id="text-org00d41d3">
987 1003
 <p>
988 1004
 Welcome to the world of email. Email is really the archetypal decentralized service, developed during the early days of the internet. In principle anyone can run an email server, and that's exactly what you're doing with Freedombone. Email is very useful, but it has a big problem, and that's that the protocols are totally insecure. That made it easy for spammers to do their thing, and in response highly elaborate spam filtering and blocking systems were developed. Chances are that your emails are being blocked in this way. Sometimes the blocking is so indisciminate that entire countries are excluded. What can you do about it? Unless you control the block list at the receiving end you may not be able to do much unless you can find an email proxy server which is trusted by the receiving server.
989 1005
 </p>
@@ -1014,9 +1030,9 @@ So the situation with email presently is pretty bad, and there's a clear selecti
1014 1030
 </p>
1015 1031
 </div>
1016 1032
 </div>
1017
-<div id="outline-container-org1bd542d" class="outline-2">
1018
-<h2 id="org1bd542d">Tor is censored/blocked in my area. What can I do?</h2>
1019
-<div class="outline-text-2" id="text-org1bd542d">
1033
+<div id="outline-container-org7ab9062" class="outline-2">
1034
+<h2 id="org7ab9062">Tor is censored/blocked in my area. What can I do?</h2>
1035
+<div class="outline-text-2" id="text-org7ab9062">
1020 1036
 <p>
1021 1037
 If you can find some details for an obfs4 Tor bridge (its IP address, port number and key or nickname) then you can set up the system to use it to connect to the Tor network. Unlike relay nodes the IP addresses for bridges are not public information and so can't be easily known and added to block lists by authoritarian regimes or over-zealous ISPs.
1022 1038
 </p>
@@ -1047,9 +1063,9 @@ Return to the <a href="index.html">home page</a>
1047 1063
 </div>
1048 1064
 </div>
1049 1065
 
1050
-<div id="outline-container-orgcf6a401" class="outline-2">
1051
-<h2 id="orgcf6a401">I want to block a particular domain from getting its content into my social network sites</h2>
1052
-<div class="outline-text-2" id="text-orgcf6a401">
1066
+<div id="outline-container-org5cd6bab" class="outline-2">
1067
+<h2 id="org5cd6bab">I want to block a particular domain from getting its content into my social network sites</h2>
1068
+<div class="outline-text-2" id="text-org5cd6bab">
1053 1069
 <p>
1054 1070
 If you're being pestered by some domain which contains bad/illegal/harrassing content or irritating users you can block domains at the firewall level. Go to the administrator control panel and select <i>domain blocking</i>. You can then block, unblock and view the list of blocked domains.
1055 1071
 </p>
@@ -1064,9 +1080,9 @@ Select <i>Administrator controls</i> then <i>Domain blocking</i>.
1064 1080
 </div>
1065 1081
 </div>
1066 1082
 
1067
-<div id="outline-container-org39004fe" class="outline-2">
1068
-<h2 id="org39004fe">The mesh system doesn't boot from USB drive</h2>
1069
-<div class="outline-text-2" id="text-org39004fe">
1083
+<div id="outline-container-orgafedf35" class="outline-2">
1084
+<h2 id="orgafedf35">The mesh system doesn't boot from USB drive</h2>
1085
+<div class="outline-text-2" id="text-orgafedf35">
1070 1086
 <p>
1071 1087
 If the system doesn't boot and reports an error which includes <b>/dev/mapper/loop0p1</b> then reboot with <b>Ctrl-Alt-Del</b> and when you see the grub menu press <b>e</b> and manually change <b>/dev/mapper/loop0p1</b> to <b>/dev/sdb1</b>, then press <b>Ctrl-x</b>. If that doesn't work then reboot and try <b>/dev/sdc1</b> instead.
1072 1088
 </p>

+ 5
- 1
website/EN/mesh.html ファイルの表示

@@ -3,7 +3,7 @@
3 3
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4 4
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
5 5
 <head>
6
-<!-- 2017-12-29 Fri 22:58 -->
6
+<!-- 2018-01-15 Mon 20:17 -->
7 7
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
8 8
 <meta name="viewport" content="width=device-width, initial-scale=1" />
9 9
 <title>&lrm;</title>
@@ -278,6 +278,10 @@ If an internet connection is available then it can make use of that, but otherwi
278 278
 Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
279 279
 </p>
280 280
 
281
+<p>
282
+Like <a href="https://libremesh.org">LibreMesh</a>, this system uses a combination of <a href="https://en.wikipedia.org/wiki/B.A.T.M.A.N.">batman-adv</a> on network layer 2 and <a href="http://bmx6.net">BMX</a> on layer 3.
283
+</p>
284
+
281 285
 <div class="org-center">
282 286
 <p>
283 287
 This site can also be accessed via a Tor browser at <a href="http://pazyv7nkllp76hqr.onion">http://pazyv7nkllp76hqr.onion</a>