
Merge branch 'stretch' of https://github.com/bashrc/freedombone

Bob Mottram 7 年前
父节点
当前提交
e909a996ef

+ 1
- 1
doc/EN/socialinstance.org

@@ -10,7 +10,7 @@
10 10
 [[file:images/logo.png]]
11 11
 #+END_CENTER
12 12
 
13
-#+BEGIN_EXPORT html
13
+#+BEGIN_EXPORT HTML
14 14
 <center>
15 15
 <h1>Social Instance</h1>
16 16
 </center>

二进制
image_build/prosody-0.10-1nightly382.tar.gz


二进制
image_build/prosody-0.10-1nightly410.tar.gz


二进制
image_build/prosody-0.10-1nightly468.tar.gz


二进制
image_build/prosody-modules-20180104.tar.gz


二进制
image_build/prosody-modules-20180322.tar.gz


+ 4
- 0
src/freedombone-app-gnusocial

@@ -614,6 +614,10 @@ function remove_gnusocial {
614 614
     sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
615 615
     sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
616 616
 
617
+    if [ -f /usr/bin/gnusocial-firewall ]; then
618
+        rm /usr/bin/gnusocial-firewall
619
+    fi
620
+
617 621
     function_check remove_ddns_domain
618 622
     remove_ddns_domain "$GNUSOCIAL_DOMAIN_NAME"
619 623
 }
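Review bot: The added guard-and-remove block just before `function_check remove_ddns_domain` in remove_gnusocial can be the single line `rm -f -- /usr/bin/gnusocial-firewall`, since `-f` already makes a missing file a no-op and the separate `-f` test only adds a check-then-act window. The same three-line pattern is introduced in this commit in remove_postactiv (`/usr/bin/postactiv-firewall`) and remove_pleroma (`/usr/bin/pleroma-blocking`) and could be collapsed the same way. If the helper script being deleted had installed firewall rules or a cron entry of its own, deleting only the script leaves those behind; I cannot see from this hunk whether the rest of the function already handles that, so it is worth confirming. remove_gnusocial starts outside the hunk.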

+ 24
- 11
src/freedombone-app-pleroma

@@ -9,15 +9,6 @@
9 9
 #                    Freedom in the Cloud
10 10
 #
11 11
 # Pleroma backend application
12
-# https://git.pleroma.social/pleroma/pleroma/wikis/Installing-on-Debian-Based-Distributions
13
-#
14
-# Show stopper: This is dependent on https://placehold.it for avatar images,
15
-# so at present it's not usable until a first party placeholder image system
16
-# is included.
17
-#
18
-# There is also a possible issue with the chat system which uses an object called
19
-# "Agent" which may not be supported with the version of elixir within the
20
-# Debian package. This only applies if you're installing from the latest commit.
21 12
 #
22 13
 # License
23 14
 # =======
@@ -47,7 +38,7 @@ PLEROMA_CODE=
47 38
 PLEROMA_PORT=4000
48 39
 PLEROMA_ONION_PORT=8011
49 40
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
50
-PLEROMA_COMMIT='59a76ea464998476f8c4814324647f4ae4a7f2cb'
41
+PLEROMA_COMMIT='c50c7745bc8b8f52ba07c69c0d2505df54da0f59'
51 42
 PLEROMA_ADMIN_PASSWORD=
52 43
 PLEROMA_DIR=/etc/pleroma
53 44
 PLEROMA_SECRET_KEY=""
@@ -254,7 +245,6 @@ function pleroma_recompile {
254 245
     if [ -f /etc/systemd/system/pleroma.service ]; then
255 246
         systemctl restart pleroma
256 247
     fi
257
-
258 248
 }
259 249
 
260 250
 function logging_on_pleroma {
@@ -733,6 +723,11 @@ function upgrade_pleroma {
733 723
         return
734 724
     fi
735 725
 
726
+    pleroma_registrations=open
727
+    if grep -q 'registrations_open: false' $PLEROMA_DIR/config/config.exs; then
728
+        pleroma_registrations=
729
+    fi
730
+
736 731
     # make a copy of the configuration
737 732
     cp $PLEROMA_DIR/priv/static/static/config.json $PLEROMA_DIR/priv/static/static/config_prev.json
738 733
 
@@ -760,12 +755,19 @@ function upgrade_pleroma {
760 755
 
761 756
     sudo -u pleroma mix deps.get
762 757
 
758
+    if [ ! $pleroma_registrations ]; then
759
+        sed -i 's|registrations_open: true|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
760
+        sed -i 's|registrations_open: True|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
761
+    fi
762
+
763 763
     pleroma_recompile
764 764
 
765 765
     # migrate database
766 766
     sudo -u pleroma mix deps.clean --build mime
767 767
     sudo -u pleroma mix ecto.migrate
768 768
 
769
+    pleroma_custom_logo "$PLEROMA_DIR"
770
+
769 771
     expire_pleroma_posts "$PLEROMA_DOMAIN_NAME" "$PLEROMA_EXPIRE_MONTHS"
770 772
     create_pleroma_blocklist
771 773
 
@@ -934,6 +936,10 @@ function remove_pleroma {
934 936
     sed -i '/pleroma commit/d' "$COMPLETION_FILE"
935 937
     sed -i "/$blocking_script_file/d" /etc/crontab
936 938
 
939
+    if [ -f /usr/bin/pleroma-blocking ]; then
940
+        rm /usr/bin/pleroma-blocking
941
+    fi
942
+
937 943
     function_check remove_ddns_domain
938 944
     remove_ddns_domain "$PLEROMA_DOMAIN_NAME"
939 945
 }
@@ -1183,6 +1189,13 @@ function install_pleroma {
1183 1189
     sed -i 's|registrations_open:.*|registrations_open: true,|g' $PLEROMA_DIR/config/config.exs
1184 1190
     sed -i 's|"registrationOpen":.*|"registrationOpen": true,|g' $PLEROMA_DIR/priv/static/static/config.json
1185 1191
 
1192
+    if ! grep -q "media_proxy" $PLEROMA_DIR/priv/static/static/config.json; then
1193
+        sed -i '/"name":/a "media_proxy": false,' $PLEROMA_DIR/priv/static/static/config.json
1194
+        sed -i 's|"media_proxy"|  "media_proxy"|g' $PLEROMA_DIR/priv/static/static/config.json
1195
+    else
1196
+        sed -i 's|"media_proxy".*|"media_proxy": false,|g' $PLEROMA_DIR/priv/static/static/config.json
1197
+    fi
1198
+
1186 1199
     systemctl daemon-reload
1187 1200
     systemctl enable pleroma
1188 1201
     systemctl start pleroma
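Review bot: In the second upgrade_pleroma hunk the test `if [ ! $pleroma_registrations ]; then` only works because the variable is either `open` or empty, and the unquoted expansion is exactly what ShellCheck SC2086 flags; `if [ -z "$pleroma_registrations" ]; then` states the intent directly. Both upgrade hunks also pass `$PLEROMA_DIR/config/config.exs` unquoted to `grep` and `sed`, whereas the new `pleroma_custom_logo "$PLEROMA_DIR"` call a few lines down quotes it. In the install_pleroma hunk, `sed -i '/"name":/a "media_proxy": false,'` appends after every line matching `"name":`, so if config.json ever carries more than one such key the setting is inserted repeatedly; anchoring on a more specific line or checking the match count first would be safer. upgrade_pleroma and install_pleroma both start outside their hunks.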

+ 4
- 0
src/freedombone-app-postactiv

@@ -627,6 +627,10 @@ function remove_postactiv {
627 627
     sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
628 628
     sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
629 629
 
630
+    if [ -f /usr/bin/postactiv-firewall ]; then
631
+        rm /usr/bin/postactiv-firewall
632
+    fi
633
+
630 634
     function_check remove_ddns_domain
631 635
     remove_ddns_domain "$POSTACTIV_DOMAIN_NAME"
632 636
 }

+ 22
- 15
src/freedombone-app-xmpp

@@ -45,14 +45,14 @@ XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+
45 45
 XMPP_ECC_CURVE='"secp384r1"'
46 46
 
47 47
 prosody_latest_version='0.10'
48
-prosody_nightly=410
49
-prosody_nightly_hash='9cf3db6a09895a744d72eb90b4a635758a710afe1a16b78506c7139c4e7211eb'
48
+prosody_nightly=468
49
+prosody_nightly_hash='c72aaab1182a86090188284f443d2f819889ca242d4e955258ef60f4c7c9a1ba'
50 50
 prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
51 51
 prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
52 52
 
53 53
 # From https://hg.prosody.im/prosody-modules
54
-prosody_modules_filename='prosody-modules-20180104.tar.gz'
55
-prosody_modules_hash='7c81b4ed8a90130b4db5902dc1f299ad1c4dab57a0970552b71cb2042a490bc1'
54
+prosody_modules_filename='prosody-modules-20180322.tar.gz'
55
+prosody_modules_hash='982d0dfcef98e9cb9cee4cc3801b8ce9a503a32e44c32b99df6fe94545b90072'
56 56
 
57 57
 xmpp_variables=(ONION_ONLY
58 58
                 INSTALLED_WITHIN_DOCKER
@@ -414,10 +414,16 @@ function prosody_daemon_restart_script {
414 414
     # On rare occasions the daemon appears to get stuck
415 415
     # i.e. still active, but not accepting connections
416 416
     # This ensures that it will unstick itself at least once per day
417
-    if [ ! -f /etc/cron.daily/prosody ]; then
418
-        echo '#!/bin/bash' > /etc/cron.daily/prosody
419
-        echo 'systemctl restart prosody' >> /etc/cron.daily/prosody
420
-        chmod +x /etc/cron.daily/prosody
417
+    if [ -f /etc/cron.daily/prosody ]; then
418
+        rm /etc/cron.daily/prosody
419
+    fi
420
+    if [ ! -f /etc/cron.hourly/prosody ]; then
421
+        { echo '#!/bin/bash';
422
+          echo "is_active=\$(systemctl is-active prosody)";
423
+          echo "if [[ \"\$is_active\" != 'active' ]]; then";
424
+          echo '  systemctl restart prosody'
425
+          echo 'fi'; } > /etc/cron.hourly/prosody
426
+        chmod +x /etc/cron.hourly/prosody
421 427
     fi
422 428
 }
423 429
 
@@ -667,13 +673,13 @@ function xmpp_contact_info {
667 673
         return
668 674
     fi
669 675
 
670
-    { 'contact_info = {';
671
-      "abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
672
-      "admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
673
-      "feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
674
-      "security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
675
-      "support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
676
-      '};'; } >> "$filename"
676
+    { echo 'contact_info = {';
677
+      echo "abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
678
+      echo "admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
679
+      echo "feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
680
+      echo "security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
681
+      echo "support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
682
+      echo '};'; } >> "$filename"
677 683
 }
678 684
 
679 685
 function xmpp_modules {
@@ -867,6 +873,7 @@ function xmpp_create_config {
867 873
       echo 'http_upload_file_size_limit = 307200';
868 874
       echo '';
869 875
       echo "Component \"chat.${DEFAULT_DOMAIN_NAME}\" \"muc\"";
876
+      echo '    restrict_room_creation = true';
870 877
       echo '    name = "Chatrooms"';
871 878
       echo '    modules_enabled = {';
872 879
       echo '        "muc_limits";';
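Review bot: The hourly script written by prosody_daemon_restart_script now restarts prosody only when `systemctl is-active` reports something other than `active`, but the context comment directly above it says the failure being guarded against is a daemon that is still active yet no longer accepting connections — a state the new check cannot detect, and which the unconditional daily restart it replaces did cover. Either the comment should be rewritten to match the new behaviour, e.g. `# Restart prosody hourly if systemd reports the unit is no longer active`, or the generated script needs a probe that goes beyond the unit state. The generated check `[[ "$is_active" != 'active' ]]` itself is escaped and quoted correctly; the concern is only the gap between the code and its stated intent. prosody_daemon_restart_script begins outside the hunk.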

+ 65
- 2
src/freedombone-base-email

@@ -57,8 +57,6 @@ MY_GPG_PRIVATE_KEY=
57 57
 # optionally specify your public key ID
58 58
 MY_GPG_PUBLIC_KEY_ID=
59 59
 
60
-EXIM_ONION_REPO="https://github.com/petterreinholdtsen/exim4-smtorp"
61
-
62 60
 # automatic archiving of email
63 61
 CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir"
64 62
 CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86'
@@ -150,6 +148,71 @@ function configure_email_onion {
150 148
     set_completion_param "email onion domain" "${onion_address}"
151 149
     add_email_hostname "$onion_address"
152 150
 
151
+    apt-get -yq install tinycdb perl
152
+
153
+    # MX record should be:
154
+    # _onion-mx._tcp.$DEFAULT_DOMAIN_NAME. 3600 IN SRV 0 5 25 $onion_address
155
+
156
+    echo "$DEFAULT_DOMAIN_NAME $onion_address" > /etc/exim4/onionrelay.txt
157
+    cdb -m -c -t ~/onionrelay.tmp /etc/exim4/onionrelay.cdb /etc/exim4/onionrelay.txt
158
+
159
+    { echo "perl_startup = do '/etc/exim4/perl-routines.pl'";
160
+      echo "perl_at_start"; } > /etc/exim4/conf.d/main/perl
161
+
162
+    { echo "use Net::DNS::Resolver;";
163
+      echo "sub onionLookup {";
164
+      echo "  my \$hostname = shift;";
165
+      echo "  my \$res = Net::DNS::Resolver->new(nameservers => [qw(127.0.0.1)],);";
166
+      echo "  \$res->port(5300);";
167
+      echo "  my \$query = \$res->search(\$hostname);";
168
+      echo "  foreach my \$rr (\$query->answer) {";
169
+      echo "    next unless \$rr->type eq \"A\";";
170
+      echo "    return \$rr->address;";
171
+      echo "  }";
172
+      echo "  return 'no_such_host';";
173
+      echo "}"; } > /etc/exim4/perl-routines.pl
174
+
175
+    { echo "ONION_RELAYDB=/etc/exim4/onionrelay.cdb";
176
+      echo "domainlist onion_relays     = cdb;ONION_RELAYDB"; } > /etc/exim4/conf.d/domainlists
177
+
178
+    { echo "# send things over tor where we have an entry for it";
179
+      echo "onionrelays:";
180
+      echo "  driver    = manualroute";
181
+      echo "  domains   = +onion_relays";
182
+      echo "  transport = onion_relay";
183
+      echo "  # get the automap IP for the onion address from the tor daemon";
184
+      echo "  route_data = \${perl{onionLookup}{\${lookup{\$domain}cdb{ONION_RELAYDB}}}}";
185
+      echo "  no_more"; } > /etc/exim4/conf.d/router/50_exim4-config-onion
186
+
187
+    { echo "onion_relay:";
188
+      echo "  driver = smtp";
189
+      echo "  socks_proxy = 127.0.0.1 port=9050"; } > /etc/exim4/conf.d/transport/50_exim4-config_onion
190
+
191
+    if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then
192
+        echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
193
+    else
194
+        sed -i 's|#AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
195
+        sed -i 's|AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
196
+    fi
197
+
198
+    if ! grep -q "DNSPort " /etc/tor/torrc; then
199
+        echo 'DNSPort 5300' >> /etc/tor/torrc
200
+    else
201
+        sed -i 's|#DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
202
+        sed -i 's|DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
203
+    fi
204
+
205
+    if ! grep -q "DNSListenAddress" /etc/tor/torrc; then
206
+        echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc
207
+    else
208
+        sed -i 's|#DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
209
+        sed -i 's|DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
210
+    fi
211
+
212
+    dpkg-reconfigure --frontend noninteractive exim4-config
213
+    systemctl restart tor
214
+    systemctl restart exim4
215
+
153 216
     mark_completed "${FUNCNAME[0]}"
154 217
 }
155 218
 
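Review bot: In the generated /etc/exim4/perl-routines.pl, `foreach my $rr ($query->answer)` runs even when `$res->search($hostname)` returned undef (Net::DNS::Resolver returns undef when there is no answer), which dies with a method-call-on-undefined error inside the exim router instead of reaching the `no_such_host` return; adding `echo "  return 'no_such_host' unless \$query;";` before the loop line closes that. The script also starts with `use Net::DNS::Resolver;` while the hunk only installs `tinycdb perl`; Net::DNS is not a core Perl module and on Debian is shipped as libnet-dns-perl, so it should be added to the apt-get line or `perl_at_start` will fail when exim loads the routines. Returning the literal `no_such_host` as `route_data` also makes exim attempt delivery to a host of that name through the socks proxy; if I read the manualroute documentation correctly, an empty `route_data` makes the router decline so later routers can handle the message, which may be the intended miss behaviour here. configure_email_onion starts outside the hunk.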

+ 112
- 432
src/freedombone-controlpanel

@@ -129,129 +129,10 @@ fi
129 129
 
130 130
 function any_key {
131 131
     echo ''
132
+    # shellcheck disable=SC2034
132 133
     read -n1 -rsp $"Press any key to continue..." key
133 134
 }
134 135
 
135
-function any_key_verify {
136
-    echo ''
137
-    read -n1 -rsp $"Press any key to continue or C to check a hash..." key
138
-    if [[ "$key" != 'c' && "$key" != 'C' ]]; then
139
-        return
140
-    fi
141
-
142
-    data=$(mktemp 2>/dev/null)
143
-    dialog --title $"Check tripwire hash" \
144
-           --backtitle $"Freedombone Control Panel" \
145
-           --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
146
-    sel=$?
147
-    case $sel in
148
-        0)
149
-            GIVEN_HASH=$(<"$data")
150
-            if [ ${#GIVEN_HASH} -gt 8 ]; then
151
-                if [[ "$GIVEN_HASH" == *' '* ]]; then
152
-                    dialog --title $"Check tripwire" \
153
-                           --msgbox $"\\nThe hash should not contain any spaces" 10 40
154
-                else
155
-                    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
156
-                    if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
157
-                        dialog --title $"Check tripwire" \
158
-                               --msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
159
-                    else
160
-                        dialog --title $"Check tripwire" \
161
-                               --msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
162
-                    fi
163
-                fi
164
-            fi
165
-            ;;
166
-    esac
167
-    rm -f "$data"
168
-}
169
-
170
-function get_app_icann_address {
171
-    app_name="$1"
172
-    if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
173
-        grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
174
-        return
175
-    else
176
-        app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
177
-        if [ "$app_name_upper" ]; then
178
-            param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
179
-            if [ "${param_value}" ]; then
180
-                echo "${param_value}"
181
-                return
182
-            fi
183
-        fi
184
-    fi
185
-    echo "${DEFAULT_DOMAIN_NAME}"
186
-}
187
-
188
-function passwords_select_user {
189
-    SELECTED_USERNAME=
190
-
191
-    # shellcheck disable=SC2207
192
-    users_array=($(ls /home))
193
-
194
-    delete=(git)
195
-    # shellcheck disable=SC2068
196
-    for del in ${delete[@]}
197
-    do
198
-        # shellcheck disable=SC2206
199
-        users_array=(${users_array[@]/$del})
200
-    done
201
-
202
-    i=0
203
-    W=()
204
-    name=()
205
-    # shellcheck disable=SC2068
206
-    for u in ${users_array[@]}
207
-    do
208
-        if [[ $(is_valid_user "$u") == "1" ]]; then
209
-            i=$((i+1))
210
-            W+=("$i" "$u")
211
-            name+=("$u")
212
-        fi
213
-    done
214
-
215
-    if [ $i -eq 1 ]; then
216
-        SELECTED_USERNAME="${name[0]}"
217
-    else
218
-        # shellcheck disable=SC2068
219
-        user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
220
-
221
-        # shellcheck disable=SC2181
222
-        if [ $? -eq 0 ]; then
223
-            SELECTED_USERNAME="${name[$((user_index-1))]}"
224
-        fi
225
-    fi
226
-}
227
-
228
-function passwords_show_apps {
229
-    SELECTED_APP=
230
-    i=0
231
-    W=()
232
-    name=()
233
-    # shellcheck disable=SC2068
234
-    for a in ${APPS_AVAILABLE[@]}
235
-    do
236
-        if [[ $(function_exists "change_password_${a}") == "1" ]]; then
237
-            i=$((i+1))
238
-            W+=("$i" "$a")
239
-            name+=("$a")
240
-        fi
241
-    done
242
-    i=$((i+1))
243
-    W+=("$i" "mariadb")
244
-    name+=("mariadb")
245
-
246
-    # shellcheck disable=SC2068
247
-    selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
248
-
249
-    # shellcheck disable=SC2181
250
-    if [ $? -eq 0 ]; then
251
-        SELECTED_APP="${name[$((selected_app_index-1))]}"
252
-    fi
253
-}
254
-
255 136
 function reset_password_tries {
256 137
     passwords_select_user
257 138
     if [ ! "$SELECTED_USERNAME" ]; then
@@ -262,67 +143,6 @@ function reset_password_tries {
262 143
            --msgbox $"Password tries have been reset for $SELECTED_USERNAME" 6 60
263 144
 }
264 145
 
265
-function view_or_change_passwords {
266
-    passwords_select_user
267
-    if [ ! "$SELECTED_USERNAME" ]; then
268
-        return
269
-    fi
270
-    detect_installed_apps
271
-    passwords_show_apps
272
-    if [ ! "$SELECTED_APP" ]; then
273
-        return
274
-    fi
275
-
276
-    CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
277
-
278
-    icann_address=$(get_app_icann_address "${SELECTED_APP}")
279
-    onion_address=$(get_app_onion_address "${SELECTED_APP}")
280
-
281
-    titlestr=$"View or Change Password"
282
-    if [ ${#onion_address} -gt 0 ]; then
283
-        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
284
-    else
285
-        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
286
-    fi
287
-
288
-    if [ -f /root/.nostore ]; then
289
-        titlestr=$"Change Password"
290
-        if [ ${#onion_address} -gt 0 ]; then
291
-            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
292
-        else
293
-            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
294
-        fi
295
-    fi
296
-
297
-    if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
298
-        CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
299
-        dialog --title $"MariaDB database password" \
300
-               --msgbox "\\n            ${CURR_PASSWORD}" 7 40
301
-        return
302
-    fi
303
-
304
-    data=$(mktemp 2>/dev/null)
305
-    dialog --title "$titlestr" \
306
-           --backtitle $"Freedombone Control Panel" \
307
-           --inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
308
-    sel=$?
309
-    case $sel in
310
-        0)
311
-            CURR_PASSWORD=$(<"$data")
312
-            if [ ${#CURR_PASSWORD} -gt 8 ]; then
313
-                "${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
314
-                "change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
315
-                dialog --title $"Change password" \
316
-                       --msgbox $"The password was changed" 6 40
317
-            else
318
-                dialog --title $"Change password" \
319
-                       --msgbox $"The password given must be at least 8 characters" 6 40
320
-            fi
321
-            ;;
322
-    esac
323
-    rm -f "$data"
324
-}
325
-
326 146
 function check_for_updates {
327 147
     if [ ! -f "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" ]; then
328 148
         dialog --title $"Check for updates" \
@@ -383,34 +203,59 @@ function pad_string {
383 203
     echo -n -e "$1" | sed -e :a -e 's/^.\{1,25\}$/& /;ta'
384 204
 }
385 205
 
206
+function show_tor_bridges {
207
+    if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
208
+        if grep -q "BridgeRelay 1" /etc/tor/torrc; then
209
+            read_config_param 'TOR_BRIDGE_PORT'
210
+            read_config_param 'TOR_BRIDGE_NICKNAME'
211
+            if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
212
+                W+=($"Your Tor Bridge" "$(get_ipv4_address):${TOR_BRIDGE_PORT} ${TOR_BRIDGE_NICKNAME}")
213
+            fi
214
+        fi
215
+    fi
216
+    bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
217
+    if [ ${#bridges_list} -gt 0 ]; then
218
+        for i in "${bridges_list[@]}"
219
+        do
220
+            bridgestr=$(i//Bridge /)
221
+            W+=($"Tor Bridge" "$bridgestr")
222
+        done
223
+    fi
224
+}
225
+
386 226
 function show_domains {
387 227
     read_config_param "DEFAULT_DOMAIN_NAME"
388 228
 
389
-    echo 'Domains'
390
-    echo '======='
391
-    echo ''
392
-    echo -n -e "$(pad_string 'Name')"
393
-    echo -n -e "$(pad_string 'ICANN')"
394
-    echo -n -e "$(pad_string 'Tor')"
395
-    echo ''
396
-    echo '--------------------------------------------------------------------------'
229
+    W=()
230
+
231
+    W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
232
+    ipv6_address="$(get_ipv6_address)"
233
+    if [ ${#ipv6_address} -gt 0 ]; then
234
+        W+=("IPv6" "${ipv6_address}")
235
+    fi
236
+
237
+
397 238
     if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
398
-        echo -n -e "$(pad_string 'ssh')"
399
-        echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")"
400
-        grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
239
+        domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
240
+        W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
401 241
     fi
402 242
     if grep -q "email onion domain" "$COMPLETION_FILE"; then
403
-        echo -n -e "$(pad_string 'Email')"
404
-        echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")"
405
-        grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
243
+        domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
244
+        W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
406 245
     fi
407 246
     if grep -q "sks onion domain" "$COMPLETION_FILE"; then
408 247
         read_config_param "KEYSERVER_DOMAIN_NAME"
409
-        echo -n -e "$(pad_string 'SKS')"
410
-        echo -n -e "$(pad_string "${KEYSERVER_DOMAIN_NAME}")"
411
-        grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
248
+        domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
249
+        W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
412 250
     fi
413 251
 
252
+    INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
253
+    if [ -f $INTRODUCER_FILENAME ]; then
254
+        W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
255
+    fi
256
+
257
+    show_tor_bridges
258
+
414 259
     # shellcheck disable=SC2068
415 260
     for app_name in ${APPS_INSTALLED_NAMES[@]}
416 261
     do
@@ -446,36 +291,43 @@ function show_domains {
446 291
                 onion_address="-"
447 292
             fi
448 293
 
449
-            echo -n -e "$(pad_string "${app_name}")"
450
-            echo -n -e "$(pad_string "${icann_address}")"
451
-            echo "${onion_address}"
294
+            if [[ "${icann_address}" != '-' ]]; then
295
+                if [[ "${onion_address}" != '-' ]]; then
296
+                    W+=("${app_name}" "${icann_address} / ${onion_address}")
297
+                else
298
+                    W+=("${app_name}" "${icann_address}")
299
+                fi
300
+            else
301
+                W+=("${app_name}" "${onion_address}")
302
+            fi
452 303
 
453 304
             if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
454 305
                 onion_address=$(get_app_onion_address "${app_name}" "mobile")
455
-                echo -n -e "$(pad_string "${app_name} (mobile)")"
456
-                echo -n -e "$(pad_string "${icann_address}")"
457
-                echo "${onion_address}"
306
+                if [[ "${icann_address}" != '-' ]]; then
307
+                    W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
308
+                else
309
+                    W+=("${app_name} (mobile)" "${onion_address}")
310
+                fi
458 311
             fi
459 312
         fi
460 313
     done
461 314
 
462 315
     if grep -q "rss reader domain" "$COMPLETION_FILE"; then
463 316
         if [ -d /var/lib/tor/hidden_service_ttrss ]; then
464
-            echo -n -e "$(pad_string 'RSS reader')"
465
-            RSSDOM='-'
466
-            echo -n -e "$(pad_string ${RSSDOM})"
467
-            echo -n "$(cat /var/lib/tor/hidden_service_ttrss/hostname)"
468
-            echo ''
317
+            domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
318
+            W+=("RSS Reader" "${domain_onion}")
469 319
         fi
470 320
         if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
471
-            echo -n -e "$(pad_string 'RSS mobile')"
472
-            RSSMOBILEDOM='-'
473
-            echo -n -e "$(pad_string ${RSSMOBILEDOM})"
474
-            echo -n "$(cat /var/lib/tor/hidden_service_mobilerss/hostname)"
475
-            echo ''
321
+            domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
322
+            W+=("RSS mobile" "${domain_onion}")
476 323
         fi
477 324
     fi
478
-    echo ''
325
+
326
+    width=$(tput cols)
327
+    height=$(tput lines)
328
+
329
+    # shellcheck disable=SC2068
330
+    dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3
479 331
 }
480 332
 
481 333
 function show_users {
@@ -525,34 +377,6 @@ function show_ip_addresses {
525 377
     echo ''
526 378
 }
527 379
 
528
-function show_tor_bridges {
529
-    bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
530
-    if [ ${#bridges_list} -gt 0 ]; then
531
-        echo $'Tor Bridges'
532
-        echo '==========='
533
-        echo ''
534
-        echo "${bridges_list}"
535
-        echo ''
536
-        echo ''
537
-    fi
538
-    if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
539
-        if grep -q "BridgeRelay 1" /etc/tor/torrc; then
540
-            read_config_param 'TOR_BRIDGE_PORT'
541
-            read_config_param 'TOR_BRIDGE_NICKNAME'
542
-            if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
543
-                echo "Tor bridge on this system"
544
-                echo '========================='
545
-                echo ''
546
-                echo "IP Address: $(get_ipv4_address)"
547
-                echo "Port:       ${TOR_BRIDGE_PORT}"
548
-                echo "Nickname:   ${TOR_BRIDGE_NICKNAME}"
549
-                echo ''
550
-                echo ''
551
-            fi
552
-        fi
553
-    fi
554
-}
555
-
556 380
 function show_ssh_public_key {
557 381
     echo $'SSH Public Keys'
558 382
     echo '==============='
@@ -562,33 +386,18 @@ function show_ssh_public_key {
562 386
     echo ''
563 387
 }
564 388
 
565
-function show_tahoelafs_introducer {
566
-    INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
567
-    if [ ! -f $INTRODUCER_FILENAME ]; then
568
-        return
569
-    fi
570
-    echo $'Tahoe-LAFS introducer'
571
-    echo '====================='
572
-    echo ''
573
-    cat $INTRODUCER_FILENAME
574
-    echo ''
575
-    echo ''
576
-}
577
-
578 389
 function show_about {
579 390
     detect_apps
580 391
     get_apps_installed_names
581 392
 
582
-    clear
583
-    echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ===="
584
-    echo ''
585
-    show_ip_addresses
586
-    show_tor_bridges
587
-    show_ssh_public_key
393
+    #clear
394
+    #echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ===="
395
+    #echo ''
396
+    #show_ip_addresses
397
+    #show_ssh_public_key
588 398
     show_domains
589
-    show_tahoelafs
590
-    show_users
591
-    any_key
399
+    #show_users
400
+    #any_key
592 401
 }
593 402
 
594 403
 function select_user {
@@ -1265,30 +1074,6 @@ function restore_data_remote {
1265 1074
     rm -f "$data"
1266 1075
 }
1267 1076
 
1268
-function ping_enable_disable {
1269
-    ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
1270
-    enable_ping="no"
1271
-    dialog --title $"Enable Ping / ICMP" \
1272
-           --backtitle $"Freedombone Control Panel" \
1273
-           --defaultno \
1274
-           --yesno "$ping_str" 10 60
1275
-    sel=$?
1276
-    case $sel in
1277
-        0) enable_ping="yes";;
1278
-        255) return;;
1279
-    esac
1280
-
1281
-    if [[ $enable_ping == "yes" ]]; then
1282
-        iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
1283
-        iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
1284
-        echo "0" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
1285
-    else
1286
-        iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
1287
-        iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
1288
-        echo "1" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
1289
-    fi
1290
-}
1291
-
1292 1077
 function logging_on_off {
1293 1078
     logging="no"
1294 1079
     dialog --title $"Logging" \
@@ -1326,82 +1111,6 @@ function restore_gpg_key {
1326 1111
 
1327 1112
 function security_settings {
1328 1113
     "${PROJECT_NAME}-sec"
1329
-    any_key
1330
-}
1331
-
1332
-function show_tripwire_verification_code {
1333
-    if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
1334
-        return
1335
-    fi
1336
-    clear
1337
-    echo ''
1338
-    echo $'Tripwire Verification Code'
1339
-    echo ''
1340
-    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
1341
-    echo -n "$DBHASH" | qrencode -t UTF8
1342
-    echo ''
1343
-    echo "$DBHASH"
1344
-    echo ''
1345
-}
1346
-
1347
-function reset_tripwire {
1348
-    if [ ! -f /usr/bin/reset-tripwire ]; then
1349
-        echo $'Missing /usr/bin/reset-tripwire'
1350
-        any_key
1351
-        return
1352
-    fi
1353
-    if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
1354
-        if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
1355
-            # shellcheck disable=SC2086
1356
-            mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
1357
-            # shellcheck disable=SC2086
1358
-            mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
1359
-        else
1360
-            echo $'Error: missing local key'
1361
-            any_key
1362
-            return
1363
-        fi
1364
-    fi
1365
-    clear
1366
-    echo $'Turing off logging...'
1367
-    "${PROJECT_NAME}-logging" off
1368
-    echo $'Locking down permissions...'
1369
-    lockdown_permissions
1370
-    echo $'Creating configuration...'
1371
-    echo '
1372
-
1373
-       ' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
1374
-    echo $'Resetting policy...'
1375
-    echo '
1376
-
1377
-       ' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
1378
-    echo $'Creating tripwire database'
1379
-    echo '
1380
-
1381
-' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
1382
-    echo $'Resetting the Tripwire...'
1383
-    echo ''
1384
-    echo '
1385
-
1386
-                ' | reset-tripwire
1387
-    echo ''
1388
-
1389
-    # Sometimes nginx fails to restart if matrix is installed
1390
-    # Restart matrix first
1391
-    if [ -d /etc/matrix ]; then
1392
-        systemctl restart matrix
1393
-        systemctl restart nginx
1394
-    fi
1395
-
1396
-    if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
1397
-        show_tripwire_verification_code
1398
-        echo $'Tripwire is now reset. Take a note of the above hash, or record'
1399
-        echo $'the QR code using a mobile device. This will enable you to independently'
1400
-        echo $'verify the integrity of the tripwire.'
1401
-    else
1402
-        echo $'ERROR: tripwire database was not created'
1403
-    fi
1404
-    any_key
1405 1114
 }
1406 1115
 
1407 1116
 function format_drive {
@@ -1775,19 +1484,6 @@ function reinstall_mariadb {
1775 1484
            --msgbox $"MariaDB has been reinstalled" 6 40
1776 1485
 }
1777 1486
 
1778
-function show_firewall {
1779
-    clear
1780
-    echo $"Firewall Settings"
1781
-    echo ''
1782
-    while read -r line; do
1783
-        firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
1784
-        firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
1785
-        echo -n -e "$(pad_string "${firewall_name}")"
1786
-        echo "${firewall_port}"
1787
-    done < "$FIREWALL_CONFIG"
1788
-    any_key
1789
-}
1790
-
1791 1487
 function email_extra_domains {
1792 1488
     email_hostnames=$(grep "dc_other_hostnames" /etc/exim4/update-exim4.conf.conf | awk -F "'" '{print $2}')
1793 1489
 
@@ -2198,7 +1894,7 @@ function menu_wifi {
2198 1894
 function menu_app_settings {
2199 1895
     detect_installable_apps
2200 1896
 
2201
-    applist=""
1897
+    W=()
2202 1898
     appnames=()
2203 1899
     n=1
2204 1900
     app_index=0
@@ -2207,7 +1903,7 @@ function menu_app_settings {
2207 1903
     do
2208 1904
         if [[ ${APPS_INSTALLED[$app_index]} != "0" ]]; then
2209 1905
             if [[ $(function_exists "configure_interactive_${a}") == "1" ]]; then
2210
-                applist="$applist $n $a off"
1906
+                W+=("$n" "$a")
2211 1907
                 n=$((n+1))
2212 1908
                 appnames+=("$a")
2213 1909
             fi
@@ -2217,23 +1913,18 @@ function menu_app_settings {
2217 1913
     if [ $n -le 1 ]; then
2218 1914
         return
2219 1915
     fi
2220
-    backstr=$'Exit'
2221
-    applist="$applist $n $backstr on"
2222
-    appnames+=("Exit")
2223 1916
 
2224 1917
     # shellcheck disable=SC2086
2225
-    choice=$(dialog --stdout --backtitle $"Freedombone" \
1918
+    choice=$(dialog --backtitle $"Freedombone" \
2226 1919
                     --title $"Change settings for an App" \
2227
-                    --radiolist $'Choose:' \
2228
-                    26 40 30 $applist)
1920
+                    --menu $'Choose:' \
1921
+                    26 40 30 "${W[@]}" 3>&2 2>&1 1>&3)
2229 1922
 
2230 1923
     # shellcheck disable=SC2181
2231
-    if [ $? -eq 0 ]; then
1924
+    if [ "$choice" ]; then
2232 1925
         app_index=$((choice-1))
2233 1926
         chosen_app=${appnames[$app_index]}
2234
-        if [[ $chosen_app != "Exit" ]]; then
2235
-            "configure_interactive_${chosen_app}"
2236
-        fi
1927
+        "configure_interactive_${chosen_app}"
2237 1928
     fi
2238 1929
 }
2239 1930
 
@@ -2241,29 +1932,24 @@ function menu_top_level {
2241 1932
     while true
2242 1933
     do
2243 1934
         W=(1 $"About this system"
2244
-           2 $"Passwords"
2245
-           3 $"Backup and Restore"
2246
-           4 $"Show Firewall"
2247
-           5 $"Verify Tripwire Code"
2248
-           6 $"Reset Tripwire"
2249
-           7 $"App Settings"
2250
-           8 $"Add/Remove Apps"
2251
-           9 $"Logging on/off"
2252
-           10 $"Ping enable/disable"
2253
-           11 $"Manage Users"
2254
-           12 $"Email Menu"
2255
-           13 $"Domain or User Blocking"
2256
-           14 $"Security Settings"
2257
-           15 $"Change the name of this system"
2258
-           16 $"Set a static local IP address"
2259
-           17 $"Wifi menu"
2260
-           18 $"Add Clacks"
2261
-           19 $"Check for updates"
2262
-           20 $"Power off the system"
2263
-           21 $"Restart the system")
1935
+           2 $"Backup and Restore"
1936
+           3 $"App Settings"
1937
+           4 $"Add/Remove Apps"
1938
+           5 $"Logging on/off"
1939
+           6 $"Manage Users"
1940
+           7 $"Email Menu"
1941
+           8 $"Domain or User Blocking"
1942
+           9 $"Security Settings"
1943
+           10 $"Change the name of this system"
1944
+           11 $"Set a static local IP address"
1945
+           12 $"Wifi menu"
1946
+           13 $"Add Clacks"
1947
+           14 $"Check for updates"
1948
+           15 $"Power off the system"
1949
+           16 $"Restart the system")
2264 1950
 
2265 1951
         # shellcheck disable=SC2068
2266
-        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 28 60 28 "${W[@]}" 3>&2 2>&1 1>&3)
1952
+        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 24 60 24 "${W[@]}" 3>&2 2>&1 1>&3)
2267 1953
 
2268 1954
         if [ ! "$selection" ]; then
2269 1955
             break
@@ -2273,30 +1959,24 @@ function menu_top_level {
2273 1959
 
2274 1960
         case $selection in
2275 1961
             1) show_about;;
2276
-            2) view_or_change_passwords;;
2277
-            3) menu_backup_restore;;
2278
-            4) show_firewall;;
2279
-            5) show_tripwire_verification_code
2280
-               any_key_verify;;
2281
-            6) reset_tripwire;;
2282
-            7) menu_app_settings;;
2283
-            8) if ! /usr/local/bin/addremove; then
1962
+            2) menu_backup_restore;;
1963
+            3) menu_app_settings;;
1964
+            4) if ! /usr/local/bin/addremove; then
2284 1965
                    any_key
2285 1966
                fi
2286 1967
                ;;
2287
-            9) logging_on_off;;
2288
-            10) ping_enable_disable;;
2289
-            11) menu_users;;
2290
-            12) menu_email;;
2291
-            13) domain_blocking;;
2292
-            14) security_settings;;
2293
-            15) change_system_name;;
2294
-            16) set_static_IP;;
2295
-            17) menu_wifi;;
2296
-            18) add_clacks;;
2297
-            19) check_for_updates;;
2298
-            20) shut_down_system;;
2299
-            21) restart_system;;
1968
+            5) logging_on_off;;
1969
+            6) menu_users;;
1970
+            7) menu_email;;
1971
+            8) domain_blocking;;
1972
+            9) security_settings;;
1973
+            10) change_system_name;;
1974
+            11) set_static_IP;;
1975
+            12) menu_wifi;;
1976
+            13) add_clacks;;
1977
+            14) check_for_updates;;
1978
+            15) shut_down_system;;
1979
+            16) restart_system;;
2300 1980
         esac
2301 1981
     done
2302 1982
 }

+ 0
- 1
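--- a/src/freedombone-controlpanel-user
+++ b/src/freedombone-controlpanel-user
@@ -890,7 +890,6 @@ function menu_top_level {
         selection=$(dialog --backtitle $"Freedombone User Control Panel" --title $"User Control Panel" --menu $"Choose an operation, or ESC to log out:" 20 60 13 "${W[@]}" 3>&2 2>&1 1>&3)
         if [ ! "$selection" ]; then
             kill -HUP "$(pgrep -s 0 -o)"
-            break
         fi
 
         case $selection in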
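Review bot: With `break` removed, leaving the loop now depends entirely on the `kill -HUP "$(pgrep -s 0 -o)"` on the line above actually terminating the session; if pgrep finds nothing or the signal is not delivered, `selection` is empty, no `case` arm matches and the menu is simply redrawn, so ESC no longer offers a way out. A fallback keeps the logout intent while still leaving the loop on failure: `kill -HUP "$(pgrep -s 0 -o)" || break`. menu_top_level starts and ends outside the hunk.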

+ 287
- 34
src/freedombone-sec 查看文件

@@ -69,6 +69,240 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
69 69
 
70 70
 MY_USERNAME=
71 71
 
72
+function ping_enable_disable {
73
+    ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
74
+    enable_ping="no"
75
+    dialog --title $"Enable Ping / ICMP" \
76
+           --backtitle $"Freedombone Control Panel" \
77
+           --defaultno \
78
+           --yesno "$ping_str" 10 60
79
+    sel=$?
80
+    case $sel in
81
+        0) enable_ping="yes";;
82
+        255) return;;
83
+    esac
84
+
85
+    if [[ $enable_ping == "yes" ]]; then
86
+        iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
87
+        iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
88
+        echo "0" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
89
+    else
90
+        iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
91
+        iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
92
+        echo "1" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
93
+    fi
94
+}
95
+
96
+function any_key_verify {
97
+    echo ''
98
+    read -n1 -rsp $"Press any key to continue or C to check a hash..." key
99
+    if [[ "$key" != 'c' && "$key" != 'C' ]]; then
100
+        return
101
+    fi
102
+
103
+    data=$(mktemp 2>/dev/null)
104
+    dialog --title $"Check tripwire hash" \
105
+           --backtitle $"Freedombone Control Panel" \
106
+           --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
107
+    sel=$?
108
+    case $sel in
109
+        0)
110
+            GIVEN_HASH=$(<"$data")
111
+            if [ ${#GIVEN_HASH} -gt 8 ]; then
112
+                if [[ "$GIVEN_HASH" == *' '* ]]; then
113
+                    dialog --title $"Check tripwire" \
114
+                           --msgbox $"\\nThe hash should not contain any spaces" 10 40
115
+                else
116
+                    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
117
+                    if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
118
+                        dialog --title $"Check tripwire" \
119
+                               --msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
120
+                    else
121
+                        dialog --title $"Check tripwire" \
122
+                               --msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
123
+                    fi
124
+                fi
125
+            fi
126
+            ;;
127
+    esac
128
+    rm -f "$data"
129
+}
130
+
131
+function show_tripwire_verification_code {
132
+    if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
133
+        return
134
+    fi
135
+    clear
136
+    echo ''
137
+    echo $'Tripwire Verification Code'
138
+    echo ''
139
+    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
140
+    echo -n "$DBHASH" | qrencode -t UTF8
141
+    echo ''
142
+    echo "$DBHASH"
143
+    echo ''
144
+}
145
+
146
+function reset_tripwire {
147
+    if [ ! -f /usr/bin/reset-tripwire ]; then
148
+        echo $'Missing /usr/bin/reset-tripwire'
149
+        any_key
150
+        return
151
+    fi
152
+    if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
153
+        if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
154
+            # shellcheck disable=SC2086
155
+            mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
156
+            # shellcheck disable=SC2086
157
+            mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
158
+        else
159
+            echo $'Error: missing local key'
160
+            any_key
161
+            return
162
+        fi
163
+    fi
164
+    clear
165
+    echo $'Turing off logging...'
166
+    "${PROJECT_NAME}-logging" off
167
+    echo $'Locking down permissions...'
168
+    lockdown_permissions
169
+    echo $'Creating configuration...'
170
+    echo '
171
+
172
+       ' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
173
+    echo $'Resetting policy...'
174
+    echo '
175
+
176
+       ' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
177
+    echo $'Creating tripwire database'
178
+    echo '
179
+
180
+' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
181
+    echo $'Resetting the Tripwire...'
182
+    echo ''
183
+    echo '
184
+
185
+                ' | reset-tripwire
186
+    echo ''
187
+
188
+    # Sometimes nginx fails to restart if matrix is installed
189
+    # Restart matrix first
190
+    if [ -d /etc/matrix ]; then
191
+        systemctl restart matrix
192
+        systemctl restart nginx
193
+    fi
194
+
195
+    if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
196
+        show_tripwire_verification_code
197
+        echo $'Tripwire is now reset. Take a note of the above hash, or record'
198
+        echo $'the QR code using a mobile device. This will enable you to independently'
199
+        echo $'verify the integrity of the tripwire.'
200
+    else
201
+        echo $'ERROR: tripwire database was not created'
202
+    fi
203
+    any_key
204
+}
205
+
206
+function passwords_show_apps {
207
+    SELECTED_APP=
208
+    i=0
209
+    W=()
210
+    name=()
211
+    # shellcheck disable=SC2068
212
+    for a in ${APPS_AVAILABLE[@]}
213
+    do
214
+        if grep -q "change_password_" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${a}"; then
215
+            i=$((i+1))
216
+            W+=("$i" "$a")
217
+            name+=("$a")
218
+        fi
219
+    done
220
+    i=$((i+1))
221
+    W+=("$i" "mariadb")
222
+    name+=("mariadb")
223
+
224
+    # shellcheck disable=SC2068
225
+    selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"User $SELECTED_USERNAME: Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
226
+
227
+    # shellcheck disable=SC2181
228
+    if [ $? -eq 0 ]; then
229
+        SELECTED_APP="${name[$((selected_app_index-1))]}"
230
+    fi
231
+}
232
+
233
+function view_or_change_passwords {
234
+    passwords_select_user
235
+    if [ ! "$SELECTED_USERNAME" ]; then
236
+        return
237
+    fi
238
+    detect_installed_apps
239
+    passwords_show_apps
240
+    if [ ! "$SELECTED_APP" ]; then
241
+        return
242
+    fi
243
+
244
+    CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
245
+
246
+    icann_address=$(get_app_icann_address "${SELECTED_APP}")
247
+    onion_address=$(get_app_onion_address "${SELECTED_APP}")
248
+
249
+    titlestr=$"View or Change Password"
250
+    if [ ${#onion_address} -gt 0 ]; then
251
+        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
252
+    else
253
+        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
254
+    fi
255
+
256
+    if [ -f /root/.nostore ]; then
257
+        titlestr=$"Change Password"
258
+        if [ ${#onion_address} -gt 0 ]; then
259
+            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
260
+        else
261
+            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
262
+        fi
263
+    fi
264
+
265
+    if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
266
+        CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
267
+        dialog --title $"MariaDB database password" \
268
+               --msgbox "\\n            ${CURR_PASSWORD}" 7 40
269
+        return
270
+    fi
271
+
272
+    data=$(mktemp 2>/dev/null)
273
+    dialog --title "$titlestr" \
274
+           --backtitle $"Freedombone Control Panel" \
275
+           --inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
276
+    sel=$?
277
+    case $sel in
278
+        0)
279
+            CURR_PASSWORD=$(<"$data")
280
+            if [ ${#CURR_PASSWORD} -gt 8 ]; then
281
+                "${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
282
+                "change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
283
+                dialog --title $"Change password" \
284
+                       --msgbox $"The password was changed" 6 40
285
+            else
286
+                dialog --title $"Change password" \
287
+                       --msgbox $"The password given must be at least 8 characters" 6 40
288
+            fi
289
+            ;;
290
+    esac
291
+    rm -f "$data"
292
+}
293
+
294
+function show_firewall {
295
+    W=()
296
+    while read -r line; do
297
+        firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
298
+        firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
299
+        W+=("${firewall_name}" "${firewall_port}")
300
+    done < "$FIREWALL_CONFIG"
301
+
302
+    # shellcheck disable=SC2068
303
+    dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Firewall" --menu $"Press ESC to return to main menu" 28 50 28 "${W[@]}" 3>&2 2>&1 1>&3
304
+}
305
+
72 306
 function export_passwords {
73 307
     detect_usb_drive
74 308
     dialog --title $"Export passwords to USB drive $USB_DRIVE" \
@@ -962,24 +1196,27 @@ function menu_tor_bridges {
962 1196
 }
963 1197
 
964 1198
 function menu_security_settings {
965
-    W=(1 $"Run STIG tests"
966
-       2 $"Fix STIG test failures"
967
-       3 $"Show ssh host public key"
968
-       4 $"Tor bridges"
969
-       5 $"Password storage"
970
-       6 $"Export passwords"
971
-       7 $"Regenerate ssh host keys"
972
-       8 $"Regenerate Diffie-Hellman keys"
973
-       9 $"Update cipersuite"
974
-       10 $"Create a new Let's Encrypt certificate"
975
-       11 $"Renew Let's Encrypt certificate"
976
-       12 $"Delete a Let's Encrypt certificate"
977
-       13 $"Enable GPG based authentication (monkeysphere)"
978
-       14 $"Register a website with monkeysphere"
979
-       15 $"Allow ssh login with passwords")
1199
+    W=(1 $"Passwords"
1200
+       2 $"Run STIG tests"
1201
+       3 $"Fix STIG test failures"
1202
+       4 $"Show tripwire verification code"
1203
+       5 $"Reset tripwire"
1204
+       6 $"Enable or disable ping"
1205
+       7 $"Show ssh host public key"
1206
+       8 $"Tor bridges"
1207
+       9 $"Password storage"
1208
+       10 $"Export passwords"
1209
+       11 $"Regenerate ssh host keys"
1210
+       12 $"Regenerate Diffie-Hellman keys"
1211
+       13 $"Update cipersuite"
1212
+       14 $"Create a new Let's Encrypt certificate"
1213
+       15 $"Renew Let's Encrypt certificate"
1214
+       16 $"Delete a Let's Encrypt certificate"
1215
+       17 $"Allow ssh login with passwords"
1216
+       18 $"Show firewall")
980 1217
 
981 1218
     # shellcheck disable=SC2068
982
-    selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 23 76 23 "${W[@]}" 3>&2 2>&1 1>&3)
1219
+    selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 25 76 25 "${W[@]}" 3>&2 2>&1 1>&3)
983 1220
 
984 1221
     if [ ! "$selection" ]; then
985 1222
         exit 0
@@ -1001,13 +1238,17 @@ function menu_security_settings {
1001 1238
 
1002 1239
     case $selection in
1003 1240
         1)
1241
+            view_or_change_passwords
1242
+            exit 0;
1243
+            ;;
1244
+        2)
1004 1245
             clear
1005 1246
             echo $'Running STIG tests...'
1006 1247
             echo ''
1007 1248
             ${PROJECT_NAME}-tests --stig showall
1008 1249
             exit 0
1009 1250
             ;;
1010
-        2)
1251
+        3)
1011 1252
             clear
1012 1253
             echo $'Fixing any STIG failures...'
1013 1254
             echo ''
@@ -1015,53 +1256,65 @@ function menu_security_settings {
1015 1256
             echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.'
1016 1257
             exit 0
1017 1258
             ;;
1018
-        3)
1019
-            dialog --title $"SSH host public keys" \
1020
-                   --msgbox "\\n$(get_ssh_server_key)" 12 60
1021
-            exit 0
1022
-            ;;
1023 1259
         4)
1024
-            menu_tor_bridges
1260
+            show_tripwire_verification_code
1261
+            any_key_verify
1025 1262
             exit 0
1026 1263
             ;;
1027 1264
         5)
1028
-            store_passwords
1265
+            reset_tripwire
1029 1266
             exit 0
1030 1267
             ;;
1268
+
1031 1269
         6)
1032
-            export_passwords
1270
+            ping_enable_disable
1033 1271
             exit 0
1034 1272
             ;;
1035 1273
         7)
1036
-            regenerate_ssh_host_keys
1274
+            dialog --title $"SSH host public keys" \
1275
+                   --msgbox "\\n$(get_ssh_server_key)" 12 60
1276
+            exit 0
1037 1277
             ;;
1038 1278
         8)
1039
-            regenerate_dh_keys
1279
+            menu_tor_bridges
1280
+            exit 0
1040 1281
             ;;
1041 1282
         9)
1042
-            interactive_setup
1043
-            update_ciphersuite
1283
+            store_passwords
1284
+            exit 0
1044 1285
             ;;
1045 1286
         10)
1046
-            create_letsencrypt
1287
+            export_passwords
1288
+            exit 0
1047 1289
             ;;
1048 1290
         11)
1049
-            renew_letsencrypt
1291
+            regenerate_ssh_host_keys
1050 1292
             ;;
1051 1293
         12)
1052
-            delete_letsencrypt
1294
+            regenerate_dh_keys
1053 1295
             ;;
1054 1296
         13)
1055
-            enable_monkeysphere
1297
+            interactive_setup
1298
+            update_ciphersuite
1056 1299
             ;;
1057 1300
         14)
1058
-            register_website
1301
+            create_letsencrypt
1059 1302
             ;;
1060 1303
         15)
1304
+            renew_letsencrypt
1305
+            ;;
1306
+        16)
1307
+            delete_letsencrypt
1308
+            ;;
1309
+        17)
1061 1310
             allow_ssh_passwords
1062 1311
             change_ssh_settings
1063 1312
             exit 0
1064 1313
             ;;
1314
+        18)
1315
+            show_firewall
1316
+            exit 0
1317
+            ;;
1065 1318
     esac
1066 1319
 
1067 1320
     change_website_settings
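Review bot: `ping_enable_disable` (first hunk) appends a fresh `iptables -A INPUT`/`-A OUTPUT` rule on every enable, so toggling ping on more than once leaves duplicate rules, and a later disable's single `-D` removes only one copy, so the rule set no longer reflects the state the admin selected; guard the insert with an existence check, `iptables -C INPUT -p icmp --icmp-type echo-request -j ACCEPT 2>/dev/null || iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT` (likewise for OUTPUT), and on disable repeat `-D` until it fails. Nothing in the hunk persists the change, so if the firewall rules are saved elsewhere in this project that save should be called here too — I cannot tell from this diff. Separately, `view_or_change_passwords` hands the new password to `${PROJECT_NAME}-pass` as `-p "${CURR_PASSWORD}"`, which is briefly visible in the process list to any local user; if that tool can read the secret from stdin or a file, prefer that. Minor: the `exit 0;` under arm `1)` of menu_security_settings carries a stray semicolon unlike its sibling arms.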

+ 1
- 0
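--- a/src/freedombone-upgrade
+++ b/src/freedombone-upgrade
@@ -95,6 +95,7 @@ if [ -d "$PROJECT_DIR" ]; then
         apt-get -yq -t stretch-backports install certbot
         email_install_tls
         email_disable_chunking
+        rm /etc/exim4/exim4.conf.template.bak*
         #defrag_filesystem
 
         # reinstall tor from backports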
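Review bot: `rm /etc/exim4/exim4.conf.template.bak*` fails with "No such file or directory" whenever no backup exists, because an unmatched glob is passed to rm literally; on a system that has already run this upgrade step once, that is the normal case. Make the cleanup idempotent with `rm -f /etc/exim4/exim4.conf.template.bak*`, or guard it with a `compgen -G` / nullglob test. The enclosing `if` block starts and ends outside the hunk.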

+ 23
- 16
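--- a/src/freedombone-utils-gnusocialtools
+++ b/src/freedombone-utils-gnusocialtools
@@ -95,6 +95,28 @@ function qvitter_update_background {
     fi
 }
 
+function pleroma_custom_logo {
+    basedir="$1"
+    if [ "$2" ]; then
+        if [[ "$2" == *".png" ]]; then
+            cp "$2" "$basedir/priv/static/static/logo.png"
+            return
+        fi
+    fi
+
+    if [ -f "$basedir/priv/static/static/logo.png" ]; then
+        if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
+            cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
+            cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
+        else
+            if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
+                cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
+                cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
+            fi
+        fi
+    fi
+}
+
 function pleroma_set_background_image_from_url {
     basedir="$1"
     domain_name="$2"
@@ -157,22 +179,7 @@ function pleroma_set_background_image_from_url {
         return
     fi
 
-    # customise the logo
-    if [ -f "$basedir/static/logo.png" ]; then
-        if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
-            cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
-            if [ -d "$basedir/priv/static/static" ]; then
-                cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
-            fi
-        else
-            if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
-                cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
-                if [ -d "$basedir/priv/static/static" ]; then
-                    cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
-                fi
-            fi
-        fi
-    fi
+    pleroma_custom_logo "$basedir"
 
     # customise the title
     if [ -f "$basedir/static/config.json" ]; then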
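Review bot: When a custom logo is supplied as `$2`, `pleroma_custom_logo` copies it only to `$basedir/priv/static/static/logo.png` and returns, while the default branch writes both that path and `$basedir/static/logo.png`; after a custom logo is set the two locations therefore disagree. The custom path is also copied without checking that it exists, so a typo surfaces only as a cp error rather than a clear message. Suggest `if [ -f "$2" ] && [[ "$2" == *".png" ]]; then` for the guard and copying to both destinations inside it, mirroring the default branch. Note the new default branch also requires `priv/static/static/logo.png` to pre-exist before touching either file, whereas the removed code keyed on `static/logo.png` and only optionally wrote the `priv` copy — presumably intended, but worth a one-line comment.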

+ 18
- 0
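--- a/src/freedombone-utils-network
+++ b/src/freedombone-utils-network
@@ -47,6 +47,24 @@ ROUTER_IP_ADDRESS="192.168.1.254"
 
 MESH_INSTALL_DIR=/var/lib
 
+function get_app_icann_address {
+    app_name="$1"
+    if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
+        grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
+        return
+    else
+        app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
+        if [ "$app_name_upper" ]; then
+            param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
+            if [ "${param_value}" ]; then
+                echo "${param_value}"
+                return
+            fi
+        fi
+    fi
+    echo "${DEFAULT_DOMAIN_NAME}"
+}
+
 function install_static_network {
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
         return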
+ 41
- 0
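--- a/src/freedombone-utils-passwords
+++ b/src/freedombone-utils-passwords
@@ -39,6 +39,47 @@ MINIMUM_PASSWORD_LENGTH=10
 # The default password length used in images
 DEFAULT_PASSWORD_LENGTH=20
 
+function passwords_select_user {
+    SELECTED_USERNAME=
+
+    # shellcheck disable=SC2207
+    users_array=($(ls /home))
+
+    delete=(git)
+    # shellcheck disable=SC2068
+    for del in ${delete[@]}
+    do
+        # shellcheck disable=SC2206
+        users_array=(${users_array[@]/$del})
+    done
+
+    i=0
+    W=()
+    name=()
+    # shellcheck disable=SC2068
+    for u in ${users_array[@]}
+    do
+        if [[ $(is_valid_user "$u") == "1" ]]; then
+            i=$((i+1))
+            W+=("$i" "$u")
+            name+=("$u")
+        fi
+    done
+
+    if [ $i -eq 1 ]; then
+        SELECTED_USERNAME="${name[0]}"
+    else
+        # shellcheck disable=SC2068
+        user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
+
+        # shellcheck disable=SC2181
+        if [ $? -eq 0 ]; then
+            # shellcheck disable=SC2034
+            SELECTED_USERNAME="${name[$((user_index-1))]}"
+        fi
+    fi
+}
+
 function enforce_good_passwords {
     # because humans are generally bad at choosing passwords
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then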
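Review bot: `users_array=(${users_array[@]/$del})` is a substring substitution, not element removal: it strips `git` out of every entry, so a home directory named, say, `gitlab` would be offered as `lab` and passed to is_valid_user under the wrong name, while an exact `git` entry only disappears because the empty word is dropped by word-splitting. Skip the name inside the user loop instead — `[[ "$u" == "git" ]] && continue` as the first statement of the `for u` body — and remove the `delete` loop. When no valid user is found (`i` is 0) the function still calls dialog with an empty `W`, which presents an empty menu; an early `return` for that case avoids it. Building the list from `ls /home` also word-splits names containing spaces; a glob such as `for u in /home/*/` with `${u%/}` and `${u##*/}` is the usual safer form, though is_valid_user may already reject such names.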