Merge branch 'stretch' of https://github.com/bashrc/freedombone

doc/EN/socialinstance.org

 [[file:images/logo.png]]
 #+END_CENTER
 
-#+BEGIN_EXPORT html
+#+BEGIN_EXPORT HTML
 <center>
 <h1>Social Instance</h1>
 </center>

src/freedombone-app-gnusocial

     sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
     sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
 
+    if [ -f /usr/bin/gnusocial-firewall ]; then
+        rm /usr/bin/gnusocial-firewall
+    fi
+
     function_check remove_ddns_domain
     remove_ddns_domain "$GNUSOCIAL_DOMAIN_NAME"
 }

src/freedombone-app-pleroma

 #                    Freedom in the Cloud
 #
 # Pleroma backend application
-# https://git.pleroma.social/pleroma/pleroma/wikis/Installing-on-Debian-Based-Distributions
-#
-# Show stopper: This is dependent on https://placehold.it for avatar images,
-# so at present it's not usable until a first party placeholder image system
-# is included.
-#
-# There is also a possible issue with the chat system which uses an object called
-# "Agent" which may not be supported with the version of elixir within the
-# Debian package. This only applies if you're installing from the latest commit.
 #
 # License
 # =======
 PLEROMA_PORT=4000
 PLEROMA_ONION_PORT=8011
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
-PLEROMA_COMMIT='59a76ea464998476f8c4814324647f4ae4a7f2cb'
+PLEROMA_COMMIT='c50c7745bc8b8f52ba07c69c0d2505df54da0f59'
 PLEROMA_ADMIN_PASSWORD=
 PLEROMA_DIR=/etc/pleroma
 PLEROMA_SECRET_KEY=""
     if [ -f /etc/systemd/system/pleroma.service ]; then
         systemctl restart pleroma
     fi
-
 }
 
 function logging_on_pleroma {
         return
     fi
 
+    pleroma_registrations=open
+    if grep -q 'registrations_open: false' $PLEROMA_DIR/config/config.exs; then
+        pleroma_registrations=
+    fi
+
     # make a copy of the configuration
     cp $PLEROMA_DIR/priv/static/static/config.json $PLEROMA_DIR/priv/static/static/config_prev.json
 
 
     sudo -u pleroma mix deps.get
 
+    if [ ! $pleroma_registrations ]; then
+        sed -i 's|registrations_open: true|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
+        sed -i 's|registrations_open: True|registrations_open: false|g' $PLEROMA_DIR/config/config.exs
+    fi
+
     pleroma_recompile
 
     # migrate database
     sudo -u pleroma mix deps.clean --build mime
     sudo -u pleroma mix ecto.migrate
 
+    pleroma_custom_logo "$PLEROMA_DIR"
+
     expire_pleroma_posts "$PLEROMA_DOMAIN_NAME" "$PLEROMA_EXPIRE_MONTHS"
     create_pleroma_blocklist
 
     sed -i '/pleroma commit/d' "$COMPLETION_FILE"
     sed -i "/$blocking_script_file/d" /etc/crontab
 
+    if [ -f /usr/bin/pleroma-blocking ]; then
+        rm /usr/bin/pleroma-blocking
+    fi
+
     function_check remove_ddns_domain
     remove_ddns_domain "$PLEROMA_DOMAIN_NAME"
 }
     sed -i 's|registrations_open:.*|registrations_open: true,|g' $PLEROMA_DIR/config/config.exs
     sed -i 's|"registrationOpen":.*|"registrationOpen": true,|g' $PLEROMA_DIR/priv/static/static/config.json
 
+    if ! grep -q "media_proxy" $PLEROMA_DIR/priv/static/static/config.json; then
+        sed -i '/"name":/a "media_proxy": false,' $PLEROMA_DIR/priv/static/static/config.json
+        sed -i 's|"media_proxy"|  "media_proxy"|g' $PLEROMA_DIR/priv/static/static/config.json
+    else
+        sed -i 's|"media_proxy".*|"media_proxy": false,|g' $PLEROMA_DIR/priv/static/static/config.json
+    fi
+
     systemctl daemon-reload
     systemctl enable pleroma
     systemctl start pleroma

src/freedombone-app-postactiv

     sed -i 's|mysqli.allow_persistent.*|mysqli.allow_persistent = On|g' /etc/php/7.0/cli/php.ini
     sed -i 's|mysqli.reconnect.*|mysqli.reconnect = Off|g' /etc/php/7.0/cli/php.ini
 
+    if [ -f /usr/bin/postactiv-firewall ]; then
+        rm /usr/bin/postactiv-firewall
+    fi
+
     function_check remove_ddns_domain
     remove_ddns_domain "$POSTACTIV_DOMAIN_NAME"
 }

src/freedombone-app-xmpp

 XMPP_ECC_CURVE='"secp384r1"'
 
 prosody_latest_version='0.10'
-prosody_nightly=410
-prosody_nightly_hash='9cf3db6a09895a744d72eb90b4a635758a710afe1a16b78506c7139c4e7211eb'
+prosody_nightly=468
+prosody_nightly_hash='c72aaab1182a86090188284f443d2f819889ca242d4e955258ef60f4c7c9a1ba'
 prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
 prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
 
 # From https://hg.prosody.im/prosody-modules
-prosody_modules_filename='prosody-modules-20180104.tar.gz'
-prosody_modules_hash='7c81b4ed8a90130b4db5902dc1f299ad1c4dab57a0970552b71cb2042a490bc1'
+prosody_modules_filename='prosody-modules-20180322.tar.gz'
+prosody_modules_hash='982d0dfcef98e9cb9cee4cc3801b8ce9a503a32e44c32b99df6fe94545b90072'
 
 xmpp_variables=(ONION_ONLY
                 INSTALLED_WITHIN_DOCKER
     # On rare occasions the daemon appears to get stuck
     # i.e. still active, but not accepting connections
     # This ensures that it will unstick itself at least once per day
-    if [ ! -f /etc/cron.daily/prosody ]; then
-        echo '#!/bin/bash' > /etc/cron.daily/prosody
-        echo 'systemctl restart prosody' >> /etc/cron.daily/prosody
-        chmod +x /etc/cron.daily/prosody
+    if [ -f /etc/cron.daily/prosody ]; then
+        rm /etc/cron.daily/prosody
+    fi
+    if [ ! -f /etc/cron.hourly/prosody ]; then
+        { echo '#!/bin/bash';
+          echo "is_active=\$(systemctl is-active prosody)";
+          echo "if [[ \"\$is_active\" != 'active' ]]; then";
+          echo '  systemctl restart prosody'
+          echo 'fi'; } > /etc/cron.hourly/prosody
+        chmod +x /etc/cron.hourly/prosody
     fi
 }
 
         return
     fi
 
-    { 'contact_info = {';
-      "abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
-      "admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
-      "feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
-      "security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
-      "support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
-      '};'; } >> "$filename"
+    { echo 'contact_info = {';
+      echo "abuse = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
+      echo "admin = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
+      echo "feedback = { \"mailto:${MY_EMAIL_ADDRESS}\", \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
+      echo "security = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
+      echo "support = { \"xmpp:${MY_USERNAME}@${HOSTNAME}\" };";
+      echo '};'; } >> "$filename"
 }
 
 function xmpp_modules {
       echo 'http_upload_file_size_limit = 307200';
       echo '';
       echo "Component \"chat.${DEFAULT_DOMAIN_NAME}\" \"muc\"";
+      echo '    restrict_room_creation = true';
       echo '    name = "Chatrooms"';
       echo '    modules_enabled = {';
       echo '        "muc_limits";';

src/freedombone-base-email

 # optionally specify your public key ID
 MY_GPG_PUBLIC_KEY_ID=
 
-EXIM_ONION_REPO="https://github.com/petterreinholdtsen/exim4-smtorp"
-
 # automatic archiving of email
 CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir"
 CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86'
     set_completion_param "email onion domain" "${onion_address}"
     add_email_hostname "$onion_address"
 
+    apt-get -yq install tinycdb perl
+
+    # MX record should be:
+    # _onion-mx._tcp.$DEFAULT_DOMAIN_NAME. 3600 IN SRV 0 5 25 $onion_address
+
+    echo "$DEFAULT_DOMAIN_NAME $onion_address" > /etc/exim4/onionrelay.txt
+    cdb -m -c -t ~/onionrelay.tmp /etc/exim4/onionrelay.cdb /etc/exim4/onionrelay.txt
+
+    { echo "perl_startup = do '/etc/exim4/perl-routines.pl'";
+      echo "perl_at_start"; } > /etc/exim4/conf.d/main/perl
+
+    { echo "use Net::DNS::Resolver;";
+      echo "sub onionLookup {";
+      echo "  my \$hostname = shift;";
+      echo "  my \$res = Net::DNS::Resolver->new(nameservers => [qw(127.0.0.1)],);";
+      echo "  \$res->port(5300);";
+      echo "  my \$query = \$res->search(\$hostname);";
+      echo "  foreach my \$rr (\$query->answer) {";
+      echo "    next unless \$rr->type eq \"A\";";
+      echo "    return \$rr->address;";
+      echo "  }";
+      echo "  return 'no_such_host';";
+      echo "}"; } > /etc/exim4/perl-routines.pl
+
+    { echo "ONION_RELAYDB=/etc/exim4/onionrelay.cdb";
+      echo "domainlist onion_relays     = cdb;ONION_RELAYDB"; } > /etc/exim4/conf.d/domainlists
+
+    { echo "# send things over tor where we have an entry for it";
+      echo "onionrelays:";
+      echo "  driver    = manualroute";
+      echo "  domains   = +onion_relays";
+      echo "  transport = onion_relay";
+      echo "  # get the automap IP for the onion address from the tor daemon";
+      echo "  route_data = \${perl{onionLookup}{\${lookup{\$domain}cdb{ONION_RELAYDB}}}}";
+      echo "  no_more"; } > /etc/exim4/conf.d/router/50_exim4-config-onion
+
+    { echo "onion_relay:";
+      echo "  driver = smtp";
+      echo "  socks_proxy = 127.0.0.1 port=9050"; } > /etc/exim4/conf.d/transport/50_exim4-config_onion
+
+    if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then
+        echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
+    else
+        sed -i 's|#AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
+        sed -i 's|AutomapHostsOnResolve.*|AutomapHostsOnResolve 1|g' /etc/tor/torrc
+    fi
+
+    if ! grep -q "DNSPort " /etc/tor/torrc; then
+        echo 'DNSPort 5300' >> /etc/tor/torrc
+    else
+        sed -i 's|#DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
+        sed -i 's|DNSPort .*|DNSPort 5300|g' /etc/tor/torrc
+    fi
+
+    if ! grep -q "DNSListenAddress" /etc/tor/torrc; then
+        echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc
+    else
+        sed -i 's|#DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
+        sed -i 's|DNSListenAddress.*|DNSListenAddress 127.0.0.1|g' /etc/tor/torrc
+    fi
+
+    dpkg-reconfigure --frontend noninteractive exim4-config
+    systemctl restart tor
+    systemctl restart exim4
+
     mark_completed "${FUNCNAME[0]}"
 }
 

src/freedombone-controlpanel

 
 function any_key {
     echo ''
+    # shellcheck disable=SC2034
     read -n1 -rsp $"Press any key to continue..." key
 }
 
-function any_key_verify {
-    echo ''
-    read -n1 -rsp $"Press any key to continue or C to check a hash..." key
-    if [[ "$key" != 'c' && "$key" != 'C' ]]; then
-        return
-    fi
-
-    data=$(mktemp 2>/dev/null)
-    dialog --title $"Check tripwire hash" \
-           --backtitle $"Freedombone Control Panel" \
-           --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
-    sel=$?
-    case $sel in
-        0)
-            GIVEN_HASH=$(<"$data")
-            if [ ${#GIVEN_HASH} -gt 8 ]; then
-                if [[ "$GIVEN_HASH" == *' '* ]]; then
-                    dialog --title $"Check tripwire" \
-                           --msgbox $"\\nThe hash should not contain any spaces" 10 40
-                else
-                    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
-                    if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
-                        dialog --title $"Check tripwire" \
-                               --msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
-                    else
-                        dialog --title $"Check tripwire" \
-                               --msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
-                    fi
-                fi
-            fi
-            ;;
-    esac
-    rm -f "$data"
-}
-
-function get_app_icann_address {
-    app_name="$1"
-    if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
-        grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
-        return
-    else
-        app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
-        if [ "$app_name_upper" ]; then
-            param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
-            if [ "${param_value}" ]; then
-                echo "${param_value}"
-                return
-            fi
-        fi
-    fi
-    echo "${DEFAULT_DOMAIN_NAME}"
-}
-
-function passwords_select_user {
-    SELECTED_USERNAME=
-
-    # shellcheck disable=SC2207
-    users_array=($(ls /home))
-
-    delete=(git)
-    # shellcheck disable=SC2068
-    for del in ${delete[@]}
-    do
-        # shellcheck disable=SC2206
-        users_array=(${users_array[@]/$del})
-    done
-
-    i=0
-    W=()
-    name=()
-    # shellcheck disable=SC2068
-    for u in ${users_array[@]}
-    do
-        if [[ $(is_valid_user "$u") == "1" ]]; then
-            i=$((i+1))
-            W+=("$i" "$u")
-            name+=("$u")
-        fi
-    done
-
-    if [ $i -eq 1 ]; then
-        SELECTED_USERNAME="${name[0]}"
-    else
-        # shellcheck disable=SC2068
-        user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
-
-        # shellcheck disable=SC2181
-        if [ $? -eq 0 ]; then
-            SELECTED_USERNAME="${name[$((user_index-1))]}"
-        fi
-    fi
-}
-
-function passwords_show_apps {
-    SELECTED_APP=
-    i=0
-    W=()
-    name=()
-    # shellcheck disable=SC2068
-    for a in ${APPS_AVAILABLE[@]}
-    do
-        if [[ $(function_exists "change_password_${a}") == "1" ]]; then
-            i=$((i+1))
-            W+=("$i" "$a")
-            name+=("$a")
-        fi
-    done
-    i=$((i+1))
-    W+=("$i" "mariadb")
-    name+=("mariadb")
-
-    # shellcheck disable=SC2068
-    selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
-
-    # shellcheck disable=SC2181
-    if [ $? -eq 0 ]; then
-        SELECTED_APP="${name[$((selected_app_index-1))]}"
-    fi
-}
-
 function reset_password_tries {
     passwords_select_user
     if [ ! "$SELECTED_USERNAME" ]; then
            --msgbox $"Password tries have been reset for $SELECTED_USERNAME" 6 60
 }
 
-function view_or_change_passwords {
-    passwords_select_user
-    if [ ! "$SELECTED_USERNAME" ]; then
-        return
-    fi
-    detect_installed_apps
-    passwords_show_apps
-    if [ ! "$SELECTED_APP" ]; then
-        return
-    fi
-
-    CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
-
-    icann_address=$(get_app_icann_address "${SELECTED_APP}")
-    onion_address=$(get_app_onion_address "${SELECTED_APP}")
-
-    titlestr=$"View or Change Password"
-    if [ ${#onion_address} -gt 0 ]; then
-        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
-    else
-        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
-    fi
-
-    if [ -f /root/.nostore ]; then
-        titlestr=$"Change Password"
-        if [ ${#onion_address} -gt 0 ]; then
-            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
-        else
-            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
-        fi
-    fi
-
-    if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
-        CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
-        dialog --title $"MariaDB database password" \
-               --msgbox "\\n            ${CURR_PASSWORD}" 7 40
-        return
-    fi
-
-    data=$(mktemp 2>/dev/null)
-    dialog --title "$titlestr" \
-           --backtitle $"Freedombone Control Panel" \
-           --inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
-    sel=$?
-    case $sel in
-        0)
-            CURR_PASSWORD=$(<"$data")
-            if [ ${#CURR_PASSWORD} -gt 8 ]; then
-                "${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
-                "change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
-                dialog --title $"Change password" \
-                       --msgbox $"The password was changed" 6 40
-            else
-                dialog --title $"Change password" \
-                       --msgbox $"The password given must be at least 8 characters" 6 40
-            fi
-            ;;
-    esac
-    rm -f "$data"
-}
-
 function check_for_updates {
     if [ ! -f "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" ]; then
         dialog --title $"Check for updates" \
     echo -n -e "$1" | sed -e :a -e 's/^.\{1,25\}$/& /;ta'
 }
 
+function show_tor_bridges {
+    if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
+        if grep -q "BridgeRelay 1" /etc/tor/torrc; then
+            read_config_param 'TOR_BRIDGE_PORT'
+            read_config_param 'TOR_BRIDGE_NICKNAME'
+            if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
+                W+=($"Your Tor Bridge" "$(get_ipv4_address):${TOR_BRIDGE_PORT} ${TOR_BRIDGE_NICKNAME}")
+            fi
+        fi
+    fi
+    bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
+    if [ ${#bridges_list} -gt 0 ]; then
+        for i in "${bridges_list[@]}"
+        do
+            bridgestr=$(i//Bridge /)
+            W+=($"Tor Bridge" "$bridgestr")
+        done
+    fi
+}
+
 function show_domains {
     read_config_param "DEFAULT_DOMAIN_NAME"
 
-    echo 'Domains'
-    echo '======='
-    echo ''
-    echo -n -e "$(pad_string 'Name')"
-    echo -n -e "$(pad_string 'ICANN')"
-    echo -n -e "$(pad_string 'Tor')"
-    echo ''
-    echo '--------------------------------------------------------------------------'
+    W=()
+
+    W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
+    ipv6_address="$(get_ipv6_address)"
+    if [ ${#ipv6_address} -gt 0 ]; then
+        W+=("IPv6" "${ipv6_address}")
+    fi
+
+
     if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
-        echo -n -e "$(pad_string 'ssh')"
-        echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")"
-        grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
+        domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
+        W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
     fi
     if grep -q "email onion domain" "$COMPLETION_FILE"; then
-        echo -n -e "$(pad_string 'Email')"
-        echo -n -e "$(pad_string "${DEFAULT_DOMAIN_NAME}")"
-        grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
+        domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
+        W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
     fi
     if grep -q "sks onion domain" "$COMPLETION_FILE"; then
         read_config_param "KEYSERVER_DOMAIN_NAME"
-        echo -n -e "$(pad_string 'SKS')"
-        echo -n -e "$(pad_string "${KEYSERVER_DOMAIN_NAME}")"
-        grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}'
+        domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
+        W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
     fi
 
+    INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
+    if [ -f $INTRODUCER_FILENAME ]; then
+        W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
+    fi
+
+    show_tor_bridges
+
     # shellcheck disable=SC2068
     for app_name in ${APPS_INSTALLED_NAMES[@]}
     do
                 onion_address="-"
             fi
 
-            echo -n -e "$(pad_string "${app_name}")"
-            echo -n -e "$(pad_string "${icann_address}")"
-            echo "${onion_address}"
+            if [[ "${icann_address}" != '-' ]]; then
+                if [[ "${onion_address}" != '-' ]]; then
+                    W+=("${app_name}" "${icann_address} / ${onion_address}")
+                else
+                    W+=("${app_name}" "${icann_address}")
+                fi
+            else
+                W+=("${app_name}" "${onion_address}")
+            fi
 
             if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
                 onion_address=$(get_app_onion_address "${app_name}" "mobile")
-                echo -n -e "$(pad_string "${app_name} (mobile)")"
-                echo -n -e "$(pad_string "${icann_address}")"
-                echo "${onion_address}"
+                if [[ "${icann_address}" != '-' ]]; then
+                    W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
+                else
+                    W+=("${app_name} (mobile)" "${onion_address}")
+                fi
             fi
         fi
     done
 
     if grep -q "rss reader domain" "$COMPLETION_FILE"; then
         if [ -d /var/lib/tor/hidden_service_ttrss ]; then
-            echo -n -e "$(pad_string 'RSS reader')"
-            RSSDOM='-'
-            echo -n -e "$(pad_string ${RSSDOM})"
-            echo -n "$(cat /var/lib/tor/hidden_service_ttrss/hostname)"
-            echo ''
+            domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
+            W+=("RSS Reader" "${domain_onion}")
         fi
         if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
-            echo -n -e "$(pad_string 'RSS mobile')"
-            RSSMOBILEDOM='-'
-            echo -n -e "$(pad_string ${RSSMOBILEDOM})"
-            echo -n "$(cat /var/lib/tor/hidden_service_mobilerss/hostname)"
-            echo ''
+            domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
+            W+=("RSS mobile" "${domain_onion}")
         fi
     fi
-    echo ''
+
+    width=$(tput cols)
+    height=$(tput lines)
+
+    # shellcheck disable=SC2068
+    dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3
 }
 
 function show_users {
     echo ''
 }
 
-function show_tor_bridges {
-    bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
-    if [ ${#bridges_list} -gt 0 ]; then
-        echo $'Tor Bridges'
-        echo '==========='
-        echo ''
-        echo "${bridges_list}"
-        echo ''
-        echo ''
-    fi
-    if ! grep -q "#BridgeRelay" /etc/tor/torrc; then
-        if grep -q "BridgeRelay 1" /etc/tor/torrc; then
-            read_config_param 'TOR_BRIDGE_PORT'
-            read_config_param 'TOR_BRIDGE_NICKNAME'
-            if [ ${#TOR_BRIDGE_NICKNAME} -gt 0 ]; then
-                echo "Tor bridge on this system"
-                echo '========================='
-                echo ''
-                echo "IP Address: $(get_ipv4_address)"
-                echo "Port:       ${TOR_BRIDGE_PORT}"
-                echo "Nickname:   ${TOR_BRIDGE_NICKNAME}"
-                echo ''
-                echo ''
-            fi
-        fi
-    fi
-}
-
 function show_ssh_public_key {
     echo $'SSH Public Keys'
     echo '==============='
     echo ''
 }
 
-function show_tahoelafs_introducer {
-    INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
-    if [ ! -f $INTRODUCER_FILENAME ]; then
-        return
-    fi
-    echo $'Tahoe-LAFS introducer'
-    echo '====================='
-    echo ''
-    cat $INTRODUCER_FILENAME
-    echo ''
-    echo ''
-}
-
 function show_about {
     detect_apps
     get_apps_installed_names
 
-    clear
-    echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ===="
-    echo ''
-    show_ip_addresses
-    show_tor_bridges
-    show_ssh_public_key
+    #clear
+    #echo "==== ${PROJECT_NAME} version ${VERSION} ($DEBIAN_VERSION) ===="
+    #echo ''
+    #show_ip_addresses
+    #show_ssh_public_key
     show_domains
-    show_tahoelafs
-    show_users
-    any_key
+    #show_users
+    #any_key
 }
 
 function select_user {
     rm -f "$data"
 }
 
-function ping_enable_disable {
-    ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
-    enable_ping="no"
-    dialog --title $"Enable Ping / ICMP" \
-           --backtitle $"Freedombone Control Panel" \
-           --defaultno \
-           --yesno "$ping_str" 10 60
-    sel=$?
-    case $sel in
-        0) enable_ping="yes";;
-        255) return;;
-    esac
-
-    if [[ $enable_ping == "yes" ]]; then
-        iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-        iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-        echo "0" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
-    else
-        iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
-        iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-        echo "1" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
-    fi
-}
-
 function logging_on_off {
     logging="no"
     dialog --title $"Logging" \
 
 function security_settings {
     "${PROJECT_NAME}-sec"
-    any_key
-}
-
-function show_tripwire_verification_code {
-    if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
-        return
-    fi
-    clear
-    echo ''
-    echo $'Tripwire Verification Code'
-    echo ''
-    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
-    echo -n "$DBHASH" | qrencode -t UTF8
-    echo ''
-    echo "$DBHASH"
-    echo ''
-}
-
-function reset_tripwire {
-    if [ ! -f /usr/bin/reset-tripwire ]; then
-        echo $'Missing /usr/bin/reset-tripwire'
-        any_key
-        return
-    fi
-    if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
-        if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
-            # shellcheck disable=SC2086
-            mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
-            # shellcheck disable=SC2086
-            mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
-        else
-            echo $'Error: missing local key'
-            any_key
-            return
-        fi
-    fi
-    clear
-    echo $'Turing off logging...'
-    "${PROJECT_NAME}-logging" off
-    echo $'Locking down permissions...'
-    lockdown_permissions
-    echo $'Creating configuration...'
-    echo '
-
-       ' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
-    echo $'Resetting policy...'
-    echo '
-
-       ' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
-    echo $'Creating tripwire database'
-    echo '
-
-' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
-    echo $'Resetting the Tripwire...'
-    echo ''
-    echo '
-
-                ' | reset-tripwire
-    echo ''
-
-    # Sometimes nginx fails to restart if matrix is installed
-    # Restart matrix first
-    if [ -d /etc/matrix ]; then
-        systemctl restart matrix
-        systemctl restart nginx
-    fi
-
-    if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
-        show_tripwire_verification_code
-        echo $'Tripwire is now reset. Take a note of the above hash, or record'
-        echo $'the QR code using a mobile device. This will enable you to independently'
-        echo $'verify the integrity of the tripwire.'
-    else
-        echo $'ERROR: tripwire database was not created'
-    fi
-    any_key
 }
 
 function format_drive {
            --msgbox $"MariaDB has been reinstalled" 6 40
 }
 
-function show_firewall {
-    clear
-    echo $"Firewall Settings"
-    echo ''
-    while read -r line; do
-        firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
-        firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
-        echo -n -e "$(pad_string "${firewall_name}")"
-        echo "${firewall_port}"
-    done < "$FIREWALL_CONFIG"
-    any_key
-}
-
 function email_extra_domains {
     email_hostnames=$(grep "dc_other_hostnames" /etc/exim4/update-exim4.conf.conf | awk -F "'" '{print $2}')
 
 function menu_app_settings {
     detect_installable_apps
 
-    applist=""
+    W=()
     appnames=()
     n=1
     app_index=0
     do
         if [[ ${APPS_INSTALLED[$app_index]} != "0" ]]; then
             if [[ $(function_exists "configure_interactive_${a}") == "1" ]]; then
-                applist="$applist $n $a off"
+                W+=("$n" "$a")
                 n=$((n+1))
                 appnames+=("$a")
             fi
     if [ $n -le 1 ]; then
         return
     fi
-    backstr=$'Exit'
-    applist="$applist $n $backstr on"
-    appnames+=("Exit")
 
     # shellcheck disable=SC2086
-    choice=$(dialog --stdout --backtitle $"Freedombone" \
+    choice=$(dialog --backtitle $"Freedombone" \
                     --title $"Change settings for an App" \
-                    --radiolist $'Choose:' \
-                    26 40 30 $applist)
+                    --menu $'Choose:' \
+                    26 40 30 "${W[@]}" 3>&2 2>&1 1>&3)
 
     # shellcheck disable=SC2181
-    if [ $? -eq 0 ]; then
+    if [ "$choice" ]; then
         app_index=$((choice-1))
         chosen_app=${appnames[$app_index]}
-        if [[ $chosen_app != "Exit" ]]; then
-            "configure_interactive_${chosen_app}"
-        fi
+        "configure_interactive_${chosen_app}"
     fi
 }
 
     while true
     do
         W=(1 $"About this system"
-           2 $"Passwords"
-           3 $"Backup and Restore"
-           4 $"Show Firewall"
-           5 $"Verify Tripwire Code"
-           6 $"Reset Tripwire"
-           7 $"App Settings"
-           8 $"Add/Remove Apps"
-           9 $"Logging on/off"
-           10 $"Ping enable/disable"
-           11 $"Manage Users"
-           12 $"Email Menu"
-           13 $"Domain or User Blocking"
-           14 $"Security Settings"
-           15 $"Change the name of this system"
-           16 $"Set a static local IP address"
-           17 $"Wifi menu"
-           18 $"Add Clacks"
-           19 $"Check for updates"
-           20 $"Power off the system"
-           21 $"Restart the system")
+           2 $"Backup and Restore"
+           3 $"App Settings"
+           4 $"Add/Remove Apps"
+           5 $"Logging on/off"
+           6 $"Manage Users"
+           7 $"Email Menu"
+           8 $"Domain or User Blocking"
+           9 $"Security Settings"
+           10 $"Change the name of this system"
+           11 $"Set a static local IP address"
+           12 $"Wifi menu"
+           13 $"Add Clacks"
+           14 $"Check for updates"
+           15 $"Power off the system"
+           16 $"Restart the system")
 
         # shellcheck disable=SC2068
-        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 28 60 28 "${W[@]}" 3>&2 2>&1 1>&3)
+        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 24 60 24 "${W[@]}" 3>&2 2>&1 1>&3)
 
         if [ ! "$selection" ]; then
             break
 
         case $selection in
             1) show_about;;
-            2) view_or_change_passwords;;
-            3) menu_backup_restore;;
-            4) show_firewall;;
-            5) show_tripwire_verification_code
-               any_key_verify;;
-            6) reset_tripwire;;
-            7) menu_app_settings;;
-            8) if ! /usr/local/bin/addremove; then
+            2) menu_backup_restore;;
+            3) menu_app_settings;;
+            4) if ! /usr/local/bin/addremove; then
                    any_key
                fi
                ;;
-            9) logging_on_off;;
-            10) ping_enable_disable;;
-            11) menu_users;;
-            12) menu_email;;
-            13) domain_blocking;;
-            14) security_settings;;
-            15) change_system_name;;
-            16) set_static_IP;;
-            17) menu_wifi;;
-            18) add_clacks;;
-            19) check_for_updates;;
-            20) shut_down_system;;
-            21) restart_system;;
+            5) logging_on_off;;
+            6) menu_users;;
+            7) menu_email;;
+            8) domain_blocking;;
+            9) security_settings;;
+            10) change_system_name;;
+            11) set_static_IP;;
+            12) menu_wifi;;
+            13) add_clacks;;
+            14) check_for_updates;;
+            15) shut_down_system;;
+            16) restart_system;;
         esac
     done
 }

src/freedombone-controlpanel-user

         selection=$(dialog --backtitle $"Freedombone User Control Panel" --title $"User Control Panel" --menu $"Choose an operation, or ESC to log out:" 20 60 13 "${W[@]}" 3>&2 2>&1 1>&3)
         if [ ! "$selection" ]; then
             kill -HUP "$(pgrep -s 0 -o)"
-            break
         fi
 
         case $selection in

src/freedombone-sec

 
 MY_USERNAME=
 
+function ping_enable_disable {
+    ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
+    enable_ping="no"
+    dialog --title $"Enable Ping / ICMP" \
+           --backtitle $"Freedombone Control Panel" \
+           --defaultno \
+           --yesno "$ping_str" 10 60
+    sel=$?
+    case $sel in
+        0) enable_ping="yes";;
+        255) return;;
+    esac
+
+    if [[ $enable_ping == "yes" ]]; then
+        iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+        iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+        echo "0" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
+    else
+        iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
+        iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+        echo "1" >  /proc/sys/net/ipv4/icmp_echo_ignore_all
+    fi
+}
+
+function any_key_verify {
+    echo ''
+    read -n1 -rsp $"Press any key to continue or C to check a hash..." key
+    if [[ "$key" != 'c' && "$key" != 'C' ]]; then
+        return
+    fi
+
+    data=$(mktemp 2>/dev/null)
+    dialog --title $"Check tripwire hash" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
+    sel=$?
+    case $sel in
+        0)
+            GIVEN_HASH=$(<"$data")
+            if [ ${#GIVEN_HASH} -gt 8 ]; then
+                if [[ "$GIVEN_HASH" == *' '* ]]; then
+                    dialog --title $"Check tripwire" \
+                           --msgbox $"\\nThe hash should not contain any spaces" 10 40
+                else
+                    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
+                    if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
+                        dialog --title $"Check tripwire" \
+                               --msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
+                    else
+                        dialog --title $"Check tripwire" \
+                               --msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
+                    fi
+                fi
+            fi
+            ;;
+    esac
+    rm -f "$data"
+}
+
+function show_tripwire_verification_code {
+    if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
+        return
+    fi
+    clear
+    echo ''
+    echo $'Tripwire Verification Code'
+    echo ''
+    DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
+    echo -n "$DBHASH" | qrencode -t UTF8
+    echo ''
+    echo "$DBHASH"
+    echo ''
+}
+
+function reset_tripwire {
+    if [ ! -f /usr/bin/reset-tripwire ]; then
+        echo $'Missing /usr/bin/reset-tripwire'
+        any_key
+        return
+    fi
+    if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
+        if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
+            # shellcheck disable=SC2086
+            mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
+            # shellcheck disable=SC2086
+            mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
+        else
+            echo $'Error: missing local key'
+            any_key
+            return
+        fi
+    fi
+    clear
+    echo $'Turing off logging...'
+    "${PROJECT_NAME}-logging" off
+    echo $'Locking down permissions...'
+    lockdown_permissions
+    echo $'Creating configuration...'
+    echo '
+
+       ' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
+    echo $'Resetting policy...'
+    echo '
+
+       ' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
+    echo $'Creating tripwire database'
+    echo '
+
+' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
+    echo $'Resetting the Tripwire...'
+    echo ''
+    echo '
+
+                ' | reset-tripwire
+    echo ''
+
+    # Sometimes nginx fails to restart if matrix is installed
+    # Restart matrix first
+    if [ -d /etc/matrix ]; then
+        systemctl restart matrix
+        systemctl restart nginx
+    fi
+
+    if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
+        show_tripwire_verification_code
+        echo $'Tripwire is now reset. Take a note of the above hash, or record'
+        echo $'the QR code using a mobile device. This will enable you to independently'
+        echo $'verify the integrity of the tripwire.'
+    else
+        echo $'ERROR: tripwire database was not created'
+    fi
+    any_key
+}
+
+function passwords_show_apps {
+    SELECTED_APP=
+    i=0
+    W=()
+    name=()
+    # shellcheck disable=SC2068
+    for a in ${APPS_AVAILABLE[@]}
+    do
+        if grep -q "change_password_" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${a}"; then
+            i=$((i+1))
+            W+=("$i" "$a")
+            name+=("$a")
+        fi
+    done
+    i=$((i+1))
+    W+=("$i" "mariadb")
+    name+=("mariadb")
+
+    # shellcheck disable=SC2068
+    selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"User $SELECTED_USERNAME: Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
+
+    # shellcheck disable=SC2181
+    if [ $? -eq 0 ]; then
+        SELECTED_APP="${name[$((selected_app_index-1))]}"
+    fi
+}
+
+function view_or_change_passwords {
+    passwords_select_user
+    if [ ! "$SELECTED_USERNAME" ]; then
+        return
+    fi
+    detect_installed_apps
+    passwords_show_apps
+    if [ ! "$SELECTED_APP" ]; then
+        return
+    fi
+
+    CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
+
+    icann_address=$(get_app_icann_address "${SELECTED_APP}")
+    onion_address=$(get_app_onion_address "${SELECTED_APP}")
+
+    titlestr=$"View or Change Password"
+    if [ ${#onion_address} -gt 0 ]; then
+        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
+    else
+        viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
+    fi
+
+    if [ -f /root/.nostore ]; then
+        titlestr=$"Change Password"
+        if [ ${#onion_address} -gt 0 ]; then
+            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
+        else
+            viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
+        fi
+    fi
+
+    if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
+        CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
+        dialog --title $"MariaDB database password" \
+               --msgbox "\\n            ${CURR_PASSWORD}" 7 40
+        return
+    fi
+
+    data=$(mktemp 2>/dev/null)
+    dialog --title "$titlestr" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
+    sel=$?
+    case $sel in
+        0)
+            CURR_PASSWORD=$(<"$data")
+            if [ ${#CURR_PASSWORD} -gt 8 ]; then
+                "${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
+                "change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
+                dialog --title $"Change password" \
+                       --msgbox $"The password was changed" 6 40
+            else
+                dialog --title $"Change password" \
+                       --msgbox $"The password given must be at least 8 characters" 6 40
+            fi
+            ;;
+    esac
+    rm -f "$data"
+}
+
+function show_firewall {
+    W=()
+    while read -r line; do
+        firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
+        firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
+        W+=("${firewall_name}" "${firewall_port}")
+    done < "$FIREWALL_CONFIG"
+
+    # shellcheck disable=SC2068
+    dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Firewall" --menu $"Press ESC to return to main menu" 28 50 28 "${W[@]}" 3>&2 2>&1 1>&3
+}
+
 function export_passwords {
     detect_usb_drive
     dialog --title $"Export passwords to USB drive $USB_DRIVE" \
 }
 
 function menu_security_settings {
-    W=(1 $"Run STIG tests"
-       2 $"Fix STIG test failures"
-       3 $"Show ssh host public key"
-       4 $"Tor bridges"
-       5 $"Password storage"
-       6 $"Export passwords"
-       7 $"Regenerate ssh host keys"
-       8 $"Regenerate Diffie-Hellman keys"
-       9 $"Update cipersuite"
-       10 $"Create a new Let's Encrypt certificate"
-       11 $"Renew Let's Encrypt certificate"
-       12 $"Delete a Let's Encrypt certificate"
-       13 $"Enable GPG based authentication (monkeysphere)"
-       14 $"Register a website with monkeysphere"
-       15 $"Allow ssh login with passwords")
+    W=(1 $"Passwords"
+       2 $"Run STIG tests"
+       3 $"Fix STIG test failures"
+       4 $"Show tripwire verification code"
+       5 $"Reset tripwire"
+       6 $"Enable or disable ping"
+       7 $"Show ssh host public key"
+       8 $"Tor bridges"
+       9 $"Password storage"
+       10 $"Export passwords"
+       11 $"Regenerate ssh host keys"
+       12 $"Regenerate Diffie-Hellman keys"
+       13 $"Update cipersuite"
+       14 $"Create a new Let's Encrypt certificate"
+       15 $"Renew Let's Encrypt certificate"
+       16 $"Delete a Let's Encrypt certificate"
+       17 $"Allow ssh login with passwords"
+       18 $"Show firewall")
 
     # shellcheck disable=SC2068
-    selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 23 76 23 "${W[@]}" 3>&2 2>&1 1>&3)
+    selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 25 76 25 "${W[@]}" 3>&2 2>&1 1>&3)
 
     if [ ! "$selection" ]; then
         exit 0
 
     case $selection in
         1)
+            view_or_change_passwords
+            exit 0;
+            ;;
+        2)
             clear
             echo $'Running STIG tests...'
             echo ''
             ${PROJECT_NAME}-tests --stig showall
             exit 0
             ;;
-        2)
+        3)
             clear
             echo $'Fixing any STIG failures...'
             echo ''
             echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.'
             exit 0
             ;;
-        3)
-            dialog --title $"SSH host public keys" \
-                   --msgbox "\\n$(get_ssh_server_key)" 12 60
-            exit 0
-            ;;
         4)
-            menu_tor_bridges
+            show_tripwire_verification_code
+            any_key_verify
             exit 0
             ;;
         5)
-            store_passwords
+            reset_tripwire
             exit 0
             ;;
+
         6)
-            export_passwords
+            ping_enable_disable
             exit 0
             ;;
         7)
-            regenerate_ssh_host_keys
+            dialog --title $"SSH host public keys" \
+                   --msgbox "\\n$(get_ssh_server_key)" 12 60
+            exit 0
             ;;
         8)
-            regenerate_dh_keys
+            menu_tor_bridges
+            exit 0
             ;;
         9)
-            interactive_setup
-            update_ciphersuite
+            store_passwords
+            exit 0
             ;;
         10)
-            create_letsencrypt
+            export_passwords
+            exit 0
             ;;
         11)
-            renew_letsencrypt
+            regenerate_ssh_host_keys
             ;;
         12)
-            delete_letsencrypt
+            regenerate_dh_keys
             ;;
         13)
-            enable_monkeysphere
+            interactive_setup
+            update_ciphersuite
             ;;
         14)
-            register_website
+            create_letsencrypt
             ;;
         15)
+            renew_letsencrypt
+            ;;
+        16)
+            delete_letsencrypt
+            ;;
+        17)
             allow_ssh_passwords
             change_ssh_settings
             exit 0
             ;;
+        18)
+            show_firewall
+            exit 0
+            ;;
     esac
 
     change_website_settings

src/freedombone-upgrade

         apt-get -yq -t stretch-backports install certbot
         email_install_tls
         email_disable_chunking
+        rm /etc/exim4/exim4.conf.template.bak*
         #defrag_filesystem
 
         # reinstall tor from backports

src/freedombone-utils-gnusocialtools

     fi
 }
 
+function pleroma_custom_logo {
+    basedir="$1"
+    if [ "$2" ]; then
+        if [[ "$2" == *".png" ]]; then
+            cp "$2" "$basedir/priv/static/static/logo.png"
+            return
+        fi
+    fi
+
+    if [ -f "$basedir/priv/static/static/logo.png" ]; then
+        if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
+            cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
+            cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
+        else
+            if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
+                cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
+                cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
+            fi
+        fi
+    fi
+}
+
 function pleroma_set_background_image_from_url {
     basedir="$1"
     domain_name="$2"
         return
     fi
 
-    # customise the logo
-    if [ -f "$basedir/static/logo.png" ]; then
-        if [ -f "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
-            cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
-            if [ -d "$basedir/priv/static/static" ]; then
-                cp "$HOME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
-            fi
-        else
-            if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" ]; then
-                cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/static/logo.png"
-                if [ -d "$basedir/priv/static/static" ]; then
-                    cp "/home/$MY_USERNAME/${PROJECT_NAME}/img/logo_fbone3.png" "$basedir/priv/static/static/logo.png"
-                fi
-            fi
-        fi
-    fi
+    pleroma_custom_logo "$basedir"
 
     # customise the title
     if [ -f "$basedir/static/config.json" ]; then

src/freedombone-utils-network

 
 MESH_INSTALL_DIR=/var/lib
 
+function get_app_icann_address {
+    app_name="$1"
+    if grep -q "${app_name} domain" "$COMPLETION_FILE"; then
+        grep "${app_name} domain" "${COMPLETION_FILE}" | head -n 1 | awk -F ':' '{print $2}'
+        return
+    else
+        app_name_upper="$(echo "$app_name" | tr '[:lower:]' '[:upper:]')_DOMAIN_NAME"
+        if [ "$app_name_upper" ]; then
+            param_value=$(grep "${app_name_upper}=" "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
+            if [ "${param_value}" ]; then
+                echo "${param_value}"
+                return
+            fi
+        fi
+    fi
+    echo "${DEFAULT_DOMAIN_NAME}"
+}
+
 function install_static_network {
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
         return

src/freedombone-utils-passwords

 # The default password length used in images
 DEFAULT_PASSWORD_LENGTH=20
 
+function passwords_select_user {
+    SELECTED_USERNAME=
+
+    # shellcheck disable=SC2207
+    users_array=($(ls /home))
+
+    delete=(git)
+    # shellcheck disable=SC2068
+    for del in ${delete[@]}
+    do
+        # shellcheck disable=SC2206
+        users_array=(${users_array[@]/$del})
+    done
+
+    i=0
+    W=()
+    name=()
+    # shellcheck disable=SC2068
+    for u in ${users_array[@]}
+    do
+        if [[ $(is_valid_user "$u") == "1" ]]; then
+            i=$((i+1))
+            W+=("$i" "$u")
+            name+=("$u")
+        fi
+    done
+
+    if [ $i -eq 1 ]; then
+        SELECTED_USERNAME="${name[0]}"
+    else
+        # shellcheck disable=SC2068
+        user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
+
+        # shellcheck disable=SC2181
+        if [ $? -eq 0 ]; then
+            # shellcheck disable=SC2034
+            SELECTED_USERNAME="${name[$((user_index-1))]}"
+        fi
+    fi
+}
+
 function enforce_good_passwords {
     # because humans are generally bad at choosing passwords
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then