Merge branch 'stretch' of https://github.com/bashrc/freedombone

src/freedombone-adduser

 
 # add user menu on ssh login
 if ! grep -q 'controluser' "/home/$ADD_USERNAME/.bashrc"; then
+    echo 'export PS1="\W \$"' >> "/home/$ADD_USERNAME/.bashrc"
     echo 'controluser' >> "/home/$ADD_USERNAME/.bashrc"
 fi
 

src/freedombone-app-pleroma

 PLEROMA_PORT=4000
 PLEROMA_ONION_PORT=8011
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
-PLEROMA_COMMIT='7130e9ddb16286efd7d01088e816f05e82cfa2a1'
+PLEROMA_COMMIT='303289d7daac3a51f991bb8603f36628a5d944c1'
 PLEROMA_ADMIN_PASSWORD=
 PLEROMA_DIR=/etc/pleroma
 PLEROMA_SECRET_KEY=""

src/freedombone-base-email

 }
 
 function create_email_onion_address {
+    email_hostname='/var/lib/tor/hidden_service_email/hostname'
     if ! grep -q "hidden_service_email" /etc/tor/torrc; then
         { echo 'HiddenServiceDir /var/lib/tor/hidden_service_email/';
           echo 'HiddenServiceVersion 3';
         function_check wait_for_onion_service
         wait_for_onion_service email
 
-        if [ ! -f /var/lib/tor/hidden_service_email/hostname ]; then
+        if [ ! -f $email_hostname ]; then
             echo $"email onion site hostname not found"
             systemctl restart tor
             exit 782352
         fi
 
-        onion_address=$(cat /var/lib/tor/hidden_service_email/hostname)
+        onion_address=$(cat $email_hostname)
         set_completion_param "email onion domain" "${onion_address}"
         add_email_hostname "$onion_address"
     else
-        onion_address=$(cat /var/lib/tor/hidden_service_email/hostname)
+        onion_address=$(cat $email_hostname)
     fi
+    cp $email_hostname /etc/skel/.email_onion_domain
+    cp $email_hostname "/home/$MY_USERNAME/.email_onion_domain"
+    chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.email_onion_domain"
 }
 
 function configure_email_onion {
 
     create_email_onion_address
 
-    #apt-get -yq install tinycdb perl
+    apt-get -yq install perl
 
     # MX record should be:
     # _onion-mx._tcp
     # 20:$onion_address
     # 3600 IN SRV 0 5 25 $onion_address
 
-    # Test with: exim -d -bt username@$onion_address
-
-    #echo "$DEFAULT_DOMAIN_NAME $onion_address" > /etc/exim4/onionrelay.txt
-    #cdb -m -c -t ~/onionrelay.tmp /etc/exim4/onionrelay.cdb /etc/exim4/onionrelay.txt
+    # To test the system, on receiving server:
+    #   exim -bd -d -oX 25
+    # On the sensing server:
+    #   exim -d -oX 25 -bt username@$onion_address
 
     { echo "perl_startup = do '/etc/exim4/perl-routines.pl'";
       echo "perl_at_start"; } > /etc/exim4/conf.d/main/00_exim4-config_perl
       echo "  return 'no_such_host';";
       echo "}"; } > /etc/exim4/perl-routines.pl
 
-    #{ echo "ONION_RELAYDB=/etc/exim4/onionrelay.cdb";
-    #  echo "domainlist onion_relays     = cdb;ONION_RELAYDB"; } > /etc/exim4/conf.d/main/48_exim4-config_onion_relays
-
     { echo "riseup:";
       echo "  driver    = manualroute";
       echo "  domains   = riseup.net";
       echo "  transport = onion_relay";
+      echo "  headers_remove = Received:Message-ID:X-Mailer:User-Agent";
+      echo "  headers_add = Message-ID: <\${lc:\${sha1:\$message_id}}@\$sender_address_domain>";
       echo "  route_data = \${perl{onionLookup}{$RISEUP_EMAIL_ONION}}"
-      echo "  no_more"; } > /etc/exim4/conf.d/router/049_exim4-config-riseup
+      echo "  no_more"; } > /etc/exim4/conf.d/router/905_exim4-config-riseup
+
+    if ! grep -q "*.onion" /etc/exim4/conf.d/router/200_exim4-config_primary; then
+       sed -i 's|domains = ! +local_domains|domains = ! +local_domains : ! *.onion : ! riseup.net|g' /etc/exim4/conf.d/router/200_exim4-config_primary
+    fi
 
     { echo "onionrelays:";
       echo "  driver    = manualroute";
       echo "  domains   = *.onion";
       echo "  transport = onion_relay";
-      #echo "  route_data = \${lookup dnsdb{a=\$domain}}";
+      echo "  headers_remove = Received:Message-ID:X-Mailer:User-Agent";
+      echo "  headers_add = Message-ID: <\${lc:\${sha1:\$message_id}}@\$sender_address_domain>";
       echo "  route_data = \${perl{onionLookup}{\$domain}}"
-      echo "  no_more"; } > /etc/exim4/conf.d/router/050_exim4-config-onionrelays
+      echo "  no_more"; } > /etc/exim4/conf.d/router/910_exim4-config-onionrelays
 
     { echo "onion_relay:";
       echo "  driver = smtp";
+      echo "  helo_data = \"\$address_data \$original_domain\"";
+      echo "  hosts_avoid_tls = *";
       echo "  socks_proxy = 127.0.0.1 port=9050"; } > /etc/exim4/conf.d/transport/050_exim4-config_onion_relay
 
     if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then
 
     if [[ $ONION_ONLY != 'no' ]]; then
         my_email=$onion_address
-        MY_EMAIL_ADDRESS=$onion_address
+        MY_EMAIL_ADDRESS="${MY_USERNAME}@$onion_address"
         write_config_param "MY_EMAIL_ADDRESS" "$MY_EMAIL_ADDRESS"
     fi
 }
       echo '# Optional relay of SMTP via ISP';
       echo '#set smtp_url="smtps://username:password@isp_mail_domain:465/"'; } > /etc/Muttrc
 
+    if [[ "$ONION_ONLY" != 'no' ]]; then
+        # On onion only systems email is onion router anyway, with its
+        # own encryption system, so we don't need the additional pgp layer
+        # except perhaps for some additional confidence
+        sed -i 's|set pgp_autoencrypt|unset pgp_autoencrypt|g' /etc/Muttrc
+        sed -i 's|set pgp_autosign|unset pgp_autosign|g' /etc/Muttrc
+    fi
+
     # For viewing long URLs
     echo 'REGEXP (((http|https|ftp|gopher)|mailto)[.:][^ >"\t]*|www\.[-a-z0-9.]+)[^ .,;\t>">\):]' > "/home/$MY_USERNAME/.urlview"
     echo 'COMMAND lynx -dump -width=78 -nolist %s' >> "/home/$MY_USERNAME/.urlview"
     # This configuration is based on https://wiki.debian.org/DebianSpamAssassin
     sed -i 's/local_parts = postmaster/local_parts = postmaster:abuse/g' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
     sed -i '/domains = +local_domains : +relay_to_domains/a\    set acl_m0 = rfcnames' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
-    sed -i "s/accept/accept condition = \${if eq{\$acl_m0}{rfcnames} {1}{0}}/g" /etc/exim4/conf.d/acl/40_exim4-config_check_data
+    # This prevents .onion domains from being accepted
+    #sed -i "s/accept/accept condition = \${if eq{\$acl_m0}{rfcnames} {1}{0}}/g" /etc/exim4/conf.d/acl/40_exim4-config_check_data
 
     { echo "warn  message = X-Spam-Score: \$spam_score (\$spam_bar)";
       echo '      spam = nobody:true';

src/freedombone-controlpanel-user

 function show_your_email_address {
     GPG_FINGERPRINT=$(gpg --fingerprint "$GPG_ID" | sed -n '2p' | sed 's/^[ \t]*//')
     GPG_DATE=$(gpg --fingerprint "$GPG_ID" | grep -i "pub" | head -n 1 | awk -F ' ' '{print $3}')
-    if [ ! -f ~/.mutt/bdsmail ]; then
-        dialog --title $"Show your Email Address" \
-               --backtitle $"Freedombone User Control Panel" \
-               --msgbox $"Email Address: $MY_EMAIL_ADDRESS\\n\\nKey ID: $GPG_ID\\n\\nFingerprint: $GPG_FINGERPRINT\\n\\nCreated: $GPG_DATE" 12 70
-    else
+    onion_domain=
+    if [ -f "$HOME/.email_onion_domain" ]; then
+        onion_domain=$(cat "$HOME/.email_onion_domain")
+    fi
+    dialog_height=14
+    onionemailstr=
+    if [[ "$HOSTNAME" != *'.onion' && "$onion_domain" ]]; then
+        onionemailstr="\\n\\nOnion Email: ${USER}@${onion_domain}"
+        dialog_height=$((dialog_height+3))
+    fi
+    msgstrbase=$"\\nYou can press SHIFT and then drag the mouse and right click to copy.\\n\\nEmail Address: ${MY_EMAIL_ADDRESS}${onionemailstr}\\n\\nKey ID: ${GPG_ID}\\n\\nFingerprint: ${GPG_FINGERPRINT}\\n\\nCreated: ${GPG_DATE}"
+    bdsmail_address=
+    bdsmailstr=
+    if [ -f ~/.mutt/bdsmail ]; then
         bdsmail_address=$(grep 'set from=' ~/.mutt/bdsmail | awk -F '=' '{print $2}')
-        dialog --title $"Show your Email Address" \
-               --backtitle $"Freedombone User Control Panel" \
-               --msgbox $"\\nYou can press SHIFT and then drag the mouse and right click to copy.\\n\\nEmail Address: $MY_EMAIL_ADDRESS\\n\\nKey ID: $GPG_ID\\n\\nFingerprint: $GPG_FINGERPRINT\\n\\nCreated: $GPG_DATE\\n\\nI2P Address: ${bdsmail_address}" 17 90
+        bdsmailstr="\\n\\nI2P Address: ${bdsmail_address}"
+        dialog_height=$((dialog_height+3))
+    fi
+
+    dialog --title $"Show your Email Address" \
+           --backtitle $"Freedombone User Control Panel" \
+           --msgbox "${msgstrbase}${bdsmailstr}" $dialog_height 100
+
+    if [ "$onion_domain" ]; then
         clear
         echo ''
-        echo $'Your bdsmail address as a QR code'
+        echo $'Your onion email address:'
         echo ''
-        echo -n "${bdsmail_address}" | qrencode -t UTF8
+        echo -n "${USER}@${onion_domain}" | qrencode -t UTF8
         echo ''
-        echo "${bdsmail_address}"
+        any_key
+    fi
+    if [ "${bdsmail_address}" ]; then
+        clear
+        echo ''
+        echo $'Your bdsmail address:'
+        echo ''
+        echo -n "${bdsmail_address}" | qrencode -t UTF8
         echo ''
         any_key
     fi
 clear
 # shellcheck disable=SC1090
 . ~/.bashrc
+cat /etc/motd
+echo -e $'Type "sudo su" for root access, or "control" to restart\nthe control panel.'
+echo ''
 exit 0

src/freedombone-image-customise

 
     if [[ "$VARIANT" == "usb" ]]; then
         # tor
-        chroot "$rootdir" apt-get -yq install tor
+        chroot "$rootdir" apt-get -yq -t stretch-backports install tor
 
         # xmpp client
         chroot "$rootdir" echo "deb ftp://ftp.gajim.org/debian unstable main" > /etc/apt/sources.list.d/gajim.list
     chroot "$rootdir" apt-get -yq install vim-common python3 unattended-upgrades
 
     # Tor and ssh over tor
-    chroot "$rootdir" apt-get -yq install tor connect-proxy
+    chroot "$rootdir" apt-get -yq -t stretch-backports install tor
+    chroot "$rootdir" apt-get -yq install connect-proxy
     chroot "$rootdir" connect-proxy
     sed -i 's|#Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"
     sed -i 's|Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"

src/freedombone-upgrade

         email_install_tls
         email_disable_chunking
         rm /etc/exim4/exim4.conf.template.bak*
+        email_update_onion_domain
         #defrag_filesystem
 
         # reinstall tor from backports

src/freedombone-utils-final

 
     # add user menu on ssh login
     if ! grep -q 'controluser' "/home/$MY_USERNAME/.bashrc"; then
+        echo 'export PS1="\W \$"' >> "/home/$MY_USERNAME/.bashrc"
         echo 'controluser' >> "/home/$MY_USERNAME/.bashrc"
     fi
     if [ ! -f "$IMAGE_PASSWORD_FILE" ]; then
     systemctl enable firststart
 }
 
+function final_set_onion_hostname {
+    if [[ "$ONION_ONLY" == 'no' ]]; then
+        return
+    fi
+
+    if [ ! -f /var/lib/tor/hidden_service_email/hostname ]; then
+        echo $'No onion domain for email was found'
+        exit 368365
+    fi
+    onion_domain=$(cat /var/lib/tor/hidden_service_email/hostname)
+
+    echo "$onion_domain" > /etc/hostname
+    hostname "$onion_domain"
+
+    echo "127.0.1.1  $onion_domain" >> /etc/hosts
+
+    echo "$onion_domain" > /etc/mailname
+}
+
 function setup_final {
     function_check update_installed_apps_list
     update_installed_apps_list
     function_check create_default_user_removal_daemon
     create_default_user_removal_daemon
 
+    function_check final_set_onion_hostname
+    final_set_onion_hostname
+
     function_check install_tripwire
     install_tripwire
 

src/freedombone-utils-onion

     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
         return
     fi
-    apt-get -yq install tor connect-proxy
+    echo 'N' | apt-get -yq -t stretch-backports install tor
+    apt-get -yq install connect-proxy
     if ! grep -q 'Host *.onion' "/home/$MY_USERNAME/.ssh/config"; then
         if [ ! -d "/home/$MY_USERNAME/.ssh" ]; then
             mkdir "/home/$MY_USERNAME/.ssh"
     if [[ $ROUTE_THROUGH_TOR != "yes" ]]; then
         return
     fi
-    apt-get -yq install tor tor-arm
+    echo 'N' | apt-get -yq -t stretch-backports install tor
+    echo 'N' | apt-get -yq -t stretch-backports install tor-arm
 
     ### set variables
     # Destinations you don't want routed through Tor

src/freedombone-utils-web

     systemctl restart exim4
 }
 
+function email_update_onion_domain {
+    email_hostname='/var/lib/tor/hidden_service_email/hostname'
+
+    cp $email_hostname /etc/skel/.email_onion_domain
+
+    for d in /home/*/ ; do
+        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+        if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
+            cp $email_hostname "/home/$USERNAME/.email_onion_domain"
+            chown "$USERNAME":"$USERNAME" "/home/$USERNAME/.email_onion_domain"
+        fi
+    done
+}
+
 function email_install_tls {
     tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions
     tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples