free
/
freedombone
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Activity
7252 Incheckningar
5 Grenar
Träd: 12f35d5b29
Grenar Taggar
${ item.name }
Create branch ${ searchTerm }
from '12f35d5b29'
${ noResults }
freedombone/src/freedombone-app-keyserver

freedombone-app-keyserver 33KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # SKS Keyserver

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2017 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. VARIANTS='full full-vim'

  32. 

  33. IN_DEFAULT_INSTALL=0

  34. SHOW_ON_ABOUT=1

  35. 

  36. KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"

  37. KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'

  38. KEYSERVER_PORT=11371

  39. KEYSERVER_ONION_PORT=8122

  40. KEYSERVER_DOMAIN_NAME=

  41. KEYSERVER_CODE=

  42. 

  43. keyserver_variables=(ONION_ONLY

  44.                      MY_USERNAME

  45.                      DEFAULT_DOMAIN_NAME

  46.                      KEYSERVER_DOMAIN_NAME

  47.                      KEYSERVER_CODE)

  48. 

  49. function check_keyserver_directory_size {

  50.     dirsize=$(du /var/lib/sks/DB | awk -F ' ' '{print $1}')

  51.     # 500M

  52.     if [ $dirsize -gt 500000 ]; then

  53.         echo "1"

  54.         return

  55.     fi

  56.     echo "0"

  57. }

  58. 

  59. function keyserver_watchdog {

  60.     ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')

  61.     ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}

  62.     keyserver_size_warning=$"The SKS keyserver database is getting large. Check that you aren't being spammed"

  63.     keyserver_disabled_warning=$"The SKS keyserver has been disabled because it is getting too large. This is to prevent flooding attacks from crashing the server. You may need to restore the keyserver from backup."

  64.     keyserver_mail_subject_line=$"${PROJECT_NAME} keyserver warning"

  65.     keyserver_mail_subject_line_disabled=$"${PROJECT_NAME} keyserver disabled"

  66.     read_config_param KEYSERVER_DOMAIN_NAME

  67. 

  68.     # check database size hourly

  69.     keyserver_watchdog_script=/tmp/keyserver-watchdog

  70.     echo '#!/bin/bash' > $keyserver_watchdog_script

  71.     echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script

  72.     echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script

  73. 

  74.     echo "  echo \"$keyserver_size_warning\" | mail -s \"$keyserver_mail_subject_line\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script

  75. 

  76.     echo '  if [ $dirsize -gt 500000 ]; then' >> $keyserver_watchdog_script

  77.     echo "    nginx_dissite $KEYSERVER_DOMAIN_NAME" >> $keyserver_watchdog_script

  78.     echo '    systemctl stop sks' >> $keyserver_watchdog_script

  79.     echo '    systemctl disable sks' >> $keyserver_watchdog_script

  80.     echo "    echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script

  81.     echo '  fi' >> $keyserver_watchdog_script

  82.     echo 'fi' >> $keyserver_watchdog_script

  83.     chmod +x $keyserver_watchdog_script

  84. 

  85.     if [ ! -f /etc/cron.hourly/keyserver-watchdog ]; then

  86.         cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog

  87.     else

  88.         HASH1=$(sha256sum $keyserver_watchdog_script | awk -F ' ' '{print $1}')

  89.         HASH2=$(sha256sum /etc/cron.hourly/keyserver-watchdog | awk -F ' ' '{print $1}')

  90.         if [[ "$HASH1" != "$HASH2" ]]; then

  91.             cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog

  92.         fi

  93.     fi

  94.     rm $keyserver_watchdog_script

  95. }

  96. 

  97. 

  98. function configure_firewall_for_keyserver {

  99.     if [[ $ONION_ONLY != "no" ]]; then

  100.         return

  101.     fi

  102.     firewall_add keyserver 11370 tcp

  103.     firewall_add keyserver 11371 tcp

  104.     firewall_add keyserver 11372 tcp

  105.     mark_completed $FUNCNAME

  106. }

  107. 

  108. function keyserver_reset_database {

  109.     if [ -d /var/lib/sks/DB ]; then

  110.         rm -rf /var/lib/sks/DB

  111.     fi

  112.     sks build

  113.     chown -Rc debian-sks: /var/lib/sks

  114.     systemctl restart sks

  115. }

  116. 

  117. function logging_on_keyserver {

  118.     echo -n ''

  119. }

  120. 

  121. function logging_off_keyserver {

  122.     echo -n ''

  123. }

  124. 

  125. function reconfigure_keyserver {

  126.     echo -n ''

  127. }

  128. 

  129. function upgrade_keyserver {

  130.     keyserver_watchdog

  131. 

  132.     CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")

  133.     if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then

  134.         return

  135.     fi

  136. 

  137.     if grep -q "keyserver domain" $COMPLETION_FILE; then

  138.         KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")

  139.     fi

  140. 

  141.     # update to the next commit

  142.     function_check set_repo_commit

  143.     set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO

  144. 

  145.     read_config_param MY_USERNAME

  146.     USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME

  147.     GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)

  148.     if [ ! $GPG_ID ]; then

  149.         echo $'No GPG ID for admin user'

  150.         exit 846336

  151.     fi

  152.     if [ ${#GPG_ID} -lt 5 ]; then

  153.         echo $'GPG ID not retrieved for admin user'

  154.         exit 835292

  155.     fi

  156.     if [[ "$GPG_ID" == *"error"* ]]; then

  157.         echo $'GPG ID not retrieved for admin user due to error'

  158.         exit 74825

  159.     fi

  160.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  161.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  162.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  163.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  164. 

  165.     chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  166. }

  167. 

  168. function backup_local_keyserver {

  169.     # remove any unused log files

  170.     cd /var/lib/sks/DB

  171.     db_archive -d

  172. 

  173.     source_directory=/etc/sks

  174.     if [ -d $source_directory ]; then

  175.         systemctl stop sks

  176.         dest_directory=keyserverconfig

  177.         function_check backup_directory_to_usb

  178.         backup_directory_to_usb $source_directory $dest_directory

  179.         systemctl start sks

  180.     fi

  181.     if [[ "$(check_keyserver_directory_size)" != "0" ]]; then

  182.         echo $'WARNING: Keyserver database size is too large to backup'

  183.         return

  184.     fi

  185.     source_directory=/var/lib/sks/DB

  186.     if [ -d $source_directory ]; then

  187.         systemctl stop sks

  188.         dest_directory=keyserver

  189.         function_check backup_directory_to_usb

  190.         backup_directory_to_usb $source_directory $dest_directory

  191.         systemctl start sks

  192.     fi

  193. }

  194. 

  195. function restore_local_keyserver {

  196.     if [ ! -d /var/lib/sks/DB ]; then

  197.         return

  198.     fi

  199.     echo $"Restoring SKS Keyserver"

  200.     systemctl stop sks

  201. 

  202.     temp_restore_dir=/root/tempkeyserverconfig

  203.     function_check restore_directory_from_usb

  204.     restore_directory_from_usb $temp_restore_dir keyserverconfig

  205.     cp -r $temp_restore_dir/etc/sks/* /etc/sks/

  206.     rm -rf $temp_restore_dir

  207.     chown -Rc debian-sks: /etc/sks/sksconf

  208.     chown -Rc debian-sks: /etc/sks/mailsync

  209. 

  210.     temp_restore_dir=/root/tempkeyserver

  211.     function_check restore_directory_from_usb

  212.     restore_directory_from_usb $temp_restore_dir keyserver

  213.     mv /var/lib/sks/DB /var/lib/sks/DB_prev

  214.     cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB

  215.     if [ ! "$?" = "0" ]; then

  216.         # restore the old database

  217.         rm -rf /var/lib/sks/DB

  218.         mv /var/lib/sks/DB_prev /var/lib/sks/DB

  219. 

  220.         rm -rf $temp_restore_dir

  221.         function_check set_user_permissions

  222.         set_user_permissions

  223.         function_check backup_unmount_drive

  224.         backup_unmount_drive

  225.         exit 5627294

  226.     fi

  227.     rm -rf $temp_restore_dir

  228.     chown -Rc debian-sks: /var/lib/sks

  229. 

  230.     # remove the old database

  231.     rm -rf /var/lib/sks/DB_prev

  232. 

  233.     systemctl enable sks

  234.     systemctl start sks

  235.     nginx_ensite $KEYSERVER_DOMAIN_NAME

  236. }

  237. 

  238. function backup_remote_keyserver {

  239.     # remove any unused log files

  240.     cd /var/lib/sks/DB

  241.     db_archive -d

  242. 

  243.     source_directory=/etc/sks

  244.     if [ -d $source_directory ]; then

  245.         systemctl stop sks

  246.         dest_directory=keyserverconfig

  247.         function_check backup_directory_to_friend

  248.         backup_directory_to_friend $source_directory $dest_directory

  249.         systemctl start sks

  250.     fi

  251.     if [[ "$(check_keyserver_directory_size)" != "0" ]]; then

  252.         echo $'WARNING: Keyserver database size is too large to backup'

  253.         return

  254.     fi

  255.     source_directory=/var/lib/sks/DB

  256.     if [ -d $source_directory ]; then

  257.         systemctl stop sks

  258.         dest_directory=keyserver

  259.         function_check backup_directory_to_friend

  260.         backup_directory_to_friend $source_directory $dest_directory

  261.         systemctl start sks

  262.     fi

  263. }

  264. 

  265. function restore_remote_keyserver {

  266.     if [ ! -d /var/lib/sks/DB ]; then

  267.         return

  268.     fi

  269.     echo $"Restoring SKS Keyserver"

  270.     systemctl stop sks

  271. 

  272.     temp_restore_dir=/root/tempkeyserverconfig

  273.     function_check restore_directory_from_friend

  274.     restore_directory_from_friend $temp_restore_dir keyserverconfig

  275.     cp -r $temp_restore_dir/etc/sks/* /etc/sks/

  276.     rm -rf $temp_restore_dir

  277.     chown -Rc debian-sks: /etc/sks/sksconf

  278.     chown -Rc debian-sks: /etc/sks/mailsync

  279. 

  280.     temp_restore_dir=/root/tempkeyserver

  281.     function_check restore_directory_from_friend

  282.     restore_directory_from_friend $temp_restore_dir keyserver

  283.     mv /var/lib/sks/DB /var/lib/sks/DB_prev

  284.     cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB

  285.     if [ ! "$?" = "0" ]; then

  286.         # restore the old database

  287.         rm -rf /var/lib/sks/DB

  288.         mv /var/lib/sks/DB_prev /var/lib/sks/DB

  289. 

  290.         rm -rf $temp_restore_dir

  291.         function_check set_user_permissions

  292.         set_user_permissions

  293.         return

  294.     fi

  295.     rm -rf $temp_restore_dir

  296.     chown -Rc debian-sks: /var/lib/sks

  297. 

  298.     # remove the old database

  299.     rm -rf /var/lib/sks/DB_prev

  300. 

  301.     systemctl enable sks

  302.     systemctl start sks

  303.     nginx_ensite $KEYSERVER_DOMAIN_NAME

  304. }

  305. 

  306. function remove_keyserver {

  307.     systemctl stop sks

  308.     if [ -f /etc/cron.hourly/keyserver-watchdog ]; then

  309.         rm /etc/cron.hourly/keyserver-watchdog

  310.     fi

  311.     apt-get -qy remove sks dirmngr

  312. 

  313.     read_config_param "KEYSERVER_DOMAIN_NAME"

  314.     nginx_dissite $KEYSERVER_DOMAIN_NAME

  315.     remove_certs ${KEYSERVER_DOMAIN_NAME}

  316.     if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then

  317.         rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME

  318.     fi

  319.     if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then

  320.         rm -rf /var/www/$KEYSERVER_DOMAIN_NAME

  321.     fi

  322.     function_check remove_ddns_domain

  323.     remove_ddns_domain $KEYSERVER_DOMAIN_NAME

  324. 

  325.     remove_config_param KEYSERVER_DOMAIN_NAME

  326.     remove_config_param KEYSERVER_CODE

  327.     function_check remove_onion_service

  328.     remove_onion_service keyserver ${KEYSERVER_ONION_PORT}

  329.     remove_onion_service sks 11370 11371 11372

  330.     remove_completion_param "install_keyserver"

  331. 

  332.     firewall_remove 11370 tcp

  333.     firewall_remove 11371 tcp

  334.     firewall_remove 11372 tcp

  335. 

  336.     sed -i '/keyserver/d' $COMPLETION_FILE

  337.     sed -i '/sks onion/d' $COMPLETION_FILE

  338.     if [ -d /var/lib/sks ]; then

  339.         rm -rf /var/lib/sks

  340.     fi

  341. }

  342. 

  343. function install_interactive_keyserver {

  344.     if [ ! $ONION_ONLY ]; then

  345.         ONION_ONLY='no'

  346.     fi

  347. 

  348.     if [[ $ONION_ONLY != "no" ]]; then

  349.         KEYSERVER_DOMAIN_NAME='keyserver.local'

  350.         write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"

  351.     else

  352.         function_check interactive_site_details

  353.         interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"

  354.     fi

  355.     APP_INSTALLED=1

  356. }

  357. 

  358. function keyserver_create_mailsync {

  359.     echo $"# List of email addresses which submitted keys will be forwarded to" > /etc/sks/mailsync

  360.     echo '' >> /etc/sks/mailsync

  361.     chown -Rc debian-sks: /etc/sks/mailsync

  362. }

  363. 

  364. function keyserver_create_membership {

  365.     if [ -f /etc/sks/membership ]; then

  366.         return

  367.     fi

  368.     systemctl stop sks

  369.     echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with." > /etc/sks/membership

  370.     echo '#' >> /etc/sks/membership

  371.     echo $"# Don't add major keyservers here, because it will take an" >> /etc/sks/membership

  372.     echo $'# Infeasible amount of time to sync and backups will become' >> /etc/sks/membership

  373.     echo $'# absurdly long and probably break your system. You have been warned.' >> /etc/sks/membership

  374.     echo '' >> /etc/sks/membership

  375.     chown -Rc debian-sks: /etc/sks/membership

  376.     systemctl start sks

  377. }

  378. 

  379. function keyserver_import_keys {

  380.     # NOTE: this function isn't used, but kept for reference

  381.     dialog --title $"Import public keys database" \

  382.            --backtitle $"Freedombone Control Panel" \

  383.            --defaultno \

  384.            --yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60

  385.     sel=$?

  386.     case $sel in

  387.         1) return;;

  388.         255) return;;

  389.     esac

  390.     if [ ! -d /var/lib/sks/dump ]; then

  391.         mkdir -p /var/lib/sks/dump

  392.     fi

  393.     cd /var/lib/sks/dump

  394.     echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'

  395.     rm -rf /var/lib/sks/dump/*

  396.     KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"

  397.     wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \

  398.          -A pgp,txt $KEYSERVER_DUMP_URL

  399. 

  400.     cd /var/lib/sks

  401.     echo $'Building the keyserver database from the downloaded dump'

  402.     keyserver_reset_database

  403. }

  404. 

  405. function keyserver_sync {

  406.     data=$(tempfile 2>/dev/null)

  407.     trap "rm -f $data" 0 1 2 5 15

  408.     dialog --backtitle $"Freedombone Control Panel" \

  409.            --title $"Sync with other keyserver" \

  410.            --form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \

  411.            $"Domain:" 1 1 "" 1 25 32 64 \

  412.            $"Port:" 2 1 "11370" 2 25 6 6 \

  413.            $"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \

  414.            2> $data

  415.     sel=$?

  416.     case $sel in

  417.         1) return;;

  418.         255) return;;

  419.     esac

  420.     other_keyserver_domain=$(cat $data | sed -n 1p)

  421.     other_keyserver_port=$(cat $data | sed -n 2p)

  422.     other_keyserver_email=$(cat $data | sed -n 3p)

  423.     if [[ "$other_keyserver_domain" != *'.'* ]]; then

  424.         return

  425.     fi

  426.     if [[ "$other_keyserver_domain" == *' '* ]]; then

  427.         return

  428.     fi

  429.     if [[ "$other_keyserver_port" == *'.'* ]]; then

  430.         return

  431.     fi

  432.     if [[ "$other_keyserver_port" == *' '* ]]; then

  433.         return

  434.     fi

  435.     if [ ${#other_keyserver_domain} -lt 4 ]; then

  436.         return

  437.     fi

  438.     if [ ${#other_keyserver_port} -lt 4 ]; then

  439.         return

  440.     fi

  441. 

  442.     # Warn if trying to sync

  443.     if [[ "$other_keyserver_domain" == *"sks-keyservers.net" || "$other_keyserver_domain" == *"gnupg.net" || "$other_keyserver_domain" == *"pgp.com" || "$other_keyserver_domain" == *"pgp.mit.edu" || "$other_keyserver_domain" == *"the.earth.li" || "$other_keyserver_domain" == *"mayfirst.org" || "$other_keyserver_domain" == *"ubuntu.com" ]]; then

  444.         dialog --title $"Sync with other keyserver" \

  445.                --msgbox $"\nDon't try to sync with the major keyservers. Your system will be overloaded with an infeasible database size." 8 60

  446.         return

  447.     fi

  448. 

  449.     if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then

  450.         if [[ "$other_keyserver_email" == *"@"* ]]; then

  451.             if [[ "$other_keyserver_email" == *"."* ]]; then

  452.                 keyserver_create_mailsync

  453.                 if ! grep -q "$other_keyserver_email" /etc/sks/mailsync; then

  454.                     echo "$other_keyserver_email" >> /etc/sks/mailsync

  455.                     chown -Rc debian-sks: /etc/sks/mailsync

  456.                 fi

  457.             else

  458.                 dialog --title $"Sync with other keyserver" \

  459.                        --msgbox $"Email doesn't look right: $other_keyserver_email" 6 60

  460.                 return

  461.             fi

  462.         fi

  463.     fi

  464.     keyserver_create_membership

  465.     if grep -q "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then

  466.         return

  467.     fi

  468.     if grep -q "$other_keyserver_domain " /etc/sks/membership; then

  469.         sed -i "s|$other_keyserver_domain .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership

  470.     else

  471.         echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership

  472.     fi

  473.     chown -Rc debian-sks: /etc/sks/membership

  474.     systemctl restart sks

  475.     dialog --title $"Sync with other keyserver" \

  476.            --msgbox $"Keyserver added" 6 40

  477. }

  478. 

  479. function keyserver_edit {

  480.     if [ ! -f /etc/sks/membership ]; then

  481.         return

  482.     fi

  483.     editor /etc/sks/membership

  484.     chown -Rc debian-sks: /etc/sks/membership

  485.     systemctl restart sks

  486. }

  487. 

  488. function keyserver_remove_key {

  489.     data=$(tempfile 2>/dev/null)

  490.     trap "rm -f $data" 0 1 2 5 15

  491.     dialog --title $"Remove a key" \

  492.            --backtitle $"Freedombone Control Panel" \

  493.            --inputbox $"Enter the ID of the key which you wish to remove:" 12 60 2>$data

  494.     sel=$?

  495.     case $sel in

  496.         0)

  497.             remove_key_id=$(<$data)

  498.             if [ ${#remove_key_id} -gt 8 ]; then

  499.                 sks drop $remove_key_id

  500.                 dialog --title $"Remove a key" \

  501.                        --msgbox $"The key was removed" 6 40

  502.             fi

  503.             ;;

  504.     esac

  505. }

  506. 

  507. function configure_interactive_keyserver {

  508.     while true

  509.     do

  510.         data=$(tempfile 2>/dev/null)

  511.         trap "rm -f $data" 0 1 2 5 15

  512.         dialog --backtitle $"Freedombone Control Panel" \

  513.                --title $"SKS Keyserver" \

  514.                --radiolist $"Choose an operation:" 12 70 4 \

  515.                1 $"Remove a key" off \

  516.                2 $"Sync with other keyserver" off \

  517.                3 $"Edit sync keyservers" off \

  518.                4 $"Exit" on 2> $data

  519.         sel=$?

  520.         case $sel in

  521.             1) return;;

  522.             255) return;;

  523.         esac

  524.         case $(cat $data) in

  525.             1) keyserver_remove_key;;

  526.             2) keyserver_sync;;

  527.             3) keyserver_edit;;

  528.             4) break;;

  529.         esac

  530.     done

  531. }

  532. 

  533. function install_keyserver {

  534.     apt-get -qy install build-essential gcc ocaml libdb-dev wget sks

  535.     keyserver_reset_database

  536.     sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks

  537.     apt-get -qy install dirmngr

  538.     systemctl restart sks

  539. 

  540.     if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then

  541.         mkdir /var/www/$KEYSERVER_DOMAIN_NAME

  542.     fi

  543. 

  544.     cd /var/www/$KEYSERVER_DOMAIN_NAME

  545.     if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then

  546.         rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  547.     fi

  548. 

  549.     if [ -d /repos/keyserverweb ]; then

  550.         mkdir htdocs

  551.         cp -r -p /repos/keyserverweb/. htdocs

  552.         cd htdocs

  553.         git pull

  554.     else

  555.         git_clone $KEYSERVER_WEB_REPO htdocs

  556.     fi

  557.     if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then

  558.         echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"

  559.         exit 6539230

  560.     fi

  561. 

  562.     cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  563.     git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT

  564.     set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"

  565. 

  566. 

  567.     USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME

  568.     GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)

  569.     if [ ! $GPG_ID ]; then

  570.         echo $'No GPG ID for admin user'

  571.         exit 846336

  572.     fi

  573.     if [ ${#GPG_ID} -lt 5 ]; then

  574.         echo $'GPG ID not retrieved for admin user'

  575.         exit 835292

  576.     fi

  577.     if [[ "$GPG_ID" == *"error"* ]]; then

  578.         echo $'GPG ID not retrieved for admin user due to error'

  579.         exit 74825

  580.     fi

  581.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  582.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  583.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  584.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  585. 

  586.     sksconf_file=/etc/sks/sksconf

  587.     sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file

  588.     sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file

  589.     sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file

  590.     sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file

  591.     sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file

  592.     sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file

  593.     sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file

  594.     sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file

  595.     sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file

  596.     sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file

  597.     sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file

  598.     sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file

  599.     sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file

  600. 

  601.     if ! grep -q "#disable_mailsync" $sksconf_file; then

  602.         echo '#disable_mailsync:' >> $sksconf_file

  603.     else

  604.         sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file

  605.     fi

  606.     if ! grep -q "membership_reload_interval:" $sksconf_file; then

  607.         echo 'membership_reload_interval:     1' >> $sksconf_file

  608.     else

  609.         sed -i 's|#membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file

  610.         sed -i 's|membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file

  611.     fi

  612.     if ! grep -q "max_matches:" $sksconf_file; then

  613.         echo 'max_matches: 50' >> $sksconf_file

  614.     else

  615.         sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file

  616.         sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file

  617.     fi

  618.     if ! grep -q "stat_hour:" $sksconf_file; then

  619.         echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file

  620.     else

  621.         sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file

  622.         sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file

  623.     fi

  624.     if ! grep -q "disable_log_diffs:" $sksconf_file; then

  625.         echo "disable_log_diffs:" >> $sksconf_file

  626.     else

  627.         sed -i "s|#disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file

  628.         sed -i "s|disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file

  629.     fi

  630.     if ! grep -q "debuglevel:" $sksconf_file; then

  631.         echo "debuglevel: 0" >> $sksconf_file

  632.     else

  633.         sed -i "s|#debuglevel:.*|debuglevel: 0|g" $sksconf_file

  634.         sed -i "s|debuglevel:.*|debuglevel: 0|g" $sksconf_file

  635.     fi

  636. 

  637.     chown debian-sks: $sksconf_file

  638. 

  639.     if ! grep -q "hidden_service_sks" /etc/tor/torrc; then

  640.         echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/' >> /etc/tor/torrc

  641.         echo "HiddenServicePort 11370 127.0.0.1:11370" >> /etc/tor/torrc

  642.         echo "HiddenServicePort 11373 127.0.0.1:11371" >> /etc/tor/torrc

  643.         echo "HiddenServicePort 11372 127.0.0.1:11372" >> /etc/tor/torrc

  644.         echo $'Added onion site for sks'

  645.     fi

  646. 

  647.     onion_update

  648.     wait_for_onion_service 'sks'

  649. 

  650.     if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then

  651.         echo $'sks onion site hostname not found'

  652.         exit 8352982

  653.     fi

  654.     SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)

  655. 

  656.     KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})

  657. 

  658.     keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME

  659.     if [[ $ONION_ONLY == "no" ]]; then

  660.         # NOTE: without http active on port 80 the keyserver doesn't work

  661.         #       from the commandline

  662.         echo 'server {' > $keyserver_nginx_site

  663.         echo '  listen 80;' >> $keyserver_nginx_site

  664.         echo '  listen 0.0.0.0:11371;' >> $keyserver_nginx_site

  665.         echo '  listen [::]:80;' >> $keyserver_nginx_site

  666.         echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site

  667.         echo '' >> $keyserver_nginx_site

  668.         echo '  # Logs' >> $keyserver_nginx_site

  669.         echo '  access_log /dev/null;' >> $keyserver_nginx_site

  670.         echo '  error_log /dev/null;' >> $keyserver_nginx_site

  671.         echo '' >> $keyserver_nginx_site

  672.         echo '  # Root' >> $keyserver_nginx_site

  673.         echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site

  674.         echo '' >> $keyserver_nginx_site

  675.         echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site

  676.         echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  677.         echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  678.         echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  679.         echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  680.         echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  681.         echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  682.         echo '' >> $keyserver_nginx_site

  683.         echo '  location / {' >> $keyserver_nginx_site

  684.         function_check nginx_limits

  685.         nginx_limits $KEYSERVER_DOMAIN_NAME '128k'

  686.         echo '  }' >> $keyserver_nginx_site

  687.         echo '' >> $keyserver_nginx_site

  688.         echo '  location /pks {' >> $keyserver_nginx_site

  689.         echo '    proxy_pass         http://127.0.0.1:11373;' >> $keyserver_nginx_site

  690.         echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site

  691.         echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";" >> $keyserver_nginx_site

  692.         echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site

  693.         echo '    client_max_body_size 8m;' >> $keyserver_nginx_site

  694.         echo '    client_body_buffer_size 128k;' >> $keyserver_nginx_site

  695.         echo '  }' >> $keyserver_nginx_site

  696.         echo '}' >> $keyserver_nginx_site

  697.         echo '' >> $keyserver_nginx_site

  698.         echo 'server {' >> $keyserver_nginx_site

  699.         echo '  listen 443 ssl;' >> $keyserver_nginx_site

  700.         echo '  listen 0.0.0.0:11372 ssl;' >> $keyserver_nginx_site

  701.         echo '  listen [::]:443 ssl;' >> $keyserver_nginx_site

  702.         echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site

  703.         echo '' >> $keyserver_nginx_site

  704.         echo '  error_page 404 /404.html;' >> $keyserver_nginx_site

  705.         echo '' >> $keyserver_nginx_site

  706.         echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site

  707.         echo '    deny all;' >> $keyserver_nginx_site

  708.         echo '    return 404;' >> $keyserver_nginx_site

  709.         echo '  }' >> $keyserver_nginx_site

  710.         echo '' >> $keyserver_nginx_site

  711.         echo '  # Security' >> $keyserver_nginx_site

  712.         function_check nginx_ssl

  713.         nginx_ssl $KEYSERVER_DOMAIN_NAME

  714. 

  715.         function_check nginx_disable_sniffing

  716.         nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME

  717. 

  718.         echo '  add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site

  719.         echo '' >> $keyserver_nginx_site

  720.         echo '  # Logs' >> $keyserver_nginx_site

  721.         echo '  access_log /dev/null;' >> $keyserver_nginx_site

  722.         echo '  error_log /dev/null;' >> $keyserver_nginx_site

  723.         echo '' >> $keyserver_nginx_site

  724.         echo '  # Root' >> $keyserver_nginx_site

  725.         echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site

  726.         echo '' >> $keyserver_nginx_site

  727. 

  728.         echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site

  729.         echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  730.         echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  731.         echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  732.         echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  733.         echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  734.         echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  735.         echo '' >> $keyserver_nginx_site

  736.         echo '  location / {' >> $keyserver_nginx_site

  737.         function_check nginx_limits

  738.         nginx_limits $KEYSERVER_DOMAIN_NAME '128k'

  739.         echo '  }' >> $keyserver_nginx_site

  740.         echo '' >> $keyserver_nginx_site

  741.         echo '  location /pks {' >> $keyserver_nginx_site

  742.         echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site

  743.         echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site

  744.         echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";" >> $keyserver_nginx_site

  745.         echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site

  746.         echo '    client_max_body_size 8m;' >> $keyserver_nginx_site

  747.         echo '    client_body_buffer_size 128k;' >> $keyserver_nginx_site

  748.         echo '  }' >> $keyserver_nginx_site

  749.         echo '}' >> $keyserver_nginx_site

  750.         echo '' >> $keyserver_nginx_site

  751.     else

  752.         echo -n '' > $keyserver_nginx_site

  753.     fi

  754.     echo 'server {' >> $keyserver_nginx_site

  755.     echo "  listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site

  756.     echo "  server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site

  757.     echo '' >> $keyserver_nginx_site

  758.     echo '  error_page 404 /404.html;' >> $keyserver_nginx_site

  759.     echo '' >> $keyserver_nginx_site

  760.     echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site

  761.     echo '    deny all;' >> $keyserver_nginx_site

  762.     echo '    return 404;' >> $keyserver_nginx_site

  763.     echo '  }' >> $keyserver_nginx_site

  764.     echo '' >> $keyserver_nginx_site

  765.     function_check nginx_disable_sniffing

  766.     nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME

  767.     echo '' >> $keyserver_nginx_site

  768.     echo '  # Logs' >> $keyserver_nginx_site

  769.     echo '  access_log /dev/null;' >> $keyserver_nginx_site

  770.     echo '  error_log /dev/null;' >> $keyserver_nginx_site

  771.     echo '' >> $keyserver_nginx_site

  772.     echo '  # Root' >> $keyserver_nginx_site

  773.     echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site

  774.     echo '' >> $keyserver_nginx_site

  775.     echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site

  776.     echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  777.     echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  778.     echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  779.     echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  780.     echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  781.     echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  782.     echo '' >> $keyserver_nginx_site

  783.     echo '  location / {' >> $keyserver_nginx_site

  784.     function_check nginx_limits

  785.     nginx_limits $KEYSERVER_DOMAIN_NAME '128k'

  786.     echo '  }' >> $keyserver_nginx_site

  787.     echo '' >> $keyserver_nginx_site

  788.     echo '  location /pks {' >> $keyserver_nginx_site

  789.     echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site

  790.     echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site

  791.     echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";" >> $keyserver_nginx_site

  792.     echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site

  793.     echo '    client_max_body_size 8m;' >> $keyserver_nginx_site

  794.     echo '    client_body_buffer_size 128k;' >> $keyserver_nginx_site

  795.     echo '  }' >> $keyserver_nginx_site

  796.     echo '}' >> $keyserver_nginx_site

  797. 

  798.     function_check create_site_certificate

  799.     if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then

  800.         create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'

  801.     fi

  802. 

  803.     if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then

  804.         mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem

  805.     fi

  806.     if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then

  807.         chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem

  808.         sed -i "s|.crt|.pem|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}

  809.     fi

  810.     if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then

  811.         chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key

  812.     fi

  813. 

  814.     chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  815. 

  816.     function_check nginx_ensite

  817.     nginx_ensite $KEYSERVER_DOMAIN_NAME

  818. 

  819.     configure_firewall_for_keyserver

  820. 

  821.     # remove membership file - don't try to sync with other keyservers

  822.     if [ -f /etc/sks/membership ]; then

  823.         rm /etc/sks/membership

  824.     fi

  825. 

  826.     if ! grep -q "pgp-public-keys" /etc/aliases; then

  827.         echo 'pgp-public-keys:      "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases

  828.     fi

  829.     chown -Rc debian-sks: /etc/sks/mailsync

  830. 

  831.     systemctl enable sks

  832.     systemctl restart sks

  833.     systemctl restart nginx

  834. 

  835.     set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"

  836.     set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"

  837.     set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"

  838. 

  839.     keyserver_watchdog

  840. 

  841.     APP_INSTALLED=1

  842. }

  843. 

  844. # NOTE: deliberately no exit 0