freedombone/src/freedombone-utils-setup

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# Setup functions
#
# License
# =======
#
# Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

if [ ! $PROJECT_NAME ]; then
    PROJECT_NAME='freedombone'
fi

if [ ! $LOCAL_NAME ]; then
    LOCAL_NAME=${PROJECT_NAME}
fi

DEFAULT_DOMAIN_NAME=
DEFAULT_DOMAIN_CODE=
MY_USERNAME=
if [ ! $SYSTEM_TYPE ]; then
    SYSTEM_TYPE="full"
fi

# An optional configuration file which overrides some of these variables
if [ ! $CONFIGURATION_FILE ]; then
    CONFIGURATION_FILE="$HOME/${PROJECT_NAME}.cfg"
fi

# Directory where source code is downloaded and compiled
INSTALL_DIR=$HOME/build

# device name for an attached usb drive
USB_DRIVE=/dev/sda1

# Location where the USB drive is mounted to
USB_MOUNT=/mnt/usb

# Number of days to keep backups for
BACKUP_MAX_DAYS=30

# file containing a list of remote locations to backup to
# Format: [username@friendsdomain//home/username] [ssh_password]
# With the only space character being between the server and the password
FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list

export DEBIAN_FRONTEND=noninteractive

# used to limit CPU usage
CPULIMIT='/usr/bin/cpulimit -l 20 -e'

# command to create a git repository
CREATE_GIT_PROJECT_COMMAND='create-project'

# File which keeps track of what has already been installed
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

# log file where details of remote backups are stored
REMOTE_BACKUPS_LOG=/var/log/remotebackups.log

# message if something fails to install
CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolvconf/resolv.conf.d/head, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."

# Default diffie-hellman key length in bits
DH_KEYLENGTH=2048

function support_256_colours {
    if ! grep 'xterm-256color' /etc/skel/.profile; then
        echo '' >> /etc/skel/.profile
        echo 'export TERM=xterm-256color' >> /etc/skel/.profile
    fi

    if ! grep 'xterm-256color' /home/$MY_USERNAME/.profile; then
        echo '' >> /home/$MY_USERNAME/.profile
        echo 'export TERM=xterm-256color' >> /home/$MY_USERNAME/.profile
        chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.profile
    fi
}

function detect_usb_drive {
    # sets to the highest available drive letter
    # which is likely to be the last drive connected
    read_config_param USB_DRIVE
    partition_number='1'
    if [[ "$1" == "nopath" ]]; then
        partition_number=''
    fi
    if [ -b /dev/sda${partition_number} ]; then
        USB_DRIVE=/dev/sda${partition_number}
    fi
    if [ -b /dev/sdb${partition_number} ]; then
        USB_DRIVE=/dev/sdb${partition_number}
    fi
    if [ -b /dev/sdc${partition_number} ]; then
        USB_DRIVE=/dev/sdc${partition_number}
    fi
    if [ -b /dev/sdd${partition_number} ]; then
        USB_DRIVE=/dev/sdd${partition_number}
    fi
    if [ -b /dev/sde${partition_number} ]; then
        USB_DRIVE=/dev/sde${partition_number}
    fi
    if [ -b /dev/sdf${partition_number} ]; then
        USB_DRIVE=/dev/sdf${partition_number}
    fi
    if [ -b /dev/sdg${partition_number} ]; then
        USB_DRIVE=/dev/sdg${partition_number}
    fi
    if [ -b /dev/sdh${partition_number} ]; then
        USB_DRIVE=/dev/sdh${partition_number}
    fi
    write_config_param USB_DRIVE "$USB_DRIVE"
}

function separate_tmp_filesystem {
    tmp_filesystem_size_mb=$1
    if [ ! -d /tmp ]; then
        mkdir -p /tmp
    fi
    if ! grep -q '/tmp' /etc/fstab; then
        mount -t tmpfs -o size=${tmp_filesystem_size_mb}m tmpfs /tmp
        echo "tmpfs       /tmp tmpfs   nodev,nosuid,noexec,nodiratime,size=${tmp_filesystem_size_mb}M   0 0" >> /etc/fstab
    fi
}

function proc_filesystem_settings {
    if ! grep -q "proc proc defaults,nodev,nosuid " /etc/fstab; then
       sed -i 's|proc /proc proc defaults |proc /proc proc defaults,nodev,nosuid |g' /etc/fstab
    fi
}

function remove_bluetooth {
    bluetooth_changed=
    bnep_exists=$(lsmod | grep bnep)
    if [[ "$bnep_exists" == "bnep"* ]]; then
        rmmod -f bnep
        bluetooth_changed=1
    fi
    bluetooth_exists=$(lsmod | grep bluetooth)
    if [[ "$bluetooth_exists" == "bluetooth"* ]]; then
        rmmod -f bluetooth
        bluetooth_changed=1
    fi
    if [ -f /etc/default/bluetooth ]; then
        if grep -q "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then
            sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth
        else
            echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth
        fi
        bluetooth_changed=1
    fi
    if ! grep -q 'blacklist bnep' /etc/modprobe.d/bluetooth.conf; then
        echo 'blacklist bnep' >> /etc/modprobe.d/bluetooth.conf
        bluetooth_changed=1
    fi
    if ! grep -q 'blacklist btusb' /etc/modprobe.d/bluetooth.conf; then
        echo 'blacklist btusb' >> /etc/modprobe.d/bluetooth.conf
        bluetooth_changed=1
    fi
    if ! grep -q 'blacklist bluetooth' /etc/modprobe.d/bluetooth.conf; then
        echo 'blacklist bluetooth' >> /etc/modprobe.d/bluetooth.conf
        bluetooth_changed=1
    fi
    if [ $bluetooth_changed ]; then
        update-initramfs -u -k `uname -r` -v
        update-rc.d bluetooth remove
    fi
}

function running_as_root {
    if [[ $EUID != 0 ]] ; then
        echo "0"
    else
        echo "1"
    fi
}

function reset_usb_devices {
    for xhci in /sys/bus/pci/drivers/?hci-pci ; do

        if ! cd $xhci ; then
            return
        fi

        echo "Resetting devices from $xhci..."

        for i in ????:??:??.? ; do
            echo -n "$i" > unbind
            echo -n "$i" > bind
        done
    done
    udevadm control --reload-rules
}

function install_backports_kernel {
    # install backports kernel if possible
    architecture_type=$(uname -a)

    if [[ "$architecture_type" == *"amd64"* ]]; then
        package_installed=$(dpkg-query -W -f='${Package}\n' linux-image-amd64 2>/dev/null)
        if [ ! $package_installed ]; then
            apt-get -yq install linux-image-amd64
        fi
    fi
}

function turn_off_rsys_logging {
    if grep -q '/dev/null' /etc/rsyslog.conf; then
        return
    fi
    sed -i 's|mail,news.none.*|mail,news.none      /dev/null|g' /etc/rsyslog.conf
    sed -i 's|auth,authpriv.\*.*|auth,authpriv.\*         /dev/null|g' /etc/rsyslog.conf
    sed -i 's|mail.info.*|mail.info            /dev/null|g' /etc/rsyslog.conf
    sed -i 's|mail.warn.*|mail.warn            /dev/null|g' /etc/rsyslog.conf
    sed -i 's|mail.err.*|mail.err            /dev/null|g' /etc/rsyslog.conf
    sed -i 's|daemon.\*.*|daemon.\*              /dev/null|g' /etc/rsyslog.conf
    sed -i 's|mail.\*.*|mail.\*              /dev/null|g' /etc/rsyslog.conf
    sed -i 's|user.\*.*|user.\*              /dev/null|g' /etc/rsyslog.conf
    sed -i 's|news.none;mail.none.*|news.none;mail.none /dev/null|g' /etc/rsyslog.conf
    sed -i 's|\*.\*;auth,authpriv.none.*|\*.\*;auth,authpriv.none      /dev/null|g' /etc/rsyslog.conf
    sed -i 's|#cron.\*|cron.\*|g' /etc/rsyslog.conf
    sed -i 's|cron.\*.*|cron.\*             /dev/null|g' /etc/rsyslog.conf
    shred -zu /var/log/wtmp*
    shred -zu /var/log/debug*
    shred -zu /var/log/cron.*
    shred -zu /var/log/auth.*
    shred -zu /var/log/mail.*
    shred -zu /var/log/daemon.*
    shred -zu /var/log/user.*
    shred -zu /var/log/messages*
}

function initial_setup {
    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
        return
    fi

    apt-get -yq remove --purge apache2-bin*
    apt-get -yq dist-upgrade
    apt-get -yq install ca-certificates
    apt-get -yq install apt-utils
    apt-get -yq install cryptsetup libgfshare-bin duplicity sshpass wget avahi-daemon
    apt-get -yq install avahi-utils avahi-discover connect-proxy openssh-server
    apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
    apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
    apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
    apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
    apt-get -yq install wireless-tools wpasupplicant usbutils zsh cpulimit screen
    apt-get -yq install pinentry-curses eatmydata iotop bc hostapd

    # With some VMs, the hardware cycles counter is emulated and deterministic,
    # and thus predictible, so havege should not be used
    if [[ $ARCHITECTURE != 'qemu'* ]]; then
        apt-get -yq install haveged
    fi

    if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
        apt-get -yq install grub2 lvm2
    fi

    if [ ! -d $INSTALL_DIR ]; then
        mkdir -p $INSTALL_DIR
    fi

    mark_completed $FUNCNAME
}

function turn_off_magic_sysrq {
    if grep -q 'kernel.sysrq = 0' /etc/sysctl.conf; then
        return
    fi
    if grep -q 'kernel.sysrq' /etc/sysctl.conf; then
        sed -i 's|#kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
        sed -i 's|kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
    else
        echo 'kernel.sysrq = 0' >> /etc/sysctl.conf
    fi
}

function setup_grub {
    if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
        if ! grep -q 'ifnames=0' /etc/default/grub; then
            sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1 panic=0"|g' /etc/default/grub
            update-grub
        fi
    fi
}

function admin_user_sudo {
    if ! grep -q "$MY_USERNAME  ALL=(ALL) ALL" $rootdir/etc/sudoers; then
        echo "$MY_USERNAME  ALL=(ALL) ALL" >> $rootdir/etc/sudoers
    fi
}

function search_for_attached_usb_drive {
    # If a USB drive is attached then search for email,
    # gpg, ssh keys and emacs configuration
    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
        return
    fi
    detect_usb_drive
    if [ -b $USB_DRIVE ]; then
        if [ ! -d $USB_MOUNT ]; then
            echo $'Mounting USB drive'
            mkdir $USB_MOUNT
            mount $USB_DRIVE $USB_MOUNT
        fi
        if [ -d $USB_MOUNT/.gnupg ]; then
            echo $'Importing GPG keyring'
            cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME
            chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
            if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then
                echo $'GPG files did not copy'
                exit 73529
            fi
        fi

        if [ -f $USB_MOUNT/private_key.gpg ]; then
            echo $'GPG private key found on USB drive'
            MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg
        fi
        if [ -f $USB_MOUNT/public_key.gpg ]; then
            echo $'GPG public key found on USB drive'
            MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg
        fi

        if [ -f $USB_MOUNT/letsencrypt ]; then
            echo $'Copying letsencrypt keys"'
            cp -r $USB_MOUNT/letsencrypt /etc
        fi

        if [ -d $USB_MOUNT/.ssh ]; then
            echo $'Importing ssh keys'
            cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME
            chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
            # for security delete the ssh keys from the usb drive
            if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then
                echo $'ssh files did not copy'
                exit 8
            fi
        fi
        if [ -f $USB_MOUNT/.emacs ]; then
            echo $'Importing .emacs file'
            cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs
            chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
        fi
        if [ -d $USB_MOUNT/.emacs.d ]; then
            echo $'Importing .emacs.d directory'
            cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME
            chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d
        fi
        if [ -d $USB_MOUNT/ssl ]; then
            echo $'Importing SSL certificates'
            cp -r $USB_MOUNT/ssl/* /etc/ssl
            chmod 640 /etc/ssl/certs/*
            chmod 400 /etc/ssl/private/*
            # change ownership of some certificates
            if [ -d /etc/prosody ]; then
                chown prosody:prosody /etc/ssl/private/xmpp.*
                chown prosody:prosody /etc/ssl/certs/xmpp.*
            fi
            if [ -d /etc/dovecot ]; then
                chown root:dovecot /etc/ssl/certs/dovecot.*
                chown root:dovecot /etc/ssl/private/dovecot.*
            fi
            if [ -f /etc/ssl/private/exim.key ]; then
                cp /etc/ssl/private/exim.key /etc/exim4
                cp /etc/ssl/certs/exim.crt /etc/exim4
                cp /etc/ssl/certs/exim.dhparam /etc/exim4
                chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
                chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
            fi
        fi
        if [ -d $USB_MOUNT/personal ]; then
            echo $'Importing personal directory'
            cp -r $USB_MOUNT/personal /home/$MY_USERNAME
            chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal
        fi
    else
        if [ -d $USB_MOUNT ]; then
            umount $USB_MOUNT
            rm -rf $USB_MOUNT
        fi
        echo $'No USB drive attached'
    fi
    mark_completed $FUNCNAME
}

function mark_admin_user_account {
    set_completion_param "Admin user" "$MY_USERNAME"
}

function remove_instructions_from_motd {
    if grep -q "## " /etc/motd; then
        sed -i '/## /d' /etc/motd
    fi
}

function remove_default_user {
    # make sure you don't use the default user account
    if [[ $MY_USERNAME == "debian" ]]; then
        echo 'Do not use the default debian user account. Create a different user with: adduser [username]'
        exit 68
    fi
    # remove the default debian user to prevent it from becoming an attack vector
    if [ -d /home/debian ]; then
        userdel -r debian
        echo 'Default debian user account removed'
    fi
}

function create_completion_file {
    if [ ! -f $COMPLETION_FILE ]; then
        touch $COMPLETION_FILE
    fi
}

function remove_management_engine_interface {
    # see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
    # Disabling this interface doesn't cure the problems of ME, but it
    # might stop an adversary in control of AMT from using the command
    # interface to control the operating system.
    if [ -f /dev/mei0 ]; then
        rmmod mei_me
        rmmod mei0
    fi

    blacklist_changed=
    if [ ! -f /etc/modprobe.d/blacklist.conf ]; then
        touch /etc/modprobe.d/blacklist.conf
        blacklist_changed=1
    fi
    if ! grep -q "blacklist mei" /etc/modprobe.d/blacklist.conf; then
        echo "blacklist mei" >> /etc/modprobe.d/blacklist.conf
        blacklist_changed=1
    fi
    if ! grep -q "blacklist mei_me" /etc/modprobe.d/blacklist.conf; then
        echo "blacklist mei_me" >> /etc/modprobe.d/blacklist.conf
        blacklist_changed=1
    fi

    if [ $blacklist_changed ]; then
        depmod -ae -E
        update-initramfs -u
    fi
}

function set_login_umask {
    logindefs_umask=$(cat /etc/login.defs | grep UMASK | grep -v '#')
    if [[ "$logindefs_umask" != *'077' ]]; then
        sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
    fi
}

function disable_deferred_execution {
    systemctl stop atd
    systemctl disable atd
}

function set_shadow_permissions {
    chown root:root /etc/shadow
    chmod 0000 /etc/shadow
    chown root:root /etc/gshadow
    chmod 0000 /etc/gshadow
}

function set_max_login_tries {
    max_tries=$1

    if ! grep -q ' deny=' /etc/pam.d/common-auth; then
        sed -i "/pam_deny.so/a auth    required\t\t\tpam_tally.so    onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
    else
        if ! grep -q " deny=$max_tries" /etc/pam.d/common-auth; then
            sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
        fi
    fi

    if ! grep -q 'pam_tally.so' /etc/pam.d/common-account; then
        sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account
    fi
}

function limit_user_logins {
    # overall max logins
    if ! grep -q '* hard maxsyslogins' /etc/security/limits.conf; then
        echo '* hard maxsyslogins 10' >> /etc/security/limits.conf
    else
        if ! grep -q '* hard maxsyslogins 10' /etc/security/limits.conf; then
            sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
        fi
    fi

    # Max logins for each user
    if ! grep -q '* hard maxlogins' /etc/security/limits.conf; then
        echo '* hard maxlogins 2' >> /etc/security/limits.conf
    else
        if ! grep -q '* hard maxlogins 2' /etc/security/limits.conf; then
            sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
        fi
    fi
}

function remove_serial_logins {
    if grep -q 'ttyS' /etc/securetty; then
        cp /etc/securetty /etc/securetty_old
        sed -i '/ttyS/d' /etc/securetty
    fi
}

function set_sticky_bits {
    world_writable=$(find / -xdev -type d -perm -002 \! -perm -1000)
    for w in $world_writable; do
        echo "Setting sticky bit on $w"
        chmod +t $w
    done
}

function disable_ctrl_alt_del {
    ctrl_alt_del=$(ls -l /etc/systemd/system/ctrl-alt-del.target)
    if [[ "$ctrl_alt_del" !=  *'/dev/null' ]]; then
        ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
    fi
}

function lockdown_permissions {
    if [ -d /root/.npm ]; then
        find /root/.npm -name package.json -exec chmod 700 {} \;
    fi

    # All commands owned by root
    if [ -d /root/.cache/yarn ]; then
        rm -rf /root/.cache/yarn
    fi
    if [ -d /usr/local/share/.cache/yarn ]; then
        rm -rf /usr/local/share/.cache/yarn
    fi
    if [ -f /usr/lib/ssl/certs/ssl-cert-snakeoil.pem ]; then
        chown root:root /usr/lib/ssl/certs/ssl-cert-snake*
    fi
    if [ -d /bin ]; then
        chown root:root /bin/*
    fi
    if [ -d /usr/bin ]; then
        chown root:root /usr/bin/*
    fi
    if [ -d /usr/local/bin ]; then
        chown root:root /usr/local/bin/*
    fi
    if [ -d /sbin ]; then
        chown root:root /sbin/*
    fi
    if [ -d /usr/sbin ]; then
        chown root:root /usr/sbin/*
    fi
    if [ -d /usr/local/sbin ]; then
        chown root:root /usr/local/sbin/*
    fi
    if [ -d /usr/share/${PROJECT_NAME} ]; then
        chown -R root:root /usr/share/${PROJECT_NAME}
        chmod -R +r /usr/share/${PROJECT_NAME}
    fi

    # All libraries owned by root
    if [ -d /lib ]; then
        chown -R root:root /lib/*
    fi
    if [ -d /lib64 ]; then
        chown -R root:root /lib64/*
    fi
    if [ -d /usr/lib ]; then
        chown -R root:root /usr/lib/*
        if [ -d /usr/lib/node_modules ]; then
            chmod -R 750 /usr/lib/node_modules/*
        fi
    fi
    if [ -d /usr/lib64 ]; then
        chown -R root:root /usr/lib64/*
    fi

    # sudo permissions
    chmod 4755 /usr/bin/sudo
    chmod 4755 /usr/lib/sudo/sudoers.so
    chown root:root /etc/sudoers

    # permissions on email commands
    if [ -f /usr/bin/procmail ]; then
        chmod 6755 /usr/bin/procmail
    fi
    if [ -f /usr/sbin/exim ]; then
        chmod u+s /usr/sbin/exim
    fi
    if [ -f /usr/sbin/exim4 ]; then
        chmod u+s /usr/sbin/exim4
    fi

    set_sticky_bits

    # Create some directories to correspond with users in passwords file
    if [ ! -d /var/spool/lpd ]; then
        mkdir /var/spool/lpd
    fi
    if [ ! -d /var/spool/news ]; then
        mkdir /var/spool/news
    fi
    if [ ! -d /var/spool/uucp ]; then
        mkdir /var/spool/uucp
    fi
    if [ ! -d /var/list ]; then
        mkdir /var/list
    fi
    if [ ! -d /var/lib/gnats ]; then
        mkdir /var/lib/gnats
    fi
    if [ ! -d /var/lib/saned ]; then
        mkdir /var/lib/saned
    fi
    if [ -d /etc/prosody ]; then
        chown -R prosody /etc/prosody
        chmod -R 700 /etc/prosody/conf.d
    fi
    if [ -d /var/lib/prosody ]; then
        chown -R prosody /var/lib/prosody
    fi
    if [ -d /etc/letsencrypt ]; then
        chmod -R 600 /etc/letsencrypt
        chmod -R g=rX /etc/letsencrypt
    fi
    chown -f root:root /etc/motd /etc/issue*
    chmod -f 0444 /etc/motd /etc/issue*
}

function disable_core_dumps {
    if ! grep -q '* hard core' /etc/security/limits.conf; then
        echo '* hard core 0' >> /etc/security/limits.conf
    else
        if ! grep -q '* hard core 0' /etc/security/limits.conf; then
            sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
        fi
    fi
}

function dummy_nologin_command {
    if [ ! -f /sbin/nologin ]; then
        echo '#!/bin/bash' > /sbin/nologin
        chmod +x /sbin/nologin
    fi
}

function disable_null_passwords {
    if grep -q ' nullok_secure' /etc/pam.d/common-auth; then
        sed -i 's| nullok_secure||g' /etc/pam.d/common-auth
    fi
}

function create_usb_canary {
    if [[ $SYSTEM_TYPE == "mesh"* ]]; then
        return
    fi
    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
        return
    fi

    echo "ACTION==\"add\", KERNEL==\"sd*[!0-9]\", RUN+=\"/usr/local/bin/${PROJECT_NAME}-usb-canary\"" > /etc/udev/rules.d/00-usb-canary.rules
    udevadm control --reload-rules

    mark_completed $FUNCNAME
}

function setup_firewall {
    function_check create_completion_file
    create_completion_file

    function_check configure_firewall
    configure_firewall

    function_check configure_firewall_ping
    configure_firewall_ping

    function_check firewall_drop_telnet
    firewall_drop_telnet

    function_check firewall_drop_spoofed_packets
    firewall_drop_spoofed_packets

    function_check firewall_rate_limits
    firewall_rate_limits

    function_check configure_firewall_for_dns
    configure_firewall_for_dns

    function_check configure_firewall_for_avahi
    configure_firewall_for_avahi

    function_check global_rate_limit
    global_rate_limit

    function_check firewall_block_bad_ip_ranges
    firewall_block_bad_ip_ranges
}

function setup_powerline {
    if [ -f ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
        if [ ! -f ~/.powerline.bash ]; then
            cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
        else
            HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
            HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
            if [[ "$HASH1" != "$HASH2" ]]; then
                cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
            fi
        fi
        if [ ! -f /etc/skel/.powerline.bash ]; then
            cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
        else
            HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
            HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
            if [[ "$HASH1" != "$HASH2" ]]; then
                cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
            fi
        fi
    else
        if [ -f /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
            if [ ! -f ~/.powerline.bash ]; then
                cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
            else
                HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
                HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
                if [[ "$HASH1" != "$HASH2" ]]; then
                    cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
                fi
            fi

            if [ ! -f /etc/skel/.powerline.bash ]; then
                cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
            else
                HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
                HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
                if [[ "$HASH1" != "$HASH2" ]]; then
                    cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
                fi
            fi
        fi
    fi
    if ! grep -q "powerline" ~/.bashrc; then
        if [ -f ~/.powerline.bash ]; then
            echo 'source ~/.powerline.bash' >> ~/.bashrc
        fi
    fi
    if ! grep -q "powerline" /etc/skel/.bashrc; then
        if [ -f /etc/skel/.powerline.bash ]; then
            echo 'source ~/.powerline.bash' >> /etc/skel/.bashrc
        fi
    fi
}

function congestion_control {
    # see /proc/sys/net/ipv4/tcp_congestion_control
    if [ ! -f /etc/sysctl.d/10-custom-kernel-bbr.conf ]; then
        echo 'net.core.default_qdisc=fq' > /etc/sysctl.d/10-custom-kernel-bbr.conf
        echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/10-custom-kernel-bbr.conf
        sysctl --system
    fi
}

function setup_utils {
    read_config_param "PROJECT_REPO"
    write_config_param "PROJECT_REPO" "$PROJECT_REPO"

    function_check remove_management_engine_interface
    remove_management_engine_interface

    function_check support_256_colours
    support_256_colours

    function_check congestion_control
    congestion_control

    function_check enable_predictable_device_names
    enable_predictable_device_names

    function_check turn_off_magic_sysrq
    turn_off_magic_sysrq

    function_check separate_tmp_filesystem
    separate_tmp_filesystem 150

    function_check proc_filesystem_settings
    proc_filesystem_settings

    function_check optimise_filesystem
    optimise_filesystem

    function_check disable_null_passwords
    disable_null_passwords

    function_check disable_ctrl_alt_del
    disable_ctrl_alt_del

    function_check dummy_nologin_command
    dummy_nologin_command

    function_check disable_core_dumps
    disable_core_dumps

    function_check remove_serial_logins
    remove_serial_logins

    function_check set_max_login_tries
    set_max_login_tries 10

    function_check set_shadow_permissions
    set_shadow_permissions

    function_check remove_bluetooth
    remove_bluetooth

    function_check set_login_umask
    set_login_umask

    function_check disable_deferred_execution
    disable_deferred_execution

    function_check turn_off_rsys_logging
    turn_off_rsys_logging

    function_check install_backports_kernel
    install_backports_kernel

    function_check create_completion_file
    create_completion_file

    function_check read_configuration
    read_configuration

    function_check check_system_type
    check_system_type

    function_check set_default_onion_domains
    set_default_onion_domains

    function_check locale_setup
    locale_setup

    function_check parse_args
    parse_args

    function_check check_domains
    check_domains

    function_check install_static_network
    install_static_network

    function_check remove_default_user
    remove_default_user

    function_check setup_firewall
    setup_firewall

    function_check create_repo_sources
    create_repo_sources

    function_check configure_dns
    configure_dns

    function_check initial_setup
    initial_setup

    function_check setup_grub
    setup_grub

    function_check install_tor
    install_tor

    #function_check resolve_dns_via_tor
    #resolve_dns_via_tor

    function_check install_command_line_browser
    install_command_line_browser

    function_check enable_ssh_via_onion
    enable_ssh_via_onion

    function_check check_date
    check_date

    function_check install_dynamicdns
    install_dynamicdns

    function_check randomize_cron
    randomize_cron

    function_check create_freedns_updater
    create_freedns_updater

    function_check mark_admin_user_account
    mark_admin_user_account

    function_check enforce_good_passwords
    enforce_good_passwords

    function_check change_login_message
    change_login_message

    function_check enable_zram
    enable_zram

    function_check random_number_generator
    random_number_generator

    function_check set_your_domain_name
    set_your_domain_name

    function_check configure_internet_protocol
    configure_internet_protocol

    function_check create_git_project
    create_git_project

    function_check setup_wifi
    setup_wifi

    function_check configure_ssh
    configure_ssh

    function_check configure_ssh_onion
    configure_ssh_onion

    function_check allow_ssh_to_onion_address
    allow_ssh_to_onion_address

    function_check remove_instructions_from_motd
    remove_instructions_from_motd

    function_check check_hwrng
    check_hwrng

    function_check search_for_attached_usb_drive
    search_for_attached_usb_drive

    function_check regenerate_ssh_keys
    regenerate_ssh_keys

    function_check create_upgrade_script
    create_upgrade_script

    function_check letsencrypt_renewals
    letsencrypt_renewals

    function_check install_watchdog_script
    install_watchdog_script

    function_check install_avahi
    install_avahi

    function_check create_avahi_onion_domains
    create_avahi_onion_domains

    #function_check install_atheros_wifi
    #install_atheros_wifi

    function_check route_outgoing_traffic_through_tor
    route_outgoing_traffic_through_tor

    function_check upgrade_golang
    upgrade_golang

    function_check install_tomb
    install_tomb

    function_check admin_user_sudo
    admin_user_sudo

    function_check limit_user_logins
    limit_user_logins

    function_check schedule_stig_tests
    schedule_stig_tests

    function_check create_usb_canary
    create_usb_canary

    function_check setup_powerline
    setup_powerline
}

function setup_email {
    function_check create_completion_file
    create_completion_file

    function_check install_email
    install_email

    function_check create_procmail
    create_procmail

    function_check handle_admin_emails
    handle_admin_emails

    function_check spam_filtering
    spam_filtering

    function_check configure_imap
    configure_imap

    #function_check configure_imap_client_certs
    #configure_imap_client_certs

    function_check configure_gpg
    configure_gpg

    function_check refresh_gpg_keys
    refresh_gpg_keys

    function_check configure_backup_key
    configure_backup_key

    #function_check install_monkeysphere
    #install_monkeysphere

    function_check email_client
    email_client

    function_check encrypt_incoming_email
    encrypt_incoming_email

    function_check encrypt_outgoing_email
    encrypt_outgoing_email

    function_check email_archiving
    email_archiving

    function_check email_from_address
    email_from_address

    function_check create_public_mailing_list
    #create_public_mailing_list

    #function check create_private_mailing_list
    #create_private_mailing_list

    function_check encrypt_all_email
    encrypt_all_email

    function_check import_email
    import_email
}

function setup_web {
    function_check create_completion_file
    create_completion_file

    function_check install_web_server
    install_web_server

    function_check install_web_server_access_control
    install_web_server_access_control
}

function upgrade_apps {
    function_check create_completion_file
    create_completion_file

    APPS_COMPLETED=()
    FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*

    # for all the app scripts
    for filename in $FILES
    do
        app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')

        item_in_array "${app_name}" "${APPS_COMPLETED[@]}"
        if [[ $? != 0 ]]; then
            function_check app_is_installed
            if [[ "$(app_is_installed $app_name)" == "1" ]]; then
                echo ''
                echo ''
                echo $"Upgrading $app_name"
                app_load_variables ${app_name}
                APPS_COMPLETED+=("${app_name}")
                function_check upgrade_${app_name}
                upgrade_${app_name}
            fi
        fi
    done
}

function setup_apps {
    is_interactive=$1

    function_check create_completion_file
    create_completion_file

    function_check detect_installable_apps
    detect_installable_apps

    function_check choose_apps_for_variant
    choose_apps_for_variant "$SYSTEM_TYPE"

    echo $"System variant: $SYSTEM_TYPE"
    #echo $'The following apps have been selected'
    #echo ''
    #function_check list_chosen_apps
    #list_chosen_apps
    #echo ''

    function_check upgrade_apps
    upgrade_apps

    if [[ $is_interactive == "noninteractive" || $is_interactive == "headless" ]]; then
        function_check install_apps
        install_apps
        if [ ! $APP_INSTALLED_SUCCESS ]; then
            echo $'One or more apps failed to install'
        fi
    fi
}

function combine_all_scripts {
    combined_filename=$1

    # initial variables
    cp $PROJECT_INSTALL_DIR/${PROJECT_NAME}-vars $combined_filename

    # utilities
    UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
    for f in $UTILS_FILES
    do
        # this removes the first line, which is #!/bin/bash
        tail -n +2 "$f" >> $combined_filename
    done

    # base system
    BASE_SYSTEM_FILES=/usr/share/${PROJECT_NAME}/base/${PROJECT_NAME}-base-*
    for f in $BASE_SYSTEM_FILES
    do
        tail -n +2 "$f" >> $combined_filename
    done

    # apps
    APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
    for f in $APP_FILES
    do
        tail -n +2 "$f" >> $combined_filename
    done
}

function check_ram_availability {
    minimum_ram_MB="$1"
    minimum_ram_bytes=$((minimum_ram_MB * 1024))

    ram_available=$(grep MemTotal /proc/meminfo | awk '{print $2}')
    if [ $ram_available -lt $minimum_ram_bytes ]; then
        echo $"Need at least ${minimum_ram_gb}MB RAM to install this app"
        exit 783524
    fi
}

# NOTE: deliberately no exit 0