free
/
freedombone
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Activity
7137 Commitit
5 Branchit
Puu: 43a44a1186
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '43a44a1186'
${ noResults }
freedombone/src/freedombone-app-keyserver

freedombone-app-keyserver 31KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # SKS Keyserver

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2017 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. VARIANTS='full full-vim'

  32. 

  33. IN_DEFAULT_INSTALL=0

  34. SHOW_ON_ABOUT=1

  35. 

  36. KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"

  37. KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'

  38. KEYSERVER_PORT=11371

  39. KEYSERVER_ONION_PORT=8122

  40. KEYSERVER_DOMAIN_NAME=

  41. KEYSERVER_CODE=

  42. 

  43. keyserver_variables=(ONION_ONLY

  44.                      MY_USERNAME

  45.                      DEFAULT_DOMAIN_NAME

  46.                      KEYSERVER_DOMAIN_NAME

  47.                      KEYSERVER_CODE)

  48. 

  49. function check_keyserver_directory_size {

  50.     dirsize=$(du /var/lib/sks/DB | awk -F ' ' '{print $1}')

  51.     # 500M

  52.     if [ $dirsize -gt 500000 ]; then

  53.         echo "1"

  54.         return

  55.     fi

  56.     echo "0"

  57. }

  58. 

  59. function keyserver_watchdog {

  60.     ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')

  61.     ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}

  62.     keyserver_size_warning=$"The SKS keyserver database is getting large. Check that you aren't being spammed"

  63.     keyserver_disabled_warning=$"The SKS keyserver has been disabled because it is getting too large. This is to prevent flooding attacks from crashing the server."

  64.     keyserver_mail_subject_line=$"${PROJECT_NAME} keyserver warning"

  65.     keyserver_mail_subject_line_disabled=$"${PROJECT_NAME} keyserver disabled"

  66.     read_config_param KEYSERVER_DOMAIN_NAME

  67.     keyserver_watchdog_script=/etc/cron.hourly/keyserver-watchdog

  68.     echo '#!/bin/bash' > $keyserver_watchdog_script

  69.     echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script

  70.     echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script

  71. 

  72.     echo "  echo \"$keyserver_size_warning\" | mail -s \"$keyserver_mail_subject_line\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script

  73. 

  74.     echo '  if [ $dirsize -gt 500000 ]; then' >> $keyserver_watchdog_script

  75.     echo "    nginx_dissite $KEYSERVER_DOMAIN_NAME" >> $keyserver_watchdog_script

  76.     echo '    systemctl stop sks' >> $keyserver_watchdog_script

  77.     echo '    systemctl disable sks' >> $keyserver_watchdog_script

  78.     echo "    echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script

  79.     echo '  fi' >> $keyserver_watchdog_script

  80.     echo 'fi' >> $keyserver_watchdog_script

  81. 

  82.     chmod +x $keyserver_watchdog_script

  83. }

  84. 

  85. 

  86. function configure_firewall_for_keyserver {

  87.     if [[ $ONION_ONLY != "no" ]]; then

  88.         return

  89.     fi

  90.     firewall_add keyserver 11370 tcp

  91.     firewall_add keyserver 11371 tcp

  92.     firewall_add keyserver 11372 tcp

  93.     mark_completed $FUNCNAME

  94. }

  95. 

  96. function keyserver_reset_database {

  97.     if [ -d /var/lib/sks/DB ]; then

  98.         rm -rf /var/lib/sks/DB

  99.     fi

  100.     sks build

  101.     chown -Rc debian-sks: /var/lib/sks

  102.     systemctl restart sks

  103. }

  104. 

  105. function logging_on_keyserver {

  106.     echo -n ''

  107. }

  108. 

  109. function logging_off_keyserver {

  110.     echo -n ''

  111. }

  112. 

  113. function reconfigure_keyserver {

  114.     echo -n ''

  115. }

  116. 

  117. function upgrade_keyserver {

  118.     keyserver_watchdog

  119. 

  120.     CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")

  121.     if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then

  122.         return

  123.     fi

  124. 

  125.     if grep -q "keyserver domain" $COMPLETION_FILE; then

  126.         KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")

  127.     fi

  128. 

  129.     # update to the next commit

  130.     function_check set_repo_commit

  131.     set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO

  132. 

  133.     read_config_param MY_USERNAME

  134.     USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME

  135.     GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)

  136.     if [ ! $GPG_ID ]; then

  137.         echo $'No GPG ID for admin user'

  138.         exit 846336

  139.     fi

  140.     if [ ${#GPG_ID} -lt 5 ]; then

  141.         echo $'GPG ID not retrieved for admin user'

  142.         exit 835292

  143.     fi

  144.     if [[ "$GPG_ID" == *"error"* ]]; then

  145.         echo $'GPG ID not retrieved for admin user due to error'

  146.         exit 74825

  147.     fi

  148.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  149.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  150.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  151.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  152. 

  153.     chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  154. }

  155. 

  156. function backup_local_keyserver {

  157.     # remove any unused log files

  158.     cd /var/lib/sks/DB

  159.     db_archive -d

  160. 

  161.     source_directory=/etc/sks

  162.     if [ -d $source_directory ]; then

  163.         systemctl stop sks

  164.         dest_directory=keyserverconfig

  165.         function_check backup_directory_to_usb

  166.         backup_directory_to_usb $source_directory $dest_directory

  167.         systemctl start sks

  168.     fi

  169.     if [[ "$(check_keyserver_directory_size)" != "0" ]]; then

  170.         echo $'WARNING: Keyserver database size is too large to backup'

  171.         return

  172.     fi

  173.     source_directory=/var/lib/sks/DB

  174.     if [ -d $source_directory ]; then

  175.         systemctl stop sks

  176.         dest_directory=keyserver

  177.         function_check backup_directory_to_usb

  178.         backup_directory_to_usb $source_directory $dest_directory

  179.         systemctl start sks

  180.     fi

  181. }

  182. 

  183. function restore_local_keyserver {

  184.     if [ ! -d /var/lib/sks/DB ]; then

  185.         return

  186.     fi

  187.     echo $"Restoring SKS Keyserver"

  188.     systemctl stop sks

  189. 

  190.     temp_restore_dir=/root/tempkeyserverconfig

  191.     function_check restore_directory_from_usb

  192.     restore_directory_from_usb $temp_restore_dir keyserverconfig

  193.     cp -r $temp_restore_dir/etc/sks/* /etc/sks/

  194.     rm -rf $temp_restore_dir

  195.     chown -Rc debian-sks: /etc/sks/sksconf

  196.     chown -Rc debian-sks: /etc/sks/mailsync

  197. 

  198.     temp_restore_dir=/root/tempkeyserver

  199.     function_check restore_directory_from_usb

  200.     restore_directory_from_usb $temp_restore_dir keyserver

  201.     mv /var/lib/sks/DB /var/lib/sks/DB_prev

  202.     cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB

  203.     if [ ! "$?" = "0" ]; then

  204.         # restore the old database

  205.         rm -rf /var/lib/sks/DB

  206.         mv /var/lib/sks/DB_prev /var/lib/sks/DB

  207. 

  208.         rm -rf $temp_restore_dir

  209.         function_check set_user_permissions

  210.         set_user_permissions

  211.         function_check backup_unmount_drive

  212.         backup_unmount_drive

  213.         exit 5627294

  214.     fi

  215.     rm -rf $temp_restore_dir

  216.     chown -Rc debian-sks: /var/lib/sks

  217. 

  218.     # remove the old database

  219.     rm -rf /var/lib/sks/DB_prev

  220. 

  221.     systemctl start sks

  222. }

  223. 

  224. function backup_remote_keyserver {

  225.     # remove any unused log files

  226.     cd /var/lib/sks/DB

  227.     db_archive -d

  228. 

  229.     source_directory=/etc/sks

  230.     if [ -d $source_directory ]; then

  231.         systemctl stop sks

  232.         dest_directory=keyserverconfig

  233.         function_check backup_directory_to_friend

  234.         backup_directory_to_friend $source_directory $dest_directory

  235.         systemctl start sks

  236.     fi

  237.     if [[ "$(check_keyserver_directory_size)" != "0" ]]; then

  238.         echo $'WARNING: Keyserver database size is too large to backup'

  239.         return

  240.     fi

  241.     source_directory=/var/lib/sks/DB

  242.     if [ -d $source_directory ]; then

  243.         systemctl stop sks

  244.         dest_directory=keyserver

  245.         function_check backup_directory_to_friend

  246.         backup_directory_to_friend $source_directory $dest_directory

  247.         systemctl start sks

  248.     fi

  249. }

  250. 

  251. function restore_remote_keyserver {

  252.     if [ ! -d /var/lib/sks/DB ]; then

  253.         return

  254.     fi

  255.     echo $"Restoring SKS Keyserver"

  256.     systemctl stop sks

  257. 

  258.     temp_restore_dir=/root/tempkeyserverconfig

  259.     function_check restore_directory_from_friend

  260.     restore_directory_from_friend $temp_restore_dir keyserverconfig

  261.     cp -r $temp_restore_dir/etc/sks/* /etc/sks/

  262.     rm -rf $temp_restore_dir

  263.     chown -Rc debian-sks: /etc/sks/sksconf

  264.     chown -Rc debian-sks: /etc/sks/mailsync

  265. 

  266.     temp_restore_dir=/root/tempkeyserver

  267.     function_check restore_directory_from_friend

  268.     restore_directory_from_friend $temp_restore_dir keyserver

  269.     mv /var/lib/sks/DB /var/lib/sks/DB_prev

  270.     cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB

  271.     if [ ! "$?" = "0" ]; then

  272.         # restore the old database

  273.         rm -rf /var/lib/sks/DB

  274.         mv /var/lib/sks/DB_prev /var/lib/sks/DB

  275. 

  276.         rm -rf $temp_restore_dir

  277.         function_check set_user_permissions

  278.         set_user_permissions

  279.         return

  280.     fi

  281.     rm -rf $temp_restore_dir

  282.     chown -Rc debian-sks: /var/lib/sks

  283. 

  284.     # remove the old database

  285.     rm -rf /var/lib/sks/DB_prev

  286. 

  287.     systemctl start sks

  288. }

  289. 

  290. function remove_keyserver {

  291.     systemctl stop sks

  292.     if [ -f /etc/cron.hourly/keyserver-watchdog ]; then

  293.         rm /etc/cron.hourly/keyserver-watchdog

  294.     fi

  295.     apt-get -qy remove sks dirmngr

  296. 

  297.     read_config_param "KEYSERVER_DOMAIN_NAME"

  298.     nginx_dissite $KEYSERVER_DOMAIN_NAME

  299.     remove_certs ${KEYSERVER_DOMAIN_NAME}

  300.     if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then

  301.         rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME

  302.     fi

  303.     if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then

  304.         rm -rf /var/www/$KEYSERVER_DOMAIN_NAME

  305.     fi

  306.     function_check remove_ddns_domain

  307.     remove_ddns_domain $KEYSERVER_DOMAIN_NAME

  308. 

  309.     remove_config_param KEYSERVER_DOMAIN_NAME

  310.     remove_config_param KEYSERVER_CODE

  311.     function_check remove_onion_service

  312.     remove_onion_service keyserver ${KEYSERVER_ONION_PORT}

  313.     remove_onion_service sks 11370 11371 11372

  314.     remove_completion_param "install_keyserver"

  315. 

  316.     firewall_remove 11370 tcp

  317.     firewall_remove 11371 tcp

  318.     firewall_remove 11372 tcp

  319. 

  320.     sed -i '/keyserver/d' $COMPLETION_FILE

  321.     sed -i '/sks onion/d' $COMPLETION_FILE

  322.     if [ -d /var/lib/sks ]; then

  323.         rm -rf /var/lib/sks

  324.     fi

  325. }

  326. 

  327. function install_interactive_keyserver {

  328.     if [ ! $ONION_ONLY ]; then

  329.         ONION_ONLY='no'

  330.     fi

  331. 

  332.     if [[ $ONION_ONLY != "no" ]]; then

  333.         KEYSERVER_DOMAIN_NAME='keyserver.local'

  334.         write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"

  335.     else

  336.         function_check interactive_site_details

  337.         interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"

  338.     fi

  339.     APP_INSTALLED=1

  340. }

  341. 

  342. function keyserver_create_mailsync {

  343.     echo $"# List of email addresses which submitted keys will be forwarded to" > /etc/sks/mailsync

  344.     echo '' >> /etc/sks/mailsync

  345.     chown -Rc debian-sks: /etc/sks/mailsync

  346. }

  347. 

  348. function keyserver_create_membership {

  349.     if [ -f /etc/sks/membership ]; then

  350.         return

  351.     fi

  352.     systemctl stop sks

  353.     echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with." > /etc/sks/membership

  354.     echo '#' >> /etc/sks/membership

  355.     echo $"# Don't add major keyservers here, because it will take an" >> /etc/sks/membership

  356.     echo $'# Infeasible amount of time to sync and backups will become' >> /etc/sks/membership

  357.     echo $'# absurdly long and probably break your system. You have been warned.' >> /etc/sks/membership

  358.     echo '' >> /etc/sks/membership

  359.     chown -Rc debian-sks: /etc/sks/membership

  360.     systemctl start sks

  361. }

  362. 

  363. function keyserver_import_keys {

  364.     # NOTE: this function isn't used, but kept for reference

  365.     dialog --title $"Import public keys database" \

  366.            --backtitle $"Freedombone Control Panel" \

  367.            --defaultno \

  368.            --yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60

  369.     sel=$?

  370.     case $sel in

  371.         1) return;;

  372.         255) return;;

  373.     esac

  374.     if [ ! -d /var/lib/sks/dump ]; then

  375.         mkdir -p /var/lib/sks/dump

  376.     fi

  377.     cd /var/lib/sks/dump

  378.     echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'

  379.     rm -rf /var/lib/sks/dump/*

  380.     KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"

  381.     wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \

  382.          -A pgp,txt $KEYSERVER_DUMP_URL

  383. 

  384.     cd /var/lib/sks

  385.     echo $'Building the keyserver database from the downloaded dump'

  386.     keyserver_reset_database

  387. }

  388. 

  389. function keyserver_sync {

  390.     data=$(tempfile 2>/dev/null)

  391.     trap "rm -f $data" 0 1 2 5 15

  392.     dialog --backtitle $"Freedombone Control Panel" \

  393.            --title $"Sync with other keyserver" \

  394.            --form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \

  395.            $"Domain:" 1 1 "" 1 25 32 64 \

  396.            $"Port:" 2 1 "11370" 2 25 6 6 \

  397.            $"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \

  398.            2> $data

  399.     sel=$?

  400.     case $sel in

  401.         1) return;;

  402.         255) return;;

  403.     esac

  404.     other_keyserver_domain=$(cat $data | sed -n 1p)

  405.     other_keyserver_port=$(cat $data | sed -n 2p)

  406.     other_keyserver_email=$(cat $data | sed -n 3p)

  407.     if [[ "$other_keyserver_domain" != *'.'* ]]; then

  408.         return

  409.     fi

  410.     if [[ "$other_keyserver_domain" == *' '* ]]; then

  411.         return

  412.     fi

  413.     if [[ "$other_keyserver_port" == *'.'* ]]; then

  414.         return

  415.     fi

  416.     if [[ "$other_keyserver_port" == *' '* ]]; then

  417.         return

  418.     fi

  419.     if [ ${#other_keyserver_domain} -lt 4 ]; then

  420.         return

  421.     fi

  422.     if [ ${#other_keyserver_port} -lt 4 ]; then

  423.         return

  424.     fi

  425. 

  426.     # Warn if trying to sync

  427.     if [[ "$other_keyserver_domain" == *"sks-keyservers.net" || "$other_keyserver_domain" == *"gnupg.net" || "$other_keyserver_domain" == *"pgp.com" || "$other_keyserver_domain" == *"pgp.mit.edu" || "$other_keyserver_domain" == *"the.earth.li" || "$other_keyserver_domain" == *"mayfirst.org" || "$other_keyserver_domain" == *"ubuntu.com" ]]; then

  428.         dialog --title $"Sync with other keyserver" \

  429.                --msgbox $"\nDon't try to sync with the major keyservers. Your system will be overloaded with an infeasible database size." 8 60

  430.         return

  431.     fi

  432. 

  433.     if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then

  434.         if [[ "$other_keyserver_email" == *"@"* ]]; then

  435.             if [[ "$other_keyserver_email" == *"."* ]]; then

  436.                 keyserver_create_mailsync

  437.                 if ! grep -q "$other_keyserver_email" /etc/sks/mailsync; then

  438.                     echo "$other_keyserver_email" >> /etc/sks/mailsync

  439.                     chown -Rc debian-sks: /etc/sks/mailsync

  440.                 fi

  441.             else

  442.                 dialog --title $"Sync with other keyserver" \

  443.                        --msgbox $"Email doesn't look right: $other_keyserver_email" 6 60

  444.                 return

  445.             fi

  446.         fi

  447.     fi

  448.     keyserver_create_membership

  449.     if grep -q "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then

  450.         return

  451.     fi

  452.     if grep -q "$other_keyserver_domain " /etc/sks/membership; then

  453.         sed -i "s|$other_keyserver_domain .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership

  454.     else

  455.         echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership

  456.     fi

  457.     chown -Rc debian-sks: /etc/sks/membership

  458.     systemctl restart sks

  459.     dialog --title $"Sync with other keyserver" \

  460.            --msgbox $"Keyserver added" 6 40

  461. }

  462. 

  463. function keyserver_edit {

  464.     if [ ! -f /etc/sks/membership ]; then

  465.         return

  466.     fi

  467.     editor /etc/sks/membership

  468.     chown -Rc debian-sks: /etc/sks/membership

  469.     systemctl restart sks

  470. }

  471. 

  472. function keyserver_remove_key {

  473.     data=$(tempfile 2>/dev/null)

  474.     trap "rm -f $data" 0 1 2 5 15

  475.     dialog --title $"Remove a key" \

  476.            --backtitle $"Freedombone Control Panel" \

  477.            --inputbox $"Enter the ID of the key which you wish to remove:" 12 60 2>$data

  478.     sel=$?

  479.     case $sel in

  480.         0)

  481.             remove_key_id=$(<$data)

  482.             if [ ${#remove_key_id} -gt 8 ]; then

  483.                 sks drop $remove_key_id

  484.                 dialog --title $"Remove a key" \

  485.                        --msgbox $"The key was removed" 6 40

  486.             fi

  487.             ;;

  488.     esac

  489. }

  490. 

  491. function configure_interactive_keyserver {

  492.     while true

  493.     do

  494.         data=$(tempfile 2>/dev/null)

  495.         trap "rm -f $data" 0 1 2 5 15

  496.         dialog --backtitle $"Freedombone Control Panel" \

  497.                --title $"SKS Keyserver" \

  498.                --radiolist $"Choose an operation:" 12 70 4 \

  499.                1 $"Remove a key" off \

  500.                2 $"Sync with other keyserver" off \

  501.                3 $"Edit sync keyservers" off \

  502.                4 $"Exit" on 2> $data

  503.         sel=$?

  504.         case $sel in

  505.             1) return;;

  506.             255) return;;

  507.         esac

  508.         case $(cat $data) in

  509.             1) keyserver_remove_key;;

  510.             2) keyserver_sync;;

  511.             3) keyserver_edit;;

  512.             4) break;;

  513.         esac

  514.     done

  515. }

  516. 

  517. function install_keyserver {

  518.     apt-get -qy install build-essential gcc ocaml libdb-dev wget sks

  519.     keyserver_reset_database

  520.     sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks

  521.     apt-get -qy install dirmngr

  522.     systemctl restart sks

  523. 

  524.     if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then

  525.         mkdir /var/www/$KEYSERVER_DOMAIN_NAME

  526.     fi

  527. 

  528.     cd /var/www/$KEYSERVER_DOMAIN_NAME

  529.     if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then

  530.         rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  531.     fi

  532. 

  533.     if [ -d /repos/keyserverweb ]; then

  534.         mkdir htdocs

  535.         cp -r -p /repos/keyserverweb/. htdocs

  536.         cd htdocs

  537.         git pull

  538.     else

  539.         git_clone $KEYSERVER_WEB_REPO htdocs

  540.     fi

  541.     if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then

  542.         echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"

  543.         exit 6539230

  544.     fi

  545. 

  546.     cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  547.     git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT

  548.     set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"

  549. 

  550. 

  551.     USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME

  552.     GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)

  553.     if [ ! $GPG_ID ]; then

  554.         echo $'No GPG ID for admin user'

  555.         exit 846336

  556.     fi

  557.     if [ ${#GPG_ID} -lt 5 ]; then

  558.         echo $'GPG ID not retrieved for admin user'

  559.         exit 835292

  560.     fi

  561.     if [[ "$GPG_ID" == *"error"* ]]; then

  562.         echo $'GPG ID not retrieved for admin user due to error'

  563.         exit 74825

  564.     fi

  565.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  566.     sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  567.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html

  568.     sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

  569. 

  570.     sksconf_file=/etc/sks/sksconf

  571.     sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file

  572.     sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file

  573.     sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file

  574.     sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file

  575.     sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file

  576.     sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file

  577.     sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file

  578.     sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file

  579.     sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file

  580.     sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file

  581.     sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file

  582.     sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file

  583.     sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file

  584. 

  585.     if ! grep -q "#disable_mailsync" $sksconf_file; then

  586.         echo '#disable_mailsync:' >> $sksconf_file

  587.     else

  588.         sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file

  589.     fi

  590.     if ! grep -q "membership_reload_interval:" $sksconf_file; then

  591.         echo 'membership_reload_interval:     1' >> $sksconf_file

  592.     else

  593.         sed -i 's|#membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file

  594.         sed -i 's|membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file

  595.     fi

  596.     if ! grep -q "max_matches:" $sksconf_file; then

  597.         echo 'max_matches: 50' >> $sksconf_file

  598.     else

  599.         sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file

  600.         sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file

  601.     fi

  602.     if ! grep -q "stat_hour:" $sksconf_file; then

  603.         echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file

  604.     else

  605.         sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file

  606.         sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file

  607.     fi

  608.     if ! grep -q "disable_log_diffs:" $sksconf_file; then

  609.         echo "disable_log_diffs:" >> $sksconf_file

  610.     else

  611.         sed -i "s|#disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file

  612.         sed -i "s|disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file

  613.     fi

  614.     if ! grep -q "debuglevel:" $sksconf_file; then

  615.         echo "debuglevel: 0" >> $sksconf_file

  616.     else

  617.         sed -i "s|#debuglevel:.*|debuglevel: 0|g" $sksconf_file

  618.         sed -i "s|debuglevel:.*|debuglevel: 0|g" $sksconf_file

  619.     fi

  620. 

  621.     chown debian-sks: $sksconf_file

  622. 

  623.     if ! grep -q "hidden_service_sks" /etc/tor/torrc; then

  624.         echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/' >> /etc/tor/torrc

  625.         echo "HiddenServicePort 11370 127.0.0.1:11370" >> /etc/tor/torrc

  626.         echo "HiddenServicePort 11373 127.0.0.1:11371" >> /etc/tor/torrc

  627.         echo "HiddenServicePort 11372 127.0.0.1:11372" >> /etc/tor/torrc

  628.         echo $'Added onion site for sks'

  629.     fi

  630. 

  631.     onion_update

  632.     wait_for_onion_service 'sks'

  633. 

  634.     if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then

  635.         echo $'sks onion site hostname not found'

  636.         exit 8352982

  637.     fi

  638.     SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)

  639. 

  640.     KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})

  641. 

  642.     keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME

  643.     if [[ $ONION_ONLY == "no" ]]; then

  644.         # NOTE: without http active on port 80 the keyserver doesn't work

  645.         #       from the commandline

  646.         echo 'server {' > $keyserver_nginx_site

  647.         echo '  listen 80;' >> $keyserver_nginx_site

  648.         echo '  listen 0.0.0.0:11371;' >> $keyserver_nginx_site

  649.         echo '  listen [::]:80;' >> $keyserver_nginx_site

  650.         echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site

  651.         echo '' >> $keyserver_nginx_site

  652.         echo '  # Logs' >> $keyserver_nginx_site

  653.         echo '  access_log /dev/null;' >> $keyserver_nginx_site

  654.         echo '  error_log /dev/null;' >> $keyserver_nginx_site

  655.         echo '' >> $keyserver_nginx_site

  656.         echo '  # Root' >> $keyserver_nginx_site

  657.         echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site

  658.         echo '' >> $keyserver_nginx_site

  659.         echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site

  660.         echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  661.         echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  662.         echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  663.         echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  664.         echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  665.         echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  666.         echo '' >> $keyserver_nginx_site

  667.         echo '  location /pks {' >> $keyserver_nginx_site

  668.         echo '    proxy_pass         http://127.0.0.1:11373;' >> $keyserver_nginx_site

  669.         echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site

  670.         echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";" >> $keyserver_nginx_site

  671.         echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site

  672.         echo '    client_max_body_size 8m;' >> $keyserver_nginx_site

  673.         echo '  }' >> $keyserver_nginx_site

  674.         echo '}' >> $keyserver_nginx_site

  675.         echo '' >> $keyserver_nginx_site

  676.         echo 'server {' >> $keyserver_nginx_site

  677.         echo '  listen 443 ssl;' >> $keyserver_nginx_site

  678.         echo '  listen 0.0.0.0:11372 ssl;' >> $keyserver_nginx_site

  679.         echo '  listen [::]:443 ssl;' >> $keyserver_nginx_site

  680.         echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site

  681.         echo '' >> $keyserver_nginx_site

  682.         echo '  error_page 404 /404.html;' >> $keyserver_nginx_site

  683.         echo '' >> $keyserver_nginx_site

  684.         echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site

  685.         echo '    deny all;' >> $keyserver_nginx_site

  686.         echo '    return 404;' >> $keyserver_nginx_site

  687.         echo '  }' >> $keyserver_nginx_site

  688.         echo '' >> $keyserver_nginx_site

  689.         echo '  # Security' >> $keyserver_nginx_site

  690.         function_check nginx_ssl

  691.         nginx_ssl $KEYSERVER_DOMAIN_NAME

  692. 

  693.         function_check nginx_disable_sniffing

  694.         nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME

  695. 

  696.         echo '  add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site

  697.         echo '' >> $keyserver_nginx_site

  698.         echo '  # Logs' >> $keyserver_nginx_site

  699.         echo '  access_log /dev/null;' >> $keyserver_nginx_site

  700.         echo '  error_log /dev/null;' >> $keyserver_nginx_site

  701.         echo '' >> $keyserver_nginx_site

  702.         echo '  # Root' >> $keyserver_nginx_site

  703.         echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site

  704.         echo '' >> $keyserver_nginx_site

  705. 

  706.         echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site

  707.         echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  708.         echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  709.         echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  710.         echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  711.         echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  712.         echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  713.         echo '' >> $keyserver_nginx_site

  714.         echo '  location /pks {' >> $keyserver_nginx_site

  715.         echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site

  716.         echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site

  717.         echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";" >> $keyserver_nginx_site

  718.         echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site

  719.         echo '    client_max_body_size 8m;' >> $keyserver_nginx_site

  720.         echo '  }' >> $keyserver_nginx_site

  721.         echo '}' >> $keyserver_nginx_site

  722.         echo '' >> $keyserver_nginx_site

  723.     else

  724.         echo -n '' > $keyserver_nginx_site

  725.     fi

  726.     echo 'server {' >> $keyserver_nginx_site

  727.     echo "  listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site

  728.     echo "  server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site

  729.     echo '' >> $keyserver_nginx_site

  730.     echo '  error_page 404 /404.html;' >> $keyserver_nginx_site

  731.     echo '' >> $keyserver_nginx_site

  732.     echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site

  733.     echo '    deny all;' >> $keyserver_nginx_site

  734.     echo '    return 404;' >> $keyserver_nginx_site

  735.     echo '  }' >> $keyserver_nginx_site

  736.     echo '' >> $keyserver_nginx_site

  737.     function_check nginx_disable_sniffing

  738.     nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME

  739.     echo '' >> $keyserver_nginx_site

  740.     echo '  # Logs' >> $keyserver_nginx_site

  741.     echo '  access_log /dev/null;' >> $keyserver_nginx_site

  742.     echo '  error_log /dev/null;' >> $keyserver_nginx_site

  743.     echo '' >> $keyserver_nginx_site

  744.     echo '  # Root' >> $keyserver_nginx_site

  745.     echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site

  746.     echo '' >> $keyserver_nginx_site

  747.     echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site

  748.     echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  749.     echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site

  750.     echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  751.     echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site

  752.     echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  753.     echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site

  754.     echo '' >> $keyserver_nginx_site

  755.     echo '  location /pks {' >> $keyserver_nginx_site

  756.     echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site

  757.     echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site

  758.     echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";" >> $keyserver_nginx_site

  759.     echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site

  760.     echo '    client_max_body_size 8m;' >> $keyserver_nginx_site

  761.     echo '  }' >> $keyserver_nginx_site

  762.     echo '}' >> $keyserver_nginx_site

  763. 

  764.     function_check create_site_certificate

  765.     if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then

  766.         create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'

  767.     fi

  768. 

  769.     if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then

  770.         mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem

  771.     fi

  772.     if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then

  773.         chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem

  774.         sed -i "s|.crt|.pem|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}

  775.     fi

  776.     if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then

  777.         chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key

  778.     fi

  779. 

  780.     chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

  781. 

  782.     function_check nginx_ensite

  783.     nginx_ensite $KEYSERVER_DOMAIN_NAME

  784. 

  785.     configure_firewall_for_keyserver

  786. 

  787.     # remove membership file - don't try to sync with other keyservers

  788.     if [ -f /etc/sks/membership ]; then

  789.         rm /etc/sks/membership

  790.     fi

  791. 

  792.     if ! grep -q "pgp-public-keys" /etc/aliases; then

  793.         echo 'pgp-public-keys:      "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases

  794.     fi

  795.     chown -Rc debian-sks: /etc/sks/mailsync

  796. 

  797.     systemctl enable sks

  798.     systemctl restart sks

  799.     systemctl restart nginx

  800. 

  801.     set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"

  802.     set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"

  803.     set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"

  804. 

  805.     keyserver_watchdog

  806. 

  807.     APP_INSTALLED=1

  808. }

  809. 

  810. # NOTE: deliberately no exit 0