freedombone-app-keyserver 31KB

  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # SKS Keyserver
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2017 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  # App metadata and defaults for the SKS keyserver app.
  # NOTE(review): VARIANTS, IN_DEFAULT_INSTALL and SHOW_ON_ABOUT are not read
  # anywhere in this file; presumably the surrounding installer consumes them.
  VARIANTS="full full-vim"
  IN_DEFAULT_INSTALL=0
  SHOW_ON_ABOUT=1

  # Web front end for the keyserver. install_keyserver checks out exactly this
  # commit, so the served pages only change when the pin below is changed.
  KEYSERVER_WEB_REPO='https://github.com/mattrude/pgpkeyserver-lite'
  KEYSERVER_WEB_COMMIT="a038cb79b927c99bf7da62f20d2c6a2f20374339"

  # KEYSERVER_ONION_PORT is the 127.0.0.1 port nginx listens on for the onion
  # site (see install_keyserver).
  KEYSERVER_PORT=11371
  KEYSERVER_ONION_PORT=8122

  # Left empty here; filled in during interactive install.
  KEYSERVER_DOMAIN_NAME=''
  KEYSERVER_CODE=''

  # Names of the configuration variables this app works with.
  keyserver_variables=(
    ONION_ONLY
    MY_USERNAME
    DEFAULT_DOMAIN_NAME
    KEYSERVER_DOMAIN_NAME
    KEYSERVER_CODE
  )
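  function check_keyserver_directory_size {
    # Reports whether the SKS database directory has grown past the limit.
    # Outputs: "1" on stdout when /var/lib/sks/DB is larger than 500000 KiB
    #          (the "500M" limit), otherwise "0".
    #
    # The backup functions use this as a guard against backing up a database
    # that has been flooded, so the measurement must not fail quietly.
    # `du -sk` prints one summary line in KiB; plain `du` prints one line per
    # subdirectory, and a multi-line value made the numeric test error out,
    # which left the answer at "0" no matter how large the directory was.
    local dirsize
    dirsize=$(du -sk /var/lib/sks/DB | awk '{print $1}')

    # If du produced nothing usable (e.g. the directory is missing), treat the
    # size as zero rather than handing a non-number to the comparison below.
    if [[ ! "$dirsize" =~ ^[0-9]+$ ]]; then
      dirsize=0
    fi

    # 500M
    if [ "$dirsize" -gt 500000 ]; then
      echo "1"
      return
    fi
    echo "0"
  }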
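  function keyserver_watchdog {
    # Installs /etc/cron.hourly/keyserver-watchdog, an hourly check on the size
    # of the SKS database directory.
    # Globals:  COMPLETION_FILE, HOSTNAME, PROJECT_NAME (read);
    #           ADMIN_USERNAME, ADMIN_EMAIL_ADDRESS, KEYSERVER_DOMAIN_NAME and
    #           the keyserver_* message variables (written)
    #
    # The generated script mails the admin above 450000 KiB and, above
    # 500000 KiB, disables the site and stops/disables the sks service. It is
    # the protection against key-flooding filling the disk, so it must not
    # break on its own input:
    #  * `du -sk` yields a single summary figure (plain `du` prints one line
    #    per subdirectory, which makes the numeric test fail);
    #  * the size is quoted and defaults to 0 if du printed nothing;
    #  * the interpolated messages and addresses are shell-quoted with %q so a
    #    quote or `$` in a translated string cannot alter the generated code.
    ADMIN_USERNAME=$(grep "Admin user" "$COMPLETION_FILE" | awk -F ':' '{print $2}')
    ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
    keyserver_size_warning=$"The SKS keyserver database is getting large. Check that you aren't being spammed"
    keyserver_disabled_warning=$"The SKS keyserver has been disabled because it is getting too large. This is to prevent flooding attacks from crashing the server."
    keyserver_mail_subject_line=$"${PROJECT_NAME} keyserver warning"
    keyserver_mail_subject_line_disabled=$"${PROJECT_NAME} keyserver disabled"
    read_config_param KEYSERVER_DOMAIN_NAME

    keyserver_watchdog_script=/etc/cron.hourly/keyserver-watchdog

    # NOTE(review): the generated script calls nginx_dissite by name. If that
    # is only a shell function of this project it will not be defined when
    # cron runs the script, and the site would stay enabled - confirm that it
    # resolves in the cron environment.
    {
      printf '%s\n' '#!/bin/bash'
      printf '%s\n' "dirsize=\$(du -sk /var/lib/sks/DB | awk '{print \$1}')"
      printf '%s\n' 'if [ "${dirsize:-0}" -gt 450000 ]; then'
      printf ' echo %q | mail -s %q %q\n' \
        "$keyserver_size_warning" "$keyserver_mail_subject_line" "$ADMIN_EMAIL_ADDRESS"
      printf '%s\n' ' if [ "${dirsize:-0}" -gt 500000 ]; then'
      printf ' nginx_dissite %q\n' "$KEYSERVER_DOMAIN_NAME"
      printf '%s\n' ' systemctl stop sks'
      printf '%s\n' ' systemctl disable sks'
      printf ' echo %q | mail -s %q %q\n' \
        "$keyserver_disabled_warning" "$keyserver_mail_subject_line_disabled" "$ADMIN_EMAIL_ADDRESS"
      printf '%s\n' ' fi'
      printf '%s\n' 'fi'
    } > "$keyserver_watchdog_script"
    chmod +x "$keyserver_watchdog_script"
  }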
  function configure_firewall_for_keyserver {
    # Opens the keyserver TCP ports in the firewall for clearnet installs.
    # Does nothing (and returns success) unless ONION_ONLY is exactly "no".
    # Ports: 11370 is the sks recon port and 11371/11372 are the nginx
    # HTTP/TLS listeners configured by install_keyserver.
    [[ $ONION_ONLY == "no" ]] || return 0

    local keyserver_port
    for keyserver_port in 11370 11371 11372; do
      firewall_add keyserver "$keyserver_port" tcp
    done
    mark_completed "${FUNCNAME[0]}"
  }
  function keyserver_reset_database {
    # Throws away any existing SKS key database, rebuilds it with `sks build`,
    # hands /var/lib/sks back to the debian-sks account and restarts the
    # service. Destructive: every stored key is lost.
    # NOTE(review): `sks build` is run in whatever the current directory is;
    # keyserver_import_keys changes to /var/lib/sks first, install_keyserver
    # does not - confirm which directory the build expects.
    local sks_db_dir=/var/lib/sks/DB

    [ ! -d "$sks_db_dir" ] || rm -rf "$sks_db_dir"
    sks build
    chown -Rc debian-sks: /var/lib/sks
    systemctl restart sks
  }
  function logging_on_keyserver {
    # Empty hook: prints nothing and returns success. The nginx site written
    # by install_keyserver sends access and error logs to /dev/null and this
    # hook does not change that.
    printf ''
  }
  function logging_off_keyserver {
    # Empty hook: prints nothing and returns success.
    printf ''
  }
  function reconfigure_keyserver {
    # Empty hook: prints nothing and returns success.
    printf ''
  }
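  function upgrade_keyserver {
    # Re-installs the watchdog cron job and, when the pinned web front-end
    # commit has changed, moves the site checkout to KEYSERVER_WEB_COMMIT and
    # re-applies the admin's key ID and address to the landing pages.
    # Globals:  COMPLETION_FILE, KEYSERVER_WEB_COMMIT, KEYSERVER_WEB_REPO,
    #           HOSTNAME (read); CURR_KEYSERVER_WEB_COMMIT,
    #           KEYSERVER_DOMAIN_NAME, MY_USERNAME, USER_EMAIL_ADDRESS,
    #           GPG_ID (written)
    # Exits non-zero when the admin's GPG key ID cannot be obtained.
    keyserver_watchdog

    CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
    if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
      return
    fi

    if grep -q "keyserver domain" "$COMPLETION_FILE"; then
      KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")
    fi

    # update to the next commit
    function_check set_repo_commit
    set_repo_commit "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs" "keyserver web commit" "$KEYSERVER_WEB_COMMIT" "$KEYSERVER_WEB_REPO"

    read_config_param MY_USERNAME
    USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
    # The address is spliced into a command string, so MY_USERNAME and HOSTNAME
    # must only ever come from trusted configuration.
    GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)

    # Exit statuses are truncated to 8 bits. The code previously used here,
    # 846336, is 3306*256 and therefore reached the caller as 0 (success), so
    # a missing key ID looked like a successful upgrade. The two codes below
    # still truncate to non-zero values (835292 -> 220, 74825 -> 73).
    if [ -z "$GPG_ID" ]; then
      echo $'No GPG ID for admin user'
      exit 1
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
      echo $'GPG ID not retrieved for admin user'
      exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
      echo $'GPG ID not retrieved for admin user due to error'
      exit 74825
    fi

    local keyserver_page
    for keyserver_page in 404.html index.html; do
      sed -i \
        -e "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" \
        -e "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" \
        "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs/$keyserver_page"
    done
    chown -R www-data:www-data "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs"
  }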
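  function backup_local_keyserver {
    # Backs up the SKS configuration (/etc/sks) and then the key database
    # (/var/lib/sks/DB) to the local backup drive, stopping sks while each
    # directory is copied. The database is skipped when
    # check_keyserver_directory_size reports it as too large.
    # Globals: source_directory, dest_directory (written)

    # remove any unused log files
    # `db_archive -d` deletes files relative to the current directory, so only
    # run it once the cd into the database directory has actually succeeded.
    if cd /var/lib/sks/DB; then
      db_archive -d
    fi

    source_directory=/etc/sks
    if [ -d "$source_directory" ]; then
      systemctl stop sks
      dest_directory=keyserverconfig
      function_check backup_directory_to_usb
      backup_directory_to_usb "$source_directory" "$dest_directory"
      systemctl start sks
    fi

    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
      echo $'WARNING: Keyserver database size is too large to backup'
      return
    fi

    source_directory=/var/lib/sks/DB
    if [ -d "$source_directory" ]; then
      systemctl stop sks
      dest_directory=keyserver
      function_check backup_directory_to_usb
      backup_directory_to_usb "$source_directory" "$dest_directory"
      systemctl start sks
    fi
  }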
  function restore_local_keyserver {
    # Restores the SKS configuration and key database from the local backup
    # drive. Returns straight away when no database directory exists.
    # The current database is kept as DB_prev while the restored copy is put
    # in place and is moved back if that copy fails.
    # Note: on a failed database copy the script exits (5627294 is truncated
    # to exit status 158) and sks is left stopped.
    # Globals: temp_restore_dir (written)
    [ -d /var/lib/sks/DB ] || return 0

    echo $"Restoring SKS Keyserver"
    systemctl stop sks

    # --- configuration ---
    temp_restore_dir=/root/tempkeyserverconfig
    function_check restore_directory_from_usb
    restore_directory_from_usb "$temp_restore_dir" keyserverconfig
    cp -r "$temp_restore_dir"/etc/sks/* /etc/sks/
    rm -rf "$temp_restore_dir"
    local restored_file
    for restored_file in /etc/sks/sksconf /etc/sks/mailsync; do
      chown -Rc debian-sks: "$restored_file"
    done

    # --- key database ---
    temp_restore_dir=/root/tempkeyserver
    function_check restore_directory_from_usb
    restore_directory_from_usb "$temp_restore_dir" keyserver
    mv /var/lib/sks/DB /var/lib/sks/DB_prev
    if ! cp -r "$temp_restore_dir/var/lib/sks/DB" /var/lib/sks/DB; then
      # restore the old database
      rm -rf /var/lib/sks/DB
      mv /var/lib/sks/DB_prev /var/lib/sks/DB
      rm -rf "$temp_restore_dir"
      function_check set_user_permissions
      set_user_permissions
      function_check backup_unmount_drive
      backup_unmount_drive
      exit 5627294
    fi
    rm -rf "$temp_restore_dir"
    # Files were copied as root; give them back to the service account.
    chown -Rc debian-sks: /var/lib/sks

    # remove the old database
    rm -rf /var/lib/sks/DB_prev
    systemctl start sks
  }
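  function backup_remote_keyserver {
    # Backs up the SKS configuration (/etc/sks) and then the key database
    # (/var/lib/sks/DB) to a remote friend's server, stopping sks while each
    # directory is copied. The database is skipped when
    # check_keyserver_directory_size reports it as too large.
    # Globals: source_directory, dest_directory (written)

    # remove any unused log files
    # `db_archive -d` deletes files relative to the current directory, so only
    # run it once the cd into the database directory has actually succeeded.
    if cd /var/lib/sks/DB; then
      db_archive -d
    fi

    source_directory=/etc/sks
    if [ -d "$source_directory" ]; then
      systemctl stop sks
      dest_directory=keyserverconfig
      function_check backup_directory_to_friend
      backup_directory_to_friend "$source_directory" "$dest_directory"
      systemctl start sks
    fi

    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
      echo $'WARNING: Keyserver database size is too large to backup'
      return
    fi

    source_directory=/var/lib/sks/DB
    if [ -d "$source_directory" ]; then
      systemctl stop sks
      dest_directory=keyserver
      function_check backup_directory_to_friend
      backup_directory_to_friend "$source_directory" "$dest_directory"
      systemctl start sks
    fi
  }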
  function restore_remote_keyserver {
    # Restores the SKS configuration and key database from a remote friend's
    # server. Returns straight away when no database directory exists.
    # The current database is kept as DB_prev while the restored copy is put
    # in place and is moved back if that copy fails.
    # Note: on a failed database copy the function returns with sks still
    # stopped.
    # Globals: temp_restore_dir (written)
    [ -d /var/lib/sks/DB ] || return 0

    echo $"Restoring SKS Keyserver"
    systemctl stop sks

    # --- configuration ---
    temp_restore_dir=/root/tempkeyserverconfig
    function_check restore_directory_from_friend
    restore_directory_from_friend "$temp_restore_dir" keyserverconfig
    cp -r "$temp_restore_dir"/etc/sks/* /etc/sks/
    rm -rf "$temp_restore_dir"
    local restored_file
    for restored_file in /etc/sks/sksconf /etc/sks/mailsync; do
      chown -Rc debian-sks: "$restored_file"
    done

    # --- key database ---
    temp_restore_dir=/root/tempkeyserver
    function_check restore_directory_from_friend
    restore_directory_from_friend "$temp_restore_dir" keyserver
    mv /var/lib/sks/DB /var/lib/sks/DB_prev
    if ! cp -r "$temp_restore_dir/var/lib/sks/DB" /var/lib/sks/DB; then
      # restore the old database
      rm -rf /var/lib/sks/DB
      mv /var/lib/sks/DB_prev /var/lib/sks/DB
      rm -rf "$temp_restore_dir"
      function_check set_user_permissions
      set_user_permissions
      return
    fi
    rm -rf "$temp_restore_dir"
    # Files were copied as root; give them back to the service account.
    chown -Rc debian-sks: /var/lib/sks

    # remove the old database
    rm -rf /var/lib/sks/DB_prev
    systemctl start sks
  }
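  function remove_keyserver {
    # Uninstalls the keyserver: stops sks, removes the watchdog cron job, the
    # packages, the nginx site and web root, certificates, dynamic DNS entry,
    # onion services, firewall rules, completion records and the sks data.
    # Globals: KEYSERVER_DOMAIN_NAME (via read_config_param),
    #          KEYSERVER_ONION_PORT, COMPLETION_FILE (read)
    systemctl stop sks
    if [ -f /etc/cron.hourly/keyserver-watchdog ]; then
      rm /etc/cron.hourly/keyserver-watchdog
    fi
    apt-get -qy remove sks dirmngr

    read_config_param "KEYSERVER_DOMAIN_NAME"
    nginx_dissite "$KEYSERVER_DOMAIN_NAME"
    remove_certs "${KEYSERVER_DOMAIN_NAME}"
    if [ -f "/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME" ]; then
      rm -f "/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME"
    fi
    # With an empty domain name the path below collapses to /var/www/ and the
    # recursive delete would take every hosted site with it, so the web root
    # is only removed when the name is actually set.
    if [ -n "$KEYSERVER_DOMAIN_NAME" ] && [ -d "/var/www/$KEYSERVER_DOMAIN_NAME" ]; then
      rm -rf "/var/www/$KEYSERVER_DOMAIN_NAME"
    fi
    function_check remove_ddns_domain
    remove_ddns_domain "$KEYSERVER_DOMAIN_NAME"

    remove_config_param KEYSERVER_DOMAIN_NAME
    remove_config_param KEYSERVER_CODE
    function_check remove_onion_service
    remove_onion_service keyserver "${KEYSERVER_ONION_PORT}"
    remove_onion_service sks 11370 11371 11372
    remove_completion_param "install_keyserver"

    local keyserver_port
    for keyserver_port in 11370 11371 11372; do
      firewall_remove "$keyserver_port" tcp
    done

    sed -i '/keyserver/d' "$COMPLETION_FILE"
    sed -i '/sks onion/d' "$COMPLETION_FILE"

    if [ -d /var/lib/sks ]; then
      rm -rf /var/lib/sks
    fi
  }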
  function install_interactive_keyserver {
    # Collects the site details before installation.
    # Onion-only installs get the fixed name 'keyserver.local' written to the
    # configuration; clearnet installs ask the user for the domain and code.
    # Globals: ONION_ONLY (defaulted to 'no' when empty), KEYSERVER_DOMAIN_NAME,
    #          APP_INSTALLED (written)
    if [ ! $ONION_ONLY ]; then
      ONION_ONLY='no'
    fi

    case "$ONION_ONLY" in
      no)
        function_check interactive_site_details
        interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"
        ;;
      *)
        KEYSERVER_DOMAIN_NAME='keyserver.local'
        write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"
        ;;
    esac
    APP_INSTALLED=1
  }
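  function keyserver_create_mailsync {
    # Makes sure /etc/sks/mailsync exists and belongs to debian-sks.
    # The file is only written when it is missing. It used to be rewritten on
    # every call, and keyserver_sync calls this right before appending a new
    # address, so each sync discarded the addresses added earlier. This now
    # mirrors keyserver_create_membership, which also leaves an existing file
    # alone.
    if [ ! -f /etc/sks/mailsync ]; then
      {
        echo $"# List of email addresses which submitted keys will be forwarded to"
        echo ''
      } > /etc/sks/mailsync
    fi
    chown -Rc debian-sks: /etc/sks/mailsync
  }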
  function keyserver_create_membership {
    # Creates /etc/sks/membership with an explanatory header if it does not
    # exist yet; an existing file is left untouched. sks is stopped while the
    # file is written and started again afterwards.
    # Globals: PROJECT_NAME (read)
    local membership_file=/etc/sks/membership

    [ ! -f "$membership_file" ] || return 0

    systemctl stop sks
    {
      echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with."
      echo '#'
      echo $"# Don't add major keyservers here, because it will take an"
      echo $'# Infeasible amount of time to sync and backups will become'
      echo $'# absurdly long and probably break your system. You have been warned.'
      echo ''
    } > "$membership_file"
    chown -Rc debian-sks: "$membership_file"
    systemctl start sks
  }
  function keyserver_import_keys {
    # NOTE: this function isn't used, but kept for reference
    #
    # After confirmation, downloads today's public key dump into
    # /var/lib/sks/dump and rebuilds the keyserver database from scratch.
    # Security: the dump comes from a third-party host over HTTPS and nothing
    # here verifies a signature or checksum before the database is rebuilt.
    # It also bypasses the small-database assumption that the watchdog and the
    # backup size check rely on.
    # Globals: sel, KEYSERVER_DUMP_URL (written)
    dialog --title $"Import public keys database" \
      --backtitle $"Freedombone Control Panel" \
      --defaultno \
      --yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60
    sel=$?
    # 1 = "No", 255 = dialog closed with ESC
    if [ "$sel" = 1 ] || [ "$sel" = 255 ]; then
      return 0
    fi

    [ -d /var/lib/sks/dump ] || mkdir -p /var/lib/sks/dump
    cd /var/lib/sks/dump
    echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'
    rm -rf /var/lib/sks/dump/*

    KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"
    wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \
      -A pgp,txt $KEYSERVER_DUMP_URL

    cd /var/lib/sks
    echo $'Building the keyserver database from the downloaded dump'
    keyserver_reset_database
  }
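  function keyserver_sync {
    # Asks for another keyserver (domain, recon port, optional sync email) and
    # adds it to /etc/sks/membership and /etc/sks/mailsync, then restarts sks.
    # Globals: PROJECT_NAME (read); data, sel, other_keyserver_domain,
    #          other_keyserver_port, other_keyserver_email (written)
    #
    # The typed values end up in files read by the keyserver and in grep/sed
    # patterns, so they are validated before use:
    #  * the domain may only contain letters, digits, '.', '_' and '-', must
    #    start with a letter or digit, contain a dot and be 4+ characters;
    #  * the port must be all digits, 4+ characters and no larger than 65535.
    # Invalid input is dropped silently, as before.
    data=$(mktemp 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle $"Freedombone Control Panel" \
      --title $"Sync with other keyserver" \
      --form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \
      $"Domain:" 1 1 "" 1 25 32 64 \
      $"Port:" 2 1 "11370" 2 25 6 6 \
      $"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \
      2> "$data"
    sel=$?

    other_keyserver_domain=$(sed -n 1p "$data")
    other_keyserver_port=$(sed -n 2p "$data")
    other_keyserver_email=$(sed -n 3p "$data")
    # The answers are in variables now; do not leave the temp file around
    # until the shell exits.
    rm -f "$data"

    # 1 = Cancel, 255 = dialog closed with ESC
    case $sel in
      1 | 255) return 0 ;;
    esac

    if [[ ! "$other_keyserver_domain" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
      || [[ "$other_keyserver_domain" != *'.'* ]] \
      || [ ${#other_keyserver_domain} -lt 4 ]; then
      return
    fi
    # 10# forces base 10 so a leading zero is not read as octal.
    if [[ ! "$other_keyserver_port" =~ ^[0-9]+$ ]] \
      || [ ${#other_keyserver_port} -lt 4 ] \
      || ((10#$other_keyserver_port > 65535)); then
      return
    fi

    # Warn if trying to sync
    if [[ "$other_keyserver_domain" == *"sks-keyservers.net" || "$other_keyserver_domain" == *"gnupg.net" || "$other_keyserver_domain" == *"pgp.com" || "$other_keyserver_domain" == *"pgp.mit.edu" || "$other_keyserver_domain" == *"the.earth.li" || "$other_keyserver_domain" == *"mayfirst.org" || "$other_keyserver_domain" == *"ubuntu.com" ]]; then
      dialog --title $"Sync with other keyserver" \
        --msgbox $"\nDon't try to sync with the major keyservers. Your system will be overloaded with an infeasible database size." 8 60
      return
    fi

    # The email is optional: the untouched default and values without an '@'
    # are ignored; a value with '@' but no '.' is rejected with a message.
    if [[ "$other_keyserver_email" != "pgp-public-keys@" && "$other_keyserver_email" == *"@"* ]]; then
      if [[ "$other_keyserver_email" == *"."* ]]; then
        keyserver_create_mailsync
        # -F: compare the address literally, not as a regular expression.
        if ! grep -qF -- "$other_keyserver_email" /etc/sks/mailsync; then
          echo "$other_keyserver_email" >> /etc/sks/mailsync
          chown -Rc debian-sks: /etc/sks/mailsync
        fi
      else
        dialog --title $"Sync with other keyserver" \
          --msgbox $"Email doesn't look right: $other_keyserver_email" 6 60
        return
      fi
    fi

    keyserver_create_membership

    # Match the domain literally and from the start of the line, so that
    # "example.org" neither matches "sub.example.org" nor has its dots treated
    # as wildcards.
    local domain_re=${other_keyserver_domain//./\\.}
    if grep -Eq "^${domain_re} ${other_keyserver_port}([[:space:]]|\$)" /etc/sks/membership; then
      return
    fi
    if grep -q "^${domain_re} " /etc/sks/membership; then
      sed -i "s|^${domain_re} .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership
    else
      echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership
    fi
    chown -Rc debian-sks: /etc/sks/membership
    systemctl restart sks
    dialog --title $"Sync with other keyserver" \
      --msgbox $"Keyserver added" 6 40
  }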
  function keyserver_edit {
    # Opens the sync membership list in the default editor, then restores its
    # ownership to debian-sks and restarts sks so the change is picked up.
    # Does nothing when the membership file does not exist.
    local membership_file=/etc/sks/membership

    if [ -f "$membership_file" ]; then
      editor "$membership_file"
      chown -Rc debian-sks: "$membership_file"
      systemctl restart sks
    fi
  }
  419. function keyserver_remove_key {
  420. data=$(tempfile 2>/dev/null)
  421. trap "rm -f $data" 0 1 2 5 15
  422. dialog --title $"Remove a key" \
  423. --backtitle $"Freedombone Control Panel" \
  424. --inputbox $"Enter the ID of the key which you wish to remove:" 12 60 2>$data
  425. sel=$?
  426. case $sel in
  427. 0)
  428. remove_key_id=$(<$data)
  429. if [ ${#remove_key_id} -gt 8 ]; then
  430. sks drop $remove_key_id
  431. dialog --title $"Remove a key" \
  432. --msgbox $"The key was removed" 6 40
  433. fi
  434. ;;
  435. esac
  436. }
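  function configure_interactive_keyserver {
    # Control-panel menu for the keyserver: remove a key, add a sync peer,
    # edit the sync list, or exit. Loops until Exit/Cancel is chosen.
    # Globals: data, sel (written)
    local menu_choice
    while true; do
      data=$(mktemp 2>/dev/null)
      trap "rm -f $data" 0 1 2 5 15
      dialog --backtitle $"Freedombone Control Panel" \
        --title $"SKS Keyserver" \
        --radiolist $"Choose an operation:" 12 70 4 \
        1 $"Remove a key" off \
        2 $"Sync with other keyserver" off \
        3 $"Edit sync keyservers" off \
        4 $"Exit" on 2> "$data"
      sel=$?

      # Read the answer and delete the temp file on every pass: the trap only
      # remembers the most recent file, so earlier ones were left behind.
      menu_choice=$(cat "$data")
      rm -f "$data"

      # 1 = Cancel, 255 = dialog closed with ESC
      case $sel in
        1 | 255) return 0 ;;
      esac

      case "$menu_choice" in
        1) keyserver_remove_key ;;
        2) keyserver_sync ;;
        3) keyserver_edit ;;
        4) break ;;
      esac
    done
  }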
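  # Sets "<key>: <value>" in an sks configuration file, whether the existing
  # line is commented out or not. $1 = key, $2 = value (may be empty), $3 = file.
  function _keyserver_sksconf_set {
    local conf_line="$1:"
    if [ -n "$2" ]; then
      conf_line="$1: $2"
    fi
    sed -i -e "s|#$1:.*|$conf_line|g" -e "s|$1:.*|$conf_line|g" "$3"
  }

  # Like _keyserver_sksconf_set, but appends the line when the key is absent.
  function _keyserver_sksconf_ensure {
    if ! grep -q "$1:" "$3"; then
      if [ -n "$2" ]; then
        echo "$1: $2" >> "$3"
      else
        echo "$1:" >> "$3"
      fi
    else
      _keyserver_sksconf_set "$1" "$2" "$3"
    fi
  }

  # Prints the part shared by every nginx server block: logging, web root,
  # short-URL rewrites, the /pks proxy to sks and the closing brace.
  # $1 = port shown in the Via response header.
  function _keyserver_nginx_lookup_section {
    printf '%s\n' \
      ' # Logs' \
      ' access_log /dev/null;' \
      ' error_log /dev/null;' \
      '' \
      ' # Root' \
      " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" \
      '' \
      ' rewrite ^/stats /pks/lookup?op=stats;' \
      ' rewrite ^/s/(.*) /pks/lookup?search=$1;' \
      ' rewrite ^/search/(.*) /pks/lookup?search=$1;' \
      ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' \
      ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' \
      ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' \
      ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' \
      '' \
      ' location /pks {' \
      ' proxy_pass http://127.0.0.1:11373;' \
      ' proxy_pass_header Server;' \
      " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$1 (nginx)\";" \
      ' proxy_ignore_client_abort on;' \
      ' client_max_body_size 8m;' \
      ' }' \
      '}'
  }

  # Prints the 404 page setting and the rule that hides repository files.
  function _keyserver_nginx_hide_repo_files {
    printf '%s\n' \
      ' error_page 404 /404.html;' \
      '' \
      ' location ~ (.git|LICENSE|readme.md) {' \
      ' deny all;' \
      ' return 404;' \
      ' }' \
      ''
  }

  function install_keyserver {
    # Installs and configures the SKS keyserver: packages, a fresh database,
    # the pinned web front end, sksconf, the Tor onion services, the nginx
    # site (clearnet and onion), certificates, firewall and the watchdog.
    # Globals: KEYSERVER_DOMAIN_NAME, KEYSERVER_WEB_REPO, KEYSERVER_WEB_COMMIT,
    #          KEYSERVER_ONION_PORT, MY_USERNAME, HOSTNAME, DEFAULT_DOMAIN_NAME,
    #          ONION_ONLY (read); USER_EMAIL_ADDRESS, GPG_ID, sksconf_file,
    #          SKS_ONION_HOSTNAME, KEYSERVER_ONION_HOSTNAME,
    #          keyserver_nginx_site, APP_INSTALLED (written)
    # Exits non-zero when a required step fails.
    apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
    keyserver_reset_database
    sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
    apt-get -qy install dirmngr
    systemctl restart sks

    # --- web front end, pinned to KEYSERVER_WEB_COMMIT ---
    if [ ! -d "/var/www/$KEYSERVER_DOMAIN_NAME" ]; then
      mkdir "/var/www/$KEYSERVER_DOMAIN_NAME"
    fi
    cd "/var/www/$KEYSERVER_DOMAIN_NAME"
    if [ -d "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs" ]; then
      rm -rf "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs"
    fi
    if [ -d /repos/keyserverweb ]; then
      mkdir htdocs
      cp -r -p /repos/keyserverweb/. htdocs
      cd htdocs
      git pull
    else
      git_clone $KEYSERVER_WEB_REPO htdocs
    fi
    if [ ! -d "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs" ]; then
      echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"
      exit 6539230
    fi
    cd "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs"
    git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT
    set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"

    # --- admin key ID shown on the landing pages ---
    USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
    # The address is spliced into a command string, so MY_USERNAME and HOSTNAME
    # must only ever come from trusted configuration.
    GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
    # Exit statuses are truncated to 8 bits. The code previously used here,
    # 846336, is 3306*256 and therefore reached the caller as 0 (success), so
    # an install without a key ID looked successful. The other codes in this
    # function still truncate to non-zero values.
    if [ -z "$GPG_ID" ]; then
      echo $'No GPG ID for admin user'
      exit 1
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
      echo $'GPG ID not retrieved for admin user'
      exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
      echo $'GPG ID not retrieved for admin user due to error'
      exit 74825
    fi
    local keyserver_page
    for keyserver_page in 404.html index.html; do
      sed -i \
        -e "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" \
        -e "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" \
        "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs/$keyserver_page"
    done

    # --- sksconf ---
    # sks itself serves HKP on 127.0.0.1:11373 only; nginx is the public
    # front end. The recon (peer sync) port listens on all interfaces.
    sksconf_file=/etc/sks/sksconf
    _keyserver_sksconf_set hostname "$KEYSERVER_DOMAIN_NAME" "$sksconf_file"
    _keyserver_sksconf_set hkp_port 11373 "$sksconf_file"
    _keyserver_sksconf_set recon_port 11370 "$sksconf_file"
    _keyserver_sksconf_set recon_address 0.0.0.0 "$sksconf_file"
    _keyserver_sksconf_set hkp_address 127.0.0.1 "$sksconf_file"
    _keyserver_sksconf_set from_addr "\"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"" "$sksconf_file"
    sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' "$sksconf_file"
    if ! grep -q "#disable_mailsync" "$sksconf_file"; then
      echo '#disable_mailsync:' >> "$sksconf_file"
    else
      sed -i 's|disable_mailsync:|#disable_mailsync:|g' "$sksconf_file"
    fi
    _keyserver_sksconf_ensure membership_reload_interval 1 "$sksconf_file"
    _keyserver_sksconf_ensure max_matches 50 "$sksconf_file"
    # Random hour between 1 and 8 for the daily statistics run.
    _keyserver_sksconf_ensure stat_hour "$((1 + RANDOM % 8))" "$sksconf_file"
    _keyserver_sksconf_ensure disable_log_diffs "" "$sksconf_file"
    _keyserver_sksconf_ensure debuglevel 0 "$sksconf_file"
    chown debian-sks: "$sksconf_file"

    # --- Tor onion service for sks ---
    # NOTE(review): virtual port 11373 is forwarded to 127.0.0.1:11371, which
    # nginx only listens on when ONION_ONLY is "no" - confirm this is intended
    # for onion-only installs.
    if ! grep -q "hidden_service_sks" /etc/tor/torrc; then
      {
        echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/'
        echo "HiddenServicePort 11370 127.0.0.1:11370"
        echo "HiddenServicePort 11373 127.0.0.1:11371"
        echo "HiddenServicePort 11372 127.0.0.1:11372"
      } >> /etc/tor/torrc
      echo $'Added onion site for sks'
    fi
    onion_update
    wait_for_onion_service 'sks'
    if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then
      echo $'sks onion site hostname not found'
      exit 8352982
    fi
    SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)
    KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})

    # --- nginx site ---
    # nginx_ssl and nginx_disable_sniffing are called with the domain only and
    # presumably append to the same site file, so each group of lines below is
    # written out before they run.
    keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
    if [[ $ONION_ONLY == "no" ]]; then
      # NOTE: without http active on port 80 the keyserver doesn't work
      # from the commandline
      {
        printf '%s\n' \
          'server {' \
          ' listen 80;' \
          ' listen 0.0.0.0:11371;' \
          ' listen [::]:80;' \
          " server_name $KEYSERVER_DOMAIN_NAME;" \
          ''
        _keyserver_nginx_lookup_section 11371
        printf '%s\n' \
          '' \
          'server {' \
          ' listen 443 ssl;' \
          ' listen 0.0.0.0:11372 ssl;' \
          ' listen [::]:443 ssl;' \
          " server_name $KEYSERVER_DOMAIN_NAME;" \
          ''
        _keyserver_nginx_hide_repo_files
        printf '%s\n' ' # Security'
      } > "$keyserver_nginx_site"
      function_check nginx_ssl
      nginx_ssl $KEYSERVER_DOMAIN_NAME
      function_check nginx_disable_sniffing
      nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
      {
        printf '%s\n' \
          ' add_header Strict-Transport-Security max-age=15768000;' \
          ''
        _keyserver_nginx_lookup_section 11372
        printf '%s\n' ''
      } >> "$keyserver_nginx_site"
    else
      printf '' > "$keyserver_nginx_site"
    fi

    # Onion site, reachable only through 127.0.0.1.
    {
      printf '%s\n' \
        'server {' \
        " listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" \
        " server_name $KEYSERVER_ONION_HOSTNAME;" \
        ''
      _keyserver_nginx_hide_repo_files
    } >> "$keyserver_nginx_site"
    function_check nginx_disable_sniffing
    nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
    {
      printf '%s\n' ''
      # The onion block used to set its root to .../mail, a directory nothing
      # in this function creates; it now serves the same htdocs checkout as
      # the clearnet blocks, which is where /404.html lives.
      _keyserver_nginx_lookup_section "$KEYSERVER_ONION_PORT"
    } >> "$keyserver_nginx_site"

    # --- certificates ---
    function_check create_site_certificate
    if [ ! -f "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem" ]; then
      create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'
    fi
    if [ -f "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt" ]; then
      mv "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt" "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem"
    fi
    if [ -f "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem" ]; then
      chown root:root "/etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem"
      # Escape the dot so only a literal ".crt" is rewritten; unescaped it
      # matched any character followed by "crt".
      sed -i 's|\.crt|.pem|g' "/etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}"
    fi
    if [ -f "/etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key" ]; then
      chown root:root "/etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key"
    fi

    chown -R www-data:www-data "/var/www/$KEYSERVER_DOMAIN_NAME/htdocs"

    function_check nginx_ensite
    nginx_ensite $KEYSERVER_DOMAIN_NAME

    configure_firewall_for_keyserver

    # remove membership file - don't try to sync with other keyservers
    if [ -f /etc/sks/membership ]; then
      rm /etc/sks/membership
    fi

    # Mail sent to pgp-public-keys is piped into sks.
    if ! grep -q "pgp-public-keys" /etc/aliases; then
      echo 'pgp-public-keys: "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases
    fi
    chown -Rc debian-sks: /etc/sks/mailsync

    systemctl enable sks
    systemctl restart sks
    systemctl restart nginx

    set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
    set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"
    set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"

    keyserver_watchdog

    APP_INSTALLED=1
  }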
  726. # NOTE: deliberately no exit 0