free
/
freedombone
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
9299 Revīzijas
5 Atzari
Koks: 45e1e83e63
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '45e1e83e63'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 45KB
Vēsture Neapstrādāts

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151 
  1. #!/bin/bash

  2. #  _____               _           _

  3. # |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___

  4. # |   __|  _| -_| -_| . | . |     | . | . |   | -_|

  5. # |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|

  6. #

  7. #                              Freedom in the Cloud

  8. #

  9. # Web related functions

  10. #

  11. # License

  12. # =======

  13. #

  14. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>

  15. #

  16. # This program is free software: you can redistribute it and/or modify

  17. # it under the terms of the GNU Affero General Public License as published by

  18. # the Free Software Foundation, either version 3 of the License, or

  19. # (at your option) any later version.

  20. #

  21. # This program is distributed in the hope that it will be useful,

  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24. # GNU Affero General Public License for more details.

  25. #

  26. # You should have received a copy of the GNU Affero General Public License

  27. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28. 

  29. # default search engine for command line browser

  30. DEFAULT_SEARCH='https://searx.laquadrature.net'

  31. 

  32. # onion port for the default domain

  33. DEFAULT_DOMAIN_ONION_PORT=8099

  34. 

  35. # Whether Let's Encrypt is enabled for all sites

  36. LETSENCRYPT_ENABLED="yes"

  37. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  38. 

  39. # list of encryption protocols

  40. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  41. 

  42. # Mozilla recommended default ciphers. These work better on Android

  43. # See https://wiki.mozilla.org/Security/Server_Side_TLS

  44. SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

  45. 

  46. # some mobile apps (eg. NextCloud) have not very good cipher compatibility.

  47. # These ciphers can be used for those cases

  48. SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"

  49. 

  50. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  51. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  52. 

  53. # memory limit for php in MB

  54. MAX_PHP_MEMORY=64

  55. 

  56. # logging level for Nginx

  57. WEBSERVER_LOG_LEVEL='warn'

  58. 

  59. # test a domain name to see if it's valid

  60. function validate_domain_name {

  61.     # count the number of dots in the domain name

  62.     dots=${TEST_DOMAIN_NAME//[^.]}

  63.     no_of_dots=${#dots}

  64.     if (( no_of_dots > 3 )); then

  65.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  66.     fi

  67.     if (( no_of_dots == 0 )); then

  68.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  69.     fi

  70. }

  71. 

  72. function nginx_security_options {

  73.     domain_name=$1

  74.     filename=/etc/nginx/sites-available/$domain_name

  75.     { echo '    add_header X-Frame-Options DENY;';

  76.       echo '    add_header X-Content-Type-Options nosniff;';

  77.       echo '    add_header X-XSS-Protection "1; mode=block";';

  78.       echo '    add_header X-Robots-Tag none;';

  79.       echo '    add_header X-Download-Options noopen;';

  80.       echo '    add_header X-Permitted-Cross-Domain-Policies none;';

  81.       echo ''; } >> "$filename"

  82. }

  83. 

  84. function nginx_limits {

  85.     domain_name=$1

  86.     max_body='20m'

  87.     if [ "$2" ]; then

  88.         max_body=$2

  89.     fi

  90.     filename=/etc/nginx/sites-available/$domain_name

  91.     { echo "        client_max_body_size ${max_body};";

  92.       echo '        client_body_buffer_size 128k;';

  93.       echo '';

  94.       echo '        limit_conn conn_limit_per_ip 10;';

  95.       echo '        limit_req zone=req_limit_per_ip burst=10 nodelay;';

  96.       echo ''; } >> "$filename"

  97. }

  98. 

  99. function nginx_stapling {

  100.     domain_name="$1"

  101.     filename=/etc/nginx/sites-available/$domain_name

  102.     { echo "    ssl_stapling on;";

  103.       echo '    ssl_stapling_verify on;';

  104.       echo "    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;";

  105.       echo ''; } >> "$filename"

  106. }

  107. 

  108. function nginx_http_redirect {

  109.     # redirect port 80 to https

  110.     domain_name=$1

  111.     filename=/etc/nginx/sites-available/$domain_name

  112.     { echo 'server {';

  113.       echo '    listen 80;';

  114.       echo '    listen [::]:80;';

  115.       echo "    server_name ${domain_name};";

  116.       echo "    root /var/www/${domain_name}/htdocs;";

  117.       echo '    access_log /dev/null;';

  118.       echo "    error_log /dev/null;"; } > "$filename"

  119.     function_check nginx_limits

  120.     nginx_limits "$domain_name"

  121.     if [ ${#2} -gt 0 ]; then

  122.         echo "    $2;" >> "$filename"

  123.     fi

  124.     { echo "    rewrite ^ https://\$server_name\$request_uri? permanent;";

  125.       echo '}';

  126.       echo ''; } >> "$filename"

  127. }

  128. 

  129. function nginx_compress {

  130.     domain_name=$1

  131.     filename=/etc/nginx/sites-available/$domain_name

  132. 

  133.     { echo '    gzip            on;';

  134.       echo '    gzip_min_length 1000;';

  135.       echo '    gzip_proxied    expired no-cache no-store private auth;';

  136.       echo '    gzip_types      text/plain application/xml;'; } >> "$filename"

  137. }

  138. 

  139. function nginx_ssl {

  140.     # creates the SSL/TLS section for a website

  141.     domain_name=$1

  142.     mobile_ciphers=$2

  143.     filename=/etc/nginx/sites-available/$domain_name

  144. 

  145.     { echo '    ssl_stapling off;';

  146.       echo '    ssl_stapling_verify off;';

  147.       echo '    ssl on;';

  148.       echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;";

  149.       echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;";

  150.       echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;";

  151.       echo '';

  152.       echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;';

  153.       echo '    ssl_session_timeout 60m;';

  154.       echo '    ssl_prefer_server_ciphers on;';

  155.       echo "    ssl_protocols $SSL_PROTOCOLS;"; } >> "$filename"

  156.     if [ "$mobile_ciphers" ]; then

  157.         echo "    # Mobile compatible ciphers" >> "$filename"

  158.         echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> "$filename"

  159.     else

  160.         echo "    ssl_ciphers '$SSL_CIPHERS';" >> "$filename"

  161.     fi

  162.     echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> "$filename"

  163. 

  164.     #nginx_stapling $1

  165. }

  166. 

  167. # check an individual domain name

  168. function test_domain_name {

  169.     if [ "$1" ]; then

  170.         TEST_DOMAIN_NAME=$1

  171.         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then

  172.             function_check validate_domain_name

  173.             validate_domain_name

  174.             if [[ "$TEST_DOMAIN_NAME" != "$1" ]]; then

  175.                 echo $"Invalid domain name $TEST_DOMAIN_NAME"

  176.                 exit 8528

  177.             fi

  178.         fi

  179.     fi

  180. }

  181. 

  182. # Checks whether certificates were generated for the given hostname

  183. function check_certificates {

  184.     if [ ! "$1" ]; then

  185.         echo $'No certificate name provided'

  186.         exit 3568736585683

  187.     fi

  188.     USE_LETSENCRYPT='no'

  189.     if [ "$2" ]; then

  190.         USE_LETSENCRYPT="$2"

  191.     fi

  192.     if [[ $USE_LETSENCRYPT == 'no' || "$ONION_ONLY" != 'no' ]]; then

  193.         if [ ! -f "/etc/ssl/private/${1}.key" ]; then

  194.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  195.             exit 63959

  196.         fi

  197.         if [ ! -f "/etc/ssl/certs/${1}.crt" ]; then

  198.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  199.             exit 7679

  200.         fi

  201. 

  202.         if grep -q "${1}.pem" "/etc/nginx/sites-available/${1}"; then

  203.             sed -i "s|${1}.pem|${1}.crt|g" "/etc/nginx/sites-available/${1}"

  204.         fi

  205.     else

  206.         if [ ! -f "/etc/letsencrypt/live/${1}/privkey.pem" ]; then

  207.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  208.             exit 6282

  209.         fi

  210.         if [ ! -f "/etc/letsencrypt/live/${1}/fullchain.pem" ]; then

  211.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  212.             exit 5328

  213.         fi

  214.         if grep -q "${1}.crt" "/etc/nginx/sites-available/${1}"; then

  215.             sed -i "s|${1}.crt|${1}.pem|g" "/etc/nginx/sites-available/${1}"

  216.         fi

  217.     fi

  218.     if [ ! -f "/etc/ssl/certs/${1}.dhparam" ]; then

  219.         echo $"DiffieHellman parameters for ${CHECK_HOSTNAME} were not created"

  220.         exit 5989

  221.     fi

  222. }

  223. 

  224. function cert_exists {

  225.     cert_type='dhparam'

  226.     if [ "$2" ]; then

  227.         cert_type="$2"

  228.     fi

  229.     if [ -f "/etc/ssl/certs/${1}.${cert_type}" ]; then

  230.         echo "1"

  231.     else

  232.         if [ -f "/etc/letsencrypt/live/${1}/fullchain.${cert_type}" ]; then

  233.             echo "1"

  234.         else

  235.             echo "0"

  236.         fi

  237.     fi

  238. }

  239. 

  240. function create_self_signed_cert {

  241.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  242.         echo $'No site domain specified for self signed cert'

  243.         exit 4638565385

  244.     fi

  245.     "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  246.     function_check check_certificates

  247.     check_certificates "${SITE_DOMAIN_NAME}"

  248. }

  249. 

  250. function create_letsencrypt_cert {

  251.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  252.         echo $'No site domain specified for letsencrypt cert'

  253.         exit 246824624

  254.     fi

  255. 

  256.     if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then

  257.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  258.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  259.             "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  260.             function_check check_certificates

  261.             CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  262.             check_certificates "${SITE_DOMAIN_NAME}"

  263.         else

  264.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  265.             if [ -f "/etc/nginx/sites-available/$SITE_DOMAIN_NAME" ]; then

  266.                 nginx_dissite "$SITE_DOMAIN_NAME"

  267.                 systemctl restart nginx

  268.             fi

  269.             exit 682529

  270.         fi

  271.         return

  272.     fi

  273. 

  274.     function_check check_certificates

  275.     CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  276.     check_certificates "${SITE_DOMAIN_NAME}" 'yes'

  277. }

  278. 

  279. function create_site_certificate {

  280.     SITE_DOMAIN_NAME="$1"

  281. 

  282.     # if yes then only "valid" certs are allowed, not self-signed

  283.     NO_SELF_SIGNED='no'

  284.     if [ "$2" ]; then

  285.         NO_SELF_SIGNED="$2"

  286.     fi

  287. 

  288.     if [[ $ONION_ONLY == "no" ]]; then

  289.         if [[ "$(cert_exists "${SITE_DOMAIN_NAME}")" == "0" ]]; then

  290.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  291.                 create_self_signed_cert

  292.             else

  293.                 create_letsencrypt_cert

  294.             fi

  295.         else

  296.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  297.                 if [[ "$(cert_exists "${SITE_DOMAIN_NAME}" pem)" == "0" ]]; then

  298.                     create_letsencrypt_cert

  299.                 fi

  300.             fi

  301.         fi

  302.     fi

  303. }

  304. 

  305. # script to automatically renew any Let's Encrypt certificates

  306. function letsencrypt_renewals {

  307.     if [[ $ONION_ONLY != "no" ]]; then

  308.         return

  309.     fi

  310. 

  311.     renewals_script=/tmp/renewals_letsencrypt

  312.     renewals_retry_script=/tmp/renewals_retry_letsencrypt

  313.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  314.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  315. 

  316.     # the main script tries to renew once per month

  317.     { echo '#!/bin/bash';

  318.       echo '';

  319.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  320.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  321.       echo '';

  322.       echo 'if [ -d /etc/letsencrypt ]; then';

  323.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  324.       echo '        rm ~/letsencrypt_failed';

  325.       echo '    fi';

  326.       echo -n "    ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  327.       echo -n "awk -F ':' '{print ";

  328.       echo -n "\$2";

  329.       echo "}')";

  330.       echo "    ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  331.       echo '    for d in /etc/letsencrypt/live/*/ ; do';

  332.       echo -n "        LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  333.       echo -n "awk -F '/' '{print ";

  334.       echo -n "\$5";

  335.       echo "}')";

  336.       echo "        if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  337.       echo "            \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  338.       echo '            if [ ! "$?" = "0" ]; then';

  339.       echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  340.       echo '                echo "" >> ~/temp_renewletsencrypt.txt';

  341.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  342.       echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  343.       echo "\$ADMIN_EMAIL_ADDRESS";

  344.       echo '                rm ~/temp_renewletsencrypt.txt';

  345.       echo '                if [ ! -f ~/letsencrypt_failed ]; then';

  346.       echo '                    touch ~/letsencrypt_failed';

  347.       echo '                fi';

  348.       echo '            fi';

  349.       echo '        fi';

  350.       echo '    done';

  351.       echo 'fi'; } > "$renewals_script"

  352.     chmod +x "$renewals_script"

  353. 

  354.     if [ ! -f /etc/cron.monthly/letsencrypt ]; then

  355.         cp $renewals_script /etc/cron.monthly/letsencrypt

  356.     else

  357.         HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')

  358.         HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')

  359.         if [[ "$HASH1" != "$HASH2" ]]; then

  360.             cp $renewals_script /etc/cron.monthly/letsencrypt

  361.         fi

  362.     fi

  363.     rm $renewals_script

  364. 

  365.     # a secondary script keeps trying to renew after a failure

  366.     { echo '#!/bin/bash';

  367.       echo '';

  368.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  369.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  370.       echo '';

  371.       echo 'if [ -d /etc/letsencrypt ]; then';

  372.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  373.       echo '        rm ~/letsencrypt_failed';

  374.       echo -n "        ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  375.       echo -n "awk -F ':' '{print ";

  376.       echo -n "\$2";

  377.       echo "}')";

  378.       echo "        ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  379.       echo '        for d in /etc/letsencrypt/live/*/ ; do';

  380.       echo -n "            LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  381.       echo -n "awk -F '/' '{print ";

  382.       echo -n "\$5";

  383.       echo "}')";

  384.       echo "            if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  385.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  386.       echo '                if [ ! "$?" = "0" ]; then';

  387.       echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  388.       echo '                    echo "" >> ~/temp_renewletsencrypt.txt';

  389.       echo "                    \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  390.       echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  391.       echo "\$ADMIN_EMAIL_ADDRESS";

  392.       echo '                    rm ~/temp_renewletsencrypt.txt';

  393.       echo '                    if [ ! -f ~/letsencrypt_failed ]; then';

  394.       echo '                        touch ~/letsencrypt_failed';

  395.       echo '                    fi';

  396.       echo '                fi';

  397.       echo '            fi';

  398.       echo '        done';

  399.       echo '    fi';

  400.       echo 'fi'; } > "$renewals_retry_script"

  401.     chmod +x "$renewals_retry_script"

  402. 

  403.     if [ ! -f /etc/cron.daily/letsencrypt ]; then

  404.         cp $renewals_retry_script /etc/cron.daily/letsencrypt

  405.     else

  406.         HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')

  407.         HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')

  408.         if [[ "$HASH1" != "$HASH2" ]]; then

  409.             cp $renewals_retry_script /etc/cron.daily/letsencrypt

  410.         fi

  411.     fi

  412.     rm $renewals_retry_script

  413. }

  414. 

  415. function configure_php {

  416.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/fpm/php.ini

  417.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.0/fpm/php.ini

  418.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/cli/php.ini

  419.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/fpm/php.ini

  420.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/cli/php.ini

  421.     sed -i "s/post_max_size =.*/post_max_size = 50M/g" /etc/php/7.0/fpm/php.ini

  422. }

  423. 

  424. function install_web_server_access_control {

  425.     if [ ! -f /etc/pam.d/nginx ]; then

  426.         { echo '#%PAM-1.0';

  427.           echo '@include common-auth';

  428.           echo '@include common-account';

  429.           echo '@include common-session'; } > /etc/pam.d/nginx

  430.     fi

  431. }

  432. 

  433. function upgrade_inadyn_config {

  434.     if [ ! -f "${INADYN_CONFIG_FILE}" ]; then

  435.         return

  436.     fi

  437. 

  438.     if [ ! -f /usr/sbin/inadyn ]; then

  439.         return

  440.     fi

  441. 

  442.     if grep -q "{" "${INADYN_CONFIG_FILE}"; then

  443.         return

  444.     fi

  445. 

  446.     read_config_param DDNS_PROVIDER

  447.     read_config_param DDNS_USERNAME

  448.     read_config_param DDNS_PASSWORD

  449. 

  450.     grep "alias " "${INADYN_CONFIG_FILE}" | sed 's| alias ||g' > ~/.inadyn_existing_sites

  451.     DDNS_HOSTNAMES=

  452.     while read -r host; do

  453.         if [ "$DDNS_HOSTNAMES" ]; then

  454.             DDNS_HOSTNAMES="$DDNS_HOSTNAMES, $host"

  455.         else

  456.             DDNS_HOSTNAMES="$host"

  457.         fi

  458.     done <~/.inadyn_existing_sites

  459. 

  460.     if [ ! "$DDNS_HOSTNAMES" ]; then

  461.         return

  462.     fi

  463. 

  464.     { echo 'period          = 300';

  465.       echo 'user-agent      = Mozilla/5.0';

  466.       echo '';

  467.       echo "provider $DDNS_PROVIDER {";

  468.       echo "    ssl            = true";

  469.       echo "    checkip-ssl    = false";

  470.       echo "    checkip-server = $GET_IP_ADDRESS_URL";

  471.       echo "    username       = $DDNS_USERNAME";

  472.       echo "    password       = $DDNS_PASSWORD";

  473.       echo "    hostname       = { $DDNS_HOSTNAMES }";

  474.       echo '}'; } > "${INADYN_CONFIG_FILE}"

  475. }

  476. 

  477. function install_dynamicdns {

  478.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  479.         return

  480.     fi

  481.     if [[ $ONION_ONLY != "no" ]]; then

  482.         return

  483.     fi

  484. 

  485.     CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")

  486.     if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then

  487.         return

  488.     fi

  489. 

  490.     if [ -f /usr/local/sbin/inadyn ]; then

  491.         if [ -d "$INSTALL_DIR/inadyn" ]; then

  492.             rm -rf "$INSTALL_DIR/inadyn"

  493.         fi

  494.     else

  495.         # update to the next commit

  496.         function_check set_repo_commit

  497.         set_repo_commit "$INSTALL_DIR/inadyn" "inadyn commit" "$INADYN_COMMIT" "$INADYN_REPO"

  498.     fi

  499. 

  500.     # Here we compile from source because the current package

  501.     # doesn't support https, which could result in passwords

  502.     # being leaked

  503.     # Debian version 1.99.4-1

  504.     # https version 1.99.8

  505. 

  506.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  507.     apt-get -yq install gnutls-dev libconfuse-dev

  508. 

  509.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  510.         if [ -d /repos/inadyn ]; then

  511.             mkdir "$INSTALL_DIR/inadyn"

  512.             cp -r -p /repos/inadyn/. "$INSTALL_DIR/inadyn"

  513.             cd "$INSTALL_DIR/inadyn" || exit 2462874684

  514.             git pull

  515.         else

  516.             git_clone "$INADYN_REPO" "$INSTALL_DIR/inadyn"

  517.         fi

  518.     fi

  519.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  520.         echo 'inadyn repo not cloned'

  521.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  522.         exit 6785

  523.     fi

  524.     cd "$INSTALL_DIR/inadyn" || exit 246824684

  525.     git checkout "$INADYN_COMMIT" -b "$INADYN_COMMIT"

  526.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  527. 

  528.     ./autogen.sh

  529. 

  530.     if ! ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-openssl; then

  531.         exit 74890

  532.     fi

  533.     if ! make -j5; then

  534.         exit 74858

  535.     fi

  536.     if ! make install-strip; then

  537.         exit 3785

  538.     fi

  539. 

  540.     # create a configuration file

  541.     if [ ! -f "${INADYN_CONFIG_FILE}" ]; then

  542.         { echo 'period          = 300';

  543.           echo 'user-agent      = Mozilla/5.0';

  544.           echo ''; } > "${INADYN_CONFIG_FILE}"

  545.     fi

  546.     chmod 600 "${INADYN_CONFIG_FILE}"

  547. 

  548.     { echo '[Unit]';

  549.       echo 'Description=inadyn (DynDNS updater)';

  550.       echo 'After=network.target';

  551.       echo '';

  552.       echo '[Service]';

  553.       echo "ExecStart=/usr/sbin/inadyn --config ${INADYN_CONFIG_FILE}";

  554.       echo 'Restart=always';

  555.       echo 'Type=forking';

  556.       echo '';

  557.       echo '[Install]';

  558.       echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/inadyn.service

  559.     systemctl daemon-reload

  560.     systemctl enable inadyn

  561.     systemctl start inadyn

  562. 

  563.     # Remove old version of inadyn

  564.     if [ -f /usr/local/sbin/inadyn ]; then

  565.         rm /usr/local/sbin/inadyn

  566.         upgrade_inadyn_config

  567.     fi

  568. }

  569. 

  570. function update_default_search_engine {

  571.     for d in /home/*/ ; do

  572.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  573.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  574.             if ! grep -q "WWW_HOME" "/home/$USERNAME/.bashrc"; then

  575.                 if ! grep -q 'controluser' "/home/$USERNAME/.bashrc"; then

  576.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  577.                         echo "export WWW_HOME=$DEFAULT_SEARCH" >> "/home/$USERNAME/.bashrc"

  578.                     else

  579.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  580.                     fi

  581.                 else

  582.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  583.                         sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" "/home/$USERNAME/.bashrc"

  584.                     else

  585.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  586.                     fi

  587.                 fi

  588.             fi

  589.         fi

  590.     done

  591. }

  592. 

  593. function install_command_line_browser {

  594.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  595.         return

  596.     fi

  597.     apt-get -yq install elinks

  598.     update_default_search_engine

  599. 

  600.     mark_completed "${FUNCNAME[0]}"

  601. }

  602. 

  603. function mesh_web_server {

  604.     if [ -d /etc/apache2 ]; then

  605.         # shellcheck disable=SC2154

  606.         chroot "$rootdir" apt-get -yq remove --purge apache2

  607.         chroot "$rootdir" rm -rf /etc/apache2

  608.     fi

  609. 

  610.     chroot "$rootdir" apt-get -yq install nginx

  611. 

  612.     if [ ! -d "$rootdir/etc/nginx" ]; then

  613.         echo $'Unable to install web server'

  614.         exit 346825

  615.     fi

  616. }

  617. 

  618. function install_web_server {

  619.     if [ "$INSTALLING_MESH" ]; then

  620.         mesh_web_server

  621.         return

  622.     fi

  623. 

  624.     # update to the next commit

  625.     function_check set_repo_commit

  626.     set_repo_commit "$INSTALL_DIR/nginx_ensite" "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  627. 

  628.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  629.         return

  630.     fi

  631.     # remove apache

  632.     apt-get -yq remove --purge apache2

  633.     if [ -d /etc/apache2 ]; then

  634.         rm -rf /etc/apache2

  635.     fi

  636.     # install nginx

  637.     apt-get -yq install nginx

  638.     apt-get -yq install php-fpm git

  639. 

  640.     # Turn off logs by default

  641.     sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf

  642.     sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf

  643. 

  644.     # limit the number of php processes

  645.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php/7.0/fpm/php-fpm.conf

  646.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php/7.0/fpm/php-fpm.conf

  647.     sed -i 's|;systemd_interval.*|systemd_interval = 10|g' /etc/php/7.0/fpm/php-fpm.conf

  648.     sed -i 's|;emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  649.     sed -i 's|emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  650.     sed -i 's|;emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  651.     sed -i 's|emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  652.     sed -i 's|;process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  653.     sed -i 's|process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  654. 

  655.     if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then

  656.         { echo 'pm = static';

  657.           echo 'pm.max_children = 10';

  658.           echo 'pm.start_servers = 2';

  659.           echo 'pm.min_spare_servers = 2';

  660.           echo 'pm.max_spare_servers = 5';

  661.           echo 'pm.max_requests = 10'; } >> /etc/php/7.0/fpm/php-fpm.conf

  662.     fi

  663.     if ! grep -q "request_terminate_timeout" /etc/php/7.0/fpm/php-fpm.conf; then

  664.         echo 'request_terminate_timeout = 30' >> /etc/php/7.0/fpm/php-fpm.conf

  665.     else

  666.         sed -i 's|request_terminate_timeout =.*|request_terminate_timeout = 30|g'  >> /etc/php/7.0/fpm/php-fpm.conf

  667.     fi

  668.     sed -i 's|max_execution_time =.*|max_execution_time = 30|g' /etc/php/7.0/fpm/php.ini

  669. 

  670.     if [ ! -d /etc/nginx ]; then

  671.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  672.         exit 51

  673.     fi

  674. 

  675.     # Nginx settings

  676.     { echo 'user www-data;';

  677.       #echo "worker_processes; $CPU_CORES";

  678.       echo 'pid /run/nginx.pid;';

  679.       echo '';

  680.       echo 'events {';

  681.       echo '        worker_connections 50;';

  682.       echo '        # multi_accept on;';

  683.       echo '}';

  684.       echo '';

  685.       echo 'http {';

  686.       echo '        # limit the number of connections per single IP';

  687.       echo "        limit_conn_zone \$binary_remote_addr zone=conn_limit_per_ip:10m;";

  688.       echo '';

  689.       echo '        # limit the number of requests for a given session';

  690.       echo "        limit_req_zone \$binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;";

  691.       echo '';

  692.       echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file';

  693.       echo '        client_body_buffer_size  128k;';

  694.       echo '';

  695.       echo '        # headerbuffer size for the request header from client, its set for testing purpose';

  696.       echo '        client_header_buffer_size 3m;';

  697.       echo '';

  698.       echo '        # maximum number and size of buffers for large headers to read from client request';

  699.       echo '        large_client_header_buffers 4 256k;';

  700.       echo '';

  701.       echo '        # read timeout for the request body from client, its set for testing purpose';

  702.       echo '        client_body_timeout   3m;';

  703.       echo '';

  704.       echo '        # how long to wait for the client to send a request header, its set for testing purpose';

  705.       echo '        client_header_timeout 3m;';

  706.       echo '';

  707.       echo '        ##';

  708.       echo '        # Basic Settings';

  709.       echo '        ##';

  710.       echo '';

  711.       echo '        sendfile on;';

  712.       echo '        tcp_nopush on;';

  713.       echo '        tcp_nodelay on;';

  714.       echo '        keepalive_timeout 65;';

  715.       echo '        types_hash_max_size 2048;';

  716.       echo '        server_tokens off;';

  717.       echo '';

  718.       echo '        # server_names_hash_bucket_size 64;';

  719.       echo '        # server_name_in_redirect off;';

  720.       echo '';

  721.       echo '        include /etc/nginx/mime.types;';

  722.       echo '        default_type application/octet-stream;';

  723.       echo '';

  724.       echo '        ##';

  725.       echo '        # Logging Settings';

  726.       echo '        ##';

  727.       echo '';

  728.       echo '        access_log /dev/null;';

  729.       echo '        error_log /dev/null;';

  730.       echo '';

  731.       echo '        ###';

  732.       echo '        # Gzip Settings';

  733.       echo '        ##';

  734.       echo '        gzip on;';

  735.       echo '        gzip_disable "msie6";';

  736.       echo '';

  737.       echo '        # gzip_vary on;';

  738.       echo '        # gzip_proxied any;';

  739.       echo '        # gzip_comp_level 6;';

  740.       echo '        # gzip_buffers 16 8k;';

  741.       echo '        # gzip_http_version 1.1;';

  742.       echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;';

  743.       echo '';

  744.       echo '        ##';

  745.       echo '        # Virtual Host Configs';

  746.       echo '        ##';

  747.       echo '';

  748.       echo '        include /etc/nginx/conf.d/*.conf;';

  749.       echo '        include /etc/nginx/sites-enabled/*;';

  750.       echo '}'; } > /etc/nginx/nginx.conf

  751. 

  752.     # install a script to easily enable and disable nginx virtual hosts

  753.     if [ ! -d "$INSTALL_DIR" ]; then

  754.         mkdir "$INSTALL_DIR"

  755.     fi

  756.     cd "$INSTALL_DIR" || exit 2798462846827

  757.     function_check git_clone

  758.     git_clone "$NGINX_ENSITE_REPO" "$INSTALL_DIR/nginx_ensite"

  759.     cd "$INSTALL_DIR/nginx_ensite" || exit 2468748223

  760.     git checkout "$NGINX_ENSITE_COMMIT" -b "$NGINX_ENSITE_COMMIT"

  761. 

  762.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  763. 

  764.     make install

  765.     nginx_dissite default

  766. 

  767.     function_check configure_firewall_for_web_access

  768.     configure_firewall_for_web_access

  769. 

  770.     mark_completed "${FUNCNAME[0]}"

  771. }

  772. 

  773. function remove_certs {

  774.     domain_name=$1

  775. 

  776.     if [ ! "$domain_name" ]; then

  777.         return

  778.     fi

  779. 

  780.     if [ -f "/etc/ssl/certs/${domain_name}.dhparam" ]; then

  781.         rm "/etc/ssl/certs/${domain_name}.dhparam"

  782.     fi

  783. 

  784.     if [ -f "/etc/ssl/certs/${domain_name}.pem" ]; then

  785.         rm "/etc/ssl/certs/${domain_name}.pem"

  786.     fi

  787. 

  788.     if [ -f "/etc/ssl/certs/${domain_name}.crt" ]; then

  789.         rm "/etc/ssl/certs/${domain_name}.crt"

  790.     fi

  791. 

  792.     if [ -f "/etc/ssl/private/${domain_name}.key" ]; then

  793.         rm "/etc/ssl/private/${domain_name}.key"

  794.     fi

  795. }

  796. 

  797. function configure_firewall_for_web_access {

  798.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  799.         return

  800.     fi

  801.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  802.         # docker does its own firewalling

  803.         return

  804.     fi

  805.     if [[ $ONION_ONLY != "no" ]]; then

  806.         return

  807.     fi

  808.     firewall_add HTTP 80 tcp

  809.     firewall_add HTTPS 443 tcp

  810.     mark_completed "${FUNCNAME[0]}"

  811. }

  812. 

  813. function update_default_domain {

  814.     echo $'Updating default domain'

  815.     if [[ $ONION_ONLY == 'no' ]]; then

  816.         if [ -f /etc/mumble-server.ini ]; then

  817.             if [ ! -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  818.                 if ! grep -q "mumble.pem" /etc/mumble-server.ini; then

  819.                     sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini

  820.                     sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini

  821.                     systemctl restart mumble

  822.                 fi

  823.             else

  824.                 if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then

  825.                     usermod -a -G ssl-cert mumble-server

  826.                     sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini

  827.                     sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini

  828.                     systemctl restart mumble

  829.                 fi

  830.             fi

  831.         fi

  832. 

  833.         if [ -d /etc/prosody ]; then

  834.             if [ ! -d /etc/prosody/certs ]; then

  835.                 mkdir /etc/prosody/certs

  836.             fi

  837.             cp /etc/ssl/private/xmpp* /etc/prosody/certs

  838.             cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  839.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  840.                 usermod -a -G ssl-cert prosody

  841.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  842.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  843.                 fi

  844.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  845.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  846.                 fi

  847. 

  848.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then

  849.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  850.                 fi

  851.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then

  852.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  853.                 fi

  854. 

  855.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  856.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  857.                 fi

  858. 

  859.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  860.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  861.                 fi

  862. 

  863.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then

  864.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  865.                 fi

  866. 

  867.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then

  868.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  869.                 fi

  870.             fi

  871. 

  872.             chown -R prosody:default /etc/prosody

  873.             chmod -R 700 /etc/prosody/certs/*

  874.             chmod 600 /etc/prosody/prosody.cfg.lua

  875.             if [ -d "$INSTALL_DIR/prosody-modules" ]; then

  876.                 cp -r "$INSTALL_DIR/prosody-modules/"* /var/lib/prosody/prosody-modules/

  877.                 cp -r "$INSTALL_DIR/prosody-modules/"* /usr/lib/prosody/modules/

  878.             fi

  879.             chown -R prosody:prosody /var/lib/prosody/prosody-modules

  880.             chown -R prosody:prosody /usr/lib/prosody/modules

  881.             systemctl reload prosody

  882.         fi

  883. 

  884.         if [ -d /home/znc/.znc ]; then

  885.             echo $'znc found'

  886.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  887.                 pkill znc

  888.                 cat "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" > /home/znc/.znc/znc.pem

  889.                 chown znc:znc /home/znc/.znc/znc.pem

  890.                 chmod 700 /home/znc/.znc/znc.pem

  891. 

  892.                 sed -i "s|CertFile =.*|CertFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/ngircd/ngircd.conf

  893.                 sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf

  894.                 sed -i "s|KeyFile =.*|KeyFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/ngircd/ngircd.conf

  895.                 echo $'irc certificates updated'

  896. 

  897.                 systemctl restart ngircd

  898.                 su -c 'znc' - znc

  899.             fi

  900.         fi

  901. 

  902.         if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then

  903.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  904.                 if [ -d /etc/dovecot ]; then

  905.                     if ! grep -q "ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/dovecot/conf.d/10-ssl.conf; then

  906.                         sed -i "s|#ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  907.                         sed -i "s|ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  908.                         systemctl restart dovecot

  909.                     fi

  910.                 fi

  911. 

  912.                 if [ -d /etc/exim4 ]; then

  913.                     # Unfortunately there doesn't appear to be any other way than copying certs here

  914.                     cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem" /etc/exim4/

  915.                     chown root:Debian-exim /etc/exim4/*.pem

  916.                     chmod 640 /etc/exim4/*.pem

  917. 

  918.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  919.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/exim4.conf.template

  920.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  921.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/exim4.conf.template

  922. 

  923.                     systemctl restart exim4

  924.                 fi

  925.             fi

  926.         fi

  927.     fi

  928. }

  929. 

  930. function create_default_web_site {

  931.     if [ ! -f "/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}" ]; then

  932.         # create a web site for the default domain

  933.         if [ ! -d "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs" ]; then

  934.             mkdir -p "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  935.             if [ -d "/root/${PROJECT_NAME}" ]; then

  936.                 cd "/root/${PROJECT_NAME}/website" || exit 24687246468

  937.                 ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  938.             else

  939.                 if [ -d "/home/${MY_USERNAME}/${PROJECT_NAME}" ]; then

  940.                     cd "/home/${MY_USERNAME}/${PROJECT_NAME}" || exit 2462874624

  941.                     ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  942.                 fi

  943.             fi

  944.         fi

  945. 

  946.         # add a config for the default domain

  947.         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME

  948.         if [[ $ONION_ONLY == "no" ]]; then

  949.             function_check nginx_http_redirect

  950.             nginx_http_redirect "$DEFAULT_DOMAIN_NAME"

  951.             { echo 'server {';

  952.               echo '  listen 443 ssl;';

  953.               echo '  #listen [::]:443 ssl;';

  954.               echo "  server_name $DEFAULT_DOMAIN_NAME;";

  955.               echo '';

  956.               echo '  # Security'; } >> "$nginx_site"

  957.             function_check nginx_ssl

  958.             nginx_ssl "$DEFAULT_DOMAIN_NAME" mobile

  959. 

  960.             function_check nginx_security_options

  961.             nginx_security_options "$DEFAULT_DOMAIN_NAME"

  962. 

  963.             { echo '  add_header Strict-Transport-Security max-age=15768000;';

  964.               echo '';

  965.               echo '  # Logs';

  966.               echo '  access_log /dev/null;';

  967.               echo '  error_log /dev/null;';

  968.               echo '';

  969.               echo '  # Root';

  970.               echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  971.               echo '';

  972.               echo '  # Index';

  973.               echo '  index index.html;';

  974.               echo '';

  975.               echo '  # Location';

  976.               echo '  location / {'; } >> "$nginx_site"

  977.             function_check nginx_limits

  978.             nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  979.             { echo '  }';

  980.               echo '';

  981.               echo '  # Restrict access that is unnecessary anyway';

  982.               echo '  location ~ /\.(ht|git) {';

  983.               echo '    deny all;';

  984.               echo '  }';

  985.               echo '}'; } >> "$nginx_site"

  986.         else

  987.             echo -n '' > "$nginx_site"

  988.         fi

  989.         { echo 'server {';

  990.           echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;";

  991.           echo "    server_name $DEFAULT_DOMAIN_NAME;";

  992.           echo ''; } >> "$nginx_site"

  993.         function_check nginx_security_options

  994.         nginx_security_options "$DEFAULT_DOMAIN_NAME"

  995.         { echo '';

  996.           echo '  # Logs';

  997.           echo '  access_log /dev/null;';

  998.           echo '  error_log /dev/null;';

  999.           echo '';

  1000.           echo '  # Root';

  1001.           echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  1002.           echo '';

  1003.           echo '  # Location';

  1004.           echo '  location / {'; } >> "$nginx_site"

  1005.         function_check nginx_limits

  1006.         nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  1007.         { echo '  }';

  1008.           echo '';

  1009.           echo '  # Restrict access that is unnecessary anyway';

  1010.           echo '  location ~ /\.(ht|git) {';

  1011.           echo '    deny all;';

  1012.           echo '  }';

  1013.           echo '}'; } >> "$nginx_site"

  1014. 

  1015.         if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1016.             function_check create_site_certificate

  1017.             create_site_certificate "$DEFAULT_DOMAIN_NAME" 'yes'

  1018.         fi

  1019. 

  1020.         nginx_ensite "$DEFAULT_DOMAIN_NAME"

  1021.     fi

  1022. }

  1023. 

  1024. function install_composer {

  1025.     # curl -sS https://getcomposer.org/installer | php

  1026.     if [ -f "${HOME}/${PROJECT_NAME}/image_build/composer_install" ]; then

  1027.         php < "${HOME}/${PROJECT_NAME}/image_build/composer_install"

  1028.     else

  1029.         if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install" ]; then

  1030.             php < "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install"

  1031.         fi

  1032.     fi

  1033.     if [ -f composer.phar ]; then

  1034.         cp composer.phar composer

  1035.     fi

  1036.     if ! php composer.phar install; then

  1037.         echo $'Unable to run composer install'

  1038.         exit 7252198

  1039.     fi

  1040. }

  1041. 

  1042. function email_disable_chunking {

  1043.     if [ -f /etc/exim4/conf.d/main/04_exim4-config_chunking ]; then

  1044.         return

  1045.     fi

  1046.     echo "chunking_advertise_hosts =" > /etc/exim4/conf.d/main/04_exim4-config_chunking

  1047.     update-exim4.conf

  1048.     dpkg-reconfigure --frontend noninteractive exim4-config

  1049.     systemctl restart exim4

  1050. }

  1051. 

  1052. function email_update_onion_domain {

  1053.     email_hostname='/var/lib/tor/hidden_service_email/hostname'

  1054. 

  1055.     cp $email_hostname /etc/skel/.email_onion_domain

  1056. 

  1057.     for d in /home/*/ ; do

  1058.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  1059.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  1060.             cp $email_hostname "/home/$USERNAME/.email_onion_domain"

  1061.             chown "$USERNAME":"$USERNAME" "/home/$USERNAME/.email_onion_domain"

  1062.         fi

  1063.     done

  1064. }

  1065. 

  1066. function email_install_tls {

  1067.     tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  1068.     tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples

  1069.     email_config_changed=

  1070. 

  1071.     if [ ! -f $tls_config_file ]; then

  1072.         tls_config_file=/etc/exim4/exim4.conf.template

  1073.         tls_auth_config_file=$tls_config_file

  1074.     fi

  1075.     if [ ! -f /etc/ssl/certs/exim.dhparam ]; then

  1076.         "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"

  1077.         CHECK_HOSTNAME=exim

  1078.         check_certificates exim

  1079.         cp /etc/ssl/certs/exim.dhparam /etc/exim4

  1080.         chown root:Debian-exim /etc/exim4/exim.dhparam

  1081.         chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam

  1082.         email_config_changed=1

  1083.     fi

  1084.     if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then

  1085.         sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\\MAIN_HARDCODE_PRIMARY_HOSTNAME =\\nMAIN_TLS_ENABLE = true" "$tls_config_file"

  1086.         email_config_changed=1

  1087.     fi

  1088.     if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then

  1089.         sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file

  1090.         email_config_changed=1

  1091.     fi

  1092.     if grep -q '# login_saslauthd_server' $tls_auth_config_file; then

  1093.         sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file

  1094.         email_config_changed=1

  1095.     fi

  1096.     if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1097.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/exim4/

  1098.         chown root:Debian-exim /etc/exim4/*.pem

  1099.         chmod 640 /etc/exim4/*.pem

  1100. 

  1101.         if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then

  1102.             sed -i "/.ifdef MAIN_TLS_CERTKEY/i\\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file

  1103.             email_config_changed=1

  1104.         fi

  1105.     fi

  1106.     if [ -f "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" ]; then

  1107.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/exim4/

  1108.         chown root:Debian-exim /etc/exim4/*.pem

  1109.         chmod 640 /etc/exim4/*.pem

  1110. 

  1111.         if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then

  1112.             sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file

  1113.             email_config_changed=1

  1114.         fi

  1115.     fi

  1116.     if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then

  1117.         sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4

  1118.         email_config_changed=1

  1119.     fi

  1120.     if [ $email_config_changed ]; then

  1121.         systemctl restart saslauthd

  1122.         systemctl restart exim4

  1123.     fi

  1124. }

  1125. 

  1126. function install_web_local_user_interface {

  1127.     # TODO

  1128.     # This is intended as a placeholder for a potential local web user interface

  1129.     # similar to Plinth or the yunohost admin interface

  1130.     local_hostname=$(grep 'host-name' /etc/avahi/avahi-daemon.conf | awk -F '=' '{print $2}').local

  1131. 

  1132.     mkdir -p "/var/www/${local_hostname}/htdocs"

  1133.     { echo '<html>';

  1134.       echo '  <body>';

  1135.       echo "  This is a test on $local_hostname";

  1136.       echo '  </body>';

  1137.       echo '</html>'; } > "/var/www/${local_hostname}/htdocs/index.html"

  1138.     chown -R www-data:www-data "/var/www/${local_hostname}/htdocs"

  1139. 

  1140.     nginx_file=/etc/nginx/sites-available/$local_hostname

  1141.     { echo 'server {';

  1142.       echo '  listen 80;';

  1143.       echo '  listen [::]:80;';

  1144.       echo "  server_name ${local_hostname};";

  1145.       echo "  root /var/www/${local_hostname}/htdocs;";

  1146.       echo '  index index.html;';

  1147.       echo '}'; } > "$nginx_file"

  1148.     nginx_ensite "$local_hostname"

  1149. }

  1150. 

  1151. # NOTE: deliberately no exit 0