free
/
freedombone
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Activity
9437 Revize
5 Větve
Strom: 5776a4bb93
Větve Značky
${ item.name }
Create branch ${ searchTerm }
from '5776a4bb93'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 48KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230 
  1. #!/bin/bash

  2. #  _____               _           _

  3. # |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___

  4. # |   __|  _| -_| -_| . | . |     | . | . |   | -_|

  5. # |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|

  6. #

  7. #                              Freedom in the Cloud

  8. #

  9. # Web related functions

  10. #

  11. # License

  12. # =======

  13. #

  14. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>

  15. #

  16. # This program is free software: you can redistribute it and/or modify

  17. # it under the terms of the GNU Affero General Public License as published by

  18. # the Free Software Foundation, either version 3 of the License, or

  19. # (at your option) any later version.

  20. #

  21. # This program is distributed in the hope that it will be useful,

  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24. # GNU Affero General Public License for more details.

  25. #

  26. # You should have received a copy of the GNU Affero General Public License

  27. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28. 

  29. # default search engine for command line browser

  30. DEFAULT_SEARCH='https://searx.laquadrature.net'

  31. 

  32. # onion port for the default domain

  33. DEFAULT_DOMAIN_ONION_PORT=8099

  34. 

  35. # Whether Let's Encrypt is enabled for all sites

  36. LETSENCRYPT_ENABLED="yes"

  37. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  38. 

  39. # list of encryption protocols

  40. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  41. 

  42. # Mozilla recommended default ciphers. These work better on Android

  43. # See https://wiki.mozilla.org/Security/Server_Side_TLS

  44. SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

  45. 

  46. # some mobile apps (eg. NextCloud) have not very good cipher compatibility.

  47. # These ciphers can be used for those cases

  48. SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"

  49. 

  50. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  51. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  52. 

  53. # memory limit for php in MB

  54. MAX_PHP_MEMORY=64

  55. 

  56. # logging level for Nginx

  57. WEBSERVER_LOG_LEVEL='warn'

  58. 

  59. # test a domain name to see if it's valid

  60. function validate_domain_name {

  61.     # count the number of dots in the domain name

  62.     dots=${TEST_DOMAIN_NAME//[^.]}

  63.     no_of_dots=${#dots}

  64.     if (( no_of_dots > 3 )); then

  65.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  66.     fi

  67.     if (( no_of_dots == 0 )); then

  68.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  69.     fi

  70. }

  71. 

  72. function nginx_security_options {

  73.     domain_name=$1

  74.     filename=/etc/nginx/sites-available/$domain_name

  75.     { echo '    add_header X-Frame-Options DENY;';

  76.       echo '    add_header X-Content-Type-Options nosniff;';

  77.       echo '    add_header X-XSS-Protection "1; mode=block";';

  78.       echo '    add_header X-Robots-Tag none;';

  79.       echo '    add_header X-Download-Options noopen;';

  80.       echo '    add_header X-Permitted-Cross-Domain-Policies none;';

  81.       echo ''; } >> "$filename"

  82. }

  83. 

  84. function nginx_limits {

  85.     domain_name=$1

  86.     max_body='20m'

  87.     if [ "$2" ]; then

  88.         max_body=$2

  89.     fi

  90.     filename=/etc/nginx/sites-available/$domain_name

  91.     { echo "        client_max_body_size ${max_body};";

  92.       echo '        client_body_buffer_size 128k;';

  93.       echo '';

  94.       echo '        limit_conn conn_limit_per_ip 10;';

  95.       echo '        limit_req zone=req_limit_per_ip burst=10 nodelay;';

  96.       echo ''; } >> "$filename"

  97. }

  98. 

  99. function nginx_stapling {

  100.     domain_name="$1"

  101.     filename=/etc/nginx/sites-available/$domain_name

  102.     { echo "    ssl_stapling on;";

  103.       echo '    ssl_stapling_verify on;';

  104.       echo "    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;";

  105.       echo ''; } >> "$filename"

  106. }

  107. 

  108. function nginx_http_redirect {

  109.     # redirect port 80 to https

  110.     domain_name=$1

  111.     filename=/etc/nginx/sites-available/$domain_name

  112.     { echo 'server {';

  113.       echo '    listen 80;';

  114.       echo '    listen [::]:80;';

  115.       echo "    server_name ${domain_name};";

  116.       echo "    root /var/www/${domain_name}/htdocs;";

  117.       echo '    access_log /dev/null;';

  118.       echo "    error_log /dev/null;"; } > "$filename"

  119.     function_check nginx_limits

  120.     nginx_limits "$domain_name"

  121.     if [ ${#2} -gt 0 ]; then

  122.         echo "    $2;" >> "$filename"

  123.     fi

  124.     { echo "    rewrite ^ https://\$server_name\$request_uri? permanent;";

  125.       echo '}';

  126.       echo ''; } >> "$filename"

  127. }

  128. 

  129. function nginx_compress {

  130.     domain_name=$1

  131.     filename=/etc/nginx/sites-available/$domain_name

  132. 

  133.     { echo '    gzip            on;';

  134.       echo '    gzip_min_length 1000;';

  135.       echo '    gzip_proxied    expired no-cache no-store private auth;';

  136.       echo '    gzip_types      text/plain application/xml;'; } >> "$filename"

  137. }

  138. 

  139. function nginx_ssl {

  140.     # creates the SSL/TLS section for a website

  141.     domain_name=$1

  142.     mobile_ciphers=$2

  143.     filename=/etc/nginx/sites-available/$domain_name

  144. 

  145.     { echo '    ssl_stapling off;';

  146.       echo '    ssl_stapling_verify off;';

  147.       echo '    ssl on;';

  148.       echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;";

  149.       echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;";

  150.       echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;";

  151.       echo '';

  152.       echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;';

  153.       echo '    ssl_session_timeout 60m;';

  154.       echo '    ssl_prefer_server_ciphers on;';

  155.       echo "    ssl_protocols $SSL_PROTOCOLS;"; } >> "$filename"

  156.     if [ "$mobile_ciphers" ]; then

  157.         echo "    # Mobile compatible ciphers" >> "$filename"

  158.         echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> "$filename"

  159.     else

  160.         echo "    ssl_ciphers '$SSL_CIPHERS';" >> "$filename"

  161.     fi

  162.     echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> "$filename"

  163. 

  164.     #nginx_stapling $1

  165. }

  166. 

  167. # check an individual domain name

  168. function test_domain_name {

  169.     if [ "$1" ]; then

  170.         TEST_DOMAIN_NAME=$1

  171.         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then

  172.             function_check validate_domain_name

  173.             validate_domain_name

  174.             if [[ "$TEST_DOMAIN_NAME" != "$1" ]]; then

  175.                 echo $"Invalid domain name $TEST_DOMAIN_NAME"

  176.                 exit 8528

  177.             fi

  178.         fi

  179.     fi

  180. }

  181. 

  182. # Checks whether certificates were generated for the given hostname

  183. function check_certificates {

  184.     if [ ! "$1" ]; then

  185.         echo $'No certificate name provided'

  186.         exit 3568736585683

  187.     fi

  188.     USE_LETSENCRYPT='no'

  189.     if [ "$2" ]; then

  190.         USE_LETSENCRYPT="$2"

  191.     fi

  192.     if [[ $USE_LETSENCRYPT == 'no' || "$ONION_ONLY" != 'no' ]]; then

  193.         if [ ! -f "/etc/ssl/private/${1}.key" ]; then

  194.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  195.             exit 63959

  196.         fi

  197.         if [ ! -f "/etc/ssl/certs/${1}.crt" ]; then

  198.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  199.             exit 7679

  200.         fi

  201. 

  202.         if grep -q "${1}.pem" "/etc/nginx/sites-available/${1}"; then

  203.             sed -i "s|${1}.pem|${1}.crt|g" "/etc/nginx/sites-available/${1}"

  204.         fi

  205.     else

  206.         if [ ! -f "/etc/letsencrypt/live/${1}/privkey.pem" ]; then

  207.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  208.             exit 6282

  209.         fi

  210.         if [ ! -f "/etc/letsencrypt/live/${1}/fullchain.pem" ]; then

  211.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  212.             exit 5328

  213.         fi

  214.         if grep -q "${1}.crt" "/etc/nginx/sites-available/${1}"; then

  215.             sed -i "s|${1}.crt|${1}.pem|g" "/etc/nginx/sites-available/${1}"

  216.         fi

  217.     fi

  218.     if [ ! -f "/etc/ssl/certs/${1}.dhparam" ]; then

  219.         echo $"DiffieHellman parameters for ${CHECK_HOSTNAME} were not created"

  220.         exit 5989

  221.     fi

  222. }

  223. 

  224. function cert_exists {

  225.     cert_type='dhparam'

  226.     if [ "$2" ]; then

  227.         cert_type="$2"

  228.     fi

  229.     if [ -f "/etc/ssl/certs/${1}.${cert_type}" ]; then

  230.         echo "1"

  231.     else

  232.         if [ -f "/etc/letsencrypt/live/${1}/fullchain.${cert_type}" ]; then

  233.             echo "1"

  234.         else

  235.             echo "0"

  236.         fi

  237.     fi

  238. }

  239. 

  240. function create_self_signed_cert {

  241.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  242.         echo $'No site domain specified for self signed cert'

  243.         exit 4638565385

  244.     fi

  245.     "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  246.     function_check check_certificates

  247.     check_certificates "${SITE_DOMAIN_NAME}"

  248. }

  249. 

  250. function create_letsencrypt_cert {

  251.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  252.         echo $'No site domain specified for letsencrypt cert'

  253.         exit 246824624

  254.     fi

  255. 

  256.     if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then

  257.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  258.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  259.             "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  260.             function_check check_certificates

  261.             CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  262.             check_certificates "${SITE_DOMAIN_NAME}"

  263.         else

  264.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  265.             if [ -f "/etc/nginx/sites-available/$SITE_DOMAIN_NAME" ]; then

  266.                 nginx_dissite "$SITE_DOMAIN_NAME"

  267.                 systemctl restart nginx

  268.             fi

  269.             exit 682529

  270.         fi

  271.         return

  272.     fi

  273. 

  274.     function_check check_certificates

  275.     CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  276.     check_certificates "${SITE_DOMAIN_NAME}" 'yes'

  277. }

  278. 

  279. function create_site_certificate {

  280.     SITE_DOMAIN_NAME="$1"

  281. 

  282.     # if yes then only "valid" certs are allowed, not self-signed

  283.     NO_SELF_SIGNED='no'

  284.     if [ "$2" ]; then

  285.         NO_SELF_SIGNED="$2"

  286.     fi

  287. 

  288.     if [[ $ONION_ONLY == "no" ]]; then

  289.         if [[ "$(cert_exists "${SITE_DOMAIN_NAME}")" == "0" ]]; then

  290.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  291.                 create_self_signed_cert

  292.             else

  293.                 create_letsencrypt_cert

  294.             fi

  295.         else

  296.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  297.                 if [[ "$(cert_exists "${SITE_DOMAIN_NAME}" pem)" == "0" ]]; then

  298.                     create_letsencrypt_cert

  299.                 fi

  300.             fi

  301.         fi

  302.     fi

  303. }

  304. 

  305. # script to automatically renew any Let's Encrypt certificates

  306. function letsencrypt_renewals {

  307.     if [[ $ONION_ONLY != "no" ]]; then

  308.         return

  309.     fi

  310. 

  311.     renewals_script=/tmp/renewals_letsencrypt

  312.     renewals_retry_script=/tmp/renewals_retry_letsencrypt

  313.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  314.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  315. 

  316.     # the main script tries to renew once per month

  317.     { echo '#!/bin/bash';

  318.       echo '';

  319.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  320.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  321.       echo '';

  322.       echo 'if [ -d /etc/letsencrypt ]; then';

  323.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  324.       echo '        rm ~/letsencrypt_failed';

  325.       echo '    fi';

  326.       echo -n "    ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  327.       echo -n "awk -F ':' '{print ";

  328.       echo -n "\$2";

  329.       echo "}')";

  330.       echo "    ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  331.       echo '    for d in /etc/letsencrypt/live/*/ ; do';

  332.       echo -n "        LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  333.       echo -n "awk -F '/' '{print ";

  334.       echo -n "\$5";

  335.       echo "}')";

  336.       echo "        if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  337.       echo "            \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  338.       echo '            if [ ! "$?" = "0" ]; then';

  339.       echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  340.       echo '                echo "" >> ~/temp_renewletsencrypt.txt';

  341.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  342.       echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  343.       echo "\$ADMIN_EMAIL_ADDRESS";

  344.       echo '                rm ~/temp_renewletsencrypt.txt';

  345.       echo '                if [ ! -f ~/letsencrypt_failed ]; then';

  346.       echo '                    touch ~/letsencrypt_failed';

  347.       echo '                fi';

  348.       echo '            fi';

  349.       echo '        fi';

  350.       echo '    done';

  351.       echo 'fi'; } > "$renewals_script"

  352.     chmod +x "$renewals_script"

  353. 

  354.     if [ ! -f /etc/cron.monthly/letsencrypt ]; then

  355.         cp $renewals_script /etc/cron.monthly/letsencrypt

  356.     else

  357.         HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')

  358.         HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')

  359.         if [[ "$HASH1" != "$HASH2" ]]; then

  360.             cp $renewals_script /etc/cron.monthly/letsencrypt

  361.         fi

  362.     fi

  363.     rm $renewals_script

  364. 

  365.     # a secondary script keeps trying to renew after a failure

  366.     { echo '#!/bin/bash';

  367.       echo '';

  368.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  369.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  370.       echo '';

  371.       echo 'if [ -d /etc/letsencrypt ]; then';

  372.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  373.       echo '        rm ~/letsencrypt_failed';

  374.       echo -n "        ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  375.       echo -n "awk -F ':' '{print ";

  376.       echo -n "\$2";

  377.       echo "}')";

  378.       echo "        ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  379.       echo '        for d in /etc/letsencrypt/live/*/ ; do';

  380.       echo -n "            LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  381.       echo -n "awk -F '/' '{print ";

  382.       echo -n "\$5";

  383.       echo "}')";

  384.       echo "            if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  385.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  386.       echo '                if [ ! "$?" = "0" ]; then';

  387.       echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  388.       echo '                    echo "" >> ~/temp_renewletsencrypt.txt';

  389.       echo "                    \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  390.       echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  391.       echo "\$ADMIN_EMAIL_ADDRESS";

  392.       echo '                    rm ~/temp_renewletsencrypt.txt';

  393.       echo '                    if [ ! -f ~/letsencrypt_failed ]; then';

  394.       echo '                        touch ~/letsencrypt_failed';

  395.       echo '                    fi';

  396.       echo '                fi';

  397.       echo '            fi';

  398.       echo '        done';

  399.       echo '    fi';

  400.       echo 'fi'; } > "$renewals_retry_script"

  401.     chmod +x "$renewals_retry_script"

  402. 

  403.     if [ ! -f /etc/cron.daily/letsencrypt ]; then

  404.         cp $renewals_retry_script /etc/cron.daily/letsencrypt

  405.     else

  406.         HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')

  407.         HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')

  408.         if [[ "$HASH1" != "$HASH2" ]]; then

  409.             cp $renewals_retry_script /etc/cron.daily/letsencrypt

  410.         fi

  411.     fi

  412.     rm $renewals_retry_script

  413. }

  414. 

  415. function configure_php {

  416.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/fpm/php.ini

  417.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.0/fpm/php.ini

  418.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/cli/php.ini

  419.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/fpm/php.ini

  420.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/cli/php.ini

  421.     sed -i "s/post_max_size =.*/post_max_size = 50M/g" /etc/php/7.0/fpm/php.ini

  422. }

  423. 

  424. function install_web_server_access_control {

  425.     if [ ! -f /etc/pam.d/nginx ]; then

  426.         { echo '#%PAM-1.0';

  427.           echo '@include common-auth';

  428.           echo '@include common-account';

  429.           echo '@include common-session'; } > /etc/pam.d/nginx

  430.     fi

  431. }

  432. 

  433. function upgrade_inadyn_config {

  434.     if [ ! -f "${INADYN_CONFIG_FILE}" ]; then

  435.         return

  436.     fi

  437. 

  438.     if [ ! -f /usr/sbin/inadyn ]; then

  439.         return

  440.     fi

  441. 

  442.     if grep -q "{" "${INADYN_CONFIG_FILE}"; then

  443.         return

  444.     fi

  445. 

  446.     read_config_param DDNS_PROVIDER

  447.     read_config_param DDNS_USERNAME

  448.     read_config_param DDNS_PASSWORD

  449.     read_config_param DEFAULT_DOMAIN_NAME

  450. 

  451.     grep "alias " "${INADYN_CONFIG_FILE}" | sed 's| alias ||g' > ~/.inadyn_existing_sites

  452. 

  453.     if [[ "$DDNS_PROVIDER" == "default@freedns.afraid.org" ]]; then

  454.         DDNS_PROVIDER='freedns'

  455.         write_config_param DDNS_PROVIDER "$DDNS_PROVIDER"

  456.     fi

  457. 

  458.     { echo 'period          = 300';

  459.       echo '';

  460.       echo "provider $DDNS_PROVIDER {";

  461.       echo "    ssl            = true";

  462.       echo "    username       = $DDNS_USERNAME";

  463.       echo "    password       = $DDNS_PASSWORD";

  464.       echo '    wildcard       = true';

  465.       echo "    hostname       = $DEFAULT_DOMAIN_NAME";

  466.       echo '}'; } > "${INADYN_CONFIG_FILE}"

  467. }

  468. 

  469. function install_dynamicdns {

  470.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  471.         return

  472.     fi

  473. 

  474.     if [[ $ONION_ONLY != "no" ]]; then

  475.         return

  476.     fi

  477. 

  478.     if grep -q "INADYN_REPO" "$CONFIGURATION_FILE"; then

  479.         sed -i '/INADYN_REPO/d' "$CONFIGURATION_FILE"

  480.     fi

  481.     if grep -q "INADYN_COMMIT" "$CONFIGURATION_FILE"; then

  482.         sed -i '/INADYN_COMMIT/d' "$CONFIGURATION_FILE"

  483.     fi

  484. 

  485.     if [ -f /usr/local/sbin/inadyn ]; then

  486.         if grep -q "inadyn commit" "$COMPLETION_FILE"; then

  487.             sed -i '/inadyn commit/d' "$COMPLETION_FILE"

  488.         fi

  489.     else

  490.         CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")

  491.         if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then

  492.             return

  493.         fi

  494.     fi

  495. 

  496.     if [ -f /usr/local/sbin/inadyn ]; then

  497.         if [ -d "$INSTALL_DIR/inadyn" ]; then

  498.             rm -rf "$INSTALL_DIR/inadyn"

  499.         fi

  500.         if [ -d /repos/inadyn ]; then

  501.             rm -rf /repos/inadyn

  502.         fi

  503.     else

  504.         # update to the next commit

  505.         function_check set_repo_commit

  506.         set_repo_commit "$INSTALL_DIR/inadyn" "inadyn commit" "$INADYN_COMMIT" "$INADYN_REPO"

  507.     fi

  508. 

  509.     # Here we compile from source because the current package

  510.     # doesn't support https, which could result in passwords

  511.     # being leaked

  512.     # Debian version 1.99.4-1

  513.     # https version 1.99.8

  514. 

  515.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  516.     apt-get -yq install gnutls-dev libconfuse-dev pkg-config libtool

  517. 

  518.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  519.         if [ -d /repos/inadyn ]; then

  520.             mkdir "$INSTALL_DIR/inadyn"

  521.             cp -r -p /repos/inadyn/. "$INSTALL_DIR/inadyn"

  522.             cd "$INSTALL_DIR/inadyn" || exit 2462874684

  523.             git pull

  524.         else

  525.             git_clone "$INADYN_REPO" "$INSTALL_DIR/inadyn"

  526.         fi

  527.     fi

  528.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  529.         echo 'inadyn repo not cloned'

  530.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  531.         exit 6785

  532.     fi

  533.     cd "$INSTALL_DIR/inadyn" || exit 246824684

  534.     git checkout "$INADYN_COMMIT" -b "$INADYN_COMMIT"

  535.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  536. 

  537.     ./autogen.sh

  538. 

  539.     if ! ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var; then

  540.         exit 74890

  541.     fi

  542.     if ! make -j5; then

  543.         exit 74858

  544.     fi

  545.     if ! make install-strip; then

  546.         exit 3785

  547.     fi

  548. 

  549.     # create a configuration file

  550.     if [ ! -f "${INADYN_CONFIG_FILE}" ]; then

  551.         { echo 'period          = 300';

  552.           echo ''; } > "${INADYN_CONFIG_FILE}"

  553.     fi

  554.     chmod 600 "${INADYN_CONFIG_FILE}"

  555. 

  556.     { echo '[Unit]';

  557.       echo 'Description=Internet Dynamic DNS Client';

  558.       echo 'Documentation=man:inadyn';

  559.       echo 'Documentation=man:inadyn.conf';

  560.       echo 'Documentation=https://github.com/troglobit/inadyn';

  561.       echo 'ConditionPathExists=/etc/inadyn.conf';

  562.       echo 'After=network-online.target';

  563.       echo 'Requires=network-online.target';

  564.       echo '';

  565.       echo '[Service]';

  566.       echo 'Type=simple';

  567.       echo "ExecStart=/usr/sbin/inadyn -C -n -s --loglevel=err --config ${INADYN_CONFIG_FILE}";

  568.       echo 'Restart=on-failure';

  569.       echo 'RestartSec=10';

  570.       echo '';

  571.       echo '[Install]';

  572.       echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/inadyn.service

  573.     systemctl daemon-reload

  574.     systemctl enable inadyn

  575.     systemctl start inadyn

  576. 

  577.     # Remove old version of inadyn

  578.     if [ -f /usr/local/sbin/inadyn ]; then

  579.         rm /usr/local/sbin/inadyn

  580.         upgrade_inadyn_config

  581.     fi

  582. }

  583. 

  584. function update_default_search_engine {

  585.     for d in /home/*/ ; do

  586.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  587.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  588.             if ! grep -q "WWW_HOME" "/home/$USERNAME/.bashrc"; then

  589.                 if ! grep -q 'controluser' "/home/$USERNAME/.bashrc"; then

  590.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  591.                         echo "export WWW_HOME=$DEFAULT_SEARCH" >> "/home/$USERNAME/.bashrc"

  592.                     else

  593.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  594.                     fi

  595.                 else

  596.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  597.                         sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" "/home/$USERNAME/.bashrc"

  598.                     else

  599.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  600.                     fi

  601.                 fi

  602.             fi

  603.         fi

  604.     done

  605. }

  606. 

  607. function install_command_line_browser {

  608.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  609.         return

  610.     fi

  611.     apt-get -yq install elinks

  612.     update_default_search_engine

  613. 

  614.     mark_completed "${FUNCNAME[0]}"

  615. }

  616. 

  617. function mesh_web_server {

  618.     if [ -d /etc/apache2 ]; then

  619.         # shellcheck disable=SC2154

  620.         chroot "$rootdir" apt-get -yq remove --purge apache2

  621.         chroot "$rootdir" rm -rf /etc/apache2

  622.     fi

  623. 

  624.     chroot "$rootdir" apt-get -yq install nginx

  625. 

  626.     if [ ! -d "$rootdir/etc/nginx" ]; then

  627.         echo $'Unable to install web server'

  628.         exit 346825

  629.     fi

  630. }

  631. 

  632. function install_web_server {

  633.     if [ "$INSTALLING_MESH" ]; then

  634.         mesh_web_server

  635.         return

  636.     fi

  637. 

  638.     # update to the next commit

  639.     function_check set_repo_commit

  640.     set_repo_commit "$INSTALL_DIR/nginx_ensite" "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  641. 

  642.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  643.         return

  644.     fi

  645.     # remove apache

  646.     apt-get -yq remove --purge apache2

  647.     if [ -d /etc/apache2 ]; then

  648.         rm -rf /etc/apache2

  649.     fi

  650.     # install nginx

  651.     apt-get -yq install nginx

  652.     apt-get -yq install php-fpm git

  653. 

  654.     # Turn off logs by default

  655.     sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf

  656.     sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf

  657. 

  658.     # limit the number of php processes

  659.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php/7.0/fpm/php-fpm.conf

  660.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php/7.0/fpm/php-fpm.conf

  661.     sed -i 's|;systemd_interval.*|systemd_interval = 10|g' /etc/php/7.0/fpm/php-fpm.conf

  662.     sed -i 's|;emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  663.     sed -i 's|emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  664.     sed -i 's|;emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  665.     sed -i 's|emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  666.     sed -i 's|;process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  667.     sed -i 's|process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  668. 

  669.     if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then

  670.         { echo 'pm = static';

  671.           echo 'pm.max_children = 10';

  672.           echo 'pm.start_servers = 2';

  673.           echo 'pm.min_spare_servers = 2';

  674.           echo 'pm.max_spare_servers = 5';

  675.           echo 'pm.max_requests = 10'; } >> /etc/php/7.0/fpm/php-fpm.conf

  676.     fi

  677.     if ! grep -q "request_terminate_timeout" /etc/php/7.0/fpm/php-fpm.conf; then

  678.         echo 'request_terminate_timeout = 30' >> /etc/php/7.0/fpm/php-fpm.conf

  679.     else

  680.         sed -i 's|request_terminate_timeout =.*|request_terminate_timeout = 30|g'  >> /etc/php/7.0/fpm/php-fpm.conf

  681.     fi

  682.     sed -i 's|max_execution_time =.*|max_execution_time = 30|g' /etc/php/7.0/fpm/php.ini

  683. 

  684.     if [ ! -d /etc/nginx ]; then

  685.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  686.         exit 51

  687.     fi

  688. 

  689.     # Nginx settings

  690.     { echo 'user www-data;';

  691.       #echo "worker_processes; $CPU_CORES";

  692.       echo 'pid /run/nginx.pid;';

  693.       echo '';

  694.       echo 'events {';

  695.       echo '        worker_connections 50;';

  696.       echo '        # multi_accept on;';

  697.       echo '}';

  698.       echo '';

  699.       echo 'http {';

  700.       echo '        # limit the number of connections per single IP';

  701.       echo "        limit_conn_zone \$binary_remote_addr zone=conn_limit_per_ip:10m;";

  702.       echo '';

  703.       echo '        # limit the number of requests for a given session';

  704.       echo "        limit_req_zone \$binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;";

  705.       echo '';

  706.       echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file';

  707.       echo '        client_body_buffer_size  128k;';

  708.       echo '';

  709.       echo '        # headerbuffer size for the request header from client, its set for testing purpose';

  710.       echo '        client_header_buffer_size 3m;';

  711.       echo '';

  712.       echo '        # maximum number and size of buffers for large headers to read from client request';

  713.       echo '        large_client_header_buffers 4 256k;';

  714.       echo '';

  715.       echo '        # read timeout for the request body from client, its set for testing purpose';

  716.       echo '        client_body_timeout   3m;';

  717.       echo '';

  718.       echo '        # how long to wait for the client to send a request header, its set for testing purpose';

  719.       echo '        client_header_timeout 3m;';

  720.       echo '';

  721.       echo '        ##';

  722.       echo '        # Basic Settings';

  723.       echo '        ##';

  724.       echo '';

  725.       echo '        sendfile on;';

  726.       echo '        tcp_nopush on;';

  727.       echo '        tcp_nodelay on;';

  728.       echo '        keepalive_timeout 65;';

  729.       echo '        types_hash_max_size 2048;';

  730.       echo '        server_tokens off;';

  731.       echo '';

  732.       echo '        # server_names_hash_bucket_size 64;';

  733.       echo '        # server_name_in_redirect off;';

  734.       echo '';

  735.       echo '        include /etc/nginx/mime.types;';

  736.       echo '        default_type application/octet-stream;';

  737.       echo '';

  738.       echo '        ##';

  739.       echo '        # Logging Settings';

  740.       echo '        ##';

  741.       echo '';

  742.       echo '        access_log /dev/null;';

  743.       echo '        error_log /dev/null;';

  744.       echo '';

  745.       echo '        ###';

  746.       echo '        # Gzip Settings';

  747.       echo '        ##';

  748.       echo '        gzip on;';

  749.       echo '        gzip_disable "msie6";';

  750.       echo '';

  751.       echo '        # gzip_vary on;';

  752.       echo '        # gzip_proxied any;';

  753.       echo '        # gzip_comp_level 6;';

  754.       echo '        # gzip_buffers 16 8k;';

  755.       echo '        # gzip_http_version 1.1;';

  756.       echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;';

  757.       echo '';

  758.       echo '        ##';

  759.       echo '        # Virtual Host Configs';

  760.       echo '        ##';

  761.       echo '';

  762.       echo '        include /etc/nginx/conf.d/*.conf;';

  763.       echo '        include /etc/nginx/sites-enabled/*;';

  764.       echo '}'; } > /etc/nginx/nginx.conf

  765. 

  766.     # install a script to easily enable and disable nginx virtual hosts

  767.     if [ ! -d "$INSTALL_DIR" ]; then

  768.         mkdir "$INSTALL_DIR"

  769.     fi

  770.     cd "$INSTALL_DIR" || exit 2798462846827

  771.     function_check git_clone

  772.     git_clone "$NGINX_ENSITE_REPO" "$INSTALL_DIR/nginx_ensite"

  773.     cd "$INSTALL_DIR/nginx_ensite" || exit 2468748223

  774.     git checkout "$NGINX_ENSITE_COMMIT" -b "$NGINX_ENSITE_COMMIT"

  775. 

  776.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  777. 

  778.     make install

  779.     nginx_dissite default

  780. 

  781.     function_check configure_firewall_for_web_access

  782.     configure_firewall_for_web_access

  783. 

  784.     mark_completed "${FUNCNAME[0]}"

  785. }

  786. 

  787. function remove_certs {

  788.     domain_name=$1

  789. 

  790.     if [ ! "$domain_name" ]; then

  791.         return

  792.     fi

  793. 

  794.     if [ -f "/etc/ssl/certs/${domain_name}.dhparam" ]; then

  795.         rm "/etc/ssl/certs/${domain_name}.dhparam"

  796.     fi

  797. 

  798.     if [ -f "/etc/ssl/certs/${domain_name}.pem" ]; then

  799.         rm "/etc/ssl/certs/${domain_name}.pem"

  800.     fi

  801. 

  802.     if [ -f "/etc/ssl/certs/${domain_name}.crt" ]; then

  803.         rm "/etc/ssl/certs/${domain_name}.crt"

  804.     fi

  805. 

  806.     if [ -f "/etc/ssl/private/${domain_name}.key" ]; then

  807.         rm "/etc/ssl/private/${domain_name}.key"

  808.     fi

  809. }

  810. 

  811. function configure_firewall_for_web_access {

  812.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  813.         return

  814.     fi

  815.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  816.         # docker does its own firewalling

  817.         return

  818.     fi

  819.     if [[ $ONION_ONLY != "no" ]]; then

  820.         return

  821.     fi

  822.     firewall_add HTTP 80 tcp

  823.     firewall_add HTTPS 443 tcp

  824.     mark_completed "${FUNCNAME[0]}"

  825. }

  826. 

  827. function update_default_domain {

  828.     echo $'Updating default domain'

  829.     if [[ $ONION_ONLY == 'no' ]]; then

  830.         if [ -f /etc/mumble-server.ini ]; then

  831.             if [ ! -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  832.                 if ! grep -q "mumble.pem" /etc/mumble-server.ini; then

  833.                     sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini

  834.                     sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini

  835.                     systemctl restart mumble

  836.                 fi

  837.             else

  838.                 if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then

  839.                     usermod -a -G ssl-cert mumble-server

  840.                     sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini

  841.                     sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini

  842.                     systemctl restart mumble

  843.                 fi

  844.             fi

  845.         fi

  846. 

  847.         if [ -d /etc/prosody ]; then

  848.             if [ ! -d /etc/prosody/certs ]; then

  849.                 mkdir /etc/prosody/certs

  850.             fi

  851.             cp /etc/ssl/private/xmpp* /etc/prosody/certs

  852.             cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  853.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  854.                 usermod -a -G ssl-cert prosody

  855.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  856.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  857.                 fi

  858.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  859.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  860.                 fi

  861. 

  862.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then

  863.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  864.                 fi

  865.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then

  866.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  867.                 fi

  868. 

  869.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  870.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  871.                 fi

  872. 

  873.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  874.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  875.                 fi

  876. 

  877.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then

  878.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  879.                 fi

  880. 

  881.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then

  882.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  883.                 fi

  884.             fi

  885. 

  886.             chown -R prosody:default /etc/prosody

  887.             chmod -R 700 /etc/prosody/certs/*

  888.             chmod 600 /etc/prosody/prosody.cfg.lua

  889.             if [ -d "$INSTALL_DIR/prosody-modules" ]; then

  890.                 cp -r "$INSTALL_DIR/prosody-modules/"* /var/lib/prosody/prosody-modules/

  891.                 cp -r "$INSTALL_DIR/prosody-modules/"* /usr/lib/prosody/modules/

  892.             fi

  893.             chown -R prosody:prosody /var/lib/prosody/prosody-modules

  894.             chown -R prosody:prosody /usr/lib/prosody/modules

  895.             systemctl reload prosody

  896.         fi

  897. 

  898.         if [ -d /home/znc/.znc ]; then

  899.             echo $'znc found'

  900.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  901.                 pkill znc

  902.                 cat "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" > /home/znc/.znc/znc.pem

  903.                 chown znc:znc /home/znc/.znc/znc.pem

  904.                 chmod 700 /home/znc/.znc/znc.pem

  905. 

  906.                 sed -i "s|CertFile =.*|CertFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/ngircd/ngircd.conf

  907.                 sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf

  908.                 sed -i "s|KeyFile =.*|KeyFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/ngircd/ngircd.conf

  909.                 echo $'irc certificates updated'

  910. 

  911.                 systemctl restart ngircd

  912.                 su -c 'znc' - znc

  913.             fi

  914.         fi

  915. 

  916.         if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then

  917.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  918.                 if [ -d /etc/dovecot ]; then

  919.                     if ! grep -q "ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/dovecot/conf.d/10-ssl.conf; then

  920.                         sed -i "s|#ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  921.                         sed -i "s|ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  922.                         systemctl restart dovecot

  923.                     fi

  924.                 fi

  925. 

  926.                 if [ -d /etc/exim4 ]; then

  927.                     # Unfortunately there doesn't appear to be any other way than copying certs here

  928.                     cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem" /etc/exim4/

  929.                     chown root:Debian-exim /etc/exim4/*.pem

  930.                     chmod 640 /etc/exim4/*.pem

  931. 

  932.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  933.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/exim4.conf.template

  934.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  935.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/exim4.conf.template

  936. 

  937.                     systemctl restart exim4

  938.                 fi

  939.             fi

  940.         fi

  941.     fi

  942. }

  943. 

  944. function create_default_web_site {

  945.     if [ ! -f "/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}" ]; then

  946.         # create a web site for the default domain

  947.         if [ ! -d "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs" ]; then

  948.             mkdir -p "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  949.             if [ -d "/root/${PROJECT_NAME}" ]; then

  950.                 cd "/root/${PROJECT_NAME}/website" || exit 24687246468

  951.                 ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  952.             else

  953.                 if [ -d "/home/${MY_USERNAME}/${PROJECT_NAME}" ]; then

  954.                     cd "/home/${MY_USERNAME}/${PROJECT_NAME}" || exit 2462874624

  955.                     ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  956.                 fi

  957.             fi

  958.         fi

  959. 

  960.         # add a config for the default domain

  961.         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME

  962.         if [[ $ONION_ONLY == "no" ]]; then

  963.             function_check nginx_http_redirect

  964.             nginx_http_redirect "$DEFAULT_DOMAIN_NAME"

  965.             { echo 'server {';

  966.               echo '  listen 443 ssl;';

  967.               echo '  #listen [::]:443 ssl;';

  968.               echo "  server_name $DEFAULT_DOMAIN_NAME;";

  969.               echo '';

  970.               echo '  # Security'; } >> "$nginx_site"

  971.             function_check nginx_ssl

  972.             nginx_ssl "$DEFAULT_DOMAIN_NAME" mobile

  973. 

  974.             function_check nginx_security_options

  975.             nginx_security_options "$DEFAULT_DOMAIN_NAME"

  976. 

  977.             { echo '  add_header Strict-Transport-Security max-age=15768000;';

  978.               echo '';

  979.               echo '  # Logs';

  980.               echo '  access_log /dev/null;';

  981.               echo '  error_log /dev/null;';

  982.               echo '';

  983.               echo '  # Root';

  984.               echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  985.               echo '';

  986.               echo '  # Index';

  987.               echo '  index index.html;';

  988.               echo '';

  989.               echo '  # Location';

  990.               echo '  location / {'; } >> "$nginx_site"

  991.             function_check nginx_limits

  992.             nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  993.             { echo '  }';

  994.               echo '';

  995.               echo '  # Restrict access that is unnecessary anyway';

  996.               echo '  location ~ /\.(ht|git) {';

  997.               echo '    deny all;';

  998.               echo '  }';

  999.               echo '}'; } >> "$nginx_site"

  1000.         else

  1001.             echo -n '' > "$nginx_site"

  1002.         fi

  1003.         { echo 'server {';

  1004.           echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;";

  1005.           echo "    server_name $DEFAULT_DOMAIN_NAME;";

  1006.           echo ''; } >> "$nginx_site"

  1007.         function_check nginx_security_options

  1008.         nginx_security_options "$DEFAULT_DOMAIN_NAME"

  1009.         { echo '';

  1010.           echo '  # Logs';

  1011.           echo '  access_log /dev/null;';

  1012.           echo '  error_log /dev/null;';

  1013.           echo '';

  1014.           echo '  # Root';

  1015.           echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  1016.           echo '';

  1017.           echo '  # Location';

  1018.           echo '  location / {'; } >> "$nginx_site"

  1019.         function_check nginx_limits

  1020.         nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  1021.         { echo '  }';

  1022.           echo '';

  1023.           echo '  # Restrict access that is unnecessary anyway';

  1024.           echo '  location ~ /\.(ht|git) {';

  1025.           echo '    deny all;';

  1026.           echo '  }';

  1027.           echo '}'; } >> "$nginx_site"

  1028. 

  1029.         if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1030.             function_check create_site_certificate

  1031.             create_site_certificate "$DEFAULT_DOMAIN_NAME" 'yes'

  1032.         fi

  1033. 

  1034.         nginx_ensite "$DEFAULT_DOMAIN_NAME"

  1035.     fi

  1036. }

  1037. 

  1038. function install_composer {

  1039.     # curl -sS https://getcomposer.org/installer | php

  1040.     if [ -f "${HOME}/${PROJECT_NAME}/image_build/composer_install" ]; then

  1041.         php < "${HOME}/${PROJECT_NAME}/image_build/composer_install"

  1042.     else

  1043.         if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install" ]; then

  1044.             php < "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install"

  1045.         fi

  1046.     fi

  1047.     if [ -f composer.phar ]; then

  1048.         cp composer.phar composer

  1049.     fi

  1050.     if ! php composer.phar install; then

  1051.         echo $'Unable to run composer install'

  1052.         exit 7252198

  1053.     fi

  1054. }

  1055. 

  1056. function email_disable_chunking {

  1057.     if [ -f /etc/exim4/conf.d/main/04_exim4-config_chunking ]; then

  1058.         return

  1059.     fi

  1060.     echo "chunking_advertise_hosts =" > /etc/exim4/conf.d/main/04_exim4-config_chunking

  1061.     update-exim4.conf

  1062.     dpkg-reconfigure --frontend noninteractive exim4-config

  1063.     systemctl restart exim4

  1064. }

  1065. 

  1066. function email_update_onion_domain {

  1067.     email_hostname='/var/lib/tor/hidden_service_email/hostname'

  1068. 

  1069.     cp $email_hostname /etc/skel/.email_onion_domain

  1070. 

  1071.     for d in /home/*/ ; do

  1072.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  1073.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  1074.             cp $email_hostname "/home/$USERNAME/.email_onion_domain"

  1075.             chown "$USERNAME":"$USERNAME" "/home/$USERNAME/.email_onion_domain"

  1076.         fi

  1077.     done

  1078. }

  1079. 

  1080. function email_install_tls {

  1081.     tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  1082.     tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples

  1083.     email_config_changed=

  1084. 

  1085.     if [ ! -f $tls_config_file ]; then

  1086.         tls_config_file=/etc/exim4/exim4.conf.template

  1087.         tls_auth_config_file=$tls_config_file

  1088.     fi

  1089.     if [ ! -f /etc/ssl/certs/exim.dhparam ]; then

  1090.         "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"

  1091.         CHECK_HOSTNAME=exim

  1092.         check_certificates exim

  1093.         cp /etc/ssl/certs/exim.dhparam /etc/exim4

  1094.         chown root:Debian-exim /etc/exim4/exim.dhparam

  1095.         chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam

  1096.         email_config_changed=1

  1097.     fi

  1098.     if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then

  1099.         sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\\MAIN_HARDCODE_PRIMARY_HOSTNAME =\\nMAIN_TLS_ENABLE = true" "$tls_config_file"

  1100.         email_config_changed=1

  1101.     fi

  1102.     if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then

  1103.         sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file

  1104.         email_config_changed=1

  1105.     fi

  1106.     if grep -q '# login_saslauthd_server' $tls_auth_config_file; then

  1107.         sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file

  1108.         email_config_changed=1

  1109.     fi

  1110.     if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1111.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/exim4/

  1112.         chown root:Debian-exim /etc/exim4/*.pem

  1113.         chmod 640 /etc/exim4/*.pem

  1114. 

  1115.         if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then

  1116.             sed -i "/.ifdef MAIN_TLS_CERTKEY/i\\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file

  1117.             email_config_changed=1

  1118.         fi

  1119.     fi

  1120.     if [ -f "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" ]; then

  1121.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/exim4/

  1122.         chown root:Debian-exim /etc/exim4/*.pem

  1123.         chmod 640 /etc/exim4/*.pem

  1124. 

  1125.         if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then

  1126.             sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file

  1127.             email_config_changed=1

  1128.         fi

  1129.     fi

  1130.     if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then

  1131.         sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4

  1132.         email_config_changed=1

  1133.     fi

  1134.     if [ $email_config_changed ]; then

  1135.         systemctl restart saslauthd

  1136.         systemctl restart exim4

  1137.     fi

  1138. }

  1139. 

  1140. function install_web_local_user_interface {

  1141.     # TODO

  1142.     # This is intended as a placeholder for a potential local web user interface

  1143.     # similar to Plinth or the yunohost admin interface

  1144.     local_hostname=$(grep 'host-name' /etc/avahi/avahi-daemon.conf | awk -F '=' '{print $2}').local

  1145. 

  1146.     if [ ! -d "/var/www/${local_hostname}/htdocs" ]; then

  1147.         mkdir -p "/var/www/${local_hostname}/htdocs"

  1148.     fi

  1149. 

  1150.     { echo '<html>';

  1151.       echo '  <body>';

  1152.       echo "  This is a test on ${local_hostname}";

  1153.       echo '  </body>';

  1154.       echo '</html>'; } > "/var/www/${local_hostname}/htdocs/index.html"

  1155. 

  1156.     nginx_file=/etc/nginx/sites-available/$local_hostname

  1157.     { echo 'server {';

  1158.       echo '  listen 80;';

  1159.       echo '  listen [::]:80;';

  1160.       echo "  server_name ${local_hostname};";

  1161.       echo "  root /var/www/${local_hostname}/htdocs;";

  1162.       echo '  index index.html;';

  1163.       echo '';

  1164.       echo '  access_log /dev/null;';

  1165.       echo '  error_log /dev/null;';

  1166.       echo '';

  1167.       echo '  location /icons {';

  1168.       echo '    autoindex on;';

  1169.       echo '    break;';

  1170.       echo '  }';

  1171.       echo '';

  1172.       echo '  rewrite ^/plinth/(.*)$ /api.json last;';

  1173.       echo '';

  1174.       echo '  location / {';

  1175.       echo "    root /var/www/${local_hostname}/htdocs/plinth;";

  1176.       echo '    index api.json /api.json;';

  1177.       echo "    error_page 405 = \$uri;";

  1178.       echo '  }';

  1179.       echo '}';

  1180.       echo '';

  1181.       echo 'server {';

  1182.       echo '  listen 443 ssl;';

  1183.       echo '  #listen [::]:443 ssl;';

  1184.       echo "  server_name ${local_hostname};";

  1185.       echo "  root /var/www/${local_hostname}/htdocs;";

  1186.       echo '  index index.html;';

  1187.       echo '';

  1188.       echo '  access_log /dev/null;';

  1189.       echo '  error_log /dev/null;';

  1190.       echo ''; } > "$nginx_file"

  1191. 

  1192.     nginx_ssl "${local_hostname}"

  1193.     nginx_security_options "${local_hostname}"

  1194. 

  1195.     { echo '  add_header Strict-Transport-Security max-age=0;';

  1196.       echo '';

  1197.       echo '  location /icons {';

  1198.       echo '    autoindex on;';

  1199.       echo '    break;';

  1200.       echo '  }';

  1201.       echo '';

  1202.       echo '  rewrite ^/plinth/(.*)$ /api.json last;';

  1203.       echo '';

  1204.       echo '  location / {';

  1205.       echo "    root /var/www/${local_hostname}/htdocs/plinth;";

  1206.       echo '    index api.json /api.json;';

  1207.       echo "    error_page 405 = \$uri;";

  1208.       echo '  }';

  1209.       echo '}'; } >> "$nginx_file"

  1210. 

  1211.     if [ ! -f "/etc/ssl/certs/${local_hostname}.crt" ]; then

  1212.         "${PROJECT_NAME}-addcert" -h "${local_hostname}" --dhkey "${DH_KEYLENGTH}"

  1213.     fi

  1214. 

  1215.     sed -i "s|ssl_certificate .*|ssl_certificate /etc/ssl/certs/${local_hostname}.crt;|g" "$nginx_file"

  1216.     sed -i "s|ssl_certificate_key .*|ssl_certificate_key /etc/ssl/private/${local_hostname}.key;|g" "$nginx_file"

  1217. 

  1218.     nginx_ensite "${local_hostname}"

  1219. 

  1220.     # Compatibility with FreedomBox android app

  1221.     # The installed apps get published to a json file called api.json

  1222.     # in this directory

  1223.     if [ ! -d "/var/www/${local_hostname}/htdocs/plinth" ]; then

  1224.         mkdir -p "/var/www/${local_hostname}/htdocs/plinth"

  1225.     fi

  1226. 

  1227.     chown -R www-data:www-data "/var/www/${local_hostname}/htdocs"

  1228. }

  1229. 

  1230. # NOTE: deliberately no exit 0