freedombone/src/freedombone-sec

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# Alters the security settings
#
# License
# =======
#
# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-sec
export TEXTDOMAINDIR="/usr/share/locale"

SSL_PROTOCOLS=
SSL_CIPHERS=
SSH_CIPHERS=
SSH_MACS=
SSH_KEX=
SSH_HOST_KEY_ALGORITHMS=
SSH_PASSWORDS=
XMPP_CIPHERS=
XMPP_ECC_CURVE=

WEBSITES_DIRECTORY='/etc/nginx/sites-available'
DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
SSH_CONFIG='/etc/ssh/sshd_config'
XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

MINIMUM_LENGTH=6

IMPORT_FILE=
EXPORT_FILE=

CURRENT_DIR=$(pwd)

REGENERATE_SSH_HOST_KEYS="no"
REGENERATE_DH_KEYS="no"
DH_KEYLENGTH=2048

function get_protocols_from_website {
  if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
      return
  fi
  SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
}

function get_ciphers_from_website {
  if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
      return
  fi
  SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
}

function get_website_settings {
  if [ ! -d $WEBSITES_DIRECTORY ]; then
      return
  fi

  cd $WEBSITES_DIRECTORY
  for file in `dir -d *` ; do
      get_protocols_from_website $file
      if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
          get_ciphers_from_website $file
          if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
              break
          else
              SSL_PROTOCOLS=""
          fi
      fi
  done
}

function get_imap_settings {
  if [ ! -f $DOVECOT_CIPHERS ]; then
      return
  fi
  # clear commented out cipher list
  sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  if [ $SSL_CIPHERS ]; then
      return
  fi
  if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
      return
  fi
  SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
}

function get_xmpp_settings {
  if [ ! -f $XMPP_CONFIG ]; then
      return
  fi
  XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
}

function get_ssh_settings {
  if [ -f $SSH_CONFIG ]; then
      SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
      SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
      SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
      SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  fi
  if [ -f /etc/ssh/ssh_config ]; then
      SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
      if [ ! $SSH_CIPHERS ]; then
          SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
      fi
      if [ ! $SSH_MACS ]; then
          SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
      fi
  fi
}

function change_website_settings {
  if [ ! "$SSL_PROTOCOLS" ]; then
      return
  fi
  if [ ! $SSL_CIPHERS ]; then
      return
  fi
  if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
      return
  fi
  if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
      return
  fi
  if [ ! -d $WEBSITES_DIRECTORY ]; then
      return
  fi

  cd $WEBSITES_DIRECTORY
  for file in `dir -d *` ; do
      sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
      sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  done
  service nginx restart
  echo $'Web security settings changed'
}

function change_imap_settings {
  if [ ! -f $DOVECOT_CIPHERS ]; then
      return
  fi
  if [ ! $SSL_CIPHERS ]; then
      return
  fi
  if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
      return
  fi
  sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  service dovecot restart
  echo $'imap security settings changed'
}

function change_ssh_settings {
  if [ -f /etc/ssh/ssh_config ]; then
      if [ $SSH_HOST_KEY_ALGORITHMS ]; then
          sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
          echo $'ssh client security settings changed'
      fi
  fi
  if [ -f $SSH_CONFIG ]; then
      if [ ! $SSH_CIPHERS ]; then
          return
      fi
      if [ ! $SSH_MACS ]; then
          return
      fi
      if [ ! $SSH_KEX ]; then
          return
      fi
      if [ ! $SSH_PASSWORDS ]; then
          return
      fi

      sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
      sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
      sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
      sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
      service ssh restart
      echo $'ssh server security settings changed'
  fi
}

function change_xmpp_settings {
  if [ ! -f $XMPP_CONFIG ]; then
      return
  fi
  if [ ! $XMPP_CIPHERS ]; then
      return
  fi
  if [ ! $XMPP_ECC_CURVE ]; then
      return
  fi
  sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  service prosody restart
  echo $'xmpp security settings changed'
}

function interactive_setup {
  if [ $SSL_CIPHERS ]; then
      data=$(tempfile 2>/dev/null)
      trap "rm -f $data" 0 1 2 5 15
      dialog --backtitle "Freedombone Security Configuration" \
          --form "\nWeb/IMAP Ciphers:" 10 95 2 \
          "Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
          "Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
          2> $data
      sel=$?
      case $sel in
          1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
             SSL_CIPHERS=$(cat $data | sed -n 2p)
             ;;
          255) exit 0;;
      esac
  fi

  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  if [ $SSH_HOST_KEY_ALGORITHMS ]; then
      dialog --backtitle "Freedombone Security Configuration" \
        --form "\nSecure Shell Ciphers:" 13 95 4 \
         "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
         "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
         "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
         "Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
         2> $data
      sel=$?
      case $sel in
          1) SSH_CIPHERS=$(cat $data | sed -n 1p)
             SSH_MACS=$(cat $data | sed -n 2p)
             SSH_KEX=$(cat $data | sed -n 3p)
             SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
             ;;
          255) exit 0;;
      esac
  else
      dialog --backtitle "Freedombone Security Configuration" \
        --form "\nSecure Shell Ciphers:" 11 95 3 \
         "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
         "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
         "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
         2> $data
      sel=$?
      case $sel in
          1) SSH_CIPHERS=$(cat $data | sed -n 1p)
             SSH_MACS=$(cat $data | sed -n 2p)
             SSH_KEX=$(cat $data | sed -n 3p)
             ;;
          255) exit 0;;
      esac
  fi

  if [[ $SSH_PASSWORDS == "yes" ]]; then
      dialog --title "SSH Passwords" \
          --backtitle "Freedombone Security Configuration" \
          --yesno "\nAllow SSH login using passwords?" 7 60
  else
      dialog --title "SSH Passwords" \
          --backtitle "Freedombone Security Configuration" \
          --defaultno \
          --yesno "\nAllow SSH login using passwords?" 7 60
  fi
  sel=$?
  case $sel in
      0) SSH_PASSWORDS="yes";;
      1) SSH_PASSWORDS="no";;
      255) exit 0;;
  esac

  if [ $XMPP_CIPHERS ]; then
      data=$(tempfile 2>/dev/null)
      trap "rm -f $data" 0 1 2 5 15
      dialog --backtitle "Freedombone Security Configuration" \
          --form "\nXMPP Ciphers:" 10 95 2 \
          "Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
          "ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
          2> $data
      sel=$?
      case $sel in
          1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
             XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
             ;;
          255) exit 0;;
      esac
  fi

  dialog --title "Final Confirmation" \
      --backtitle "Freedombone Security Configuration" \
      --defaultno \
      --yesno "\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  sel=$?
  case $sel in
      1) clear
         echo $'Exiting without changing security settings'
         exit 0;;
      255) clear
           echo $'Exiting without changing security settings'
           exit 0;;
  esac

  clear
}

function regenerate_ssh_host_keys {
  if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
      rm -f /etc/ssh/ssh_host_*
      dpkg-reconfigure openssh-server
      echo $'ssh host keys regenerated'
      # remove small moduli
      awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
      mv ~/moduli /etc/ssh/moduli
      echo $'ssh small moduli removed'
      systemctl restart ssh
  fi
}

function regenerate_dh_keys {
  if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
      if [ ! -d /etc/ssl/mycerts ]; then
          echo $'No dhparam certificates were found'
          return
      fi

      data=$(tempfile 2>/dev/null)
      trap "rm -f $data" 0 1 2 5 15
      dialog --backtitle "Freedombone Security Configuration" \
             --title "Diffie-Hellman key length" \
             --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
             1 "2048 bits" off \
             2 "3072 bits" on \
             3 "4096 bits" off 2> $data
      sel=$?
      case $sel in
          1) exit 1;;
          255) exit 1;;
      esac
      case $(cat $data) in
          1) DH_KEYLENGTH=2048;;
          2) DH_KEYLENGTH=3072;;
          3) DH_KEYLENGTH=4096;;
      esac

      ctr=0
      for file in /etc/ssl/mycerts/*
      do
          if [[ -f $file ]]; then
              filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
              if [ -f $filename ]; then
                  openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
				  if [ ! "$?" = "0" ]; then
					  exit 3674
				  fi
                  ctr=$((ctr + 1))
              fi
          fi
      done
      echo $"$ctr dhparam certificates were regenerated"
  fi
}

function renew_startssl {
  renew_domain=
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title "Renew a StartSSL certificate" \
         --backtitle "Freedombone Security Settings" \
         --inputbox "Enter the domain name" 8 60 2>$data
  sel=$?
  case $sel in
      0)
          renew_domain=$(<$data)
          ;;
  esac

  if [ ! $renew_domain ]; then
	  return
  fi

  if [[ $renew_domain == "http"* ]]; then
      dialog --title "Renew a StartSSL certificate" \
             --msgbox "Don't include the https://" 6 40
	  return
  fi

  if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
      dialog --title "Renew a StartSSL certificate" \
             --msgbox "An existing certificate for $renew_domain was not found" 6 40
	  return
  fi

  if [[ $renew_domain != *"."* ]]; then
      dialog --title "Renew a StartSSL certificate" \
             --msgbox "Invalid domain name: $renew_domain" 6 40
	  return
  fi

  freedombone-renew-cert -h $renew_domain -p startssl

  exit 0
}

function renew_letsencrypt {
  renew_domain=
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title "Renew a Let's Encrypt certificate" \
         --backtitle "Freedombone Security Settings" \
         --inputbox "Enter the domain name" 8 60 2>$data
  sel=$?
  case $sel in
      0)
          renew_domain=$(<$data)
          ;;
  esac

  if [ ! $renew_domain ]; then
	  return
  fi

  if [[ $renew_domain == "http"* ]]; then
      dialog --title "Renew a Let's Encrypt certificate" \
             --msgbox "Don't include the https://" 6 40
	  return
  fi

  if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
      dialog --title "Renew a Let's Encrypt certificate" \
             --msgbox "An existing certificate for $renew_domain was not found" 6 40
	  return
  fi

  if [[ $renew_domain != *"."* ]]; then
      dialog --title "Renew a Let's Encrypt certificate" \
             --msgbox "Invalid domain name: $renew_domain" 6 40
	  return
  fi

  freedombone-renew-cert -h $renew_domain -p 'letsencrypt'

  exit 0
}

function housekeeping {
  cmd=(dialog --separate-output \
              --backtitle "Freedombone Security Configuration" \
              --title "Housekeeping options" \
              --checklist "If you don't need to do any of these things then just press Enter:" 10 76 16)
  options=(1 "Regenerate ssh host keys" off
           2 "Regenerate Diffie-Hellman keys" off
           3 "Renew a StartSSL certificate" off
           4 "Renew Let's Encrypt certificate" off)
  choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
  clear
  for choice in $choices
  do
    case $choice in
      1)
        REGENERATE_SSH_HOST_KEYS="yes"
        ;;
      2)
        REGENERATE_DH_KEYS="yes"
        ;;
      3)
        renew_startssl
        ;;
      4)
        renew_letsencrypt
        ;;
    esac
  done
}

function import_settings {
  cd $CURRENT_DIR

  if [ ! $IMPORT_FILE ]; then
      return
  fi

  if [ ! -f $IMPORT_FILE ]; then
      echo $"Import file $IMPORT_FILE not found"
      exit 6393
  fi

  if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
          SSL_PROTOCOLS=$TEMP_VALUE
      fi
  fi
  if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
          SSL_CIPHERS=$TEMP_VALUE
      fi
  fi
  if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
          SSH_CIPHERS=$TEMP_VALUE
      fi
  fi
  if grep -q "SSH_MACS" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
          SSH_MACS=$TEMP_VALUE
      fi
  fi
  if grep -q "SSH_KEX" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
          SSH_KEX=$TEMP_VALUE
      fi
  fi
  if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
          SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
      fi
  fi
  if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
          SSH_PASSWORDS=$TEMP_VALUE
      fi
  fi
  if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
          XMPP_CIPHERS=$TEMP_VALUE
      fi
  fi
  if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
      TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
      if [ ${#TEMP_VALUE} -gt 3 ]; then
          XMPP_ECC_CURVE=$TEMP_VALUE
      fi
  fi
}

function export_settings {
  if [ ! $EXPORT_FILE ]; then
      return
  fi

  cd $CURRENT_DIR

  if [ ! -f $EXPORT_FILE ]; then
      if [ "$SSL_PROTOCOLS" ]; then
          echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
      fi
      if [ $SSL_CIPHERS ]; then
          echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
      fi
      if [ $SSH_CIPHERS ]; then
          echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
      fi
      if [ $SSH_MACS ]; then
          echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
      fi
      if [ $SSH_KEX ]; then
          echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
      fi
      if [ $SSH_HOST_KEY_ALGORITHMS ]; then
          echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
      fi
      if [ $SSH_PASSWORDS ]; then
          echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
      fi
      if [ $XMPP_CIPHERS ]; then
          echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
      fi
      if [ $XMPP_ECC_CURVE ]; then
          echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
      fi
      echo "Security settings exported to $EXPORT_FILE"
      exit 0
  fi

  if [ "$SSL_PROTOCOLS" ]; then
      if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
          sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
      else
          echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
      fi
  fi
  if [ $SSL_CIPHERS ]; then
      if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
          sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
      else
          echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
      fi
  fi
  if [ $SSH_CIPHERS ]; then
      if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
          sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
      else
          echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
      fi
  fi
  if [ $SSH_MACS ]; then
      if grep -q "SSH_MACS" $EXPORT_FILE; then
          sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
      else
          echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
      fi
  fi
  if [ $SSH_KEX ]; then
      if grep -q "SSH_KEX" $EXPORT_FILE; then
          sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
      else
          echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
      fi
  fi
  if [ $SSH_HOST_KEY_ALGORITHMS ]; then
      if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
          sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
      else
          echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
      fi
  fi
  if [ $SSH_PASSWORDS ]; then
      if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
          sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
      else
          echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
      fi
  fi
  if [ $XMPP_CIPHERS ]; then
      if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
          sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
      else
          echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
      fi
  fi
  if [ $XMPP_ECC_CURVE ]; then
      if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
          sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
      else
          echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
      fi
  fi
  echo $"Security settings exported to $EXPORT_FILE"
  exit 0
}

function show_help {
  echo ''
  echo "${PROJECT_NAME}-sec"
  echo ''
  echo $'Alters the security settings'
  echo ''
  echo ''
  echo $'  -h --help             Show help'
  echo $'  -e --export           Export security settings to a file'
  echo $'  -i --import           Import security settings from a file'
  echo ''
  exit 0
}


# Get the commandline options
while [[ $# > 1 ]]
do
key="$1"

case $key in
    -h|--help)
    show_help
    ;;
    # Export settings
    -e|--export)
    shift
    EXPORT_FILE="$1"
    ;;
    # Export settings
    -i|--import)
    shift
    IMPORT_FILE="$1"
    ;;
    *)
    # unknown option
    ;;
esac
shift
done

housekeeping
get_website_settings
get_imap_settings
get_ssh_settings
get_xmpp_settings
import_settings
export_settings
interactive_setup
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
regenerate_ssh_host_keys
regenerate_dh_keys
exit 0