free
/
freedombone
關註 1
收藏 0
複製 0
程式碼 問題管理 0 合併請求 0 版本發佈 0 Wiki Activity
9204 Commit
5 分支
目錄樹: 969ded313e
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '969ded313e'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 44KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106 
  1. #!/bin/bash

  2. #  _____               _           _

  3. # |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___

  4. # |   __|  _| -_| -_| . | . |     | . | . |   | -_|

  5. # |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|

  6. #

  7. #                              Freedom in the Cloud

  8. #

  9. # Web related functions

  10. #

  11. # License

  12. # =======

  13. #

  14. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>

  15. #

  16. # This program is free software: you can redistribute it and/or modify

  17. # it under the terms of the GNU Affero General Public License as published by

  18. # the Free Software Foundation, either version 3 of the License, or

  19. # (at your option) any later version.

  20. #

  21. # This program is distributed in the hope that it will be useful,

  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24. # GNU Affero General Public License for more details.

  25. #

  26. # You should have received a copy of the GNU Affero General Public License

  27. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28. 

  29. # default search engine for command line browser

  30. DEFAULT_SEARCH='https://searx.laquadrature.net'

  31. 

  32. # onion port for the default domain

  33. DEFAULT_DOMAIN_ONION_PORT=8099

  34. 

  35. # Whether Let's Encrypt is enabled for all sites

  36. LETSENCRYPT_ENABLED="yes"

  37. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  38. 

  39. # list of encryption protocols

  40. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  41. 

  42. # Mozilla recommended default ciphers. These work better on Android

  43. # See https://wiki.mozilla.org/Security/Server_Side_TLS

  44. SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

  45. 

  46. # some mobile apps (eg. NextCloud) have not very good cipher compatibility.

  47. # These ciphers can be used for those cases

  48. SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"

  49. 

  50. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  51. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  52. 

  53. # memory limit for php in MB

  54. MAX_PHP_MEMORY=64

  55. 

  56. # logging level for Nginx

  57. WEBSERVER_LOG_LEVEL='warn'

  58. 

  59. # test a domain name to see if it's valid

  60. function validate_domain_name {

  61.     # count the number of dots in the domain name

  62.     dots=${TEST_DOMAIN_NAME//[^.]}

  63.     no_of_dots=${#dots}

  64.     if (( no_of_dots > 3 )); then

  65.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  66.     fi

  67.     if (( no_of_dots == 0 )); then

  68.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  69.     fi

  70. }

  71. 

  72. function nginx_security_options {

  73.     domain_name=$1

  74.     filename=/etc/nginx/sites-available/$domain_name

  75.     { echo '    add_header X-Frame-Options DENY;';

  76.       echo '    add_header X-Content-Type-Options nosniff;';

  77.       echo '    add_header X-XSS-Protection "1; mode=block";';

  78.       echo '    add_header X-Robots-Tag none;';

  79.       echo '    add_header X-Download-Options noopen;';

  80.       echo '    add_header X-Permitted-Cross-Domain-Policies none;';

  81.       echo ''; } >> "$filename"

  82. }

  83. 

  84. function nginx_limits {

  85.     domain_name=$1

  86.     max_body='20m'

  87.     if [ "$2" ]; then

  88.         max_body=$2

  89.     fi

  90.     filename=/etc/nginx/sites-available/$domain_name

  91.     { echo "    client_max_body_size ${max_body};";

  92.       echo '    client_body_buffer_size 128k;';

  93.       echo '';

  94.       echo '    limit_conn conn_limit_per_ip 10;';

  95.       echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;';

  96.       echo ''; } >> "$filename"

  97. }

  98. 

  99. function nginx_stapling {

  100.     domain_name="$1"

  101.     filename=/etc/nginx/sites-available/$domain_name

  102.     { echo "    ssl_stapling on;";

  103.       echo '    ssl_stapling_verify on;';

  104.       echo "    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;";

  105.       echo ''; } >> "$filename"

  106. }

  107. 

  108. function nginx_http_redirect {

  109.     # redirect port 80 to https

  110.     domain_name=$1

  111.     filename=/etc/nginx/sites-available/$domain_name

  112.     { echo 'server {';

  113.       echo '    listen 80;';

  114.       echo '    listen [::]:80;';

  115.       echo "    server_name ${domain_name};";

  116.       echo "    root /var/www/${domain_name}/htdocs;";

  117.       echo '    access_log /dev/null;';

  118.       echo "    error_log /dev/null;"; } > "$filename"

  119.     function_check nginx_limits

  120.     nginx_limits "$domain_name"

  121.     if [ ${#2} -gt 0 ]; then

  122.         echo "    $2;" >> "$filename"

  123.     fi

  124.     { echo "    rewrite ^ https://\$server_name\$request_uri? permanent;";

  125.       echo '}';

  126.       echo ''; } >> "$filename"

  127. }

  128. 

  129. function nginx_compress {

  130.     domain_name=$1

  131.     filename=/etc/nginx/sites-available/$domain_name

  132. 

  133.     { echo '    gzip            on;';

  134.       echo '    gzip_min_length 1000;';

  135.       echo '    gzip_proxied    expired no-cache no-store private auth;';

  136.       echo '    gzip_types      text/plain application/xml;'; } >> "$filename"

  137. }

  138. 

  139. function nginx_ssl {

  140.     # creates the SSL/TLS section for a website

  141.     domain_name=$1

  142.     mobile_ciphers=$2

  143.     filename=/etc/nginx/sites-available/$domain_name

  144. 

  145.     { echo '    ssl_stapling off;';

  146.       echo '    ssl_stapling_verify off;';

  147.       echo '    ssl on;';

  148.       echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;";

  149.       echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;";

  150.       echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;";

  151.       echo '';

  152.       echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;';

  153.       echo '    ssl_session_timeout 60m;';

  154.       echo '    ssl_prefer_server_ciphers on;';

  155.       echo "    ssl_protocols $SSL_PROTOCOLS;"; } >> "$filename"

  156.     if [ "$mobile_ciphers" ]; then

  157.         echo "    # Mobile compatible ciphers" >> "$filename"

  158.         echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> "$filename"

  159.     else

  160.         echo "    ssl_ciphers '$SSL_CIPHERS';" >> "$filename"

  161.     fi

  162.     echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> "$filename"

  163. 

  164.     #nginx_stapling $1

  165. }

  166. 

  167. # check an individual domain name

  168. function test_domain_name {

  169.     if [ "$1" ]; then

  170.         TEST_DOMAIN_NAME=$1

  171.         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then

  172.             function_check validate_domain_name

  173.             validate_domain_name

  174.             if [[ "$TEST_DOMAIN_NAME" != "$1" ]]; then

  175.                 echo $"Invalid domain name $TEST_DOMAIN_NAME"

  176.                 exit 8528

  177.             fi

  178.         fi

  179.     fi

  180. }

  181. 

  182. # Checks whether certificates were generated for the given hostname

  183. function check_certificates {

  184.     if [ ! "$1" ]; then

  185.         echo $'No certificate name provided'

  186.         exit 3568736585683

  187.     fi

  188.     USE_LETSENCRYPT='no'

  189.     if [ "$2" ]; then

  190.         USE_LETSENCRYPT="$2"

  191.     fi

  192.     if [[ $USE_LETSENCRYPT == 'no' || "$ONION_ONLY" != 'no' ]]; then

  193.         if [ ! -f "/etc/ssl/private/${1}.key" ]; then

  194.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  195.             exit 63959

  196.         fi

  197.         if [ ! -f "/etc/ssl/certs/${1}.crt" ]; then

  198.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  199.             exit 7679

  200.         fi

  201. 

  202.         if grep -q "${1}.pem" "/etc/nginx/sites-available/${1}"; then

  203.             sed -i "s|${1}.pem|${1}.crt|g" "/etc/nginx/sites-available/${1}"

  204.         fi

  205.     else

  206.         if [ ! -f "/etc/letsencrypt/live/${1}/privkey.pem" ]; then

  207.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  208.             exit 6282

  209.         fi

  210.         if [ ! -f "/etc/letsencrypt/live/${1}/fullchain.pem" ]; then

  211.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  212.             exit 5328

  213.         fi

  214.         if grep -q "${1}.crt" "/etc/nginx/sites-available/${1}"; then

  215.             sed -i "s|${1}.crt|${1}.pem|g" "/etc/nginx/sites-available/${1}"

  216.         fi

  217.     fi

  218.     if [ ! -f "/etc/ssl/certs/${1}.dhparam" ]; then

  219.         echo $"DiffieHellman parameters for ${CHECK_HOSTNAME} were not created"

  220.         exit 5989

  221.     fi

  222. }

  223. 

  224. function cert_exists {

  225.     cert_type='dhparam'

  226.     if [ "$2" ]; then

  227.         cert_type="$2"

  228.     fi

  229.     if [ -f "/etc/ssl/certs/${1}.${cert_type}" ]; then

  230.         echo "1"

  231.     else

  232.         if [ -f "/etc/letsencrypt/live/${1}/fullchain.${cert_type}" ]; then

  233.             echo "1"

  234.         else

  235.             echo "0"

  236.         fi

  237.     fi

  238. }

  239. 

  240. function create_self_signed_cert {

  241.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  242.         echo $'No site domain specified for self signed cert'

  243.         exit 4638565385

  244.     fi

  245.     "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  246.     function_check check_certificates

  247.     check_certificates "${SITE_DOMAIN_NAME}"

  248. }

  249. 

  250. function create_letsencrypt_cert {

  251.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  252.         echo $'No site domain specified for letsencrypt cert'

  253.         exit 246824624

  254.     fi

  255. 

  256.     if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then

  257.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  258.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  259.             "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  260.             function_check check_certificates

  261.             CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  262.             check_certificates "${SITE_DOMAIN_NAME}"

  263.         else

  264.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  265.             if [ -f "/etc/nginx/sites-available/$SITE_DOMAIN_NAME" ]; then

  266.                 nginx_dissite "$SITE_DOMAIN_NAME"

  267.                 systemctl restart nginx

  268.             fi

  269.             exit 682529

  270.         fi

  271.         return

  272.     fi

  273. 

  274.     function_check check_certificates

  275.     CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  276.     check_certificates "${SITE_DOMAIN_NAME}" 'yes'

  277. }

  278. 

  279. function create_site_certificate {

  280.     SITE_DOMAIN_NAME="$1"

  281. 

  282.     # if yes then only "valid" certs are allowed, not self-signed

  283.     NO_SELF_SIGNED='no'

  284.     if [ "$2" ]; then

  285.         NO_SELF_SIGNED="$2"

  286.     fi

  287. 

  288.     if [[ $ONION_ONLY == "no" ]]; then

  289.         if [[ "$(cert_exists "${SITE_DOMAIN_NAME}")" == "0" ]]; then

  290.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  291.                 create_self_signed_cert

  292.             else

  293.                 create_letsencrypt_cert

  294.             fi

  295.         else

  296.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  297.                 if [[ "$(cert_exists "${SITE_DOMAIN_NAME}" pem)" == "0" ]]; then

  298.                     create_letsencrypt_cert

  299.                 fi

  300.             fi

  301.         fi

  302.     fi

  303. }

  304. 

  305. # script to automatically renew any Let's Encrypt certificates

  306. function letsencrypt_renewals {

  307.     if [[ $ONION_ONLY != "no" ]]; then

  308.         return

  309.     fi

  310. 

  311.     renewals_script=/tmp/renewals_letsencrypt

  312.     renewals_retry_script=/tmp/renewals_retry_letsencrypt

  313.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  314.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  315. 

  316.     # the main script tries to renew once per month

  317.     { echo '#!/bin/bash';

  318.       echo '';

  319.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  320.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  321.       echo '';

  322.       echo 'if [ -d /etc/letsencrypt ]; then';

  323.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  324.       echo '        rm ~/letsencrypt_failed';

  325.       echo '    fi';

  326.       echo -n "    ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  327.       echo -n "awk -F ':' '{print ";

  328.       echo -n "\$2";

  329.       echo "}')";

  330.       echo "    ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  331.       echo '    for d in /etc/letsencrypt/live/*/ ; do';

  332.       echo -n "        LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  333.       echo -n "awk -F '/' '{print ";

  334.       echo -n "\$5";

  335.       echo "}')";

  336.       echo "        if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  337.       echo "            \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  338.       echo '            if [ ! "$?" = "0" ]; then';

  339.       echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  340.       echo '                echo "" >> ~/temp_renewletsencrypt.txt';

  341.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  342.       echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  343.       echo "\$ADMIN_EMAIL_ADDRESS";

  344.       echo '                rm ~/temp_renewletsencrypt.txt';

  345.       echo '                if [ ! -f ~/letsencrypt_failed ]; then';

  346.       echo '                    touch ~/letsencrypt_failed';

  347.       echo '                fi';

  348.       echo '            fi';

  349.       echo '        fi';

  350.       echo '    done';

  351.       echo 'fi'; } > "$renewals_script"

  352.     chmod +x "$renewals_script"

  353. 

  354.     if [ ! -f /etc/cron.monthly/letsencrypt ]; then

  355.         cp $renewals_script /etc/cron.monthly/letsencrypt

  356.     else

  357.         HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')

  358.         HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')

  359.         if [[ "$HASH1" != "$HASH2" ]]; then

  360.             cp $renewals_script /etc/cron.monthly/letsencrypt

  361.         fi

  362.     fi

  363.     rm $renewals_script

  364. 

  365.     # a secondary script keeps trying to renew after a failure

  366.     { echo '#!/bin/bash';

  367.       echo '';

  368.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  369.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  370.       echo '';

  371.       echo 'if [ -d /etc/letsencrypt ]; then';

  372.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  373.       echo '        rm ~/letsencrypt_failed';

  374.       echo -n "        ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  375.       echo -n "awk -F ':' '{print ";

  376.       echo -n "\$2";

  377.       echo "}')";

  378.       echo "        ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  379.       echo '        for d in /etc/letsencrypt/live/*/ ; do';

  380.       echo -n "            LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  381.       echo -n "awk -F '/' '{print ";

  382.       echo -n "\$5";

  383.       echo "}')";

  384.       echo "            if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  385.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  386.       echo '                if [ ! "$?" = "0" ]; then';

  387.       echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  388.       echo '                    echo "" >> ~/temp_renewletsencrypt.txt';

  389.       echo "                    \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  390.       echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  391.       echo "\$ADMIN_EMAIL_ADDRESS";

  392.       echo '                    rm ~/temp_renewletsencrypt.txt';

  393.       echo '                    if [ ! -f ~/letsencrypt_failed ]; then';

  394.       echo '                        touch ~/letsencrypt_failed';

  395.       echo '                    fi';

  396.       echo '                fi';

  397.       echo '            fi';

  398.       echo '        done';

  399.       echo '    fi';

  400.       echo 'fi'; } > "$renewals_retry_script"

  401.     chmod +x "$renewals_retry_script"

  402. 

  403.     if [ ! -f /etc/cron.daily/letsencrypt ]; then

  404.         cp $renewals_retry_script /etc/cron.daily/letsencrypt

  405.     else

  406.         HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')

  407.         HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')

  408.         if [[ "$HASH1" != "$HASH2" ]]; then

  409.             cp $renewals_retry_script /etc/cron.daily/letsencrypt

  410.         fi

  411.     fi

  412.     rm $renewals_retry_script

  413. }

  414. 

  415. function configure_php {

  416.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/fpm/php.ini

  417.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.0/fpm/php.ini

  418.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/cli/php.ini

  419.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/fpm/php.ini

  420.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/cli/php.ini

  421.     sed -i "s/post_max_size =.*/post_max_size = 50M/g" /etc/php/7.0/fpm/php.ini

  422. }

  423. 

  424. function install_web_server_access_control {

  425.     if [ ! -f /etc/pam.d/nginx ]; then

  426.         { echo '#%PAM-1.0';

  427.           echo '@include common-auth';

  428.           echo '@include common-account';

  429.           echo '@include common-session'; } > /etc/pam.d/nginx

  430.     fi

  431. }

  432. 

  433. function install_dynamicdns {

  434.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  435.         return

  436.     fi

  437.     if [[ $ONION_ONLY != "no" ]]; then

  438.         return

  439.     fi

  440. 

  441.     CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")

  442.     if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then

  443.         return

  444.     fi

  445. 

  446.     # update to the next commit

  447.     function_check set_repo_commit

  448.     set_repo_commit "$INSTALL_DIR/inadyn" "inadyn commit" "$INADYN_COMMIT" "$INADYN_REPO"

  449. 

  450.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  451.         return

  452.     fi

  453. 

  454.     # Here we compile from source because the current package

  455.     # doesn't support https, which could result in passwords

  456.     # being leaked

  457.     # Debian version 1.99.4-1

  458.     # https version 1.99.8

  459. 

  460.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  461.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  462.         if [ -d /repos/inadyn ]; then

  463.             mkdir "$INSTALL_DIR/inadyn"

  464.             cp -r -p /repos/inadyn/. "$INSTALL_DIR/inadyn"

  465.             cd "$INSTALL_DIR/inadyn" || exit 2462874684

  466.             git pull

  467.         else

  468.             git_clone "$INADYN_REPO" "$INSTALL_DIR/inadyn"

  469.         fi

  470.     fi

  471.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  472.         echo 'inadyn repo not cloned'

  473.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  474.         exit 6785

  475.     fi

  476.     cd "$INSTALL_DIR/inadyn" || exit 246824684

  477.     git checkout "$INADYN_COMMIT" -b "$INADYN_COMMIT"

  478.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  479. 

  480.     #./autogen.sh

  481.     if ! ./configure; then

  482.         exit 74890

  483.     fi

  484.     if ! USE_OPENSSL=1 make; then

  485.         exit 74858

  486.     fi

  487.     if ! make install; then

  488.         exit 3785

  489.     fi

  490. 

  491.     # create an unprivileged user

  492.     #chmod 600 /etc/shadow

  493.     #chmod 600 /etc/gshadow

  494.     #useradd -r -s /bin/false debian-inadyn

  495.     #chmod 0000 /etc/shadow

  496.     #chmod 0000 /etc/gshadow

  497. 

  498.     # create a configuration file

  499.     { echo 'background';

  500.       echo 'verbose        1';

  501.       echo 'period         300';

  502.       echo 'startup-delay  60';

  503.       echo 'cache-dir      /run/inadyn';

  504.       echo 'logfile        /dev/null'; } > /etc/inadyn.conf

  505.     chmod 600 /etc/inadyn.conf

  506. 

  507.     { echo '[Unit]';

  508.       echo 'Description=inadyn (DynDNS updater)';

  509.       echo 'After=network.target';

  510.       echo '';

  511.       echo '[Service]';

  512.       echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf';

  513.       echo 'Restart=always';

  514.       echo 'Type=forking';

  515.       echo '';

  516.       echo '[Install]';

  517.       echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/inadyn.service

  518.     systemctl enable inadyn

  519.     systemctl start inadyn

  520.     systemctl daemon-reload

  521. 

  522.     mark_completed "${FUNCNAME[0]}"

  523. }

  524. 

  525. function update_default_search_engine {

  526.     for d in /home/*/ ; do

  527.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  528.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  529.             if ! grep -q "WWW_HOME" "/home/$USERNAME/.bashrc"; then

  530.                 if ! grep -q 'controluser' "/home/$USERNAME/.bashrc"; then

  531.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  532.                         echo "export WWW_HOME=$DEFAULT_SEARCH" >> "/home/$USERNAME/.bashrc"

  533.                     else

  534.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  535.                     fi

  536.                 else

  537.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  538.                         sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" "/home/$USERNAME/.bashrc"

  539.                     else

  540.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  541.                     fi

  542.                 fi

  543.             fi

  544.         fi

  545.     done

  546. }

  547. 

  548. function install_command_line_browser {

  549.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  550.         return

  551.     fi

  552.     apt-get -yq install elinks

  553.     update_default_search_engine

  554. 

  555.     mark_completed "${FUNCNAME[0]}"

  556. }

  557. 

  558. function mesh_web_server {

  559.     if [ -d /etc/apache2 ]; then

  560.         # shellcheck disable=SC2154

  561.         chroot "$rootdir" apt-get -yq remove --purge apache2

  562.         chroot "$rootdir" rm -rf /etc/apache2

  563.     fi

  564. 

  565.     chroot "$rootdir" apt-get -yq install nginx

  566. 

  567.     if [ ! -d "$rootdir/etc/nginx" ]; then

  568.         echo $'Unable to install web server'

  569.         exit 346825

  570.     fi

  571. }

  572. 

  573. function install_web_server {

  574.     if [ "$INSTALLING_MESH" ]; then

  575.         mesh_web_server

  576.         return

  577.     fi

  578. 

  579.     # update to the next commit

  580.     function_check set_repo_commit

  581.     set_repo_commit "$INSTALL_DIR/nginx_ensite" "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  582. 

  583.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  584.         return

  585.     fi

  586.     # remove apache

  587.     apt-get -yq remove --purge apache2

  588.     if [ -d /etc/apache2 ]; then

  589.         rm -rf /etc/apache2

  590.     fi

  591.     # install nginx

  592.     apt-get -yq install nginx

  593.     apt-get -yq install php-fpm git

  594. 

  595.     # Turn off logs by default

  596.     sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf

  597.     sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf

  598. 

  599.     # limit the number of php processes

  600.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php/7.0/fpm/php-fpm.conf

  601.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php/7.0/fpm/php-fpm.conf

  602.     sed -i 's|;systemd_interval.*|systemd_interval = 10|g' /etc/php/7.0/fpm/php-fpm.conf

  603.     sed -i 's|;emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  604.     sed -i 's|emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  605.     sed -i 's|;emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  606.     sed -i 's|emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  607.     sed -i 's|;process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  608.     sed -i 's|process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  609. 

  610.     if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then

  611.         { echo 'pm = static';

  612.           echo 'pm.max_children = 10';

  613.           echo 'pm.start_servers = 2';

  614.           echo 'pm.min_spare_servers = 2';

  615.           echo 'pm.max_spare_servers = 5';

  616.           echo 'pm.max_requests = 10'; } >> /etc/php/7.0/fpm/php-fpm.conf

  617.     fi

  618.     if ! grep -q "request_terminate_timeout" /etc/php/7.0/fpm/php-fpm.conf; then

  619.         echo 'request_terminate_timeout = 30' >> /etc/php/7.0/fpm/php-fpm.conf

  620.     else

  621.         sed -i 's|request_terminate_timeout =.*|request_terminate_timeout = 30|g'  >> /etc/php/7.0/fpm/php-fpm.conf

  622.     fi

  623.     sed -i 's|max_execution_time =.*|max_execution_time = 30|g' /etc/php/7.0/fpm/php.ini

  624. 

  625.     if [ ! -d /etc/nginx ]; then

  626.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  627.         exit 51

  628.     fi

  629. 

  630.     # Nginx settings

  631.     { echo 'user www-data;';

  632.       #echo "worker_processes; $CPU_CORES";

  633.       echo 'pid /run/nginx.pid;';

  634.       echo '';

  635.       echo 'events {';

  636.       echo '        worker_connections 50;';

  637.       echo '        # multi_accept on;';

  638.       echo '}';

  639.       echo '';

  640.       echo 'http {';

  641.       echo '        # limit the number of connections per single IP';

  642.       echo "        limit_conn_zone \$binary_remote_addr zone=conn_limit_per_ip:10m;";

  643.       echo '';

  644.       echo '        # limit the number of requests for a given session';

  645.       echo "        limit_req_zone \$binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;";

  646.       echo '';

  647.       echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file';

  648.       echo '        client_body_buffer_size  128k;';

  649.       echo '';

  650.       echo '        # headerbuffer size for the request header from client, its set for testing purpose';

  651.       echo '        client_header_buffer_size 3m;';

  652.       echo '';

  653.       echo '        # maximum number and size of buffers for large headers to read from client request';

  654.       echo '        large_client_header_buffers 4 256k;';

  655.       echo '';

  656.       echo '        # read timeout for the request body from client, its set for testing purpose';

  657.       echo '        client_body_timeout   3m;';

  658.       echo '';

  659.       echo '        # how long to wait for the client to send a request header, its set for testing purpose';

  660.       echo '        client_header_timeout 3m;';

  661.       echo '';

  662.       echo '        ##';

  663.       echo '        # Basic Settings';

  664.       echo '        ##';

  665.       echo '';

  666.       echo '        sendfile on;';

  667.       echo '        tcp_nopush on;';

  668.       echo '        tcp_nodelay on;';

  669.       echo '        keepalive_timeout 65;';

  670.       echo '        types_hash_max_size 2048;';

  671.       echo '        server_tokens off;';

  672.       echo '';

  673.       echo '        # server_names_hash_bucket_size 64;';

  674.       echo '        # server_name_in_redirect off;';

  675.       echo '';

  676.       echo '        include /etc/nginx/mime.types;';

  677.       echo '        default_type application/octet-stream;';

  678.       echo '';

  679.       echo '        ##';

  680.       echo '        # Logging Settings';

  681.       echo '        ##';

  682.       echo '';

  683.       echo '        access_log /dev/null;';

  684.       echo '        error_log /dev/null;';

  685.       echo '';

  686.       echo '        ###';

  687.       echo '        # Gzip Settings';

  688.       echo '        ##';

  689.       echo '        gzip on;';

  690.       echo '        gzip_disable "msie6";';

  691.       echo '';

  692.       echo '        # gzip_vary on;';

  693.       echo '        # gzip_proxied any;';

  694.       echo '        # gzip_comp_level 6;';

  695.       echo '        # gzip_buffers 16 8k;';

  696.       echo '        # gzip_http_version 1.1;';

  697.       echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;';

  698.       echo '';

  699.       echo '        ##';

  700.       echo '        # Virtual Host Configs';

  701.       echo '        ##';

  702.       echo '';

  703.       echo '        include /etc/nginx/conf.d/*.conf;';

  704.       echo '        include /etc/nginx/sites-enabled/*;';

  705.       echo '}'; } > /etc/nginx/nginx.conf

  706. 

  707.     # install a script to easily enable and disable nginx virtual hosts

  708.     if [ ! -d "$INSTALL_DIR" ]; then

  709.         mkdir "$INSTALL_DIR"

  710.     fi

  711.     cd "$INSTALL_DIR" || exit 2798462846827

  712.     function_check git_clone

  713.     git_clone "$NGINX_ENSITE_REPO" "$INSTALL_DIR/nginx_ensite"

  714.     cd "$INSTALL_DIR/nginx_ensite" || exit 2468748223

  715.     git checkout "$NGINX_ENSITE_COMMIT" -b "$NGINX_ENSITE_COMMIT"

  716. 

  717.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  718. 

  719.     make install

  720.     nginx_dissite default

  721. 

  722.     function_check configure_firewall_for_web_access

  723.     configure_firewall_for_web_access

  724. 

  725.     mark_completed "${FUNCNAME[0]}"

  726. }

  727. 

  728. function remove_certs {

  729.     domain_name=$1

  730. 

  731.     if [ ! "$domain_name" ]; then

  732.         return

  733.     fi

  734. 

  735.     if [ -f "/etc/ssl/certs/${domain_name}.dhparam" ]; then

  736.         rm "/etc/ssl/certs/${domain_name}.dhparam"

  737.     fi

  738. 

  739.     if [ -f "/etc/ssl/certs/${domain_name}.pem" ]; then

  740.         rm "/etc/ssl/certs/${domain_name}.pem"

  741.     fi

  742. 

  743.     if [ -f "/etc/ssl/certs/${domain_name}.crt" ]; then

  744.         rm "/etc/ssl/certs/${domain_name}.crt"

  745.     fi

  746. 

  747.     if [ -f "/etc/ssl/private/${domain_name}.key" ]; then

  748.         rm "/etc/ssl/private/${domain_name}.key"

  749.     fi

  750. }

  751. 

  752. function configure_firewall_for_web_access {

  753.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  754.         return

  755.     fi

  756.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  757.         # docker does its own firewalling

  758.         return

  759.     fi

  760.     if [[ $ONION_ONLY != "no" ]]; then

  761.         return

  762.     fi

  763.     firewall_add HTTP 80 tcp

  764.     firewall_add HTTPS 443 tcp

  765.     mark_completed "${FUNCNAME[0]}"

  766. }

  767. 

  768. function update_default_domain {

  769.     echo $'Updating default domain'

  770.     if [[ $ONION_ONLY == 'no' ]]; then

  771.         if [ -f /etc/mumble-server.ini ]; then

  772.             if [ ! -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  773.                 if ! grep -q "mumble.pem" /etc/mumble-server.ini; then

  774.                     sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini

  775.                     sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini

  776.                     systemctl restart mumble

  777.                 fi

  778.             else

  779.                 if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then

  780.                     usermod -a -G ssl-cert mumble-server

  781.                     sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini

  782.                     sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini

  783.                     systemctl restart mumble

  784.                 fi

  785.             fi

  786.         fi

  787. 

  788.         if [ -d /etc/prosody ]; then

  789.             if [ ! -d /etc/prosody/certs ]; then

  790.                 mkdir /etc/prosody/certs

  791.             fi

  792.             cp /etc/ssl/private/xmpp* /etc/prosody/certs

  793.             cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  794.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  795.                 usermod -a -G ssl-cert prosody

  796.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  797.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  798.                 fi

  799.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  800.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  801.                 fi

  802. 

  803.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then

  804.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  805.                 fi

  806.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then

  807.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  808.                 fi

  809. 

  810.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  811.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  812.                 fi

  813. 

  814.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  815.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  816.                 fi

  817. 

  818.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then

  819.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  820.                 fi

  821. 

  822.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then

  823.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  824.                 fi

  825.             fi

  826. 

  827.             chown -R prosody:default /etc/prosody

  828.             chmod -R 700 /etc/prosody/certs/*

  829.             chmod 600 /etc/prosody/prosody.cfg.lua

  830.             if [ -d "$INSTALL_DIR/prosody-modules" ]; then

  831.                 cp -r "$INSTALL_DIR/prosody-modules/"* /var/lib/prosody/prosody-modules/

  832.                 cp -r "$INSTALL_DIR/prosody-modules/"* /usr/lib/prosody/modules/

  833.             fi

  834.             chown -R prosody:prosody /var/lib/prosody/prosody-modules

  835.             chown -R prosody:prosody /usr/lib/prosody/modules

  836.             systemctl reload prosody

  837.         fi

  838. 

  839.         if [ -d /home/znc/.znc ]; then

  840.             echo $'znc found'

  841.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  842.                 pkill znc

  843.                 cat "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" > /home/znc/.znc/znc.pem

  844.                 chown znc:znc /home/znc/.znc/znc.pem

  845.                 chmod 700 /home/znc/.znc/znc.pem

  846. 

  847.                 sed -i "s|CertFile =.*|CertFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/ngircd/ngircd.conf

  848.                 sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf

  849.                 sed -i "s|KeyFile =.*|KeyFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/ngircd/ngircd.conf

  850.                 echo $'irc certificates updated'

  851. 

  852.                 systemctl restart ngircd

  853.                 su -c 'znc' - znc

  854.             fi

  855.         fi

  856. 

  857.         if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then

  858.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  859.                 if [ -d /etc/dovecot ]; then

  860.                     if ! grep -q "ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/dovecot/conf.d/10-ssl.conf; then

  861.                         sed -i "s|#ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  862.                         sed -i "s|ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  863.                         systemctl restart dovecot

  864.                     fi

  865.                 fi

  866. 

  867.                 if [ -d /etc/exim4 ]; then

  868.                     # Unfortunately there doesn't appear to be any other way than copying certs here

  869.                     cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem" /etc/exim4/

  870.                     chown root:Debian-exim /etc/exim4/*.pem

  871.                     chmod 640 /etc/exim4/*.pem

  872. 

  873.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  874.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/exim4.conf.template

  875.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  876.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/exim4.conf.template

  877. 

  878.                     systemctl restart exim4

  879.                 fi

  880.             fi

  881.         fi

  882.     fi

  883. }

  884. 

  885. function create_default_web_site {

  886.     if [ ! -f "/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}" ]; then

  887.         # create a web site for the default domain

  888.         if [ ! -d "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs" ]; then

  889.             mkdir -p "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  890.             if [ -d "/root/${PROJECT_NAME}" ]; then

  891.                 cd "/root/${PROJECT_NAME}/website" || exit 24687246468

  892.                 ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  893.             else

  894.                 if [ -d "/home/${MY_USERNAME}/${PROJECT_NAME}" ]; then

  895.                     cd "/home/${MY_USERNAME}/${PROJECT_NAME}" || exit 2462874624

  896.                     ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  897.                 fi

  898.             fi

  899.         fi

  900. 

  901.         # add a config for the default domain

  902.         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME

  903.         if [[ $ONION_ONLY == "no" ]]; then

  904.             function_check nginx_http_redirect

  905.             nginx_http_redirect "$DEFAULT_DOMAIN_NAME"

  906.             { echo 'server {';

  907.               echo '  listen 443 ssl;';

  908.               echo '  #listen [::]:443 ssl;';

  909.               echo "  server_name $DEFAULT_DOMAIN_NAME;";

  910.               echo '';

  911.               echo '  # Security'; } >> "$nginx_site"

  912.             function_check nginx_ssl

  913.             nginx_ssl "$DEFAULT_DOMAIN_NAME" mobile

  914. 

  915.             function_check nginx_security_options

  916.             nginx_security_options "$DEFAULT_DOMAIN_NAME"

  917. 

  918.             { echo '  add_header Strict-Transport-Security max-age=15768000;';

  919.               echo '';

  920.               echo '  # Logs';

  921.               echo '  access_log /dev/null;';

  922.               echo '  error_log /dev/null;';

  923.               echo '';

  924.               echo '  # Root';

  925.               echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  926.               echo '';

  927.               echo '  # Index';

  928.               echo '  index index.html;';

  929.               echo '';

  930.               echo '  # Location';

  931.               echo '  location / {'; } >> "$nginx_site"

  932.             function_check nginx_limits

  933.             nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  934.             { echo '  }';

  935.               echo '';

  936.               echo '  # Restrict access that is unnecessary anyway';

  937.               echo '  location ~ /\.(ht|git) {';

  938.               echo '    deny all;';

  939.               echo '  }';

  940.               echo '}'; } >> "$nginx_site"

  941.         else

  942.             echo -n '' > "$nginx_site"

  943.         fi

  944.         { echo 'server {';

  945.           echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;";

  946.           echo "    server_name $DEFAULT_DOMAIN_NAME;";

  947.           echo ''; } >> "$nginx_site"

  948.         function_check nginx_security_options

  949.         nginx_security_options "$DEFAULT_DOMAIN_NAME"

  950.         { echo '';

  951.           echo '  # Logs';

  952.           echo '  access_log /dev/null;';

  953.           echo '  error_log /dev/null;';

  954.           echo '';

  955.           echo '  # Root';

  956.           echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  957.           echo '';

  958.           echo '  # Location';

  959.           echo '  location / {'; } >> "$nginx_site"

  960.         function_check nginx_limits

  961.         nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  962.         { echo '  }';

  963.           echo '';

  964.           echo '  # Restrict access that is unnecessary anyway';

  965.           echo '  location ~ /\.(ht|git) {';

  966.           echo '    deny all;';

  967.           echo '  }';

  968.           echo '}'; } >> "$nginx_site"

  969. 

  970.         if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  971.             function_check create_site_certificate

  972.             create_site_certificate "$DEFAULT_DOMAIN_NAME" 'yes'

  973.         fi

  974. 

  975.         nginx_ensite "$DEFAULT_DOMAIN_NAME"

  976.     fi

  977. }

  978. 

  979. function install_composer {

  980.     # curl -sS https://getcomposer.org/installer | php

  981.     if [ -f "${HOME}/${PROJECT_NAME}/image_build/composer_install" ]; then

  982.         php < "${HOME}/${PROJECT_NAME}/image_build/composer_install"

  983.     else

  984.         if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install" ]; then

  985.             php < "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install"

  986.         fi

  987.     fi

  988.     if [ -f composer.phar ]; then

  989.         cp composer.phar composer

  990.     fi

  991.     if ! php composer.phar install; then

  992.         echo $'Unable to run composer install'

  993.         exit 7252198

  994.     fi

  995. }

  996. 

  997. function email_disable_chunking {

  998.     if [ -f /etc/exim4/conf.d/main/04_exim4-config_chunking ]; then

  999.         return

  1000.     fi

  1001.     echo "chunking_advertise_hosts =" > /etc/exim4/conf.d/main/04_exim4-config_chunking

  1002.     update-exim4.conf

  1003.     dpkg-reconfigure --frontend noninteractive exim4-config

  1004.     systemctl restart exim4

  1005. }

  1006. 

  1007. function email_update_onion_domain {

  1008.     email_hostname='/var/lib/tor/hidden_service_email/hostname'

  1009. 

  1010.     cp $email_hostname /etc/skel/.email_onion_domain

  1011. 

  1012.     for d in /home/*/ ; do

  1013.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  1014.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  1015.             cp $email_hostname "/home/$USERNAME/.email_onion_domain"

  1016.             chown "$USERNAME":"$USERNAME" "/home/$USERNAME/.email_onion_domain"

  1017.         fi

  1018.     done

  1019. }

  1020. 

  1021. function email_install_tls {

  1022.     tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  1023.     tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples

  1024.     email_config_changed=

  1025. 

  1026.     if [ ! -f $tls_config_file ]; then

  1027.         tls_config_file=/etc/exim4/exim4.conf.template

  1028.         tls_auth_config_file=$tls_config_file

  1029.     fi

  1030.     if [ ! -f /etc/ssl/certs/exim.dhparam ]; then

  1031.         "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"

  1032.         CHECK_HOSTNAME=exim

  1033.         check_certificates exim

  1034.         cp /etc/ssl/certs/exim.dhparam /etc/exim4

  1035.         chown root:Debian-exim /etc/exim4/exim.dhparam

  1036.         chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam

  1037.         email_config_changed=1

  1038.     fi

  1039.     if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then

  1040.         sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\\MAIN_HARDCODE_PRIMARY_HOSTNAME =\\nMAIN_TLS_ENABLE = true" "$tls_config_file"

  1041.         email_config_changed=1

  1042.     fi

  1043.     if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then

  1044.         sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file

  1045.         email_config_changed=1

  1046.     fi

  1047.     if grep -q '# login_saslauthd_server' $tls_auth_config_file; then

  1048.         sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file

  1049.         email_config_changed=1

  1050.     fi

  1051.     if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1052.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/exim4/

  1053.         chown root:Debian-exim /etc/exim4/*.pem

  1054.         chmod 640 /etc/exim4/*.pem

  1055. 

  1056.         if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then

  1057.             sed -i "/.ifdef MAIN_TLS_CERTKEY/i\\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file

  1058.             email_config_changed=1

  1059.         fi

  1060.     fi

  1061.     if [ -f "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" ]; then

  1062.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/exim4/

  1063.         chown root:Debian-exim /etc/exim4/*.pem

  1064.         chmod 640 /etc/exim4/*.pem

  1065. 

  1066.         if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then

  1067.             sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file

  1068.             email_config_changed=1

  1069.         fi

  1070.     fi

  1071.     if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then

  1072.         sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4

  1073.         email_config_changed=1

  1074.     fi

  1075.     if [ $email_config_changed ]; then

  1076.         systemctl restart saslauthd

  1077.         systemctl restart exim4

  1078.     fi

  1079. }

  1080. 

  1081. function install_web_local_user_interface {

  1082.     # TODO

  1083.     # This is intended as a placeholder for a potential local web user interface

  1084.     # similar to Plinth or the yunohost admin interface

  1085.     local_hostname=$(grep 'host-name' /etc/avahi/avahi-daemon.conf | awk -F '=' '{print $2}').local

  1086. 

  1087.     mkdir -p "/var/www/${local_hostname}/htdocs"

  1088.     { echo '<html>';

  1089.       echo '  <body>';

  1090.       echo "  This is a test on $local_hostname";

  1091.       echo '  </body>';

  1092.       echo '</html>'; } > "/var/www/${local_hostname}/htdocs/index.html"

  1093.     chown -R www-data:www-data "/var/www/${local_hostname}/htdocs"

  1094. 

  1095.     nginx_file=/etc/nginx/sites-available/$local_hostname

  1096.     { echo 'server {';

  1097.       echo '  listen 80;';

  1098.       echo '  listen [::]:80;';

  1099.       echo "  server_name ${local_hostname};";

  1100.       echo "  root /var/www/${local_hostname}/htdocs;";

  1101.       echo '  index index.html;';

  1102.       echo '}'; } > "$nginx_file"

  1103.     nginx_ensite "$local_hostname"

  1104. }

  1105. 

  1106. # NOTE: deliberately no exit 0