free
/
freedombone
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
9474 提交
5 分支
目录树: 9f46dded25
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '9f46dded25'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 46KB
文件历史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165 
  1. #!/bin/bash

  2. #  _____               _           _

  3. # |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___

  4. # |   __|  _| -_| -_| . | . |     | . | . |   | -_|

  5. # |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|

  6. #

  7. #                              Freedom in the Cloud

  8. #

  9. # Web related functions

  10. #

  11. # License

  12. # =======

  13. #

  14. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>

  15. #

  16. # This program is free software: you can redistribute it and/or modify

  17. # it under the terms of the GNU Affero General Public License as published by

  18. # the Free Software Foundation, either version 3 of the License, or

  19. # (at your option) any later version.

  20. #

  21. # This program is distributed in the hope that it will be useful,

  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24. # GNU Affero General Public License for more details.

  25. #

  26. # You should have received a copy of the GNU Affero General Public License

  27. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28. 

  29. # default search engine for command line browser

  30. DEFAULT_SEARCH='https://searx.laquadrature.net'

  31. 

  32. # onion port for the default domain

  33. DEFAULT_DOMAIN_ONION_PORT=8099

  34. 

  35. # Whether Let's Encrypt is enabled for all sites

  36. LETSENCRYPT_ENABLED="yes"

  37. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  38. 

  39. # list of encryption protocols

  40. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  41. 

  42. # Mozilla recommended default ciphers. These work better on Android

  43. # See https://wiki.mozilla.org/Security/Server_Side_TLS

  44. SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

  45. 

  46. # some mobile apps (eg. NextCloud) have not very good cipher compatibility.

  47. # These ciphers can be used for those cases

  48. SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"

  49. 

  50. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  51. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  52. 

  53. # memory limit for php in MB

  54. MAX_PHP_MEMORY=64

  55. 

  56. # logging level for Nginx

  57. WEBSERVER_LOG_LEVEL='warn'

  58. 

  59. # test a domain name to see if it's valid

  60. function validate_domain_name {

  61.     # count the number of dots in the domain name

  62.     dots=${TEST_DOMAIN_NAME//[^.]}

  63.     no_of_dots=${#dots}

  64.     if (( no_of_dots > 3 )); then

  65.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  66.     fi

  67.     if (( no_of_dots == 0 )); then

  68.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  69.     fi

  70. }

  71. 

  72. function nginx_security_options {

  73.     domain_name=$1

  74.     filename=/etc/nginx/sites-available/$domain_name

  75.     { echo '    add_header X-Frame-Options DENY;';

  76.       echo '    add_header X-Content-Type-Options nosniff;';

  77.       echo '    add_header X-XSS-Protection "1; mode=block";';

  78.       echo '    add_header X-Robots-Tag none;';

  79.       echo '    add_header X-Download-Options noopen;';

  80.       echo '    add_header X-Permitted-Cross-Domain-Policies none;';

  81.       echo ''; } >> "$filename"

  82. }

  83. 

  84. function nginx_limits {

  85.     domain_name=$1

  86.     max_body='20m'

  87.     if [ "$2" ]; then

  88.         max_body=$2

  89.     fi

  90.     filename=/etc/nginx/sites-available/$domain_name

  91.     { echo "        client_max_body_size ${max_body};";

  92.       echo '        client_body_buffer_size 128k;';

  93.       echo '';

  94.       echo '        limit_conn conn_limit_per_ip 10;';

  95.       echo '        limit_req zone=req_limit_per_ip burst=10 nodelay;';

  96.       echo ''; } >> "$filename"

  97. }

  98. 

  99. function nginx_stapling {

  100.     domain_name="$1"

  101.     filename=/etc/nginx/sites-available/$domain_name

  102.     { echo "    ssl_stapling on;";

  103.       echo '    ssl_stapling_verify on;';

  104.       echo "    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;";

  105.       echo ''; } >> "$filename"

  106. }

  107. 

  108. function nginx_http_redirect {

  109.     # redirect port 80 to https

  110.     domain_name=$1

  111.     filename=/etc/nginx/sites-available/$domain_name

  112.     { echo 'server {';

  113.       echo '    listen 80;';

  114.       echo '    listen [::]:80;';

  115.       echo "    server_name ${domain_name};";

  116.       echo "    root /var/www/${domain_name}/htdocs;";

  117.       echo '    access_log /dev/null;';

  118.       echo "    error_log /dev/null;"; } > "$filename"

  119.     function_check nginx_limits

  120.     nginx_limits "$domain_name"

  121.     if [ ${#2} -gt 0 ]; then

  122.         echo "    $2;" >> "$filename"

  123.     fi

  124.     { echo "    rewrite ^ https://\$server_name\$request_uri? permanent;";

  125.       echo '}';

  126.       echo ''; } >> "$filename"

  127. }

  128. 

  129. function nginx_compress {

  130.     domain_name=$1

  131.     filename=/etc/nginx/sites-available/$domain_name

  132. 

  133.     { echo '    gzip            on;';

  134.       echo '    gzip_min_length 1000;';

  135.       echo '    gzip_proxied    expired no-cache no-store private auth;';

  136.       echo '    gzip_types      text/plain application/xml;'; } >> "$filename"

  137. }

  138. 

  139. function nginx_ssl {

  140.     # creates the SSL/TLS section for a website

  141.     domain_name=$1

  142.     mobile_ciphers=$2

  143.     filename=/etc/nginx/sites-available/$domain_name

  144. 

  145.     { echo '    ssl_stapling off;';

  146.       echo '    ssl_stapling_verify off;';

  147.       echo '    ssl on;';

  148.       echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;";

  149.       echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;";

  150.       echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;";

  151.       echo '';

  152.       echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;';

  153.       echo '    ssl_session_timeout 60m;';

  154.       echo '    ssl_prefer_server_ciphers on;';

  155.       echo "    ssl_protocols $SSL_PROTOCOLS;"; } >> "$filename"

  156.     if [ "$mobile_ciphers" ]; then

  157.         echo "    # Mobile compatible ciphers" >> "$filename"

  158.         echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> "$filename"

  159.     else

  160.         echo "    ssl_ciphers '$SSL_CIPHERS';" >> "$filename"

  161.     fi

  162.     echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> "$filename"

  163. 

  164.     #nginx_stapling $1

  165. }

  166. 

  167. # check an individual domain name

  168. function test_domain_name {

  169.     if [ "$1" ]; then

  170.         TEST_DOMAIN_NAME=$1

  171.         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then

  172.             function_check validate_domain_name

  173.             validate_domain_name

  174.             if [[ "$TEST_DOMAIN_NAME" != "$1" ]]; then

  175.                 echo $"Invalid domain name $TEST_DOMAIN_NAME"

  176.                 exit 8528

  177.             fi

  178.         fi

  179.     fi

  180. }

  181. 

  182. # Checks whether certificates were generated for the given hostname

  183. function check_certificates {

  184.     if [ ! "$1" ]; then

  185.         echo $'No certificate name provided'

  186.         exit 3568736585683

  187.     fi

  188.     USE_LETSENCRYPT='no'

  189.     if [ "$2" ]; then

  190.         USE_LETSENCRYPT="$2"

  191.     fi

  192.     if [[ $USE_LETSENCRYPT == 'no' || "$ONION_ONLY" != 'no' ]]; then

  193.         if [ ! -f "/etc/ssl/private/${1}.key" ]; then

  194.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  195.             exit 63959

  196.         fi

  197.         if [ ! -f "/etc/ssl/certs/${1}.crt" ]; then

  198.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  199.             exit 7679

  200.         fi

  201. 

  202.         if grep -q "${1}.pem" "/etc/nginx/sites-available/${1}"; then

  203.             sed -i "s|${1}.pem|${1}.crt|g" "/etc/nginx/sites-available/${1}"

  204.         fi

  205.     else

  206.         if [ ! -f "/etc/letsencrypt/live/${1}/privkey.pem" ]; then

  207.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  208.             exit 6282

  209.         fi

  210.         if [ ! -f "/etc/letsencrypt/live/${1}/fullchain.pem" ]; then

  211.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  212.             exit 5328

  213.         fi

  214.         if grep -q "${1}.crt" "/etc/nginx/sites-available/${1}"; then

  215.             sed -i "s|${1}.crt|${1}.pem|g" "/etc/nginx/sites-available/${1}"

  216.         fi

  217.     fi

  218.     if [ ! -f "/etc/ssl/certs/${1}.dhparam" ]; then

  219.         echo $"DiffieHellman parameters for ${CHECK_HOSTNAME} were not created"

  220.         exit 5989

  221.     fi

  222. }

  223. 

  224. function cert_exists {

  225.     cert_type='dhparam'

  226.     if [ "$2" ]; then

  227.         cert_type="$2"

  228.     fi

  229.     if [ -f "/etc/ssl/certs/${1}.${cert_type}" ]; then

  230.         echo "1"

  231.     else

  232.         if [ -f "/etc/letsencrypt/live/${1}/fullchain.${cert_type}" ]; then

  233.             echo "1"

  234.         else

  235.             echo "0"

  236.         fi

  237.     fi

  238. }

  239. 

  240. function create_self_signed_cert {

  241.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  242.         echo $'No site domain specified for self signed cert'

  243.         exit 4638565385

  244.     fi

  245.     "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  246.     function_check check_certificates

  247.     check_certificates "${SITE_DOMAIN_NAME}"

  248. }

  249. 

  250. function create_letsencrypt_cert {

  251.     if [ ! "${SITE_DOMAIN_NAME}" ]; then

  252.         echo $'No site domain specified for letsencrypt cert'

  253.         exit 246824624

  254.     fi

  255. 

  256.     if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then

  257.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  258.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  259.             "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  260.             function_check check_certificates

  261.             CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  262.             check_certificates "${SITE_DOMAIN_NAME}"

  263.         else

  264.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  265.             if [ -f "/etc/nginx/sites-available/$SITE_DOMAIN_NAME" ]; then

  266.                 nginx_dissite "$SITE_DOMAIN_NAME"

  267.                 systemctl restart nginx

  268.             fi

  269.             exit 682529

  270.         fi

  271.         return

  272.     fi

  273. 

  274.     function_check check_certificates

  275.     CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"

  276.     check_certificates "${SITE_DOMAIN_NAME}" 'yes'

  277. }

  278. 

  279. function create_site_certificate {

  280.     SITE_DOMAIN_NAME="$1"

  281. 

  282.     # if yes then only "valid" certs are allowed, not self-signed

  283.     NO_SELF_SIGNED='no'

  284.     if [ "$2" ]; then

  285.         NO_SELF_SIGNED="$2"

  286.     fi

  287. 

  288.     if [[ $ONION_ONLY == "no" ]]; then

  289.         if [[ "$(cert_exists "${SITE_DOMAIN_NAME}")" == "0" ]]; then

  290.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  291.                 create_self_signed_cert

  292.             else

  293.                 create_letsencrypt_cert

  294.             fi

  295.         else

  296.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  297.                 if [[ "$(cert_exists "${SITE_DOMAIN_NAME}" pem)" == "0" ]]; then

  298.                     create_letsencrypt_cert

  299.                 fi

  300.             fi

  301.         fi

  302.     fi

  303. }

  304. 

  305. # script to automatically renew any Let's Encrypt certificates

  306. function letsencrypt_renewals {

  307.     if [[ $ONION_ONLY != "no" ]]; then

  308.         return

  309.     fi

  310. 

  311.     renewals_script=/tmp/renewals_letsencrypt

  312.     renewals_retry_script=/tmp/renewals_retry_letsencrypt

  313.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  314.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  315. 

  316.     # the main script tries to renew once per month

  317.     { echo '#!/bin/bash';

  318.       echo '';

  319.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  320.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  321.       echo '';

  322.       echo 'if [ -d /etc/letsencrypt ]; then';

  323.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  324.       echo '        rm ~/letsencrypt_failed';

  325.       echo '    fi';

  326.       echo -n "    ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  327.       echo -n "awk -F ':' '{print ";

  328.       echo -n "\$2";

  329.       echo "}')";

  330.       echo "    ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  331.       echo '    for d in /etc/letsencrypt/live/*/ ; do';

  332.       echo -n "        LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  333.       echo -n "awk -F '/' '{print ";

  334.       echo -n "\$5";

  335.       echo "}')";

  336.       echo "        if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  337.       echo "            \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  338.       echo '            if [ ! "$?" = "0" ]; then';

  339.       echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  340.       echo '                echo "" >> ~/temp_renewletsencrypt.txt';

  341.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  342.       echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  343.       echo "\$ADMIN_EMAIL_ADDRESS";

  344.       echo '                rm ~/temp_renewletsencrypt.txt';

  345.       echo '                if [ ! -f ~/letsencrypt_failed ]; then';

  346.       echo '                    touch ~/letsencrypt_failed';

  347.       echo '                fi';

  348.       echo '            fi';

  349.       echo '        fi';

  350.       echo '    done';

  351.       echo 'fi'; } > "$renewals_script"

  352.     chmod +x "$renewals_script"

  353. 

  354.     if [ ! -f /etc/cron.monthly/letsencrypt ]; then

  355.         cp $renewals_script /etc/cron.monthly/letsencrypt

  356.     else

  357.         HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')

  358.         HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')

  359.         if [[ "$HASH1" != "$HASH2" ]]; then

  360.             cp $renewals_script /etc/cron.monthly/letsencrypt

  361.         fi

  362.     fi

  363.     rm $renewals_script

  364. 

  365.     # a secondary script keeps trying to renew after a failure

  366.     { echo '#!/bin/bash';

  367.       echo '';

  368.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  369.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  370.       echo '';

  371.       echo 'if [ -d /etc/letsencrypt ]; then';

  372.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  373.       echo '        rm ~/letsencrypt_failed';

  374.       echo -n "        ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  375.       echo -n "awk -F ':' '{print ";

  376.       echo -n "\$2";

  377.       echo "}')";

  378.       echo "        ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  379.       echo '        for d in /etc/letsencrypt/live/*/ ; do';

  380.       echo -n "            LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  381.       echo -n "awk -F '/' '{print ";

  382.       echo -n "\$5";

  383.       echo "}')";

  384.       echo "            if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  385.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  386.       echo '                if [ ! "$?" = "0" ]; then';

  387.       echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  388.       echo '                    echo "" >> ~/temp_renewletsencrypt.txt';

  389.       echo "                    \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  390.       echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  391.       echo "\$ADMIN_EMAIL_ADDRESS";

  392.       echo '                    rm ~/temp_renewletsencrypt.txt';

  393.       echo '                    if [ ! -f ~/letsencrypt_failed ]; then';

  394.       echo '                        touch ~/letsencrypt_failed';

  395.       echo '                    fi';

  396.       echo '                fi';

  397.       echo '            fi';

  398.       echo '        done';

  399.       echo '    fi';

  400.       echo 'fi'; } > "$renewals_retry_script"

  401.     chmod +x "$renewals_retry_script"

  402. 

  403.     if [ ! -f /etc/cron.daily/letsencrypt ]; then

  404.         cp $renewals_retry_script /etc/cron.daily/letsencrypt

  405.     else

  406.         HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')

  407.         HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')

  408.         if [[ "$HASH1" != "$HASH2" ]]; then

  409.             cp $renewals_retry_script /etc/cron.daily/letsencrypt

  410.         fi

  411.     fi

  412.     rm $renewals_retry_script

  413. }

  414. 

  415. function configure_php {

  416.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/fpm/php.ini

  417.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.0/fpm/php.ini

  418.     sed -i "s/memory_limit =.*/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/cli/php.ini

  419.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/fpm/php.ini

  420.     sed -i "s/upload_max_filesize =.*/upload_max_filesize = 50M/g" /etc/php/7.0/cli/php.ini

  421.     sed -i "s/post_max_size =.*/post_max_size = 50M/g" /etc/php/7.0/fpm/php.ini

  422. }

  423. 

  424. function install_web_server_access_control {

  425.     if [ ! -f /etc/pam.d/nginx ]; then

  426.         { echo '#%PAM-1.0';

  427.           echo '@include common-auth';

  428.           echo '@include common-account';

  429.           echo '@include common-session'; } > /etc/pam.d/nginx

  430.     fi

  431. }

  432. 

  433. function upgrade_inadyn_config {

  434.     if [ ! -f "${INADYN_CONFIG_FILE}" ]; then

  435.         return

  436.     fi

  437. 

  438.     if [ ! -f /usr/sbin/inadyn ]; then

  439.         return

  440.     fi

  441. 

  442.     if grep -q "{" "${INADYN_CONFIG_FILE}"; then

  443.         return

  444.     fi

  445. 

  446.     read_config_param DDNS_PROVIDER

  447.     read_config_param DDNS_USERNAME

  448.     read_config_param DDNS_PASSWORD

  449.     read_config_param DEFAULT_DOMAIN_NAME

  450. 

  451.     grep "alias " "${INADYN_CONFIG_FILE}" | sed 's| alias ||g' > ~/.inadyn_existing_sites

  452. 

  453.     if [[ "$DDNS_PROVIDER" == "default@freedns.afraid.org" ]]; then

  454.         DDNS_PROVIDER='freedns'

  455.         write_config_param DDNS_PROVIDER "$DDNS_PROVIDER"

  456.     fi

  457. 

  458.     { echo 'period          = 300';

  459.       echo '';

  460.       echo "provider $DDNS_PROVIDER {";

  461.       echo "    ssl            = true";

  462.       echo "    username       = $DDNS_USERNAME";

  463.       echo "    password       = $DDNS_PASSWORD";

  464.       echo '    wildcard       = true';

  465.       echo "    hostname       = $DEFAULT_DOMAIN_NAME";

  466.       echo '}'; } > "${INADYN_CONFIG_FILE}"

  467. }

  468. 

  469. function install_dynamicdns {

  470.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  471.         return

  472.     fi

  473. 

  474.     if [[ $ONION_ONLY != "no" ]]; then

  475.         return

  476.     fi

  477. 

  478.     if grep -q "INADYN_REPO" "$CONFIGURATION_FILE"; then

  479.         sed -i '/INADYN_REPO/d' "$CONFIGURATION_FILE"

  480.     fi

  481.     if grep -q "INADYN_COMMIT" "$CONFIGURATION_FILE"; then

  482.         sed -i '/INADYN_COMMIT/d' "$CONFIGURATION_FILE"

  483.     fi

  484. 

  485.     if [ -f /usr/local/sbin/inadyn ]; then

  486.         if grep -q "inadyn commit" "$COMPLETION_FILE"; then

  487.             sed -i '/inadyn commit/d' "$COMPLETION_FILE"

  488.         fi

  489.     else

  490.         CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")

  491.         if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then

  492.             return

  493.         fi

  494.     fi

  495. 

  496.     if [ -f /usr/local/sbin/inadyn ]; then

  497.         if [ -d "$INSTALL_DIR/inadyn" ]; then

  498.             rm -rf "$INSTALL_DIR/inadyn"

  499.         fi

  500.         if [ -d /repos/inadyn ]; then

  501.             rm -rf /repos/inadyn

  502.         fi

  503.     else

  504.         # update to the next commit

  505.         function_check set_repo_commit

  506.         set_repo_commit "$INSTALL_DIR/inadyn" "inadyn commit" "$INADYN_COMMIT" "$INADYN_REPO"

  507.     fi

  508. 

  509.     # Here we compile from source because the current package

  510.     # doesn't support https, which could result in passwords

  511.     # being leaked

  512.     # Debian version 1.99.4-1

  513.     # https version 1.99.8

  514. 

  515.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  516.     apt-get -yq install gnutls-dev libconfuse-dev pkg-config libtool

  517. 

  518.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  519.         if [ -d /repos/inadyn ]; then

  520.             mkdir "$INSTALL_DIR/inadyn"

  521.             cp -r -p /repos/inadyn/. "$INSTALL_DIR/inadyn"

  522.             cd "$INSTALL_DIR/inadyn" || exit 2462874684

  523.             git pull

  524.         else

  525.             git_clone "$INADYN_REPO" "$INSTALL_DIR/inadyn"

  526.         fi

  527.     fi

  528.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  529.         echo 'inadyn repo not cloned'

  530.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  531.         exit 6785

  532.     fi

  533.     cd "$INSTALL_DIR/inadyn" || exit 246824684

  534.     git checkout "$INADYN_COMMIT" -b "$INADYN_COMMIT"

  535.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  536. 

  537.     ./autogen.sh

  538. 

  539.     if ! ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var; then

  540.         exit 74890

  541.     fi

  542.     if ! make -j5; then

  543.         exit 74858

  544.     fi

  545.     if ! make install-strip; then

  546.         exit 3785

  547.     fi

  548. 

  549.     # create a configuration file

  550.     if [ ! -f "${INADYN_CONFIG_FILE}" ]; then

  551.         { echo 'period          = 300';

  552.           echo ''; } > "${INADYN_CONFIG_FILE}"

  553.     fi

  554.     chmod 600 "${INADYN_CONFIG_FILE}"

  555. 

  556.     { echo '[Unit]';

  557.       echo 'Description=Internet Dynamic DNS Client';

  558.       echo 'Documentation=man:inadyn';

  559.       echo 'Documentation=man:inadyn.conf';

  560.       echo 'Documentation=https://github.com/troglobit/inadyn';

  561.       echo 'ConditionPathExists=/etc/inadyn.conf';

  562.       echo 'After=network-online.target';

  563.       echo 'Requires=network-online.target';

  564.       echo '';

  565.       echo '[Service]';

  566.       echo 'Type=simple';

  567.       echo "ExecStart=/usr/sbin/inadyn -C -n -s --loglevel=err --config ${INADYN_CONFIG_FILE}";

  568.       echo 'Restart=on-failure';

  569.       echo 'RestartSec=10';

  570.       echo '';

  571.       echo '[Install]';

  572.       echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/inadyn.service

  573.     systemctl daemon-reload

  574.     systemctl enable inadyn

  575.     systemctl start inadyn

  576. 

  577.     # Remove old version of inadyn

  578.     if [ -f /usr/local/sbin/inadyn ]; then

  579.         rm /usr/local/sbin/inadyn

  580.         upgrade_inadyn_config

  581.     fi

  582. }

  583. 

  584. function update_default_search_engine {

  585.     for d in /home/*/ ; do

  586.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  587.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  588.             if ! grep -q "WWW_HOME" "/home/$USERNAME/.bashrc"; then

  589.                 if ! grep -q 'controluser' "/home/$USERNAME/.bashrc"; then

  590.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  591.                         echo "export WWW_HOME=$DEFAULT_SEARCH" >> "/home/$USERNAME/.bashrc"

  592.                     else

  593.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  594.                     fi

  595.                 else

  596.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  597.                         sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" "/home/$USERNAME/.bashrc"

  598.                     else

  599.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  600.                     fi

  601.                 fi

  602.             fi

  603.         fi

  604.     done

  605. }

  606. 

  607. function install_command_line_browser {

  608.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  609.         return

  610.     fi

  611.     apt-get -yq install elinks

  612.     update_default_search_engine

  613. 

  614.     mark_completed "${FUNCNAME[0]}"

  615. }

  616. 

  617. function mesh_web_server {

  618.     if [ -d /etc/apache2 ]; then

  619.         # shellcheck disable=SC2154

  620.         chroot "$rootdir" apt-get -yq remove --purge apache2

  621.         chroot "$rootdir" rm -rf /etc/apache2

  622.     fi

  623. 

  624.     chroot "$rootdir" apt-get -yq install nginx

  625. 

  626.     if [ ! -d "$rootdir/etc/nginx" ]; then

  627.         echo $'Unable to install web server'

  628.         exit 346825

  629.     fi

  630. }

  631. 

  632. function install_web_server {

  633.     if [ "$INSTALLING_MESH" ]; then

  634.         mesh_web_server

  635.         return

  636.     fi

  637. 

  638.     # update to the next commit

  639.     function_check set_repo_commit

  640.     set_repo_commit "$INSTALL_DIR/nginx_ensite" "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  641. 

  642.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  643.         return

  644.     fi

  645.     # remove apache

  646.     apt-get -yq remove --purge apache2

  647.     if [ -d /etc/apache2 ]; then

  648.         rm -rf /etc/apache2

  649.     fi

  650.     # install nginx

  651.     apt-get -yq install nginx

  652.     apt-get -yq install php-fpm git

  653. 

  654.     # Turn off logs by default

  655.     sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf

  656.     sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf

  657. 

  658.     # limit the number of php processes

  659.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php/7.0/fpm/php-fpm.conf

  660.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php/7.0/fpm/php-fpm.conf

  661.     sed -i 's|;systemd_interval.*|systemd_interval = 10|g' /etc/php/7.0/fpm/php-fpm.conf

  662.     sed -i 's|;emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  663.     sed -i 's|emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  664.     sed -i 's|;emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  665.     sed -i 's|emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  666.     sed -i 's|;process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  667.     sed -i 's|process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  668. 

  669.     if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then

  670.         { echo 'pm = static';

  671.           echo 'pm.max_children = 10';

  672.           echo 'pm.start_servers = 2';

  673.           echo 'pm.min_spare_servers = 2';

  674.           echo 'pm.max_spare_servers = 5';

  675.           echo 'pm.max_requests = 10'; } >> /etc/php/7.0/fpm/php-fpm.conf

  676.     fi

  677.     if ! grep -q "request_terminate_timeout" /etc/php/7.0/fpm/php-fpm.conf; then

  678.         echo 'request_terminate_timeout = 30' >> /etc/php/7.0/fpm/php-fpm.conf

  679.     else

  680.         sed -i 's|request_terminate_timeout =.*|request_terminate_timeout = 30|g'  >> /etc/php/7.0/fpm/php-fpm.conf

  681.     fi

  682.     sed -i 's|max_execution_time =.*|max_execution_time = 30|g' /etc/php/7.0/fpm/php.ini

  683. 

  684.     if [ ! -d /etc/nginx ]; then

  685.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  686.         exit 51

  687.     fi

  688. 

  689.     # Nginx settings

  690.     { echo 'user www-data;';

  691.       #echo "worker_processes; $CPU_CORES";

  692.       echo 'pid /run/nginx.pid;';

  693.       echo '';

  694.       echo 'events {';

  695.       echo '        worker_connections 50;';

  696.       echo '        # multi_accept on;';

  697.       echo '}';

  698.       echo '';

  699.       echo 'http {';

  700.       echo '        # limit the number of connections per single IP';

  701.       echo "        limit_conn_zone \$binary_remote_addr zone=conn_limit_per_ip:10m;";

  702.       echo '';

  703.       echo '        # limit the number of requests for a given session';

  704.       echo "        limit_req_zone \$binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;";

  705.       echo '';

  706.       echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file';

  707.       echo '        client_body_buffer_size  128k;';

  708.       echo '';

  709.       echo '        # headerbuffer size for the request header from client, its set for testing purpose';

  710.       echo '        client_header_buffer_size 3m;';

  711.       echo '';

  712.       echo '        # maximum number and size of buffers for large headers to read from client request';

  713.       echo '        large_client_header_buffers 4 256k;';

  714.       echo '';

  715.       echo '        # read timeout for the request body from client, its set for testing purpose';

  716.       echo '        client_body_timeout   3m;';

  717.       echo '';

  718.       echo '        # how long to wait for the client to send a request header, its set for testing purpose';

  719.       echo '        client_header_timeout 3m;';

  720.       echo '';

  721.       echo '        ##';

  722.       echo '        # Basic Settings';

  723.       echo '        ##';

  724.       echo '';

  725.       echo '        sendfile on;';

  726.       echo '        tcp_nopush on;';

  727.       echo '        tcp_nodelay on;';

  728.       echo '        keepalive_timeout 65;';

  729.       echo '        types_hash_max_size 2048;';

  730.       echo '        server_tokens off;';

  731.       echo '';

  732.       echo '        # server_names_hash_bucket_size 64;';

  733.       echo '        # server_name_in_redirect off;';

  734.       echo '';

  735.       echo '        include /etc/nginx/mime.types;';

  736.       echo '        default_type application/octet-stream;';

  737.       echo '';

  738.       echo '        ##';

  739.       echo '        # Logging Settings';

  740.       echo '        ##';

  741.       echo '';

  742.       echo '        access_log /dev/null;';

  743.       echo '        error_log /dev/null;';

  744.       echo '';

  745.       echo '        ###';

  746.       echo '        # Gzip Settings';

  747.       echo '        ##';

  748.       echo '        gzip on;';

  749.       echo '        gzip_disable "msie6";';

  750.       echo '';

  751.       echo '        # gzip_vary on;';

  752.       echo '        # gzip_proxied any;';

  753.       echo '        # gzip_comp_level 6;';

  754.       echo '        # gzip_buffers 16 8k;';

  755.       echo '        # gzip_http_version 1.1;';

  756.       echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;';

  757.       echo '';

  758.       echo '        ##';

  759.       echo '        # Virtual Host Configs';

  760.       echo '        ##';

  761.       echo '';

  762.       echo '        include /etc/nginx/conf.d/*.conf;';

  763.       echo '        include /etc/nginx/sites-enabled/*;';

  764.       echo '}'; } > /etc/nginx/nginx.conf

  765. 

  766.     # install a script to easily enable and disable nginx virtual hosts

  767.     if [ ! -d "$INSTALL_DIR" ]; then

  768.         mkdir "$INSTALL_DIR"

  769.     fi

  770.     cd "$INSTALL_DIR" || exit 2798462846827

  771.     function_check git_clone

  772.     git_clone "$NGINX_ENSITE_REPO" "$INSTALL_DIR/nginx_ensite"

  773.     cd "$INSTALL_DIR/nginx_ensite" || exit 2468748223

  774.     git checkout "$NGINX_ENSITE_COMMIT" -b "$NGINX_ENSITE_COMMIT"

  775. 

  776.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  777. 

  778.     make install

  779.     nginx_dissite default

  780. 

  781.     function_check configure_firewall_for_web_access

  782.     configure_firewall_for_web_access

  783. 

  784.     mark_completed "${FUNCNAME[0]}"

  785. }

  786. 

  787. function remove_certs {

  788.     domain_name=$1

  789. 

  790.     if [ ! "$domain_name" ]; then

  791.         return

  792.     fi

  793. 

  794.     if [ -f "/etc/ssl/certs/${domain_name}.dhparam" ]; then

  795.         rm "/etc/ssl/certs/${domain_name}.dhparam"

  796.     fi

  797. 

  798.     if [ -f "/etc/ssl/certs/${domain_name}.pem" ]; then

  799.         rm "/etc/ssl/certs/${domain_name}.pem"

  800.     fi

  801. 

  802.     if [ -f "/etc/ssl/certs/${domain_name}.crt" ]; then

  803.         rm "/etc/ssl/certs/${domain_name}.crt"

  804.     fi

  805. 

  806.     if [ -f "/etc/ssl/private/${domain_name}.key" ]; then

  807.         rm "/etc/ssl/private/${domain_name}.key"

  808.     fi

  809. }

  810. 

  811. function configure_firewall_for_web_access {

  812.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  813.         return

  814.     fi

  815.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  816.         # docker does its own firewalling

  817.         return

  818.     fi

  819.     if [[ $ONION_ONLY != "no" ]]; then

  820.         return

  821.     fi

  822.     firewall_add HTTP 80 tcp

  823.     firewall_add HTTPS 443 tcp

  824.     mark_completed "${FUNCNAME[0]}"

  825. }

  826. 

  827. function update_default_domain {

  828.     echo $'Updating default domain'

  829.     if [[ $ONION_ONLY == 'no' ]]; then

  830.         if [ -f /etc/mumble-server.ini ]; then

  831.             if [ ! -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  832.                 if ! grep -q "mumble.pem" /etc/mumble-server.ini; then

  833.                     sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini

  834.                     sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini

  835.                     systemctl restart mumble

  836.                 fi

  837.             else

  838.                 if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then

  839.                     usermod -a -G ssl-cert mumble-server

  840.                     sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini

  841.                     sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini

  842.                     systemctl restart mumble

  843.                 fi

  844.             fi

  845.         fi

  846. 

  847.         if [ -d /etc/prosody ]; then

  848.             if [ ! -d /etc/prosody/certs ]; then

  849.                 mkdir /etc/prosody/certs

  850.             fi

  851.             cp /etc/ssl/private/xmpp* /etc/prosody/certs

  852.             cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  853.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  854.                 usermod -a -G ssl-cert prosody

  855.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  856.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  857.                 fi

  858.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  859.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  860.                 fi

  861. 

  862.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then

  863.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  864.                 fi

  865.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then

  866.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  867.                 fi

  868. 

  869.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  870.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  871.                 fi

  872. 

  873.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  874.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  875.                 fi

  876. 

  877.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then

  878.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  879.                 fi

  880. 

  881.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then

  882.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  883.                 fi

  884.             fi

  885. 

  886.             chown -R prosody:default /etc/prosody

  887.             chmod -R 700 /etc/prosody/certs/*

  888.             chmod 600 /etc/prosody/prosody.cfg.lua

  889.             if [ -d "$INSTALL_DIR/prosody-modules" ]; then

  890.                 cp -r "$INSTALL_DIR/prosody-modules/"* /var/lib/prosody/prosody-modules/

  891.                 cp -r "$INSTALL_DIR/prosody-modules/"* /usr/lib/prosody/modules/

  892.             fi

  893.             chown -R prosody:prosody /var/lib/prosody/prosody-modules

  894.             chown -R prosody:prosody /usr/lib/prosody/modules

  895.             systemctl reload prosody

  896.         fi

  897. 

  898.         if [ -d /home/znc/.znc ]; then

  899.             echo $'znc found'

  900.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  901.                 pkill znc

  902.                 cat "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" > /home/znc/.znc/znc.pem

  903.                 chown znc:znc /home/znc/.znc/znc.pem

  904.                 chmod 700 /home/znc/.znc/znc.pem

  905. 

  906.                 sed -i "s|CertFile =.*|CertFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/ngircd/ngircd.conf

  907.                 sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf

  908.                 sed -i "s|KeyFile =.*|KeyFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/ngircd/ngircd.conf

  909.                 echo $'irc certificates updated'

  910. 

  911.                 systemctl restart ngircd

  912.                 su -c 'znc' - znc

  913.             fi

  914.         fi

  915. 

  916.         if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then

  917.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  918.                 if [ -d /etc/dovecot ]; then

  919.                     if ! grep -q "ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/dovecot/conf.d/10-ssl.conf; then

  920.                         sed -i "s|#ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  921.                         sed -i "s|ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  922.                         systemctl restart dovecot

  923.                     fi

  924.                 fi

  925. 

  926.                 if [ -d /etc/exim4 ]; then

  927.                     # Unfortunately there doesn't appear to be any other way than copying certs here

  928.                     cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem" /etc/exim4/

  929.                     chown root:Debian-exim /etc/exim4/*.pem

  930.                     chmod 640 /etc/exim4/*.pem

  931. 

  932.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  933.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/exim4.conf.template

  934.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  935.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/exim4.conf.template

  936. 

  937.                     systemctl restart exim4

  938.                 fi

  939.             fi

  940.         fi

  941.     fi

  942. }

  943. 

  944. function create_default_web_site {

  945.     if [ ! -f "/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}" ]; then

  946.         # create a web site for the default domain

  947.         if [ ! -d "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs" ]; then

  948.             mkdir -p "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  949.             if [ -d "/root/${PROJECT_NAME}" ]; then

  950.                 cd "/root/${PROJECT_NAME}/website" || exit 24687246468

  951.                 ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  952.             else

  953.                 if [ -d "/home/${MY_USERNAME}/${PROJECT_NAME}" ]; then

  954.                     cd "/home/${MY_USERNAME}/${PROJECT_NAME}" || exit 2462874624

  955.                     ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  956.                 fi

  957.             fi

  958.         fi

  959. 

  960.         # add a config for the default domain

  961.         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME

  962.         if [[ $ONION_ONLY == "no" ]]; then

  963.             function_check nginx_http_redirect

  964.             nginx_http_redirect "$DEFAULT_DOMAIN_NAME"

  965.             { echo 'server {';

  966.               echo '  listen 443 ssl;';

  967.               echo '  #listen [::]:443 ssl;';

  968.               echo "  server_name $DEFAULT_DOMAIN_NAME;";

  969.               echo '';

  970.               echo '  # Security'; } >> "$nginx_site"

  971.             function_check nginx_ssl

  972.             nginx_ssl "$DEFAULT_DOMAIN_NAME" mobile

  973. 

  974.             function_check nginx_security_options

  975.             nginx_security_options "$DEFAULT_DOMAIN_NAME"

  976. 

  977.             { echo '  add_header Strict-Transport-Security max-age=15768000;';

  978.               echo '';

  979.               echo '  # Logs';

  980.               echo '  access_log /dev/null;';

  981.               echo '  error_log /dev/null;';

  982.               echo '';

  983.               echo '  # Root';

  984.               echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  985.               echo '';

  986.               echo '  # Index';

  987.               echo '  index index.html;';

  988.               echo '';

  989.               echo '  # Location';

  990.               echo '  location / {'; } >> "$nginx_site"

  991.             function_check nginx_limits

  992.             nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  993.             { echo '  }';

  994.               echo '';

  995.               echo '  # Restrict access that is unnecessary anyway';

  996.               echo '  location ~ /\.(ht|git) {';

  997.               echo '    deny all;';

  998.               echo '  }';

  999.               echo '}'; } >> "$nginx_site"

  1000.         else

  1001.             echo -n '' > "$nginx_site"

  1002.         fi

  1003.         { echo 'server {';

  1004.           echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;";

  1005.           echo "    server_name $DEFAULT_DOMAIN_NAME;";

  1006.           echo ''; } >> "$nginx_site"

  1007.         function_check nginx_security_options

  1008.         nginx_security_options "$DEFAULT_DOMAIN_NAME"

  1009.         { echo '';

  1010.           echo '  # Logs';

  1011.           echo '  access_log /dev/null;';

  1012.           echo '  error_log /dev/null;';

  1013.           echo '';

  1014.           echo '  # Root';

  1015.           echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  1016.           echo '';

  1017.           echo '  # Location';

  1018.           echo '  location / {'; } >> "$nginx_site"

  1019.         function_check nginx_limits

  1020.         nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  1021.         { echo '  }';

  1022.           echo '';

  1023.           echo '  # Restrict access that is unnecessary anyway';

  1024.           echo '  location ~ /\.(ht|git) {';

  1025.           echo '    deny all;';

  1026.           echo '  }';

  1027.           echo '}'; } >> "$nginx_site"

  1028. 

  1029.         if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1030.             function_check create_site_certificate

  1031.             create_site_certificate "$DEFAULT_DOMAIN_NAME" 'yes'

  1032.         fi

  1033. 

  1034.         nginx_ensite "$DEFAULT_DOMAIN_NAME"

  1035.     fi

  1036. }

  1037. 

  1038. function install_composer {

  1039.     # curl -sS https://getcomposer.org/installer | php

  1040.     if [ -f "${HOME}/${PROJECT_NAME}/image_build/composer_install" ]; then

  1041.         php < "${HOME}/${PROJECT_NAME}/image_build/composer_install"

  1042.     else

  1043.         if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install" ]; then

  1044.             php < "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install"

  1045.         fi

  1046.     fi

  1047.     if [ -f composer.phar ]; then

  1048.         cp composer.phar composer

  1049.     fi

  1050.     if ! php composer.phar install; then

  1051.         echo $'Unable to run composer install'

  1052.         exit 7252198

  1053.     fi

  1054. }

  1055. 

  1056. function email_disable_chunking {

  1057.     if [ -f /etc/exim4/conf.d/main/04_exim4-config_chunking ]; then

  1058.         return

  1059.     fi

  1060.     echo "chunking_advertise_hosts =" > /etc/exim4/conf.d/main/04_exim4-config_chunking

  1061.     update-exim4.conf

  1062.     dpkg-reconfigure --frontend noninteractive exim4-config

  1063.     systemctl restart exim4

  1064. }

  1065. 

  1066. function email_update_onion_domain {

  1067.     email_hostname='/var/lib/tor/hidden_service_email/hostname'

  1068. 

  1069.     cp $email_hostname /etc/skel/.email_onion_domain

  1070. 

  1071.     for d in /home/*/ ; do

  1072.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  1073.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  1074.             cp $email_hostname "/home/$USERNAME/.email_onion_domain"

  1075.             chown "$USERNAME":"$USERNAME" "/home/$USERNAME/.email_onion_domain"

  1076.         fi

  1077.     done

  1078. }

  1079. 

  1080. function email_install_tls {

  1081.     tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  1082.     tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples

  1083.     email_config_changed=

  1084. 

  1085.     if [ ! -f $tls_config_file ]; then

  1086.         tls_config_file=/etc/exim4/exim4.conf.template

  1087.         tls_auth_config_file=$tls_config_file

  1088.     fi

  1089.     if [ ! -f /etc/ssl/certs/exim.dhparam ]; then

  1090.         "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"

  1091.         CHECK_HOSTNAME=exim

  1092.         check_certificates exim

  1093.         cp /etc/ssl/certs/exim.dhparam /etc/exim4

  1094.         chown root:Debian-exim /etc/exim4/exim.dhparam

  1095.         chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam

  1096.         email_config_changed=1

  1097.     fi

  1098.     if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then

  1099.         sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\\MAIN_HARDCODE_PRIMARY_HOSTNAME =\\nMAIN_TLS_ENABLE = true" "$tls_config_file"

  1100.         email_config_changed=1

  1101.     fi

  1102.     if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then

  1103.         sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file

  1104.         email_config_changed=1

  1105.     fi

  1106.     if grep -q '# login_saslauthd_server' $tls_auth_config_file; then

  1107.         sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file

  1108.         email_config_changed=1

  1109.     fi

  1110.     if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1111.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/exim4/

  1112.         chown root:Debian-exim /etc/exim4/*.pem

  1113.         chmod 640 /etc/exim4/*.pem

  1114. 

  1115.         if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then

  1116.             sed -i "/.ifdef MAIN_TLS_CERTKEY/i\\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file

  1117.             email_config_changed=1

  1118.         fi

  1119.     fi

  1120.     if [ -f "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" ]; then

  1121.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/exim4/

  1122.         chown root:Debian-exim /etc/exim4/*.pem

  1123.         chmod 640 /etc/exim4/*.pem

  1124. 

  1125.         if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then

  1126.             sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file

  1127.             email_config_changed=1

  1128.         fi

  1129.     fi

  1130.     if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then

  1131.         sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4

  1132.         email_config_changed=1

  1133.     fi

  1134.     if [ $email_config_changed ]; then

  1135.         systemctl restart saslauthd

  1136.         systemctl restart exim4

  1137.     fi

  1138. }

  1139. 

  1140. function install_web_local_user_interface {

  1141.     # TODO

  1142.     # This is intended as a placeholder for a potential local web user interface

  1143.     # similar to Plinth or the yunohost admin interface

  1144.     local_hostname=$(grep 'host-name' /etc/avahi/avahi-daemon.conf | awk -F '=' '{print $2}').local

  1145. 

  1146.     mkdir -p "/var/www/${local_hostname}/htdocs"

  1147.     { echo '<html>';

  1148.       echo '  <body>';

  1149.       echo "  This is a test on $local_hostname";

  1150.       echo '  </body>';

  1151.       echo '</html>'; } > "/var/www/${local_hostname}/htdocs/index.html"

  1152.     chown -R www-data:www-data "/var/www/${local_hostname}/htdocs"

  1153. 

  1154.     nginx_file=/etc/nginx/sites-available/$local_hostname

  1155.     { echo 'server {';

  1156.       echo '  listen 80;';

  1157.       echo '  listen [::]:80;';

  1158.       echo "  server_name ${local_hostname};";

  1159.       echo "  root /var/www/${local_hostname}/htdocs;";

  1160.       echo '  index index.html;';

  1161.       echo '}'; } > "$nginx_file"

  1162.     nginx_ensite "$local_hostname"

  1163. }

  1164. 

  1165. # NOTE: deliberately no exit 0