freedombone/src/freedombone-sec

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# Alters the security settings
#
# License
# =======
#
# Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-sec
export TEXTDOMAINDIR="/usr/share/locale"

CONFIGURATION_FILE=/root/${PROJECT_NAME}.cfg
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

SSL_PROTOCOLS=
SSL_CIPHERS=
SSH_CIPHERS=
SSH_MACS=
SSH_KEX=
SSH_HOST_KEY_ALGORITHMS=
SSH_PASSWORDS=
XMPP_CIPHERS=
XMPP_ECC_CURVE=

WEBSITES_DIRECTORY='/etc/nginx/sites-available'
DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
SSH_CONFIG='/etc/ssh/sshd_config'
XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

MINIMUM_LENGTH=6

IMPORT_FILE=
EXPORT_FILE=

CURRENT_DIR=$(pwd)

REGENERATE_SSH_HOST_KEYS="no"
REGENERATE_DH_KEYS="no"
DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

MY_USERNAME=

function get_protocols_from_website {
  if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
	  return
  fi
  SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
}

function get_ciphers_from_website {
  if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
	  return
  fi
  SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
}

function get_website_settings {
  if [ ! -d $WEBSITES_DIRECTORY ]; then
	  return
  fi

  cd $WEBSITES_DIRECTORY
  for file in `dir -d *` ; do
	  get_protocols_from_website $file
	  if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
		  get_ciphers_from_website $file
		  if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
			  break
		  else
			  SSL_PROTOCOLS=""
		  fi
	  fi
  done
}

function get_imap_settings {
  if [ ! -f $DOVECOT_CIPHERS ]; then
	  return
  fi
  # clear commented out cipher list
  sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  if [ $SSL_CIPHERS ]; then
	  return
  fi
  if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
	  return
  fi
  SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
}

function get_xmpp_settings {
  if [ ! -f $XMPP_CONFIG ]; then
	  return
  fi
  XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
}

function get_ssh_settings {
  if [ -f $SSH_CONFIG ]; then
	  SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
	  SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
	  SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
	  SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  fi
  if [ -f /etc/ssh/ssh_config ]; then
	  SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
	  if [ ! $SSH_CIPHERS ]; then
		  SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
	  fi
	  if [ ! $SSH_MACS ]; then
		  SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
	  fi
  fi
}

function change_website_settings {
  if [ ! "$SSL_PROTOCOLS" ]; then
	  return
  fi
  if [ ! $SSL_CIPHERS ]; then
	  return
  fi
  if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
	  return
  fi
  if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
	  return
  fi
  if [ ! -d $WEBSITES_DIRECTORY ]; then
	  return
  fi

  cd $WEBSITES_DIRECTORY
  for file in `dir -d *` ; do
	  sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
	  sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  done
  systemctl restart nginx
  echo $'Web security settings changed'
}

function change_imap_settings {
  if [ ! -f $DOVECOT_CIPHERS ]; then
	  return
  fi
  if [ ! $SSL_CIPHERS ]; then
	  return
  fi
  if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
	  return
  fi
  sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  systemctl restart dovecot
  echo $'imap security settings changed'
}

function change_ssh_settings {
  if [ -f /etc/ssh/ssh_config ]; then
	  if [ $SSH_HOST_KEY_ALGORITHMS ]; then
		  sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
		  echo $'ssh client security settings changed'
	  fi
  fi
  if [ -f $SSH_CONFIG ]; then
	  if [ ! $SSH_CIPHERS ]; then
		  return
	  fi
	  if [ ! $SSH_MACS ]; then
		  return
	  fi
	  if [ ! $SSH_KEX ]; then
		  return
	  fi
	  if [ ! $SSH_PASSWORDS ]; then
		  return
	  fi

	  sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
	  sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
	  sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
	  sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
	  systemctl restart ssh
	  echo $'ssh server security settings changed'
  fi
}

function change_xmpp_settings {
  if [ ! -f $XMPP_CONFIG ]; then
	  return
  fi
  if [ ! $XMPP_CIPHERS ]; then
	  return
  fi
  if [ ! $XMPP_ECC_CURVE ]; then
	  return
  fi
  sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  systemctl restart prosody
  echo $'xmpp security settings changed'
}

function interactive_setup {
  if [ $SSL_CIPHERS ]; then
	  data=$(tempfile 2>/dev/null)
	  trap "rm -f $data" 0 1 2 5 15
	  dialog --backtitle $"Freedombone Security Configuration" \
		  --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
		  $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
		  $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
		  2> $data
	  sel=$?
	  case $sel in
		  1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
			 SSL_CIPHERS=$(cat $data | sed -n 2p)
			 ;;
		  255) exit 0;;
	  esac
  fi

  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  if [ $SSH_HOST_KEY_ALGORITHMS ]; then
	  dialog --backtitle $"Freedombone Security Configuration" \
		--form $"\nSecure Shell Ciphers:" 13 95 4 \
		 $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
		 $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
		 $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
		 $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
		 2> $data
	  sel=$?
	  case $sel in
		  1) SSH_CIPHERS=$(cat $data | sed -n 1p)
			 SSH_MACS=$(cat $data | sed -n 2p)
			 SSH_KEX=$(cat $data | sed -n 3p)
			 SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
			 ;;
		  255) exit 0;;
	  esac
  else
	  dialog --backtitle $"Freedombone Security Configuration" \
		--form $"\nSecure Shell Ciphers:" 11 95 3 \
		 $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
		 $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
		 $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
		 2> $data
	  sel=$?
	  case $sel in
		  1) SSH_CIPHERS=$(cat $data | sed -n 1p)
			 SSH_MACS=$(cat $data | sed -n 2p)
			 SSH_KEX=$(cat $data | sed -n 3p)
			 ;;
		  255) exit 0;;
	  esac
  fi

  if [[ $SSH_PASSWORDS == "yes" ]]; then
	  dialog --title $"SSH Passwords" \
		  --backtitle $"Freedombone Security Configuration" \
		  --yesno $"\nAllow SSH login using passwords?" 7 60
  else
	  dialog --title $"SSH Passwords" \
		  --backtitle $"Freedombone Security Configuration" \
		  --defaultno \
		  --yesno $"\nAllow SSH login using passwords?" 7 60
  fi
  sel=$?
  case $sel in
	  0) SSH_PASSWORDS="yes";;
	  1) SSH_PASSWORDS="no";;
	  255) exit 0;;
  esac

  if [ $XMPP_CIPHERS ]; then
	  data=$(tempfile 2>/dev/null)
	  trap "rm -f $data" 0 1 2 5 15
	  dialog --backtitle $"Freedombone Security Configuration" \
		  --form $"\nXMPP Ciphers:" 10 95 2 \
		  $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
		  $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
		  2> $data
	  sel=$?
	  case $sel in
		  1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
			 XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
			 ;;
		  255) exit 0;;
	  esac
  fi

  dialog --title $"Final Confirmation" \
	  --backtitle $"Freedombone Security Configuration" \
	  --defaultno \
	  --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  sel=$?
  case $sel in
	  1) clear
		 echo $'Exiting without changing security settings'
		 exit 0;;
	  255) clear
		   echo $'Exiting without changing security settings'
		   exit 0;;
  esac

  clear
}

function send_monkeysphere_server_keys_to_users {
	monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
	for d in /home/*/ ; do
		USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
		if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then
			if [ ! -d /home/$USERNAME/.monkeysphere ]; then
				mkdir /home/$USERNAME/.monkeysphere
			fi
			echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
			chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
		fi
	done
}

function regenerate_ssh_host_keys {
  if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
	  rm -f /etc/ssh/ssh_host_*
	  dpkg-reconfigure openssh-server
	  echo $'ssh host keys regenerated'
	  # remove small moduli
	  awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
	  mv ~/moduli /etc/ssh/moduli
	  echo $'ssh small moduli removed'
	  # update monkeysphere
	  DEFAULT_DOMAIN_NAME=
	  if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
		  DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
	  fi
	  monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
	  SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
	  monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
	  monkeysphere-host publish-key
	  send_monkeysphere_server_keys_to_users
	  echo $'updated monkeysphere ssh host key'
	  systemctl restart ssh
  fi
}

function regenerate_dh_keys {
  if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
	  if [ ! -d /etc/ssl/mycerts ]; then
		  echo $'No dhparam certificates were found'
		  return
	  fi

	  data=$(tempfile 2>/dev/null)
	  trap "rm -f $data" 0 1 2 5 15
	  dialog --backtitle "Freedombone Security Configuration" \
			 --title "Diffie-Hellman key length" \
			 --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
			 1 "2048 bits" off \
			 2 "3072 bits" on \
			 3 "4096 bits" off 2> $data
	  sel=$?
	  case $sel in
		  1) exit 1;;
		  255) exit 1;;
	  esac
	  case $(cat $data) in
		  1) DH_KEYLENGTH=2048;;
		  2) DH_KEYLENGTH=3072;;
		  3) DH_KEYLENGTH=4096;;
	  esac

	  ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
  fi
}

function renew_startssl {
  renew_domain=
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title $"Renew a StartSSL certificate" \
		 --backtitle $"Freedombone Security Settings" \
		 --inputbox $"Enter the domain name" 8 60 2>$data
  sel=$?
  case $sel in
	  0)
		  renew_domain=$(<$data)
		  ;;
  esac

  if [ ! $renew_domain ]; then
	  return
  fi

  if [[ $renew_domain == "http"* ]]; then
	  dialog --title $"Renew a StartSSL certificate" \
			 --msgbox $"Don't include the https://" 6 40
	  return
  fi

  if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
	  dialog --title $"Renew a StartSSL certificate" \
			 --msgbox $"An existing certificate for $renew_domain was not found" 6 40
	  return
  fi

  if [[ $renew_domain != *"."* ]]; then
	  dialog --title $"Renew a StartSSL certificate" \
			 --msgbox $"Invalid domain name: $renew_domain" 6 40
	  return
  fi

  ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl

  exit 0
}

function renew_letsencrypt {
  renew_domain=
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title $"Renew a Let's Encrypt certificate" \
		 --backtitle $"Freedombone Security Settings" \
		 --inputbox $"Enter the domain name" 8 60 2>$data
  sel=$?
  case $sel in
	  0)
		  renew_domain=$(<$data)
		  ;;
  esac

  if [ ! $renew_domain ]; then
	  return
  fi

  if [[ $renew_domain == "http"* ]]; then
	  dialog --title $"Renew a Let's Encrypt certificate" \
			 --msgbox $"Don't include the https://" 6 40
	  return
  fi

  if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
	  dialog --title $"Renew a Let's Encrypt certificate" \
			 --msgbox $"An existing certificate for $renew_domain was not found" 6 40
	  return
  fi

  if [[ $renew_domain != *"."* ]]; then
	  dialog --title $"Renew a Let's Encrypt certificate" \
			 --msgbox $"Invalid domain name: $renew_domain" 6 40
	  return
  fi

  ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'

  exit 0
}

function create_letsencrypt {
  new_domain=
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title $"Create a new Let's Encrypt certificate" \
		 --backtitle $"Freedombone Security Settings" \
		 --inputbox $"Enter the domain name" 8 60 2>$data
  sel=$?
  case $sel in
	  0)
		  new_domain=$(<$data)
		  ;;
  esac

  if [ ! $new_domain ]; then
	  return
  fi

  if [[ $new_domain == "http"* ]]; then
	  dialog --title $"Create a new Let's Encrypt certificate" \
			 --msgbox $"Don't include the https://" 6 40
	  return
  fi

  if [[ $new_domain != *"."* ]]; then
	  dialog --title $"Create a new Let's Encrypt certificate" \
			 --msgbox $"Invalid domain name: $new_domain" 6 40
	  return
  fi

  if [ ! -d /var/www/${new_domain} ]; then
	  dialog --title $"Create a new Let's Encrypt certificate" \
			 --msgbox $'Domain not found within /var/www' 6 40
	  return
  fi

  ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH

  exit 0
}

function update_ciphersuite {
	project_filename=/usr/local/bin/${PROJECT_NAME}
	if [ ! -f $project_filename ]; then
		project_filename=/usr/bin/${PROJECT_NAME}
	fi

	RECOMMENDED_SSL_CIPHERS=$(cat $project_filename | grep 'SSL_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
	if [ ! "$RECOMMENDED_SSL_CIPHERS" ]; then
		return
	fi
	if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
		return
	fi

	RECOMMENDED_SSL_PROTOCOLS=$(cat $project_filename | grep 'SSL_PROTOCOLS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
	if [ ! "$RECOMMENDED_SSL_PROTOCOLS" ]; then
		return
	fi
	if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
		return
	fi

	RECOMMENDED_SSH_CIPHERS=$(cat $project_filename | grep 'SSH_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
	if [ ! "$RECOMMENDED_SSH_CIPHERS" ]; then
		return
	fi
	if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
		return
	fi

	RECOMMENDED_SSH_MACS=$(cat $project_filename | grep 'SSH_MACS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
	if [ ! "$RECOMMENDED_SSH_MACS" ]; then
		return
	fi
	if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
		return
	fi

	RECOMMENDED_SSH_KEX=$(cat $project_filename | grep 'SSH_KEX=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
	if [ ! "$RECOMMENDED_SSH_KEX" ]; then
		return
	fi
	if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
		return
	fi

	cd $WEBSITES_DIRECTORY
	for file in `dir -d *` ; do
		sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
		sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
	done
	systemctl restart nginx

	sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
	sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
	sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
	systemctl restart ssh

	dialog --title $"Update ciphersuite" \
		   --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
	exit 0
}

function gpg_pubkey_from_email {
	key_owner_username=$1
	key_email_address=$2
	key_id=
	if [[ $key_owner_username != "root" ]]; then
		key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
	else
		key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
	fi
	echo $key_id
}

function enable_monkeysphere {
	monkey=
	dialog --title $"GPG based authentication" \
		   --backtitle $"Freedombone Security Configuration" \
		   --defaultno \
		   --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
	sel=$?
	case $sel in
		0) monkey='yes';;
		255) exit 0;;
	esac

	if [ $monkey ]; then
		if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then
			MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
		fi

		if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
			dialog --title $"GPG based authentication" \
				   --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
			exit 0
		fi

		MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
		if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
			echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
			exit 52825
		fi

		sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
		sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
		monkeysphere-authentication update-users

		# The admin user is the identity certifier
		fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
		monkeysphere-authentication add-identity-certifier $fpr
		monkeysphere-host publish-key
		send_monkeysphere_server_keys_to_users
	else
		sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
		sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
	fi

	systemctl restart ssh

	if [ $monkey ]; then
		dialog --title $"GPG based authentication" \
			   --msgbox $"GPG based authentication was enabled" 6 40
	else
		dialog --title $"GPG based authentication" \
			   --msgbox $"GPG based authentication was disabled" 6 40
	fi
	exit 0
}

function register_website {
	domain="$1"

	if [[ ${domain} == *".local" ]]; then
		echo $"Can't register local domains"
		return
	fi

	if [ ! -f /etc/ssl/private/${domain}.key ]; then
		echo $"No SSL/TLS private key found for ${domain}"
		return
	fi

	if [ ! -f /etc/nginx/sites-available/${domain} ]; then
		echo $"No virtual host found for ${domain}"
		return
	fi

	monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
	monkeysphere-host publish-key
	echo "0"
}

function register_website_interactive {
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title $"Register a website with monkeysphere" \
		 --backtitle $"Freedombone Security Settings" \
		 --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  sel=$?
  case $sel in
	  0)
		  domain=$(<$data)
		  register_website "$domain"
		  if [ ! "$?" = "0" ]; then
			  dialog --title $"Register a website with monkeysphere" \
					 --msgbox "$?" 6 40
		  else
			  dialog --title $"Register a website with monkeysphere" \
					 --msgbox $"$domain has been registered" 6 40
		  fi
		  ;;
  esac
}

function housekeeping {
  cmd=(dialog --separate-output \
			  --backtitle "Freedombone Security Configuration" \
			  --title "Housekeeping options" \
			  --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17)
  options=(1 "Regenerate ssh host keys" off
		   2 "Regenerate Diffie-Hellman keys" off
		   3 "Renew a StartSSL certificate" off
		   4 "Update cipersuite" off
		   5 "Create a new Let's Encrypt certificate" off
		   6 "Renew Let's Encrypt certificate" off
		   7 "Enable GPG based authentication (monkeysphere)" off
		   8 "Register a website with monkeysphere" off
		   9 "Go Back/Exit" on)
  choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
  clear
  for choice in $choices
  do
	case $choice in
	  1)
		REGENERATE_SSH_HOST_KEYS="yes"
		;;
	  2)
		REGENERATE_DH_KEYS="yes"
		;;
	  3)
		renew_startssl
		;;
	  4)
		update_ciphersuite
		;;
	  5)
		create_letsencrypt
		;;
	  6)
		renew_letsencrypt
		;;
	  7)
		enable_monkeysphere
		;;
	  8)
		register_website
		;;
	  9)
		exit 0
		;;
	esac
  done
}

function import_settings {
  cd $CURRENT_DIR

  if [ ! $IMPORT_FILE ]; then
	  return
  fi

  if [ ! -f $IMPORT_FILE ]; then
	  echo $"Import file $IMPORT_FILE not found"
	  exit 6393
  fi

  if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
		  SSL_PROTOCOLS=$TEMP_VALUE
	  fi
  fi
  if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
		  SSL_CIPHERS=$TEMP_VALUE
	  fi
  fi
  if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
		  SSH_CIPHERS=$TEMP_VALUE
	  fi
  fi
  if grep -q "SSH_MACS" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
		  SSH_MACS=$TEMP_VALUE
	  fi
  fi
  if grep -q "SSH_KEX" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
		  SSH_KEX=$TEMP_VALUE
	  fi
  fi
  if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
		  SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
	  fi
  fi
  if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
		  SSH_PASSWORDS=$TEMP_VALUE
	  fi
  fi
  if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
		  XMPP_CIPHERS=$TEMP_VALUE
	  fi
  fi
  if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
	  TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
	  if [ ${#TEMP_VALUE} -gt 3 ]; then
		  XMPP_ECC_CURVE=$TEMP_VALUE
	  fi
  fi
}

function export_settings {
  if [ ! $EXPORT_FILE ]; then
	  return
  fi

  cd $CURRENT_DIR

  if [ ! -f $EXPORT_FILE ]; then
	  if [ "$SSL_PROTOCOLS" ]; then
		  echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
	  fi
	  if [ $SSL_CIPHERS ]; then
		  echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
	  fi
	  if [ $SSH_CIPHERS ]; then
		  echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
	  fi
	  if [ $SSH_MACS ]; then
		  echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
	  fi
	  if [ $SSH_KEX ]; then
		  echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
	  fi
	  if [ $SSH_HOST_KEY_ALGORITHMS ]; then
		  echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
	  fi
	  if [ $SSH_PASSWORDS ]; then
		  echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
	  fi
	  if [ $XMPP_CIPHERS ]; then
		  echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
	  fi
	  if [ $XMPP_ECC_CURVE ]; then
		  echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
	  fi
	  echo "Security settings exported to $EXPORT_FILE"
	  exit 0
  fi

  if [ "$SSL_PROTOCOLS" ]; then
	  if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
		  sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
	  else
		  echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
	  fi
  fi
  if [ $SSL_CIPHERS ]; then
	  if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
		  sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
	  else
		  echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
	  fi
  fi
  if [ $SSH_CIPHERS ]; then
	  if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
		  sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
	  else
		  echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
	  fi
  fi
  if [ $SSH_MACS ]; then
	  if grep -q "SSH_MACS" $EXPORT_FILE; then
		  sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
	  else
		  echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
	  fi
  fi
  if [ $SSH_KEX ]; then
	  if grep -q "SSH_KEX" $EXPORT_FILE; then
		  sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
	  else
		  echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
	  fi
  fi
  if [ $SSH_HOST_KEY_ALGORITHMS ]; then
	  if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
		  sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
	  else
		  echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
	  fi
  fi
  if [ $SSH_PASSWORDS ]; then
	  if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
		  sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
	  else
		  echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
	  fi
  fi
  if [ $XMPP_CIPHERS ]; then
	  if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
		  sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
	  else
		  echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
	  fi
  fi
  if [ $XMPP_ECC_CURVE ]; then
	  if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
		  sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
	  else
		  echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
	  fi
  fi
  echo $"Security settings exported to $EXPORT_FILE"
  exit 0
}

function refresh_gpg_keys {
	for d in /home/*/ ; do
		USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
		if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then
			su -c 'gpg --refresh-keys' - $USERNAME
		fi
	done
	exit 0
}

function monkeysphere_sign_server_keys {
	server_keys_file=/home/$USER/.monkeysphere/server_keys
	if [ ! -f $server_keys_file ]; then
		exit 0
	fi

	keys_signed=
	while read line; do
		echo $line
		if [ ${#line} -gt 2 ]; then
			fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
			if [ ${#fpr} -gt 2 ]; then
				gpg --sign-key $fpr
				if [ "$?" = "0" ]; then
					gpg --update-trustdb
					keys_signed=1
				fi
			fi
		fi
	done <$server_keys_file

	if [ $keys_signed ]; then
		rm $server_keys_file
	fi
	exit 0
}

function blog_hash {
	# produces a hash corresponding to a blog password
	pass="$1"
	BLOGHASH_FILENAME=/usr/bin/bloghash

	echo '<?php' > $BLOGHASH_FILENAME
	echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $BLOGHASH_FILENAME
	echo '$password = $_GET["password"];' >> $BLOGHASH_FILENAME
	echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $BLOGHASH_FILENAME
	echo 'if (password_verify($password, $hash)) {' >> $BLOGHASH_FILENAME
	echo '  echo $hash;' >> $BLOGHASH_FILENAME
	echo '}' >> $BLOGHASH_FILENAME
	echo '?>' >> $BLOGHASH_FILENAME

	php $BLOGHASH_FILENAME password="$pass"
}

function show_help {
  echo ''
  echo "${PROJECT_NAME}-sec"
  echo ''
  echo $'Alters the security settings'
  echo ''
  echo ''
  echo $'  -h --help                Show help'
  echo $'  -e --export              Export security settings to a file'
  echo $'  -i --import              Import security settings from a file'
  echo $'  -r --refresh             Refresh GPG keys for all users'
  echo $'  -s --sign                Sign monkeysphere server keys'
  echo $'     --register [domain]   Register a https domain with monkeysphere'
  echo $'  -b --bloghash [password] Returns the hash of a password for the blog'
  echo ''
  exit 0
}


# Get the commandline options
while [[ $# > 1 ]]
do
key="$1"

case $key in
	-h|--help)
	show_help
	;;
	# Export settings
	-e|--export)
	shift
	EXPORT_FILE="$1"
	;;
	# Export settings
	-i|--import)
	shift
	IMPORT_FILE="$1"
	;;
	# Refresh GPG keys
	-r|--refresh)
	shift
	refresh_gpg_keys
	;;
	# register a website
	--register|--reg|--site)
	shift
	register_website "$1"
	;;
	# user signs monkeysphere server keys
	-s|--sign)
	shift
	monkeysphere_sign_server_keys
	;;
	# get a hash of the given blog password
	-b|--bloghash)
	shift
	blog_hash "$1"
	exit 0
	;;
	*)
	# unknown option
	;;
esac
shift
done

housekeeping
get_website_settings
get_imap_settings
get_ssh_settings
get_xmpp_settings
import_settings
export_settings
interactive_setup
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
regenerate_ssh_host_keys
regenerate_dh_keys
exit 0