free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
8562 Commits
5 Branches
Tree: d5d74165c0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd5d74165c0'
${ noResults }
freedombone/src/freedombone-utils-web

freedombone-utils-web 43KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Web related functions

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. # default search engine for command line browser

  32. DEFAULT_SEARCH='https://searx.laquadrature.net'

  33. 

  34. # onion port for the default domain

  35. DEFAULT_DOMAIN_ONION_PORT=8099

  36. 

  37. # Whether Let's Encrypt is enabled for all sites

  38. LETSENCRYPT_ENABLED="yes"

  39. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  40. 

  41. # list of encryption protocols

  42. SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

  43. 

  44. # Mozilla recommended default ciphers. These work better on Android

  45. # See https://wiki.mozilla.org/Security/Server_Side_TLS

  46. SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

  47. 

  48. # some mobile apps (eg. NextCloud) have not very good cipher compatibility.

  49. # These ciphers can be used for those cases

  50. SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"

  51. 

  52. NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"

  53. NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

  54. 

  55. # memory limit for php in MB

  56. MAX_PHP_MEMORY=64

  57. 

  58. # logging level for Nginx

  59. WEBSERVER_LOG_LEVEL='warn'

  60. 

  61. # test a domain name to see if it's valid

  62. function validate_domain_name {

  63.     # count the number of dots in the domain name

  64.     dots=${TEST_DOMAIN_NAME//[^.]}

  65.     no_of_dots=${#dots}

  66.     if (( no_of_dots > 3 )); then

  67.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"

  68.     fi

  69.     if (( no_of_dots == 0 )); then

  70.         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"

  71.     fi

  72. }

  73. 

  74. function nginx_disable_sniffing {

  75.     domain_name=$1

  76.     filename=/etc/nginx/sites-available/$domain_name

  77.     { echo '    add_header X-Frame-Options DENY;';

  78.       echo '    add_header X-Content-Type-Options nosniff;';

  79.       echo ''; } >> "$filename"

  80. }

  81. 

  82. function nginx_limits {

  83.     domain_name=$1

  84.     max_body='20m'

  85.     if [ "$2" ]; then

  86.         max_body=$2

  87.     fi

  88.     filename=/etc/nginx/sites-available/$domain_name

  89.     { echo "    client_max_body_size ${max_body};";

  90.       echo '    client_body_buffer_size 128k;';

  91.       echo '';

  92.       echo '    limit_conn conn_limit_per_ip 10;';

  93.       echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;';

  94.       echo ''; } >> "$filename"

  95. }

  96. 

  97. function nginx_stapling {

  98.     domain_name="$1"

  99.     filename=/etc/nginx/sites-available/$domain_name

  100.     { echo "    ssl_stapling on;";

  101.       echo '    ssl_stapling_verify on;';

  102.       echo "    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;";

  103.       echo ''; } >> "$filename"

  104. }

  105. 

  106. function nginx_http_redirect {

  107.     # redirect port 80 to https

  108.     domain_name=$1

  109.     filename=/etc/nginx/sites-available/$domain_name

  110.     { echo 'server {';

  111.       echo '    listen 80;';

  112.       echo '    listen [::]:80;';

  113.       echo "    server_name ${domain_name};";

  114.       echo "    root /var/www/${domain_name}/htdocs;";

  115.       echo '    access_log /dev/null;';

  116.       echo "    error_log /dev/null;"; } > "$filename"

  117.     function_check nginx_limits

  118.     nginx_limits "$domain_name"

  119.     if [ ${#2} -gt 0 ]; then

  120.         echo "    $2;" >> "$filename"

  121.     fi

  122.     { echo "    rewrite ^ https://\$server_name\$request_uri? permanent;";

  123.       echo '}';

  124.       echo ''; } >> "$filename"

  125. }

  126. 

  127. function nginx_compress {

  128.     domain_name=$1

  129.     filename=/etc/nginx/sites-available/$domain_name

  130. 

  131.     { echo '    gzip            on;';

  132.       echo '    gzip_min_length 1000;';

  133.       echo '    gzip_proxied    expired no-cache no-store private auth;';

  134.       echo '    gzip_types      text/plain application/xml;'; } >> "$filename"

  135. }

  136. 

  137. function nginx_ssl {

  138.     # creates the SSL/TLS section for a website

  139.     domain_name=$1

  140.     mobile_ciphers=$2

  141.     filename=/etc/nginx/sites-available/$domain_name

  142. 

  143.     { echo '    ssl_stapling off;';

  144.       echo '    ssl_stapling_verify off;';

  145.       echo '    ssl on;';

  146.       echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;";

  147.       echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;";

  148.       echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;";

  149.       echo '';

  150.       echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;';

  151.       echo '    ssl_session_timeout 60m;';

  152.       echo '    ssl_prefer_server_ciphers on;';

  153.       echo "    ssl_protocols $SSL_PROTOCOLS;"; } >> "$filename"

  154.     if [ "$mobile_ciphers" ]; then

  155.         echo "    # Mobile compatible ciphers" >> "$filename"

  156.         echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> "$filename"

  157.     else

  158.         echo "    ssl_ciphers '$SSL_CIPHERS';" >> "$filename"

  159.     fi

  160.     { echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";

  161.       echo '    add_header X-XSS-Protection "1; mode=block";';

  162.       echo '    add_header X-Robots-Tag none;';

  163.       echo '    add_header X-Download-Options noopen;';

  164.       echo '    add_header X-Permitted-Cross-Domain-Policies none;'; } >> "$filename"

  165. 

  166.     #nginx_stapling $1

  167. }

  168. 

  169. # check an individual domain name

  170. function test_domain_name {

  171.     if [ "$1" ]; then

  172.         TEST_DOMAIN_NAME=$1

  173.         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then

  174.             function_check validate_domain_name

  175.             validate_domain_name

  176.             if [[ "$TEST_DOMAIN_NAME" != "$1" ]]; then

  177.                 echo $"Invalid domain name $TEST_DOMAIN_NAME"

  178.                 exit 8528

  179.             fi

  180.         fi

  181.     fi

  182. }

  183. 

  184. # Checks whether certificates were generated for the given hostname

  185. function check_certificates {

  186.     if [ ! "$1" ]; then

  187.         return

  188.     fi

  189.     USE_LETSENCRYPT='no'

  190.     if [ "$2" ]; then

  191.         USE_LETSENCRYPT="$2"

  192.     fi

  193.     if [[ $USE_LETSENCRYPT == 'no' ]]; then

  194.         if [ ! -f "/etc/ssl/private/${1}.key" ]; then

  195.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  196.             exit 63959

  197.         fi

  198.         if [ ! -f "/etc/ssl/certs/${1}.crt" ]; then

  199.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  200.             exit 7679

  201.         fi

  202. 

  203.         if grep -q "${1}.pem" "/etc/nginx/sites-available/${1}"; then

  204.             sed -i "s|${1}.pem|${1}.crt|g" "/etc/nginx/sites-available/${1}"

  205.         fi

  206.     else

  207.         if [ ! -f "/etc/letsencrypt/live/${1}/privkey.pem" ]; then

  208.             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"

  209.             exit 6282

  210.         fi

  211.         if [ ! -f "/etc/letsencrypt/live/${1}/fullchain.pem" ]; then

  212.             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"

  213.             exit 5328

  214.         fi

  215.         if grep -q "${1}.crt" "/etc/nginx/sites-available/${1}"; then

  216.             sed -i "s|${1}.crt|${1}.pem|g" "/etc/nginx/sites-available/${1}"

  217.         fi

  218.     fi

  219.     if [ ! -f "/etc/ssl/certs/${1}.dhparam" ]; then

  220.         echo $"Diffie–Hellman parameters for ${CHECK_HOSTNAME} were not created"

  221.         exit 5989

  222.     fi

  223. }

  224. 

  225. function cert_exists {

  226.     cert_type='dhparam'

  227.     if [ "$2" ]; then

  228.         cert_type="$2"

  229.     fi

  230.     if [ -f "/etc/ssl/certs/${1}.${cert_type}" ]; then

  231.         echo "1"

  232.     else

  233.         if [ -f "/etc/letsencrypt/live/${1}/fullchain.${cert_type}" ]; then

  234.             echo "1"

  235.         else

  236.             echo "0"

  237.         fi

  238.     fi

  239. }

  240. 

  241. function create_self_signed_cert {

  242.     "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  243.     function_check check_certificates

  244.     check_certificates "${SITE_DOMAIN_NAME}"

  245. }

  246. 

  247. function create_letsencrypt_cert {

  248.     if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then

  249.         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then

  250.             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"

  251.             "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"

  252.             function_check check_certificates

  253.             check_certificates "${SITE_DOMAIN_NAME}"

  254.         else

  255.             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"

  256.             if [ -f "/etc/nginx/sites-available/$SITE_DOMAIN_NAME" ]; then

  257.                 nginx_dissite "$SITE_DOMAIN_NAME"

  258.                 systemctl restart nginx

  259.             fi

  260.             exit 682529

  261.         fi

  262.         return

  263.     fi

  264. 

  265.     function_check check_certificates

  266.     check_certificates "${SITE_DOMAIN_NAME}" 'yes'

  267. }

  268. 

  269. function create_site_certificate {

  270.     SITE_DOMAIN_NAME="$1"

  271. 

  272.     # if yes then only "valid" certs are allowed, not self-signed

  273.     NO_SELF_SIGNED='no'

  274.     if [ "$2" ]; then

  275.         NO_SELF_SIGNED="$2"

  276.     fi

  277. 

  278.     if [[ $ONION_ONLY == "no" ]]; then

  279.         if [[ "$(cert_exists "${SITE_DOMAIN_NAME}")" == "0" ]]; then

  280.             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then

  281.                 create_self_signed_cert

  282.             else

  283.                 create_letsencrypt_cert

  284.             fi

  285.         else

  286.             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then

  287.                 if [[ "$(cert_exists "${SITE_DOMAIN_NAME}" pem)" == "0" ]]; then

  288.                     create_letsencrypt_cert

  289.                 fi

  290.             fi

  291.         fi

  292.     fi

  293. }

  294. 

  295. # script to automatically renew any Let's Encrypt certificates

  296. function letsencrypt_renewals {

  297.     if [[ $ONION_ONLY != "no" ]]; then

  298.         return

  299.     fi

  300. 

  301.     renewals_script=/tmp/renewals_letsencrypt

  302.     renewals_retry_script=/tmp/renewals_retry_letsencrypt

  303.     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'

  304.     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'

  305. 

  306.     # the main script tries to renew once per month

  307.     { echo '#!/bin/bash';

  308.       echo '';

  309.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  310.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  311.       echo '';

  312.       echo 'if [ -d /etc/letsencrypt ]; then';

  313.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  314.       echo '        rm ~/letsencrypt_failed';

  315.       echo '    fi';

  316.       echo -n "    ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  317.       echo -n "awk -F ':' '{print ";

  318.       echo -n "\$2";

  319.       echo "}')";

  320.       echo "    ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  321.       echo '    for d in /etc/letsencrypt/live/*/ ; do';

  322.       echo -n "        LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  323.       echo -n "awk -F '/' '{print ";

  324.       echo -n "\$5";

  325.       echo "}')";

  326.       echo "        if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  327.       echo "            \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  328.       echo '            if [ ! "$?" = "0" ]; then';

  329.       echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  330.       echo '                echo "" >> ~/temp_renewletsencrypt.txt';

  331.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  332.       echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  333.       echo "\$ADMIN_EMAIL_ADDRESS";

  334.       echo '                rm ~/temp_renewletsencrypt.txt';

  335.       echo '                if [ ! -f ~/letsencrypt_failed ]; then';

  336.       echo '                    touch ~/letsencrypt_failed';

  337.       echo '                fi';

  338.       echo '            fi';

  339.       echo '        fi';

  340.       echo '    done';

  341.       echo 'fi'; } > "$renewals_script"

  342.     chmod +x "$renewals_script"

  343. 

  344.     if [ ! -f /etc/cron.monthly/letsencrypt ]; then

  345.         cp $renewals_script /etc/cron.monthly/letsencrypt

  346.     else

  347.         HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')

  348.         HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')

  349.         if [[ "$HASH1" != "$HASH2" ]]; then

  350.             cp $renewals_script /etc/cron.monthly/letsencrypt

  351.         fi

  352.     fi

  353.     rm $renewals_script

  354. 

  355.     # a secondary script keeps trying to renew after a failure

  356.     { echo '#!/bin/bash';

  357.       echo '';

  358.       echo "PROJECT_NAME='${PROJECT_NAME}'";

  359.       echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";

  360.       echo '';

  361.       echo 'if [ -d /etc/letsencrypt ]; then';

  362.       echo '    if [ -f ~/letsencrypt_failed ]; then';

  363.       echo '        rm ~/letsencrypt_failed';

  364.       echo -n "        ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";

  365.       echo -n "awk -F ':' '{print ";

  366.       echo -n "\$2";

  367.       echo "}')";

  368.       echo "        ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";

  369.       echo '        for d in /etc/letsencrypt/live/*/ ; do';

  370.       echo -n "            LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";

  371.       echo -n "awk -F '/' '{print ";

  372.       echo -n "\$5";

  373.       echo "}')";

  374.       echo "            if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";

  375.       echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";

  376.       echo '                if [ ! "$?" = "0" ]; then';

  377.       echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";

  378.       echo '                    echo "" >> ~/temp_renewletsencrypt.txt';

  379.       echo "                    \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";

  380.       echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";

  381.       echo "\$ADMIN_EMAIL_ADDRESS";

  382.       echo '                    rm ~/temp_renewletsencrypt.txt';

  383.       echo '                    if [ ! -f ~/letsencrypt_failed ]; then';

  384.       echo '                        touch ~/letsencrypt_failed';

  385.       echo '                    fi';

  386.       echo '                fi';

  387.       echo '            fi';

  388.       echo '        done';

  389.       echo '    fi';

  390.       echo 'fi'; } > "$renewals_retry_script"

  391.     chmod +x "$renewals_retry_script"

  392. 

  393.     if [ ! -f /etc/cron.daily/letsencrypt ]; then

  394.         cp $renewals_retry_script /etc/cron.daily/letsencrypt

  395.     else

  396.         HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')

  397.         HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')

  398.         if [[ "$HASH1" != "$HASH2" ]]; then

  399.             cp $renewals_retry_script /etc/cron.daily/letsencrypt

  400.         fi

  401.     fi

  402.     rm $renewals_retry_script

  403. }

  404. 

  405. function configure_php {

  406.     sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/fpm/php.ini

  407.     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.0/fpm/php.ini

  408.     sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/cli/php.ini

  409.     sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php/7.0/fpm/php.ini

  410.     sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php/7.0/fpm/php.ini

  411. }

  412. 

  413. function install_web_server_access_control {

  414.     if [ ! -f /etc/pam.d/nginx ]; then

  415.         { echo '#%PAM-1.0';

  416.           echo '@include common-auth';

  417.           echo '@include common-account';

  418.           echo '@include common-session'; } > /etc/pam.d/nginx

  419.     fi

  420. }

  421. 

  422. function install_dynamicdns {

  423.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  424.         return

  425.     fi

  426.     if [[ $ONION_ONLY != "no" ]]; then

  427.         return

  428.     fi

  429. 

  430.     CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")

  431.     if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then

  432.         return

  433.     fi

  434. 

  435.     # update to the next commit

  436.     function_check set_repo_commit

  437.     set_repo_commit "$INSTALL_DIR/inadyn" "inadyn commit" "$INADYN_COMMIT" "$INADYN_REPO"

  438. 

  439.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  440.         return

  441.     fi

  442. 

  443.     # Here we compile from source because the current package

  444.     # doesn't support https, which could result in passwords

  445.     # being leaked

  446.     # Debian version 1.99.4-1

  447.     # https version 1.99.8

  448. 

  449.     apt-get -yq install build-essential curl libgnutls28-dev automake1.11

  450.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  451.         if [ -d /repos/inadyn ]; then

  452.             mkdir "$INSTALL_DIR/inadyn"

  453.             cp -r -p /repos/inadyn/. "$INSTALL_DIR/inadyn"

  454.             cd "$INSTALL_DIR/inadyn" || exit 2462874684

  455.             git pull

  456.         else

  457.             git_clone "$INADYN_REPO" "$INSTALL_DIR/inadyn"

  458.         fi

  459.     fi

  460.     if [ ! -d "$INSTALL_DIR/inadyn" ]; then

  461.         echo 'inadyn repo not cloned'

  462.         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs

  463.         exit 6785

  464.     fi

  465.     cd "$INSTALL_DIR/inadyn" || exit 246824684

  466.     git checkout "$INADYN_COMMIT" -b "$INADYN_COMMIT"

  467.     set_completion_param "inadyn commit" "$INADYN_COMMIT"

  468. 

  469.     #./autogen.sh

  470.     if ! ./configure; then

  471.         exit 74890

  472.     fi

  473.     if ! USE_OPENSSL=1 make; then

  474.         exit 74858

  475.     fi

  476.     if ! make install; then

  477.         exit 3785

  478.     fi

  479. 

  480.     # create an unprivileged user

  481.     #chmod 600 /etc/shadow

  482.     #chmod 600 /etc/gshadow

  483.     #useradd -r -s /bin/false debian-inadyn

  484.     #chmod 0000 /etc/shadow

  485.     #chmod 0000 /etc/gshadow

  486. 

  487.     # create a configuration file

  488.     { echo 'background';

  489.       echo 'verbose        1';

  490.       echo 'period         300';

  491.       echo 'startup-delay  60';

  492.       echo 'cache-dir      /run/inadyn';

  493.       echo 'logfile        /dev/null'; } > /etc/inadyn.conf

  494.     chmod 600 /etc/inadyn.conf

  495. 

  496.     { echo '[Unit]';

  497.       echo 'Description=inadyn (DynDNS updater)';

  498.       echo 'After=network.target';

  499.       echo '';

  500.       echo '[Service]';

  501.       echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf';

  502.       echo 'Restart=always';

  503.       echo 'Type=forking';

  504.       echo '';

  505.       echo '[Install]';

  506.       echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/inadyn.service

  507.     systemctl enable inadyn

  508.     systemctl start inadyn

  509.     systemctl daemon-reload

  510. 

  511.     mark_completed "${FUNCNAME[0]}"

  512. }

  513. 

  514. function update_default_search_engine {

  515.     for d in /home/*/ ; do

  516.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  517.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  518.             if ! grep -q "WWW_HOME" "/home/$USERNAME/.bashrc"; then

  519.                 if ! grep -q 'controluser' "/home/$USERNAME/.bashrc"; then

  520.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  521.                         echo "export WWW_HOME=$DEFAULT_SEARCH" >> "/home/$USERNAME/.bashrc"

  522.                     else

  523.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  524.                     fi

  525.                 else

  526.                     if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then

  527.                         sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" "/home/$USERNAME/.bashrc"

  528.                     else

  529.                         sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"

  530.                     fi

  531.                 fi

  532.             fi

  533.         fi

  534.     done

  535. }

  536. 

  537. function install_command_line_browser {

  538.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  539.         return

  540.     fi

  541.     apt-get -yq install elinks

  542.     update_default_search_engine

  543. 

  544.     mark_completed "${FUNCNAME[0]}"

  545. }

  546. 

  547. function mesh_web_server {

  548.     if [ -d /etc/apache2 ]; then

  549.         # shellcheck disable=SC2154

  550.         chroot "$rootdir" apt-get -yq remove --purge apache2

  551.         chroot "$rootdir" rm -rf /etc/apache2

  552.     fi

  553. 

  554.     chroot "$rootdir" apt-get -yq install nginx

  555. 

  556.     if [ ! -d "$rootdir/etc/nginx" ]; then

  557.         echo $'Unable to install web server'

  558.         exit 346825

  559.     fi

  560. }

  561. 

  562. function install_web_server {

  563.     if [ "$INSTALLING_MESH" ]; then

  564.         mesh_web_server

  565.         return

  566.     fi

  567. 

  568.     # update to the next commit

  569.     function_check set_repo_commit

  570.     set_repo_commit "$INSTALL_DIR/nginx_ensite" "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO

  571. 

  572.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  573.         return

  574.     fi

  575.     # remove apache

  576.     apt-get -yq remove --purge apache2

  577.     if [ -d /etc/apache2 ]; then

  578.         rm -rf /etc/apache2

  579.     fi

  580.     # install nginx

  581.     apt-get -yq install nginx

  582.     apt-get -yq install php-fpm git

  583. 

  584.     # Turn off logs by default

  585.     sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf

  586.     sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf

  587. 

  588.     # limit the number of php processes

  589.     sed -i 's/; process.max =.*/process.max = 32/g' /etc/php/7.0/fpm/php-fpm.conf

  590.     #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php/7.0/fpm/php-fpm.conf

  591.     sed -i 's|;systemd_interval.*|systemd_interval = 10|g' /etc/php/7.0/fpm/php-fpm.conf

  592.     sed -i 's|;emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  593.     sed -i 's|emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf

  594.     sed -i 's|;emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  595.     sed -i 's|emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf

  596.     sed -i 's|;process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  597.     sed -i 's|process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf

  598. 

  599.     if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then

  600.         { echo 'pm = static';

  601.           echo 'pm.max_children = 10';

  602.           echo 'pm.start_servers = 2';

  603.           echo 'pm.min_spare_servers = 2';

  604.           echo 'pm.max_spare_servers = 5';

  605.           echo 'pm.max_requests = 10'; } >> /etc/php/7.0/fpm/php-fpm.conf

  606.     fi

  607.     if ! grep -q "request_terminate_timeout" /etc/php/7.0/fpm/php-fpm.conf; then

  608.         echo 'request_terminate_timeout = 30' >> /etc/php/7.0/fpm/php-fpm.conf

  609.     else

  610.         sed -i 's|request_terminate_timeout =.*|request_terminate_timeout = 30|g'  >> /etc/php/7.0/fpm/php-fpm.conf

  611.     fi

  612.     sed -i 's|max_execution_time =.*|max_execution_time = 30|g' /etc/php/7.0/fpm/php.ini

  613. 

  614.     if [ ! -d /etc/nginx ]; then

  615.         echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"

  616.         exit 51

  617.     fi

  618. 

  619.     # Nginx settings

  620.     { echo 'user www-data;';

  621.       #echo "worker_processes; $CPU_CORES";

  622.       echo 'pid /run/nginx.pid;';

  623.       echo '';

  624.       echo 'events {';

  625.       echo '        worker_connections 50;';

  626.       echo '        # multi_accept on;';

  627.       echo '}';

  628.       echo '';

  629.       echo 'http {';

  630.       echo '        # limit the number of connections per single IP';

  631.       echo "        limit_conn_zone \$binary_remote_addr zone=conn_limit_per_ip:10m;";

  632.       echo '';

  633.       echo '        # limit the number of requests for a given session';

  634.       echo "        limit_req_zone \$binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;";

  635.       echo '';

  636.       echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file';

  637.       echo '        client_body_buffer_size  128k;';

  638.       echo '';

  639.       echo '        # headerbuffer size for the request header from client, its set for testing purpose';

  640.       echo '        client_header_buffer_size 3m;';

  641.       echo '';

  642.       echo '        # maximum number and size of buffers for large headers to read from client request';

  643.       echo '        large_client_header_buffers 4 256k;';

  644.       echo '';

  645.       echo '        # read timeout for the request body from client, its set for testing purpose';

  646.       echo '        client_body_timeout   3m;';

  647.       echo '';

  648.       echo '        # how long to wait for the client to send a request header, its set for testing purpose';

  649.       echo '        client_header_timeout 3m;';

  650.       echo '';

  651.       echo '        ##';

  652.       echo '        # Basic Settings';

  653.       echo '        ##';

  654.       echo '';

  655.       echo '        sendfile on;';

  656.       echo '        tcp_nopush on;';

  657.       echo '        tcp_nodelay on;';

  658.       echo '        keepalive_timeout 65;';

  659.       echo '        types_hash_max_size 2048;';

  660.       echo '        server_tokens off;';

  661.       echo '';

  662.       echo '        # server_names_hash_bucket_size 64;';

  663.       echo '        # server_name_in_redirect off;';

  664.       echo '';

  665.       echo '        include /etc/nginx/mime.types;';

  666.       echo '        default_type application/octet-stream;';

  667.       echo '';

  668.       echo '        ##';

  669.       echo '        # Logging Settings';

  670.       echo '        ##';

  671.       echo '';

  672.       echo '        access_log /dev/null;';

  673.       echo '        error_log /dev/null;';

  674.       echo '';

  675.       echo '        ###';

  676.       echo '        # Gzip Settings';

  677.       echo '        ##';

  678.       echo '        gzip on;';

  679.       echo '        gzip_disable "msie6";';

  680.       echo '';

  681.       echo '        # gzip_vary on;';

  682.       echo '        # gzip_proxied any;';

  683.       echo '        # gzip_comp_level 6;';

  684.       echo '        # gzip_buffers 16 8k;';

  685.       echo '        # gzip_http_version 1.1;';

  686.       echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;';

  687.       echo '';

  688.       echo '        ##';

  689.       echo '        # Virtual Host Configs';

  690.       echo '        ##';

  691.       echo '';

  692.       echo '        include /etc/nginx/conf.d/*.conf;';

  693.       echo '        include /etc/nginx/sites-enabled/*;';

  694.       echo '}'; } > /etc/nginx/nginx.conf

  695. 

  696.     # install a script to easily enable and disable nginx virtual hosts

  697.     if [ ! -d "$INSTALL_DIR" ]; then

  698.         mkdir "$INSTALL_DIR"

  699.     fi

  700.     cd "$INSTALL_DIR" || exit 2798462846827

  701.     function_check git_clone

  702.     git_clone "$NGINX_ENSITE_REPO" "$INSTALL_DIR/nginx_ensite"

  703.     cd "$INSTALL_DIR/nginx_ensite" || exit 2468748223

  704.     git checkout "$NGINX_ENSITE_COMMIT" -b "$NGINX_ENSITE_COMMIT"

  705. 

  706.     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"

  707. 

  708.     make install

  709.     nginx_dissite default

  710. 

  711.     function_check configure_firewall_for_web_access

  712.     configure_firewall_for_web_access

  713. 

  714.     mark_completed "${FUNCNAME[0]}"

  715. }

  716. 

  717. function remove_certs {

  718.     domain_name=$1

  719. 

  720.     if [ ! "$domain_name" ]; then

  721.         return

  722.     fi

  723. 

  724.     if [ -f "/etc/ssl/certs/${domain_name}.dhparam" ]; then

  725.         rm "/etc/ssl/certs/${domain_name}.dhparam"

  726.     fi

  727. 

  728.     if [ -f "/etc/ssl/certs/${domain_name}.pem" ]; then

  729.         rm "/etc/ssl/certs/${domain_name}.pem"

  730.     fi

  731. 

  732.     if [ -f "/etc/ssl/certs/${domain_name}.crt" ]; then

  733.         rm "/etc/ssl/certs/${domain_name}.crt"

  734.     fi

  735. 

  736.     if [ -f "/etc/ssl/private/${domain_name}.key" ]; then

  737.         rm "/etc/ssl/private/${domain_name}.key"

  738.     fi

  739. }

  740. 

  741. function configure_firewall_for_web_access {

  742.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  743.         return

  744.     fi

  745.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  746.         # docker does its own firewalling

  747.         return

  748.     fi

  749.     if [[ $ONION_ONLY != "no" ]]; then

  750.         return

  751.     fi

  752.     firewall_add HTTP 80 tcp

  753.     firewall_add HTTPS 443 tcp

  754.     mark_completed "${FUNCNAME[0]}"

  755. }

  756. 

  757. function update_default_domain {

  758.     echo $'Updating default domain'

  759.     if [[ $ONION_ONLY == 'no' ]]; then

  760.         if [ -f /etc/mumble-server.ini ]; then

  761.             if [ ! -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  762.                 if ! grep -q "mumble.pem" /etc/mumble-server.ini; then

  763.                     sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini

  764.                     sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini

  765.                     systemctl restart mumble

  766.                 fi

  767.             else

  768.                 if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then

  769.                     usermod -a -G ssl-cert mumble-server

  770.                     sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini

  771.                     sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini

  772.                     systemctl restart mumble

  773.                 fi

  774.             fi

  775.         fi

  776. 

  777.         if [ -d /etc/prosody ]; then

  778.             if [ ! -d /etc/prosody/certs ]; then

  779.                 mkdir /etc/prosody/certs

  780.             fi

  781.             cp /etc/ssl/private/xmpp* /etc/prosody/certs

  782.             cp /etc/ssl/certs/xmpp* /etc/prosody/certs

  783.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  784.                 usermod -a -G ssl-cert prosody

  785.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  786.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  787.                 fi

  788.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  789.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  790.                 fi

  791. 

  792.                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then

  793.                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  794.                 fi

  795.                 if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then

  796.                     sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  797.                 fi

  798. 

  799.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  800.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  801.                 fi

  802. 

  803.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then

  804.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua

  805.                 fi

  806. 

  807.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then

  808.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua

  809.                 fi

  810. 

  811.                 if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then

  812.                     sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua

  813.                 fi

  814.             fi

  815. 

  816.             chown -R prosody:default /etc/prosody

  817.             chmod -R 700 /etc/prosody/certs/*

  818.             chmod 600 /etc/prosody/prosody.cfg.lua

  819.             if [ -d "$INSTALL_DIR/prosody-modules" ]; then

  820.                 cp -r "$INSTALL_DIR/prosody-modules/*" /var/lib/prosody/prosody-modules/

  821.                 cp -r "$INSTALL_DIR/prosody-modules/*" /usr/lib/prosody/modules/

  822.             fi

  823.             chown -R prosody:prosody /var/lib/prosody/prosody-modules

  824.             chown -R prosody:prosody /usr/lib/prosody/modules

  825.             systemctl reload prosody

  826.         fi

  827. 

  828.         if [ -d /home/znc/.znc ]; then

  829.             echo $'znc found'

  830.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  831.                 pkill znc

  832.                 cat "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" > /home/znc/.znc/znc.pem

  833.                 chown znc:znc /home/znc/.znc/znc.pem

  834.                 chmod 700 /home/znc/.znc/znc.pem

  835. 

  836.                 sed -i "s|CertFile =.*|CertFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/ngircd/ngircd.conf

  837.                 sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf

  838.                 sed -i "s|KeyFile =.*|KeyFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/ngircd/ngircd.conf

  839.                 echo $'irc certificates updated'

  840. 

  841.                 systemctl restart ngircd

  842.                 su -c 'znc' - znc

  843.             fi

  844.         fi

  845. 

  846.         if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then

  847.             if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then

  848.                 if [ -d /etc/dovecot ]; then

  849.                     if ! grep -q "ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/dovecot/conf.d/10-ssl.conf; then

  850.                         sed -i "s|#ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  851.                         sed -i "s|ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf

  852.                         systemctl restart dovecot

  853.                     fi

  854.                 fi

  855. 

  856.                 if [ -d /etc/exim4 ]; then

  857.                     # Unfortunately there doesn't appear to be any other way than copying certs here

  858.                     cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem" /etc/exim4/

  859.                     chown root:Debian-exim /etc/exim4/*.pem

  860.                     chmod 640 /etc/exim4/*.pem

  861. 

  862.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  863.                     sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/exim4.conf.template

  864.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  865.                     sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/exim4.conf.template

  866. 

  867.                     systemctl restart exim4

  868.                 fi

  869.             fi

  870.         fi

  871.     fi

  872. }

  873. 

  874. function create_default_web_site {

  875.     if [ ! -f "/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}" ]; then

  876.         # create a web site for the default domain

  877.         if [ ! -d "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs" ]; then

  878.             mkdir -p "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  879.             if [ -d "/root/${PROJECT_NAME}" ]; then

  880.                 cd "/root/${PROJECT_NAME}/website" || exit 24687246468

  881.                 ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  882.             else

  883.                 if [ -d "/home/${MY_USERNAME}/${PROJECT_NAME}" ]; then

  884.                     cd "/home/${MY_USERNAME}/${PROJECT_NAME}" || exit 2462874624

  885.                     ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"

  886.                 fi

  887.             fi

  888.         fi

  889. 

  890.         # add a config for the default domain

  891.         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME

  892.         if [[ $ONION_ONLY == "no" ]]; then

  893.             function_check nginx_http_redirect

  894.             nginx_http_redirect "$DEFAULT_DOMAIN_NAME"

  895.             { echo 'server {';

  896.               echo '  listen 443 ssl;';

  897.               echo '  #listen [::]:443 ssl;';

  898.               echo "  server_name $DEFAULT_DOMAIN_NAME;";

  899.               echo '';

  900.               echo '  # Security'; } >> "$nginx_site"

  901.             function_check nginx_ssl

  902.             nginx_ssl "$DEFAULT_DOMAIN_NAME" mobile

  903. 

  904.             function_check nginx_disable_sniffing

  905.             nginx_disable_sniffing "$DEFAULT_DOMAIN_NAME"

  906. 

  907.             { echo '  add_header Strict-Transport-Security max-age=15768000;';

  908.               echo '';

  909.               echo '  # Logs';

  910.               echo '  access_log /dev/null;';

  911.               echo '  error_log /dev/null;';

  912.               echo '';

  913.               echo '  # Root';

  914.               echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  915.               echo '';

  916.               echo '  # Index';

  917.               echo '  index index.html;';

  918.               echo '';

  919.               echo '  # Location';

  920.               echo '  location / {'; } >> "$nginx_site"

  921.             function_check nginx_limits

  922.             nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  923.             { echo '  }';

  924.               echo '';

  925.               echo '  # Restrict access that is unnecessary anyway';

  926.               echo '  location ~ /\.(ht|git) {';

  927.               echo '    deny all;';

  928.               echo '  }';

  929.               echo '}'; } >> "$nginx_site"

  930.         else

  931.             echo -n '' > "$nginx_site"

  932.         fi

  933.         { echo 'server {';

  934.           echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;";

  935.           echo "    server_name $DEFAULT_DOMAIN_NAME;";

  936.           echo ''; } >> "$nginx_site"

  937.         function_check nginx_disable_sniffing

  938.         nginx_disable_sniffing "$DEFAULT_DOMAIN_NAME"

  939.         { echo '';

  940.           echo '  # Logs';

  941.           echo '  access_log /dev/null;';

  942.           echo '  error_log /dev/null;';

  943.           echo '';

  944.           echo '  # Root';

  945.           echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";

  946.           echo '';

  947.           echo '  # Location';

  948.           echo '  location / {'; } >> "$nginx_site"

  949.         function_check nginx_limits

  950.         nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'

  951.         { echo '  }';

  952.           echo '';

  953.           echo '  # Restrict access that is unnecessary anyway';

  954.           echo '  location ~ /\.(ht|git) {';

  955.           echo '    deny all;';

  956.           echo '  }';

  957.           echo '}'; } >> "$nginx_site"

  958. 

  959.         if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  960.             function_check create_site_certificate

  961.             create_site_certificate "$DEFAULT_DOMAIN_NAME" 'yes'

  962.         fi

  963. 

  964.         nginx_ensite "$DEFAULT_DOMAIN_NAME"

  965.     fi

  966. }

  967. 

  968. function install_composer {

  969.     # curl -sS https://getcomposer.org/installer | php

  970.     if [ -f "${HOME}/${PROJECT_NAME}/image_build/composer_install" ]; then

  971.         php < "${HOME}/${PROJECT_NAME}/image_build/composer_install"

  972.     else

  973.         if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install" ]; then

  974.             php < "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install"

  975.         fi

  976.     fi

  977.     if [ -f composer.phar ]; then

  978.         cp composer.phar composer

  979.     fi

  980.     if ! php composer.phar install; then

  981.         echo $'Unable to run composer install'

  982.         exit 7252198

  983.     fi

  984. }

  985. 

  986. function email_disable_chunking {

  987.     if [ -f /etc/exim4/conf.d/main/04_exim4-config_chunking ]; then

  988.         return

  989.     fi

  990.     echo "chunking_advertise_hosts =" > /etc/exim4/conf.d/main/04_exim4-config_chunking

  991.     update-exim4.conf

  992.     dpkg-reconfigure --frontend noninteractive exim4-config

  993.     systemctl restart exim4

  994. }

  995. 

  996. function email_install_tls {

  997.     tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions

  998.     tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples

  999.     email_config_changed=

  1000. 

  1001.     if [ ! -f $tls_config_file ]; then

  1002.         tls_config_file=/etc/exim4/exim4.conf.template

  1003.         tls_auth_config_file=$tls_config_file

  1004.     fi

  1005.     if [ ! -f /etc/ssl/certs/exim.dhparam ]; then

  1006.         "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"

  1007.         check_certificates exim

  1008.         cp /etc/ssl/certs/exim.dhparam /etc/exim4

  1009.         chown root:Debian-exim /etc/exim4/exim.dhparam

  1010.         chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam

  1011.         email_config_changed=1

  1012.     fi

  1013.     if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then

  1014.         sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\\MAIN_HARDCODE_PRIMARY_HOSTNAME =\\nMAIN_TLS_ENABLE = true" "$tls_config_file"

  1015.         email_config_changed=1

  1016.     fi

  1017.     if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then

  1018.         sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file

  1019.         email_config_changed=1

  1020.     fi

  1021.     if grep -q '# login_saslauthd_server' $tls_auth_config_file; then

  1022.         sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file

  1023.         email_config_changed=1

  1024.     fi

  1025.     if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then

  1026.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/exim4/

  1027.         chown root:Debian-exim /etc/exim4/*.pem

  1028.         chmod 640 /etc/exim4/*.pem

  1029. 

  1030.         if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then

  1031.             sed -i "/.ifdef MAIN_TLS_CERTKEY/i\\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file

  1032.             email_config_changed=1

  1033.         fi

  1034.     fi

  1035.     if [ -f "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" ]; then

  1036.         cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/exim4/

  1037.         chown root:Debian-exim /etc/exim4/*.pem

  1038.         chmod 640 /etc/exim4/*.pem

  1039. 

  1040.         if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then

  1041.             sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file

  1042.             email_config_changed=1

  1043.         fi

  1044.     fi

  1045.     if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then

  1046.         sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4

  1047.         email_config_changed=1

  1048.     fi

  1049.     if [ $email_config_changed ]; then

  1050.         systemctl restart saslauthd

  1051.         systemctl restart exim4

  1052.     fi

  1053. }

  1054. 

  1055. function install_web_local_user_interface {

  1056.     # TODO

  1057.     # This is intended as a placeholder for a potential local web user interface

  1058.     # similar to Plinth or the yunohost admin interface

  1059.     local_hostname=$(grep 'host-name' /etc/avahi/avahi-daemon.conf | awk -F '=' '{print $2}').local

  1060. 

  1061.     mkdir -p "/var/www/${local_hostname}/htdocs"

  1062.     { echo '<html>';

  1063.       echo '  <body>';

  1064.       echo "  This is a test on $local_hostname";

  1065.       echo '  </body>';

  1066.       echo '</html>'; } > "/var/www/${local_hostname}/htdocs/index.html"

  1067.     chown -R www-data:www-data "/var/www/${local_hostname}/htdocs"

  1068. 

  1069.     nginx_file=/etc/nginx/sites-available/$local_hostname

  1070.     { echo 'server {';

  1071.       echo '  listen 80;';

  1072.       echo '  listen [::]:80;';

  1073.       echo "  server_name ${local_hostname};";

  1074.       echo "  root /var/www/${local_hostname}/htdocs;";

  1075.       echo '  index index.html;';

  1076.       echo '}'; } > "$nginx_file"

  1077.     nginx_ensite "$local_hostname"

  1078. }

  1079. 

  1080. # NOTE: deliberately no exit 0