free
/
freedombone
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
3982 коммитов
5 веток
Дерево: d66370009d
веток Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'd66370009d'
${ noResults }
freedombone/src/freedombone-app-blog

freedombone-app-blog 27KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Blog functions

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. VARIANTS="full writer"

  32. 

  33. FULLBLOG_DOMAIN_NAME=

  34. FULLBLOG_CODE=

  35. FULLBLOG_ONION_PORT=8086

  36. FULLBLOG_REPO="https://github.com/danpros/htmly"

  37. FULLBLOG_COMMIT='bf5fe9486160be4da86d8987d3e5c977e1dc6d32'

  38. MY_BLOG_TITLE="My Blog"

  39. MY_BLOG_SUBTITLE="Another ${PROJECT_NAME} Blog"

  40. 

  41. function reconfigure_blog {

  42.     echo -n ''

  43. }

  44. 

  45. function upgrade_blog {

  46.     if ! grep -Fxq "install_blog" $COMPLETION_FILE; then

  47. 	return

  48.     fi

  49.     function_check set_repo_commit

  50.     set_repo_commit /var/www/$FULLBLOG_DOMAIN_NAME/htdocs "Blog commit" "$FULLBLOG_COMMIT" $FULLBLOG_REPO

  51. 

  52.     # update blog avatar

  53.     ${PROJECT_NAME}-blog

  54. }

  55. 

  56. function backup_local_blog {

  57.     FULLBLOG_DOMAIN_NAME='blog'

  58.     if grep -q "Blog domain" $COMPLETION_FILE; then

  59. 	FULLBLOG_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Blog domain" | awk -F ':' '{print $2}')

  60.     fi

  61. 

  62.     source_directory=/var/www/${FULLBLOG_DOMAIN_NAME}/htdocs

  63.     if [ -d $source_directory ]; then

  64. 	dest_directory=blog

  65. 	echo $"Backing up $source_directory to $dest_directory"

  66. 

  67. 	function_check suspend_site

  68. 	suspend_site ${FULLBLOG_DOMAIN_NAME}

  69. 

  70. 	function_check backup_directory_to_usb

  71. 	backup_directory_to_usb $source_directory $dest_directory

  72. 

  73. 	function_check restart_site

  74. 	restart_site

  75. 

  76. 	echo $"Backup to $dest_directory complete"

  77.     fi

  78. }

  79. 

  80. function restore_local_blog {

  81.     FULLBLOG_DOMAIN_NAME='blog'

  82.     if grep -q "Blog domain" $COMPLETION_FILE; then

  83. 	FULLBLOG_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Blog domain" | awk -F ':' '{print $2}')

  84.     fi

  85.     if [ $FULLBLOG_DOMAIN_NAME ]; then

  86. 	echo $"Restoring blog installation"

  87. 	temp_restore_dir=/root/tempblog

  88. 	restore_directory_from_usb $temp_restore_dir blog

  89. 	rm -rf /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs

  90. 	cp -r $temp_restore_dir/var/www/${FULLBLOG_DOMAIN_NAME}/htdocs /var/www/${FULLBLOG_DOMAIN_NAME}/

  91. 	if [ ! "$?" = "0" ]; then

  92. 	    set_user_permissions

  93. 	    backup_unmount_drive

  94. 	    exit 593

  95. 	fi

  96. 	rm -rf $temp_restore_dir

  97. 	if [ ! -d /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content ]; then

  98. 	    echo $"No content directory found after restoring blog"

  99. 	    set_user_permissions

  100. 	    backup_unmount_drive

  101. 	    exit 287

  102. 	fi

  103. 	chown -R www-data:www-data /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs

  104. 	# Ensure that the bundled SSL cert is being used

  105. 	if [ -f /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.bundle.crt ]; then

  106. 	    sed -i "s|${FULLBLOG_DOMAIN_NAME}.crt|${FULLBLOG_DOMAIN_NAME}.bundle.crt|g" /etc/nginx/sites-available/${FULLBLOG_DOMAIN_NAME}

  107. 	fi

  108. 	for d in /home/*/ ; do

  109. 	    USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  110. 	    if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then

  111. 		if [ -d /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content/$USERNAME/blog/uncategorized/post ]; then

  112. 		    mv /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content/$USERNAME/blog/*.md /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content/$USERNAME/blog/uncategorized/post

  113. 		fi

  114. 	    fi

  115. 	done

  116. 	if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then

  117. 	    ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key

  118. 	    ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem

  119. 	fi

  120.     fi

  121. }

  122. 

  123. function backup_remote_blog {

  124.     if grep -q "Blog domain" $COMPLETION_FILE; then

  125. 	FULLBLOG_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Blog domain" | awk -F ':' '{print $2}')

  126. 	temp_backup_dir=/var/www/${FULLBLOG_DOMAIN_NAME}/htdocs

  127. 	if [ -d $temp_backup_dir ]; then

  128. 	    echo $"Backing up blog"

  129. 	    backup_directory_to_friend $temp_backup_dir blog

  130. 	    echo $"Backup of blog complete"

  131. 	else

  132. 	    echo $"Blog domain specified but not found in $temp_backup_dir"

  133. 	    exit 2578

  134. 	fi

  135.     fi

  136. }

  137. 

  138. function restore_remote_blog {

  139.     if [ -d $SERVER_DIRECTORY/backup/blog ]; then

  140. 	FULLBLOG_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Blog domain" | awk -F ':' '{print $2}')

  141. 	echo $"Restoring blog installation $FULLBLOG_DOMAIN_NAME"

  142. 	temp_restore_dir=/root/tempblog

  143. 	mkdir $temp_restore_dir

  144. 	function_check restore_directory_from_friend

  145. 	restore_directory_from_friend $temp_restore_dir blog

  146. 	rm -rf /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs

  147. 	cp -r $temp_restore_dir/var/www/${FULLBLOG_DOMAIN_NAME}/htdocs /var/www/${FULLBLOG_DOMAIN_NAME}/

  148. 	if [ ! "$?" = "0" ]; then

  149. 	    exit 593

  150. 	fi

  151. 	rm -rf $temp_restore_dir

  152. 	if [ ! -d /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content ]; then

  153. 	    echo $"No content directory found after restoring blog"

  154. 	    exit 287

  155. 	fi

  156. 	# Ensure that the bundled SSL cert is being used

  157. 	if [ -f /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.bundle.crt ]; then

  158. 	    sed -i "s|${FULLBLOG_DOMAIN_NAME}.crt|${FULLBLOG_DOMAIN_NAME}.bundle.crt|g" /etc/nginx/sites-available/${FULLBLOG_DOMAIN_NAME}

  159. 	fi

  160. 	for d in /home/*/ ; do

  161. 	    USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  162. 	    if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then

  163. 		if [ -d /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content/$USERNAME/blog/uncategorized/post ]; then

  164. 		    mv /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content/$USERNAME/blog/*.md /var/www/${FULLBLOG_DOMAIN_NAME}/htdocs/content/$USERNAME/blog/uncategorized/post

  165. 		fi

  166. 	    fi

  167. 	done

  168. 	if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then

  169. 	    ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key

  170. 	    ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem

  171. 	fi

  172. 	echo $"Restore of blog complete"

  173.     fi

  174. }

  175. 

  176. function remove_blog {

  177.     if ! grep -Fxq "install_blog" $COMPLETION_FILE; then

  178. 	return

  179.     fi

  180.     if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME ]; then

  181. 	rm -rf /var/www/$FULLBLOG_DOMAIN_NAME

  182.     fi

  183.     nginx_dissite $FULLBLOG_DOMAIN_NAME

  184.     if [ ! -f /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME ]; then

  185. 	rm -rf /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  186.     fi

  187.     if [ $FULLBLOG_CODE ]; then

  188. 	if [ -f /usr/bin/dynamicdns ]; then

  189. 	    sed -i "/$FULLBLOG_DOMAIN_NAME/d" /usr/bin/dynamicdns

  190. 	    sed -i "/$FULLBLOG_CODE/d" /usr/bin/dynamicdns

  191. 	fi

  192.     fi

  193.     function_check remove_onion_service

  194.     remove_onion_service blog ${FULLBLOG_ONION_PORT}

  195.     sed -i '/install_blog/d' $COMPLETION_FILE

  196.     sed -i '/Blog .*/d' $COMPLETION_FILE

  197. }

  198. 

  199. function get_blog_admin_password {

  200.     if [ -f /home/$MY_USERNAME/README ]; then

  201. 	if grep -q "Your blog password is" /home/$MY_USERNAME/README; then

  202. 	    FULLBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Your blog password is" | awk -F ':' '{print $2}' | sed 's/^ *//')

  203. 	fi

  204.     fi

  205. }

  206. 

  207. function install_blog {

  208.     if [ ! $FULLBLOG_DOMAIN_NAME ]; then

  209. 	echo $'The blog domain name was not specified'

  210. 	exit 5062

  211.     fi

  212. 

  213.     if grep -Fxq "install_blog" $COMPLETION_FILE; then

  214. 	return

  215.     fi

  216. 

  217.     # for the avatar changing command

  218.     apt-get -y install imagemagick

  219. 

  220.     if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME ]; then

  221. 	mkdir /var/www/$FULLBLOG_DOMAIN_NAME

  222.     fi

  223. 

  224.     cd /var/www/$FULLBLOG_DOMAIN_NAME

  225.     git_clone $FULLBLOG_REPO htdocs

  226.     cd htdocs

  227.     git checkout $FULLBLOG_COMMIT -b $FULLBLOG_COMMIT

  228.     if ! grep -q "Blog commit" $COMPLETION_FILE; then

  229. 	echo "Blog commit:$FULLBLOG_COMMIT" >> $COMPLETION_FILE

  230.     else

  231. 	sed -i "s/Blog commit.*/Blog commit:$FULLBLOG_COMMIT/g" $COMPLETION_FILE

  232.     fi

  233.     cd /var/www/$FULLBLOG_DOMAIN_NAME

  234. 

  235.     chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs

  236. 

  237.     if [[ $ONION_ONLY == "no" ]]; then

  238. 	function_check nginx_http_redirect

  239. 	nginx_http_redirect $FULLBLOG_DOMAIN_NAME

  240. 	echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  241. 	echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  242. 	echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  243. 	echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  244. 	echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  245. 	echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  246. 	echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  247. 	echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  248. 	echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  249. 	function_check nginx_limits

  250. 	nginx_limits $FULLBLOG_DOMAIN_NAME

  251. 	function_check nginx_ssl

  252. 	nginx_ssl $FULLBLOG_DOMAIN_NAME

  253. 	function_check nginx_disable_sniffing

  254. 	nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME

  255. 	echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  256. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  257. 	echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  258. 	echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  259. 	echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  260. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  261. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  262. 	echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  263. 	echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  264. 	echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  265. 	echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  266. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  267. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  268. 	echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  269. 	echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  270. 	echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  271. 	echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  272. 	echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  273. 	echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  274. 	echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  275. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  276. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  277. 	echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  278. 	echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  279. 	echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  280. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  281. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  282. 	echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  283. 	echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  284. 	echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  285. 	echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  286. 	echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  287. 	echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  288. 	echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  289. 	echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  290. 	echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  291. 	echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  292. 	echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  293. 	echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  294. 	echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  295. 	echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  296. 	echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  297. 	echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  298. 	echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  299. 	echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  300. 	echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  301. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  302. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  303. 	echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  304. 	echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  305. 	echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  306. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  307. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  308. 	echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  309. 	echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  310. 	echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  311. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  312. 	echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  313. 	echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  314. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  315. 	echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  316. 	echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  317. 	echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  318. 	echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  319. 	echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  320.     else

  321. 	echo -n '' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  322.     fi

  323.     echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  324.     echo "    listen 127.0.0.1:${FULLBLOG_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  325.     echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  326.     echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  327.     echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  328.     echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  329.     echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  330.     echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  331.     echo '    proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  332.     function_check nginx_limits

  333.     nginx_limits $FULLBLOG_DOMAIN_NAME

  334.     function_check nginx_disable_sniffing

  335.     nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME

  336.     echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  337.     echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  338.     echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  339.     echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  340.     echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  341.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  342.     echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  343.     echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  344.     echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  345.     echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  346.     echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  347.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  348.     echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  349.     echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  350.     echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  351.     echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  352.     echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  353.     echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  354.     echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  355.     echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  356.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  357.     echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  358.     echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  359.     echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  360.     echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  361.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  362.     echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  363.     echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  364.     echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  365.     echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  366.     echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  367.     echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  368.     echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  369.     echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  370.     echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  371.     echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  372.     echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  373.     echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  374.     echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  375.     echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  376.     echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  377.     echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  378.     echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  379.     echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  380.     echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  381.     echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  382.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  383.     echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  384.     echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  385.     echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  386.     echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  387.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  388.     echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  389.     echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  390.     echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  391.     echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  392.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  393.     echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  394.     echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  395.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  396.     echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  397.     echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  398.     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  399.     echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME

  400. 

  401.     function_check create_site_certificate

  402.     create_site_certificate $FULLBLOG_DOMAIN_NAME 'yes'

  403. 

  404.     function_check configure_php

  405.     configure_php

  406. 

  407.     # blog settings

  408.     cp /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini.example /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  409.     sed -i "s|site.url.*|site.url = '/'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  410.     sed -i "s|blog.title.*|blog.title = '$MY_BLOG_TITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  411.     sed -i "s|blog.tagline.*|blog.tagline = '$MY_BLOG_SUBTITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  412.     sed -i 's|timezone.*|timezone = "Europe/London"|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  413.     sed -i "s|Your name|$MY_NAME|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  414. 

  415.     # set social networks

  416.     if grep -q "social.hubzilla" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then

  417. 	sed -i "s|;social.hubzilla|social.hubzilla|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  418. 	sed -i "s|social.hubzilla.*|social.hubzilla = \"$HUBZILLA_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  419.     fi

  420.     if grep -q "social.gnusocial" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then

  421. 	sed -i "s|;social.gnusocial|social.gnusocial|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  422. 	sed -i "s|social.gnusocial.*|social.gnusocial = \"$MICROBLOG_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  423.     fi

  424. 

  425.     # clear proprietary social network strings

  426.     sed -i 's|social.facebook.*|social.facebook = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  427.     sed -i 's|social.twitter.*|social.twitter = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  428.     sed -i 's|social.google.*|social.google = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini

  429. 

  430.     # create a user password

  431.     function_check get_blog_admin_password

  432.     get_blog_admin_password

  433.     if [ ! $FULLBLOG_ADMIN_PASSWORD ]; then

  434. 	if [ -f $IMAGE_PASSWORD_FILE ]; then

  435. 	    FULLBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"

  436. 	else

  437. 	    FULLBLOG_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})"

  438. 	fi

  439. 	echo '' >> /home/$MY_USERNAME/README

  440. 	echo '' >> /home/$MY_USERNAME/README

  441. 	echo $'HTMLy Blog' >> /home/$MY_USERNAME/README

  442. 	echo '==========' >> /home/$MY_USERNAME/README

  443. 	echo $"Your blog username: $MY_USERNAME" >> /home/$MY_USERNAME/README

  444. 	echo $"Your blog password is: $FULLBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README

  445. 	if [[ $ONION_ONLY == 'no' ]]; then

  446. 	    echo $"Log into your blog at https://$FULLBLOG_DOMAIN_NAME/login" >> /home/$MY_USERNAME/README

  447. 	fi

  448. 	chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README

  449. 	chmod 600 /home/$MY_USERNAME/README

  450.     fi

  451. 

  452.     # create a user

  453.     FULLBLOG_ADMIN_PASSWORD_HASH=$(${PROJECT_NAME}-sec --bloghash "$FULLBLOG_ADMIN_PASSWORD")

  454.     if [ ${#FULLBLOG_ADMIN_PASSWORD_HASH} -lt 8 ]; then

  455. 	echo $'Blog admin password could not be hashed'

  456. 	exit 625728

  457.     fi

  458.     echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini

  459.     echo "password = $FULLBLOG_ADMIN_PASSWORD_HASH" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini

  460.     echo 'encryption = password_hash' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini

  461.     echo ';Role' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini

  462.     echo 'role = admin' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini

  463. 

  464.     function_check nginx_ensite

  465.     nginx_ensite $FULLBLOG_DOMAIN_NAME

  466. 

  467.     FULLBLOG_ONION_HOSTNAME=$(add_onion_service blog 80 ${FULLBLOG_ONION_PORT})

  468. 

  469.     systemctl restart php5-fpm

  470.     systemctl restart nginx

  471. 

  472.     if ! grep -q "Blog onion domain" /home/$MY_USERNAME/README; then

  473. 	echo $"Blog onion domain: ${FULLBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README

  474. 	echo $"Log into your blog at https://${FULLBLOG_ONION_HOSTNAME}/login" >> /home/$MY_USERNAME/README

  475. 	echo '' >> /home/$MY_USERNAME/README

  476. 	chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README

  477. 	chmod 600 /home/$MY_USERNAME/README

  478.     fi

  479.     echo "Blog onion domain:${FULLBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE

  480. 

  481.     function_check add_ddns_domain

  482.     add_ddns_domain $FULLBLOG_DOMAIN_NAME

  483. 

  484.     if ! grep -q "Blog domain:" $COMPLETION_FILE; then

  485. 	echo "Blog domain:$FULLBLOG_DOMAIN_NAME" >> $COMPLETION_FILE

  486.     fi

  487. 

  488.     echo 'install_blog' >> $COMPLETION_FILE

  489. }

  490. 

  491. # NOTE: deliberately no exit 0