freedombone/src/freedombone-app-keyserver

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# SKS Keyserver
#
# License
# =======
#
# Copyright (C) 2017 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

VARIANTS='full full-vim'

IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1

KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite"
KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339'
KEYSERVER_PORT=11371
KEYSERVER_ONION_PORT=8122
KEYSERVER_DOMAIN_NAME=
KEYSERVER_CODE=

keyserver_variables=(ONION_ONLY
                     MY_USERNAME
                     DEFAULT_DOMAIN_NAME
                     KEYSERVER_DOMAIN_NAME
                     KEYSERVER_CODE)

function check_keyserver_directory_size {
    dirsize=$(du /var/lib/sks/DB | awk -F ' ' '{print $1}')
    # 500M
    if [ $dirsize -gt 500000 ]; then
        echo "1"
        return
    fi
    echo "0"
}

function configure_firewall_for_keyserver {
    if [[ $ONION_ONLY != "no" ]]; then
        return
    fi
    firewall_add keyserver 11370 tcp
    firewall_add keyserver 11371 tcp
    firewall_add keyserver 11372 tcp
    mark_completed $FUNCNAME
}

function keyserver_reset_database {
    if [ -d /var/lib/sks/DB ]; then
        rm -rf /var/lib/sks/DB
    fi
    sks build
    chown -Rc debian-sks: /var/lib/sks
    systemctl restart sks
}

function logging_on_keyserver {
    echo -n ''
}

function logging_off_keyserver {
    echo -n ''
}

function reconfigure_keyserver {
    echo -n ''
}

function upgrade_keyserver {
    CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
    if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
        return
    fi

    if grep -q "keyserver domain" $COMPLETION_FILE; then
        KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain")
    fi

    # update to the next commit
    function_check set_repo_commit
    set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO

    read_config_param MY_USERNAME
    USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
    GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
    if [ ! $GPG_ID ]; then
        echo $'No GPG ID for admin user'
        exit 846336
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
        echo $'GPG ID not retrieved for admin user'
        exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
        echo $'GPG ID not retrieved for admin user due to error'
        exit 74825
    fi
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

    chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
}

function backup_local_keyserver {
    source_directory=/etc/sks
    if [ -d $source_directory ]; then
        systemctl stop sks
        dest_directory=keyserverconfig
        function_check backup_directory_to_usb
        backup_directory_to_usb $source_directory $dest_directory
        systemctl start sks
    fi
    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
        echo $'WARNING: Keyserver database size is too large to backup'
        return
    fi
    source_directory=/var/lib/sks/DB
    if [ -d $source_directory ]; then
        systemctl stop sks
        dest_directory=keyserver
        function_check backup_directory_to_usb
        backup_directory_to_usb $source_directory $dest_directory
        systemctl start sks
    fi
}

function restore_local_keyserver {
    if [ ! -d /var/lib/sks/DB ]; then
        return
    fi
    echo $"Restoring SKS Keyserver"
    systemctl stop sks

    temp_restore_dir=/root/tempkeyserverconfig
    function_check restore_directory_from_usb
    restore_directory_from_usb $temp_restore_dir keyserverconfig
    cp -r $temp_restore_dir/etc/sks/* /etc/sks/
    rm -rf $temp_restore_dir
    chown -Rc debian-sks: /etc/sks/sksconf
    chown -Rc debian-sks: /etc/sks/mailsync

    temp_restore_dir=/root/tempkeyserver
    function_check restore_directory_from_usb
    restore_directory_from_usb $temp_restore_dir keyserver
    mv /var/lib/sks/DB /var/lib/sks/DB_prev
    cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
    if [ ! "$?" = "0" ]; then
        # restore the old database
        rm -rf /var/lib/sks/DB
        mv /var/lib/sks/DB_prev /var/lib/sks/DB

        rm -rf $temp_restore_dir
        function_check set_user_permissions
        set_user_permissions
        function_check backup_unmount_drive
        backup_unmount_drive
        exit 5627294
    fi
    rm -rf $temp_restore_dir
    chown -Rc debian-sks: /var/lib/sks

    # remove the old database
    rm -rf /var/lib/sks/DB_prev

    systemctl start sks
}

function backup_remote_keyserver {
    source_directory=/etc/sks
    if [ -d $source_directory ]; then
        systemctl stop sks
        dest_directory=keyserverconfig
        function_check backup_directory_to_friend
        backup_directory_to_friend $source_directory $dest_directory
        systemctl start sks
    fi
    if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
        echo $'WARNING: Keyserver database size is too large to backup'
        return
    fi
    source_directory=/var/lib/sks/DB
    if [ -d $source_directory ]; then
        systemctl stop sks
        dest_directory=keyserver
        function_check backup_directory_to_friend
        backup_directory_to_friend $source_directory $dest_directory
        systemctl start sks
    fi
}

function restore_remote_keyserver {
    if [ ! -d /var/lib/sks/DB ]; then
        return
    fi
    echo $"Restoring SKS Keyserver"
    systemctl stop sks

    temp_restore_dir=/root/tempkeyserverconfig
    function_check restore_directory_from_friend
    restore_directory_from_friend $temp_restore_dir keyserverconfig
    cp -r $temp_restore_dir/etc/sks/* /etc/sks/
    rm -rf $temp_restore_dir
    chown -Rc debian-sks: /etc/sks/sksconf
    chown -Rc debian-sks: /etc/sks/mailsync

    temp_restore_dir=/root/tempkeyserver
    function_check restore_directory_from_friend
    restore_directory_from_friend $temp_restore_dir keyserver
    mv /var/lib/sks/DB /var/lib/sks/DB_prev
    cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
    if [ ! "$?" = "0" ]; then
        # restore the old database
        rm -rf /var/lib/sks/DB
        mv /var/lib/sks/DB_prev /var/lib/sks/DB

        rm -rf $temp_restore_dir
        function_check set_user_permissions
        set_user_permissions
        return
    fi
    rm -rf $temp_restore_dir
    chown -Rc debian-sks: /var/lib/sks

    # remove the old database
    rm -rf /var/lib/sks/DB_prev

    systemctl start sks
}

function remove_keyserver {
    systemctl stop sks
    apt-get -qy remove sks dirmngr

    read_config_param "KEYSERVER_DOMAIN_NAME"
    nginx_dissite $KEYSERVER_DOMAIN_NAME
    remove_certs ${KEYSERVER_DOMAIN_NAME}
    if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then
        rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
    fi
    if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
        rm -rf /var/www/$KEYSERVER_DOMAIN_NAME
    fi
    function_check remove_ddns_domain
    remove_ddns_domain $KEYSERVER_DOMAIN_NAME

    remove_config_param KEYSERVER_DOMAIN_NAME
    remove_config_param KEYSERVER_CODE
    function_check remove_onion_service
    remove_onion_service keyserver ${KEYSERVER_ONION_PORT}
    remove_onion_service sks 11370 11371 11372
    remove_completion_param "install_keyserver"

    firewall_remove 11370 tcp
    firewall_remove 11371 tcp
    firewall_remove 11372 tcp

    sed -i '/keyserver/d' $COMPLETION_FILE
    sed -i '/sks onion/d' $COMPLETION_FILE
    if [ -d /var/lib/sks ]; then
        rm -rf /var/lib/sks
    fi
}

function install_interactive_keyserver {
    if [ ! $ONION_ONLY ]; then
        ONION_ONLY='no'
    fi

    if [[ $ONION_ONLY != "no" ]]; then
        KEYSERVER_DOMAIN_NAME='keyserver.local'
        write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME"
    else
        function_check interactive_site_details
        interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE"
    fi
    APP_INSTALLED=1
}

function keyserver_create_mailsync {
    echo $"# List of email addresses which submitted keys will be forwarded to" > /etc/sks/mailsync
    echo '' >> /etc/sks/mailsync
    chown -Rc debian-sks: /etc/sks/mailsync
}

function keyserver_create_membership {
    if [ -f /etc/sks/membership ]; then
        return
    fi
    systemctl stop sks
    echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with." > /etc/sks/membership
    echo '#' >> /etc/sks/membership
    echo $"# Don't add major keyservers here, because it will take an" >> /etc/sks/membership
    echo $'# Infeasible amount of time to sync and backups will become' >> /etc/sks/membership
    echo $'# absurdly long and probably break your system. You have been warned.' >> /etc/sks/membership
    echo '' >> /etc/sks/membership
    chown -Rc debian-sks: /etc/sks/membership
    systemctl start sks
}

function keyserver_import_keys {
    # NOTE: this function isn't used, but kept for reference
    dialog --title $"Import public keys database" \
           --backtitle $"Freedombone Control Panel" \
           --defaultno \
           --yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60
    sel=$?
    case $sel in
        1) return;;
        255) return;;
    esac
    if [ ! -d /var/lib/sks/dump ]; then
        mkdir -p /var/lib/sks/dump
    fi
    cd /var/lib/sks/dump
    echo $'Getting keyserver dump. This may take a few days or longer, so be patient.'
    rm -rf /var/lib/sks/dump/*
    KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/"
    wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \
         -A pgp,txt $KEYSERVER_DUMP_URL

    cd /var/lib/sks
    echo $'Building the keyserver database from the downloaded dump'
    keyserver_reset_database
}

function keyserver_sync {
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle $"Freedombone Control Panel" \
           --title $"Sync with other keyserver" \
           --form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \
           $"Domain:" 1 1 "" 1 25 32 64 \
           $"Port:" 2 1 "11370" 2 25 6 6 \
           $"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \
           2> $data
    sel=$?
    case $sel in
        1) return;;
        255) return;;
    esac
    other_keyserver_domain=$(cat $data | sed -n 1p)
    other_keyserver_port=$(cat $data | sed -n 2p)
    other_keyserver_email=$(cat $data | sed -n 3p)
    if [[ "$other_keyserver_domain" != *'.'* ]]; then
        return
    fi
    if [[ "$other_keyserver_domain" == *' '* ]]; then
        return
    fi
    if [[ "$other_keyserver_port" == *'.'* ]]; then
        return
    fi
    if [[ "$other_keyserver_port" == *' '* ]]; then
        return
    fi
    if [ ${#other_keyserver_domain} -lt 4 ]; then
        return
    fi
    if [ ${#other_keyserver_port} -lt 4 ]; then
        return
    fi
    if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then
        if [[ "$other_keyserver_email" == *"@"* ]]; then
            keyserver_create_mailsync
            if ! grep -q "$other_keyserver_email" /etc/sks/mailsync; then
                echo "$other_keyserver_email" >> /etc/sks/mailsync
                chown -Rc debian-sks: /etc/sks/mailsync
            fi
        fi
    fi
    keyserver_create_membership
    if grep -q "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then
        return
    fi
    if grep -q "$other_keyserver_domain " /etc/sks/membership; then
        sed -i "s|$other_keyserver_domain .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership
    else
        echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership
    fi
    chown -Rc debian-sks: /etc/sks/membership
    systemctl restart sks
    dialog --title $"Sync with other keyserver" \
           --msgbox $"Keyserver added" 6 40
}

function keyserver_edit {
    if [ ! -f /etc/sks/membership ]; then
        return
    fi
    editor /etc/sks/membership
    chown -Rc debian-sks: /etc/sks/membership
    systemctl restart sks
}

function configure_interactive_keyserver {
    while true
    do
        data=$(tempfile 2>/dev/null)
        trap "rm -f $data" 0 1 2 5 15
        dialog --backtitle $"Freedombone Control Panel" \
               --title $"SKS Keyserver" \
               --radiolist $"Choose an operation:" 11 70 3 \
               1 $"Sync with other keyserver" off \
               2 $"Edit sync keyservers" off \
               3 $"Exit" on 2> $data
        sel=$?
        case $sel in
            1) return;;
            255) return;;
        esac
        case $(cat $data) in
            1) keyserver_sync;;
            2) keyserver_edit;;
            3) break;;
        esac
    done
}

function install_keyserver {
    apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
    keyserver_reset_database
    sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
    apt-get -qy install dirmngr
    systemctl restart sks

    if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
        mkdir /var/www/$KEYSERVER_DOMAIN_NAME
    fi

    cd /var/www/$KEYSERVER_DOMAIN_NAME
    if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
        rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
    fi

    if [ -d /repos/keyserverweb ]; then
        mkdir htdocs
        cp -r -p /repos/keyserverweb/. htdocs
        cd htdocs
        git pull
    else
        git_clone $KEYSERVER_WEB_REPO htdocs
    fi
    if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then
        echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found"
        exit 6539230
    fi

    cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs
    git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT
    set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT"


    USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
    GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME)
    if [ ! $GPG_ID ]; then
        echo $'No GPG ID for admin user'
        exit 846336
    fi
    if [ ${#GPG_ID} -lt 5 ]; then
        echo $'GPG ID not retrieved for admin user'
        exit 835292
    fi
    if [[ "$GPG_ID" == *"error"* ]]; then
        echo $'GPG ID not retrieved for admin user due to error'
        exit 74825
    fi
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
    sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html

    sksconf_file=/etc/sks/sksconf
    sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
    sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
    sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file
    sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file
    sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file
    sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file
    sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
    sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
    sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
    sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
    sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
    sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
    sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file

    if ! grep -q "#disable_mailsync" $sksconf_file; then
        echo '#disable_mailsync:' >> $sksconf_file
    else
        sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file
    fi
    if ! grep -q "membership_reload_interval:" $sksconf_file; then
        echo 'membership_reload_interval:     1' >> $sksconf_file
    else
        sed -i 's|#membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file
        sed -i 's|membership_reload_interval:.*|membership_reload_interval:     1|g' $sksconf_file
    fi
    if ! grep -q "max_matches:" $sksconf_file; then
        echo 'max_matches: 50' >> $sksconf_file
    else
        sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file
        sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file
    fi
    if ! grep -q "stat_hour:" $sksconf_file; then
        echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file
    else
        sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
        sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
    fi

    chown debian-sks: $sksconf_file

    if ! grep -q "hidden_service_sks" /etc/tor/torrc; then
        echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/' >> /etc/tor/torrc
        echo "HiddenServicePort 11370 127.0.0.1:11370" >> /etc/tor/torrc
        echo "HiddenServicePort 11373 127.0.0.1:11371" >> /etc/tor/torrc
        echo "HiddenServicePort 11372 127.0.0.1:11372" >> /etc/tor/torrc
        echo $'Added onion site for sks'
    fi

    onion_update
    wait_for_onion_service 'sks'

    if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then
        echo $'sks onion site hostname not found'
        exit 8352982
    fi
    SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)

    KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})

    keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
    if [[ $ONION_ONLY == "no" ]]; then
        # NOTE: without http active on port 80 the keyserver doesn't work
        #       from the commandline
        echo 'server {' > $keyserver_nginx_site
        echo '  listen 80;' >> $keyserver_nginx_site
        echo '  listen 0.0.0.0:11371;' >> $keyserver_nginx_site
        echo '  listen [::]:80;' >> $keyserver_nginx_site
        echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Logs' >> $keyserver_nginx_site
        echo '  access_log /dev/null;' >> $keyserver_nginx_site
        echo '  error_log /dev/null;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Root' >> $keyserver_nginx_site
        echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
        echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  location /pks {' >> $keyserver_nginx_site
        echo '    proxy_pass         http://127.0.0.1:11373;' >> $keyserver_nginx_site
        echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
        echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";" >> $keyserver_nginx_site
        echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
        echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
        echo '  }' >> $keyserver_nginx_site
        echo '}' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo 'server {' >> $keyserver_nginx_site
        echo '  listen 443 ssl;' >> $keyserver_nginx_site
        echo '  listen 0.0.0.0:11372 ssl;' >> $keyserver_nginx_site
        echo '  listen [::]:443 ssl;' >> $keyserver_nginx_site
        echo "  server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  error_page 404 /404.html;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
        echo '    deny all;' >> $keyserver_nginx_site
        echo '    return 404;' >> $keyserver_nginx_site
        echo '  }' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Security' >> $keyserver_nginx_site
        function_check nginx_ssl
        nginx_ssl $KEYSERVER_DOMAIN_NAME

        function_check nginx_disable_sniffing
        nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME

        echo '  add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Logs' >> $keyserver_nginx_site
        echo '  access_log /dev/null;' >> $keyserver_nginx_site
        echo '  error_log /dev/null;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  # Root' >> $keyserver_nginx_site
        echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site

        echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
        echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
        echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
        echo '  location /pks {' >> $keyserver_nginx_site
        echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site
        echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
        echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";" >> $keyserver_nginx_site
        echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
        echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
        echo '  }' >> $keyserver_nginx_site
        echo '}' >> $keyserver_nginx_site
        echo '' >> $keyserver_nginx_site
    else
        echo -n '' > $keyserver_nginx_site
    fi
    echo 'server {' >> $keyserver_nginx_site
    echo "  listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site
    echo "  server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  error_page 404 /404.html;' >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
    echo '    deny all;' >> $keyserver_nginx_site
    echo '    return 404;' >> $keyserver_nginx_site
    echo '  }' >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    function_check nginx_disable_sniffing
    nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
    echo '' >> $keyserver_nginx_site
    echo '  # Logs' >> $keyserver_nginx_site
    echo '  access_log /dev/null;' >> $keyserver_nginx_site
    echo '  error_log /dev/null;' >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  # Root' >> $keyserver_nginx_site
    echo "  root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
    echo '  rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
    echo '  rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
    echo '' >> $keyserver_nginx_site
    echo '  location /pks {' >> $keyserver_nginx_site
    echo "    proxy_pass         http://127.0.0.1:11373;" >> $keyserver_nginx_site
    echo '    proxy_pass_header  Server;' >> $keyserver_nginx_site
    echo "    add_header         Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";" >> $keyserver_nginx_site
    echo '    proxy_ignore_client_abort on;' >> $keyserver_nginx_site
    echo '    client_max_body_size 8m;' >> $keyserver_nginx_site
    echo '  }' >> $keyserver_nginx_site
    echo '}' >> $keyserver_nginx_site

    function_check create_site_certificate
    if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
        create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes'
    fi

    if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then
        mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
    fi
    if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then
        chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem
        sed -i "s|.crt|.pem|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME}
    fi
    if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then
        chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key
    fi

    chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs

    function_check nginx_ensite
    nginx_ensite $KEYSERVER_DOMAIN_NAME

    configure_firewall_for_keyserver

    # remove membership file - don't try to sync with other keyservers
    if [ -f /etc/sks/membership ]; then
        rm /etc/sks/membership
    fi

    if ! grep -q "pgp-public-keys" /etc/aliases; then
        echo 'pgp-public-keys:      "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases
    fi
    chown -Rc debian-sks: /etc/sks/mailsync

    systemctl enable sks
    systemctl restart sks
    systemctl restart nginx

    set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
    set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"
    set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"

    APP_INSTALLED=1
}

# NOTE: deliberately no exit 0