deploy.sh

#!/bin/bash

lang=$1
dest_dir=$2

PROJECT_NAME=freedombone

CONFIGURATION_FILE=/root/${PROJECT_NAME}.cfg

ONION_ONLY='no'
site_domain=${PROJECT_NAME}.net
site_onion_port=8149

if [ -f "$CONFIGURATION_FILE" ]; then
    ONION_ONLY=$(grep 'ONION_ONLY=' "$CONFIGURATION_FILE" | head -n 1 | awk -F '=' '{print $2}')
fi

if ! grep -q ":$site_onion_port" /etc/torrc.d/${PROJECT_NAME}; then
    { echo "HiddenServiceDir /var/lib/tor/hidden_service_${PROJECT_NAME}/";
      echo 'HiddenServiceVersion 3';
      echo "HiddenServicePort 80 127.0.0.1:${site_onion_port}"; } >> /etc/torrc.d/${PROJECT_NAME}
    systemctl restart tor
fi

if [[ "$ONION_ONLY" == 'no' ]]; then
    { echo 'server {';
      echo '    listen 80;';
      echo '    listen [::]:80;';
      echo "    server_name ${site_domain};";
      echo "    root /var/www/${site_domain}/htdocs;";
      echo '    access_log /dev/null;';
      echo '    error_log /dev/null;';
      echo '    client_max_body_size 20m;';
      echo '    client_body_buffer_size 128k;';
      echo '';
      echo '    limit_conn conn_limit_per_ip 10;';
      echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;';
      echo '';
      echo '    index index.php;';
      echo "    rewrite ^ https://\$server_name\$request_uri? permanent;";
      echo '}';
      echo '';
      echo 'server {';
      echo '  listen 443 ssl;';
      echo "  server_name ${site_domain};";
      echo '';
      echo '    gzip            on;';
      echo '    gzip_min_length 1000;';
      echo '    gzip_proxied    expired no-cache no-store private auth;';
      echo '    gzip_types      text/plain application/xml;';
      echo '';
      echo '    ssl_stapling off;';
      echo '    ssl_stapling_verify off;';
      echo '    ssl on;';
      echo "    ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
      echo "    ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
      echo "    ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
      echo '';
      echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;'
      echo '    ssl_session_timeout 60m;';
      echo '    ssl_prefer_server_ciphers on;';
      echo '    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
      echo "    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
      echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
      echo '    add_header X-XSS-Protection "1; mode=block";';
      echo '    add_header X-Robots-Tag none;';
      echo '    add_header X-Download-Options noopen;';
      echo '    add_header X-Permitted-Cross-Domain-Policies none;';
      echo '    add_header X-Frame-Options DENY;';
      echo '    add_header X-Content-Type-Options nosniff;';
      echo '';
      echo '  add_header Strict-Transport-Security max-age=15768000;';
      echo '';
      echo '  access_log /dev/null;';
      echo '  error_log /dev/null;';
      echo '';
      echo "  root /var/www/${site_domain}/htdocs;";
      echo '';
      echo '  index index.html;';
      echo '';
      echo '  location / {';
      echo '      client_max_body_size 15m;';
      echo '          client_body_buffer_size 1m;';
      echo '';
      echo '      limit_conn conn_limit_per_ip 10;';
      echo '          limit_req zone=req_limit_per_ip burst=10 nodelay;';
      echo '  }';
      echo '';
      echo '  location /downloads {';
      echo '      client_max_body_size 2G;';
      echo '      client_body_buffer_size 128k;';
      echo '';
      echo '      limit_conn conn_limit_per_ip 10;';
      echo '      limit_req zone=req_limit_per_ip burst=10 nodelay;';
      echo '      autoindex on;';
      echo '  }';
      echo '';
      echo '  location ^~ /.well-known/ {';
      echo '      allow all;';
      echo '  }';
      echo '}';
      echo '';
      echo '# TURN Server';
      echo 'server {';
      echo '  listen 3407 ssl;';
      echo '  listen [::]:3407 ssl;';
      echo "  server_name ${site_domain};";
      echo '';
      echo '    ssl_stapling off;';
      echo '    ssl_stapling_verify off;';
      echo '    ssl on;';
      echo "    ssl_certificate /etc/letsencrypt/live/${site_domain}/fullchain.pem;";
      echo "    ssl_certificate_key /etc/letsencrypt/live/${site_domain}/privkey.pem;";
      echo "    ssl_dhparam /etc/ssl/certs/${site_domain}.dhparam;";
      echo '';
      echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;';
      echo '    ssl_session_timeout 60m;';
      echo '    ssl_prefer_server_ciphers on;';
      echo '    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
      echo "    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';";
      echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
      echo '    add_header X-XSS-Protection "1; mode=block";';
      echo '    add_header X-Robots-Tag none;';
      echo '    add_header X-Download-Options noopen;';
      echo '    add_header X-Permitted-Cross-Domain-Policies none;';
      echo '    add_header X-Frame-Options DENY;';
      echo '    add_header X-Content-Type-Options nosniff;';
      echo '';
      echo '  add_header Strict-Transport-Security max-age=15768000;';
      echo '';
      echo '  access_log /dev/null;';
      echo '  error_log /dev/null;';
      echo '';
      echo '  index index.html;';
      echo '';
      echo '  location / {';
      echo '      client_max_body_size 15m;';
      echo '      client_body_buffer_size 128k;';
      echo '';
      echo '      limit_conn conn_limit_per_ip 10;';
      echo '      limit_req zone=req_limit_per_ip burst=10 nodelay;';
      echo '';
      echo '      proxy_pass http://localhost:3478;';
      echo "      proxy_set_header X-Forwarded-For \$remote_addr;";
      echo '  }';
      echo '}';
      echo ''; } > /etc/nginx/sites-available/${site_domain}
else
    echo -n '' > /etc/nginx/sites-available/${site_domain}
fi

{ echo 'server {';
  echo "    listen 127.0.0.1:${site_onion_port} default_server;";
  echo "    server_name ${site_domain};";
  echo '';
  echo '    add_header X-Frame-Options DENY;';
  echo '    add_header X-Content-Type-Options nosniff;';
  echo '';
  echo '    access_log /dev/null;';
  echo '    error_log /dev/null;';
  echo '';
  echo "    root /var/www/${site_domain}/htdocs;";
  echo '';
  echo '    index index.html;';
  echo '';
  echo '    location / {';
  echo '        #proxy_pass http://127.0.0.1:8099;';
  echo '            client_max_body_size 15m;';
  echo '            client_body_buffer_size 1m;';
  echo '';
  echo '        limit_conn conn_limit_per_ip 10;';
  echo '            limit_req zone=req_limit_per_ip burst=10 nodelay;';
  echo '        }';
  echo '';
  echo '    location ^~ /downloads/ {';
  echo '      client_max_body_size 1m;';
  echo '      client_body_buffer_size 128k;';
  echo '';
  echo '      limit_conn conn_limit_per_ip 10;';
  echo '      limit_req zone=req_limit_per_ip burst=10 nodelay;';
  echo '      autoindex on;';
  echo '        }';
  echo '';
  echo '        location ^~ /.well-known/ {';
  echo '            allow all;';
  echo '        }';
  echo '}';
  echo '';
  echo 'server {';
  echo '    listen 127.0.0.1:8110 default_server;';
  echo "    server_name ${site_domain};";
  echo '';
  echo '    add_header X-Frame-Options DENY;';
  echo '    add_header X-Content-Type-Options nosniff;';
  echo '';
  echo '    access_log /dev/null;';
  echo '    error_log /dev/null;';
  echo '';
  echo '    location / {';
  echo '        client_max_body_size 15m;';
  echo '        client_body_buffer_size 128k;';
  echo '';
  echo '        limit_conn conn_limit_per_ip 10;';
  echo '        limit_req zone=req_limit_per_ip burst=10 nodelay;';
  echo '';
  echo '        proxy_pass http://localhost:3478;';
  echo "        proxy_set_header X-Forwarded-For \$remote_addr;";
  echo '    }';
  echo '}';
  echo '# End of TURN Server'; } >> /etc/nginx/sites-available/${site_domain}

nginx_ensite ${site_domain}

if [[ "$ONION_ONLY" == 'no' ]]; then
    if [ ! -f "/etc/letsencrypt/live/${site_domain}/fullchain.pem" ]; then
        DH_KEYLENGTH=2048
        LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
        ${PROJECT_NAME}-addcert -e "${site_domain}" -s "$LETSENCRYPT_SERVER" --dhkey "$DH_KEYLENGTH"
    fi
fi

if [ ! "$lang" ]; then
    lang='EN'
fi
if [ ! "$2" ]; then
    echo 'Specify language and destination directory'
    exit 1
fi

if [ ! -d "$dest_dir" ]; then
    mkdir -p "$dest_dir"
fi
if [ ! -d "$dest_dir/images" ]; then
    mkdir "$dest_dir/images"
fi

cp -r "$lang"/* "$dest_dir"
cp *.css "$dest_dir"
cp -r ../img/* "$dest_dir/images"
cp -r ../webadmin/EN/help_*.html "$dest_dir"
if [ ! -d "$dest_dir/downloads" ]; then
    mkdir "$dest_dir/downloads"
fi
cp "$lang/images.txt" "$dest_dir/downloads"
chown -R www-data:www-data "$dest_dir"

systemctl restart nginx

echo "Website deployed to $dest_dir"