privatebin app

ace52490 · Bob Mottram · 371b5d0f · ace52490
Commit ace52490 authored 7 years ago by Bob Mottram
--- a/src/freedombone-app-privatebin
+++ b/src/freedombone-app-privatebin
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# privatebin application
+#
+# License
+# =======
+#
+# Copyright (C) 2018 Bob Mottram <bob@freedombone.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+VARIANTS='full full-vim writer'
+
+IN_DEFAULT_INSTALL=0
+SHOW_ON_ABOUT=1
+
+PRIVATEBIN_DOMAIN_NAME=
+PRIVATEBIN_CODE=
+PRIVATEBIN_ONION_PORT=8150
+PRIVATEBIN_REPO="https://github.com/PrivateBin/PrivateBin"
+PRIVATEBIN_COMMIT='9c132cd839fd5e91da18e4a1e8ebef64fce605fb'
+PRIVATEBIN_ADMIN_PASSWORD=
+
+privatebin_variables=(ONION_ONLY
+                      PRIVATEBIN_DOMAIN_NAME
+                      PRIVATEBIN_CODE
+                      DDNS_PROVIDER
+                      MY_USERNAME)
+
+function secure_privatebin {
+    pbpath="/var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs"
+    pbdata="/var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/data"
+    htgroup='www-data'
+    rootuser='root'
+
+    find "${pbpath}/" -type f -print0 | xargs -0 chmod 0640
+    find "${pbpath}/" -type d -print0 | xargs -0 chmod 0550
+    find "${pbdata}/" -type f -print0 | xargs -0 chmod 0640
+    find "${pbdata}/" -type d -print0 | xargs -0 chmod 0750
+
+    chown -R ${rootuser}:${htgroup} "${pbpath}/"
+}
+
+function logging_on_privatebin {
+    echo -n ''
+}
+
+function logging_off_privatebin {
+    echo -n ''
+}
+
+function remove_user_privatebin {
+    remove_username="$1"
+}
+
+function add_user_privatebin {
+    new_username="$1"
+    new_user_password="$2"
+
+    echo '0'
+}
+
+function install_interactive_privatebin {
+    if [ ! $ONION_ONLY ]; then
+        ONION_ONLY='no'
+    fi
+
+    if [[ $ONION_ONLY != "no" ]]; then
+        PRIVATEBIN_DOMAIN_NAME='privatebin.local'
+    else
+        PRIVATEBIN_DETAILS_COMPLETE=
+        while [ ! $PRIVATEBIN_DETAILS_COMPLETE ]
+        do
+            data=$(tempfile 2>/dev/null)
+            trap "rm -f $data" 0 1 2 5 15
+            if [[ $DDNS_PROVIDER == "default@freedns.afraid.org" ]]; then
+                dialog --backtitle $"Freedombone Configuration" \
+                       --title $"PrivateBin Configuration" \
+                       --form $"\nPlease enter your privatebin details. The background image URL can be left blank.\n\nIMPORTANT: This should be a domain name which is supported by Let's Encrypt:" 16 65 4 \
+                       $"Domain:" 1 1 "$(grep 'PRIVATEBIN_DOMAIN_NAME' temp.cfg | awk -F '=' '{print $2}')" 1 25 33 40 \
+                       $"Code:" 2 1 "$(grep 'PRIVATEBIN_CODE' temp.cfg | awk -F '=' '{print $2}')" 4 25 33 255 \
+                       2> $data
+            else
+                dialog --backtitle $"Freedombone Configuration" \
+                       --title $"PrivateBin Configuration" \
+                       --form $"\nPlease enter your privatebin details. The background image URL can be left blank.\n\nIMPORTANT: This should be a domain name which is supported by Let's Encrypt:" 16 65 4 \
+                       $"Domain:" 1 1 "$(grep 'PRIVATEBIN_DOMAIN_NAME' temp.cfg | awk -F '=' '{print $2}')" 1 25 33 40 \
+                       2> $data
+            fi
+            sel=$?
+            case $sel in
+                1) exit 1;;
+                255) exit 1;;
+            esac
+            PRIVATEBIN_DOMAIN_NAME=$(cat $data | sed -n 1p)
+            if [ $PRIVATEBIN_DOMAIN_NAME ]; then
+                if [[ $PRIVATEBIN_DOMAIN_NAME == "$HUBZILLA_DOMAIN_NAME" ]]; then
+                    PRIVATEBIN_DOMAIN_NAME=""
+                fi
+                TEST_DOMAIN_NAME=$PRIVATEBIN_DOMAIN_NAME
+                validate_domain_name
+                if [[ $TEST_DOMAIN_NAME != $PRIVATEBIN_DOMAIN_NAME ]]; then
+                    PRIVATEBIN_DOMAIN_NAME=
+                    dialog --title $"Domain name validation" --msgbox "$TEST_DOMAIN_NAME" 15 50
+                else
+                    if [[ $DDNS_PROVIDER == "default@freedns.afraid.org" ]]; then
+                        PRIVATEBIN_CODE=$(cat $data | sed -n 2p)
+                        validate_freedns_code "$PRIVATEBIN_CODE"
+                        if [ ! $VALID_CODE ]; then
+                            PRIVATEBIN_DOMAIN_NAME=
+                        fi
+                    fi
+                fi
+            fi
+            if [ $PRIVATEBIN_DOMAIN_NAME ]; then
+                PRIVATEBIN_DETAILS_COMPLETE="yes"
+            fi
+        done
+
+        write_config_param "PRIVATEBIN_CODE" "$PRIVATEBIN_CODE"
+    fi
+    write_config_param "PRIVATEBIN_DOMAIN_NAME" "$PRIVATEBIN_DOMAIN_NAME"
+    APP_INSTALLED=1
+}
+
+function change_password_privatebin {
+    curr_username="$1"
+    new_user_password="$2"
+}
+
+function reconfigure_privatebin {
+    echo -n ''
+}
+
+function upgrade_privatebin {
+    CURR_PRIVATEBIN_COMMIT=$(get_completion_param "privatebin commit")
+    if [[ "$CURR_PRIVATEBIN_COMMIT" == "$PRIVATEBIN_COMMIT" ]]; then
+        return
+    fi
+
+    if grep -q "privatebin domain" $COMPLETION_FILE; then
+        PRIVATEBIN_DOMAIN_NAME=$(get_completion_param "privatebin domain")
+    fi
+
+    # update to the next commit
+    function_check set_repo_commit
+    set_repo_commit /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs "privatebin commit" "$PRIVATEBIN_COMMIT" $PRIVATEBIN_REPO
+
+    secure_privatebin
+}
+
+
+function backup_local_privatebin {
+    PRIVATEBIN_DOMAIN_NAME='privatebin'
+    if grep -q "privatebin domain" $COMPLETION_FILE; then
+        PRIVATEBIN_DOMAIN_NAME=$(get_completion_param "privatebin domain")
+    fi
+
+    source_directory=/var/www/${PRIVATEBIN_DOMAIN_NAME}/htdocs/data
+
+    function_check suspend_site
+    suspend_site ${PRIVATEBIN_DOMAIN_NAME}
+
+    function_check backup_directory_to_usb
+    dest_directory=privatebin
+    backup_directory_to_usb $source_directory $dest_directory
+
+    function_check restart_site
+    restart_site
+}
+
+function restore_local_privatebin {
+    if ! grep -q "privatebin domain" $COMPLETION_FILE; then
+        return
+    fi
+    PRIVATEBIN_DOMAIN_NAME=$(get_completion_param "privatebin domain")
+    if [ $PRIVATEBIN_DOMAIN_NAME ]; then
+        echo $"Restoring privatebin"
+        temp_restore_dir=/root/tempprivatebin
+        privatebin_dir=/var/www/${PRIVATEBIN_DOMAIN_NAME}/htdocs/data
+
+        function_check restore_directory_from_usb
+        restore_directory_from_usb $temp_restore_dir privatebin
+        if [ -d $temp_restore_dir ]; then
+            if [ -d cp $temp_restore_dir$privatebin_dir ]; then
+                cp -rp $temp_restore_dir$privatebin_dir/* $privatebin_dir/
+            else
+                cp -rp $temp_restore_dir/* $privatebin_dir/
+            fi
+            secure_privatebin
+            rm -rf $temp_restore_dir
+        fi
+
+        echo $"Restore of privatebin complete"
+    fi
+}
+
+function backup_remote_privatebin {
+    PRIVATEBIN_DOMAIN_NAME='privatebin'
+    if grep -q "privatebin domain" $COMPLETION_FILE; then
+        PRIVATEBIN_DOMAIN_NAME=$(get_completion_param "privatebin domain")
+    fi
+
+    source_directory=/var/www/${PRIVATEBIN_DOMAIN_NAME}/htdocs/data
+
+    function_check suspend_site
+    suspend_site ${PRIVATEBIN_DOMAIN_NAME}
+
+    function_check backup_directory_to_friend
+    dest_directory=privatebin
+    backup_directory_to_friend $source_directory $dest_directory
+
+    function_check restart_site
+    restart_site
+}
+
+function restore_remote_privatebin {
+    if ! grep -q "privatebin domain" $COMPLETION_FILE; then
+        return
+    fi
+    PRIVATEBIN_DOMAIN_NAME=$(get_completion_param "privatebin domain")
+    if [ $PRIVATEBIN_DOMAIN_NAME ]; then
+        temp_restore_dir=/root/tempprivatebin
+        privatebin_dir=/var/www/${PRIVATEBIN_DOMAIN_NAME}/htdocs/data
+
+        function_check restore_directory_from_friend
+        restore_directory_from_friend $temp_restore_dir privatebin
+        if [ -d $temp_restore_dir ]; then
+            if [ -d cp $temp_restore_dir$privatebin_dir ]; then
+                cp -rp $temp_restore_dir$privatebin_dir/* $privatebin_dir/
+            else
+                cp -rp $temp_restore_dir/* $privatebin_dir/
+            fi
+            secure_privatebin
+            rm -rf $temp_restore_dir
+        fi
+    fi
+}
+
+function remove_privatebin {
+    if [ ${#PRIVATEBIN_DOMAIN_NAME} -eq 0 ]; then
+        return
+    fi
+    read_config_param "PRIVATEBIN_DOMAIN_NAME"
+    read_config_param "MY_USERNAME"
+    echo "Removing $PRIVATEBIN_DOMAIN_NAME"
+    nginx_dissite $PRIVATEBIN_DOMAIN_NAME
+    remove_certs $PRIVATEBIN_DOMAIN_NAME
+
+    if [ -d /var/www/$PRIVATEBIN_DOMAIN_NAME ]; then
+        rm -rf /var/www/$PRIVATEBIN_DOMAIN_NAME
+    fi
+    if [ -f /etc/nginx/sites-available/$PRIVATEBIN_DOMAIN_NAME ]; then
+        rm /etc/nginx/sites-available/$PRIVATEBIN_DOMAIN_NAME
+    fi
+    function_check remove_onion_service
+    remove_onion_service privatebin ${PRIVATEBIN_ONION_PORT}
+    if grep -q "privatebin" /etc/crontab; then
+        sed -i "/privatebin/d" /etc/crontab
+    fi
+    remove_app privatebin
+    remove_completion_param install_privatebin
+    sed -i '/privatebin/d' $COMPLETION_FILE
+
+    function_check remove_ddns_domain
+    remove_ddns_domain $PRIVATEBIN_DOMAIN_NAME
+}
+
+function install_privatebin {
+    if [ ! $ONION_ONLY ]; then
+        ONION_ONLY='no'
+    fi
+
+    if [ ! $PRIVATEBIN_DOMAIN_NAME ]; then
+        echo $'No domain name was given for privatebin'
+        exit 7359
+    fi
+
+    apt-get -yq install php-gettext php-curl php-gd php-mysql git curl
+    apt-get -yq install memcached php-memcached php-intl exiftool libfcgi0ldbl
+
+    if [ ! -d /var/www/$PRIVATEBIN_DOMAIN_NAME ]; then
+        mkdir /var/www/$PRIVATEBIN_DOMAIN_NAME
+    fi
+    if [ ! -d /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs ]; then
+
+        if [ -d /repos/privatebin ]; then
+            mkdir /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs
+            cp -r -p /repos/privatebin/. /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs
+            cd /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs
+            git pull
+        else
+            function_check git_clone
+            git_clone $PRIVATEBIN_REPO /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs
+        fi
+
+        if [ ! -d /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs ]; then
+            echo $'Unable to clone privatebin repo'
+            exit 63763873
+        fi
+    fi
+
+    cd /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs
+    git checkout $PRIVATEBIN_COMMIT -b $PRIVATEBIN_COMMIT
+    set_completion_param "privatebin commit" "$PRIVATEBIN_COMMIT"
+
+    chmod g+w /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs
+    chown -R www-data:www-data /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs
+
+    function_check add_ddns_domain
+    add_ddns_domain $PRIVATEBIN_DOMAIN_NAME
+
+    PRIVATEBIN_ONION_HOSTNAME=$(add_onion_service privatebin 80 ${PRIVATEBIN_ONION_PORT})
+
+    privatebin_nginx_site=/etc/nginx/sites-available/$PRIVATEBIN_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        function_check nginx_http_redirect
+        nginx_http_redirect $PRIVATEBIN_DOMAIN_NAME "index index.php"
+        echo 'server {' >> $privatebin_nginx_site
+        echo '  listen 443 ssl;' >> $privatebin_nginx_site
+        echo '  listen [::]:443 ssl;' >> $privatebin_nginx_site
+        echo "  server_name $PRIVATEBIN_DOMAIN_NAME;" >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+        function_check nginx_compress
+        nginx_compress $PRIVATEBIN_DOMAIN_NAME
+        echo '' >> $privatebin_nginx_site
+        echo '  # Security' >> $privatebin_nginx_site
+        function_check nginx_ssl
+        nginx_ssl $PRIVATEBIN_DOMAIN_NAME
+
+        function_check nginx_disable_sniffing
+        nginx_disable_sniffing $PRIVATEBIN_DOMAIN_NAME
+
+        echo '  add_header Strict-Transport-Security max-age=15768000;' >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+        echo '  # Logs' >> $privatebin_nginx_site
+        echo '  access_log /dev/null;' >> $privatebin_nginx_site
+        echo '  error_log /dev/null;' >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+        echo "  root /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs;" >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+        echo '  index index.php;' >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+        echo '  location ~ \.php {' >> $privatebin_nginx_site
+        echo '    include snippets/fastcgi-php.conf;' >> $privatebin_nginx_site
+        echo '    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;' >> $privatebin_nginx_site
+        echo '    fastcgi_read_timeout 30;' >> $privatebin_nginx_site
+        echo '  }' >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+        echo '  # Location' >> $privatebin_nginx_site
+        echo '  location / {' >> $privatebin_nginx_site
+        function_check nginx_limits
+        nginx_limits $PRIVATEBIN_DOMAIN_NAME '15m'
+        echo '    try_files $uri $uri/ @privatebin;' >> $privatebin_nginx_site
+        echo '  }' >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+        echo '  # Restrict access that is unnecessary anyway' >> $privatebin_nginx_site
+        echo '  location ~ /\.(ht|git) {' >> $privatebin_nginx_site
+        echo '    deny all;' >> $privatebin_nginx_site
+        echo '  }' >> $privatebin_nginx_site
+        echo '}' >> $privatebin_nginx_site
+        echo '' >> $privatebin_nginx_site
+    else
+        echo -n '' > $privatebin_nginx_site
+    fi
+    echo 'server {' >> $privatebin_nginx_site
+    echo "    listen 127.0.0.1:$PRIVATEBIN_ONION_PORT default_server;" >> $privatebin_nginx_site
+    echo "    server_name $PRIVATEBIN_ONION_HOSTNAME;" >> $privatebin_nginx_site
+    echo '' >> $privatebin_nginx_site
+    function_check nginx_compress
+    nginx_compress $PRIVATEBIN_DOMAIN_NAME
+    echo '' >> $privatebin_nginx_site
+    function_check nginx_disable_sniffing
+    nginx_disable_sniffing $PRIVATEBIN_DOMAIN_NAME
+    echo '' >> $privatebin_nginx_site
+    echo '  # Logs' >> $privatebin_nginx_site
+    echo '  access_log /dev/null;' >> $privatebin_nginx_site
+    echo '  error_log /dev/null;' >> $privatebin_nginx_site
+    echo '' >> $privatebin_nginx_site
+    echo "  root /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs;" >> $privatebin_nginx_site
+    echo '' >> $privatebin_nginx_site
+    echo '  index index.php;' >> $privatebin_nginx_site
+    echo '' >> $privatebin_nginx_site
+    echo '  location ~ \.php {' >> $privatebin_nginx_site
+    echo '    include snippets/fastcgi-php.conf;' >> $privatebin_nginx_site
+    echo '    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;' >> $privatebin_nginx_site
+    echo '    fastcgi_read_timeout 30;' >> $privatebin_nginx_site
+    echo '  }' >> $privatebin_nginx_site
+    echo '' >> $privatebin_nginx_site
+    echo '  # Location' >> $privatebin_nginx_site
+    echo '  location / {' >> $privatebin_nginx_site
+    function_check nginx_limits
+    nginx_limits $PRIVATEBIN_DOMAIN_NAME '15m'
+    echo '    try_files $uri $uri/ @privatebin;' >> $privatebin_nginx_site
+    echo '  }' >> $privatebin_nginx_site
+    echo '' >> $privatebin_nginx_site
+    echo '  # Restrict access that is unnecessary anyway' >> $privatebin_nginx_site
+    echo '  location ~ /\.(ht|git) {' >> $privatebin_nginx_site
+    echo '    deny all;' >> $privatebin_nginx_site
+    echo '  }' >> $privatebin_nginx_site
+    echo '}' >> $privatebin_nginx_site
+
+    function_check configure_php
+    configure_php
+
+    function_check create_site_certificate
+    create_site_certificate $PRIVATEBIN_DOMAIN_NAME 'yes'
+
+    function_check nginx_ensite
+    nginx_ensite $PRIVATEBIN_DOMAIN_NAME
+
+    cp /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.sample.php /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+
+    # Change some defaults
+    sed -i 's|; qrcode|qrcode|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|default =.*|default = "1day"|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|1week =|; 1week =|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|1month =|; 1month =|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|1year =|; 1year =|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|never =|; never =|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|limit =.*|limit = 30|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|sizelimit =.*|sizelimit = 32768|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+    sed -i 's|defaultformatter =.*|defaultformatter = "Markdown"|g' /var/www/$PRIVATEBIN_DOMAIN_NAME/htdocs/cfg/conf.php
+
+    secure_privatebin
+
+    systemctl restart php7.0-fpm
+    systemctl restart nginx
+
+    set_completion_param "privatebin domain" "$PRIVATEBIN_DOMAIN_NAME"
+
+    APP_INSTALLED=1
+}
+
+# NOTE: deliberately there is no "exit 0"