autoscript-services

#!/bin/bash

EDITOR=nano

internet=$(ping -c1 www.communitycube.net >/dev/null 2>/dev/null ; echo $?)
if [ "$internet" != "0" ]; then
  echo "You need internet to proceed. Exiting"
  exit 7
fi


if [ "$(whoami)" != "root" ]; then
  echo "You need to be root to proceed. Exiting"
  exit 8
fi


waitakey() { 
echo
echo "press a key"
read key
}

apt-get install -y nginx
apt-get install -y php5-common php5-fpm php5-cli php5-json php5-mysql php5-curl php5-intl php5-mcrypt php5-memcache php-xml-parser php-pear
mkdir -p /etc/ssl/nginx/

echo "upstream php-handler {
  server 127.0.0.1:9000;
  #server unix:/var/run/php5-fpm.sock;
  }" > /etc/nginx/sites-enabled/php-fpm

echo "server {
  listen 80 default_server;
  return 301 http://communitycube.local;
}

server {
  listen 80;
  server_name box.local;
  return 301 http://communitycube.local;
}" > /etc/nginx/sites-enabled/default
  
  
echo "server {
  listen 80;
  server_name communitycube.local 10.0.0.1;
  root /var/www/html;
  index index.html;

        location /phpmyadmin {
               root /usr/share/;
               index index.php index.html index.htm;
               location ~ ^/phpmyadmin/(.+\.php)$ {
                       try_files \$uri =404;
                       root /usr/share/;
                       fastcgi_pass 127.0.0.1:9000;
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
                       include /etc/nginx/fastcgi_params;
               }
               location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                       root /usr/share/;
               }
        }
        location /phpMyAdmin {
               rewrite ^/* /phpmyadmin last;
        }
}" > /etc/nginx/sites-enabled/communitycube

service nginx restart

#TOR
apt-get install -y tor
service tor stop
tordir=/var/lib/tor/hidden_service
for i in yacy owncloud prosody friendica mailpile box
do

mkdir -p $tordir/$i
chown debian-tor:debian-tor $tordir/$i -R
rm -f $tordir/$i/*

done

echo "Change RUN_DAEMON to yes"
# waitakey
# $EDITOR /etc/default/tor 
sed "s~RUN_DAEMON=.*~RUN_DAEMON=\"yes\"~g" -i /etc/default/tor 


rm -f /etc/tor/torrc
cp /usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc

echo "
HiddenServiceDir /var/lib/tor/hidden_service/yacy
HiddenServicePort 80 127.0.0.1:8090

HiddenServiceDir /var/lib/tor/hidden_service/owncloud
HiddenServicePort 80 127.0.0.1:7070
HiddenServicePort 443 127.0.0.1:443

HiddenServiceDir /var/lib/tor/hidden_service/friendica
HiddenServicePort 80 127.0.0.1:8181
HiddenServicePort 443 127.0.0.1:443

HiddenServiceDir /var/lib/tor/hidden_service/prosody
HiddenServicePort 5222 127.0.0.1:5222
HiddenServicePort 5269 127.0.0.1:5269


DNSPort   9053
DNSListenAddress 10.0.0.1
VirtualAddrNetworkIPv4 10.192.0.0/16
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.0.0.1
SocksPort 9050 # what port to open for local application connectio$
SocksBindAddress 127.0.0.1 # accept connections only from localhost
AllowUnverifiedNodes middle,rendezvous
#Log notice syslog" >>  /etc/tor/torrc 


service tor start

sleep 5

found=no
for i in 1 2 3 4 5 6 7 8 9 10
do
  if [ -e "$tordir/owncloud/hostname" ]; then
    echo "Tor configuration OK"
    break
  else
    sleep 10
  fi
done

#i2p
apt-get install -y i2p

echo "Change RUN_DAEMON to true"
# waitakey
# $EDITOR /etc/default/i2p
sed "s~RUN_DAEMON=.*~RUN_DAEMON=\"true\"~g" -i /etc/default/i2p 


service i2p restart


cat << EOF > /etc/nginx/sites-enabled/i2p 
server {
        listen 80;
        server_name i2p.local;


location / {
    proxy_pass       http://127.0.0.1:7657;
    proxy_set_header Host      \$host;
    proxy_set_header X-Real-IP \$remote_addr;
  }

}
EOF

service nginx restart



#unbound
apt-get install -y unbound

echo '# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.1/8 allow
    access-control: 0.0.0.0/0 refuse
#    access-control
#    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    do-not-query-localhost: no
#domain-insecure: "onion"
#private-domain: "onion"

#Local destinations
local-zone: "local." static
local-data: "communitycube.local. IN A 10.0.0.1"
local-data: "i2p.local. IN A 10.0.0.1"
local-data: "tahoe.local. IN A 10.0.0.1"' > /etc/unbound/unbound.conf-static

for i in $(ls /var/lib/tor/hidden_service/)
do

cat << EOF >>  /etc/unbound/unbound.conf-static
local-data: "$i.local.  IN A 10.0.0.1"
EOF

done

for i in $(ls /var/lib/tor/hidden_service/)
do

hn="$(cat /var/lib/tor/hidden_service/$i/hostname 2>/dev/null)"

if [ -n "$hn" ]; then
cat << EOF >>  /etc/unbound/unbound.conf-static

local-zone: "$hn." static
local-data: "$hn. IN A 10.0.0.1"
EOF

fi

done

echo '
#I2P domains
local-zone: "i2p" redirect
local-data: "i2p A 10.191.0.1"' >> /etc/unbound/unbound.conf-static

echo '#Forward rest of zones to TOR
forward-zone:
    name: "."
    forward-addr: 10.0.0.1@9053' > /etc/unbound/forward.conf

cat /etc/unbound/unbound.conf-static > /etc/unbound/unbound.conf
echo "include: /etc/unbound/forward.conf" >> /etc/unbound/unbound.conf
    
service unbound restart

#owncloud
apt-get install -y owncloud apache2-mpm-prefork- apache2-utils- apache2.2-bin- apache2.2-common-

echo "Change to"
echo "  listen = localhost:9000"
sed "s~listen =.*~listen = localhost:9000~g" -i /etc/php5/fpm/pool.d/www.conf 
# waitakey
# $EDITOR /etc/php5/fpm/pool.d/www.conf 

echo "Change upload_max_filesize and post_max_size to 2000M"
# waitakey 
sed "s~upload_max_filesize =.*~upload_max_filesize = 2000M~g" -i /etc/php5/fpm/php.ini
sed "s~upload_max_filesize =.*~upload_max_filesize = 2000M~g" -i /etc/php5/cli/php.ini 
sed "s~post_max_size =.*~post_max_size = 2000M~g" -i /etc/php5/fpm/php.ini
sed "s~post_max_size =.*~post_max_size = 2000M~g" -i /etc/php5/cli/php.ini 
# $EDITOR  /etc/php5/fpm/php.ini /etc/php5/cli/php.ini 

hn=`cat /var/lib/tor/hidden_service/owncloud/hostname`

cat << EOF > /etc/nginx/sites-enabled/owncloud 
server {
  listen 80;
  server_name $hn;
  return 301 https://\$server_name\$request_uri;
  }
  
server {
        listen 10.0.0.253;
        server_name _;
        return 301 https://$hn;
}
  
  
  server {
  listen 80;
  server_name owncloud.local;
  return 301 https://$hn\$request_uri;
  }

server {
  listen 7070;
  server_name $hn;
  return 301 https://\$server_name\$request_uri;
  }

server {
  listen 443;
  ssl on;
  server_name $hn;
  ssl_certificate /etc/ssl/nginx/$hn.crt;
  ssl_certificate_key /etc/ssl/nginx/$hn.key;

  # Path to the root of your installation
  root /var/www/owncloud/;
  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  rewrite ^/caldav(.*)\$ /remote.php/caldav\$1 redirect;
  rewrite ^/carddav(.*)\$ /remote.php/carddav\$1 redirect;
  rewrite ^/webdav(.*)\$ /remote.php/webdav\$1 redirect;

  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
    }

  location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
    deny all;
    }

  location / {
   # The following 2 rules are only needed with webfinger
   rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
   rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

   rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
   rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

   rewrite ^(/core/doc/[^\/]+/)\$ \$1/index.html;

   try_files \$uri \$uri/ /index.php;
   }

   location ~ \.php(?:\$|/) {
   fastcgi_split_path_info ^(.+\.php)(/.+)\$;
   include fastcgi_params;
   fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
   fastcgi_param PATH_INFO \$fastcgi_path_info;
   fastcgi_param HTTPS on;
   fastcgi_pass php-handler;
   }

   # Optional: set long EXPIRES header on static assets
   location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)\$ {
       expires 30d;
       # Optional: Don't log access to assets
         access_log off;
   }

  }
EOF

if [ ! -e /etc/ssl/nginx/$hn.key -o ! -e /etc/ssl/nginx/$h.csr -o ! -e  /etc/ssl/nginx/$hn.crt ]; then
    openssl genrsa -des3 -out /etc/ssl/nginx/$hn.key 2048
    openssl req -new -key /etc/ssl/nginx/$hn.key -out /etc/ssl/nginx/$hn.csr
    cp /etc/ssl/nginx/$hn.key /etc/ssl/nginx/$hn.key.org
    openssl rsa -in /etc/ssl/nginx/$hn.key.org -out /etc/ssl/nginx/$hn.key
    openssl x509 -req -days 365 -in /etc/ssl/nginx/$hn.csr -signkey /etc/ssl/nginx/$hn.key -out /etc/ssl/nginx/$hn.crt
fi

service php5-fpm restart
service nginx restart

#Java
apt-get install -y openjdk-7-jre-headless
apt-get remove -y openjdk-6-jre-headless
apt-get remove -y openjdk-6-jre-lib


#Yacy
echo "On ask, maximum 300Mb"
waitakey
apt-get install -y yacy


hn="$(cat /var/lib/tor/hidden_service/yacy/hostname 2>/dev/null)"
echo "server {
        listen 80;
        server_name yacy.local;
        return 301 http://$hn\$request_uri;
}

server {
        listen 10.0.0.251;
        server_name _;
        return 301 http://$hn;
}

server {
        listen 80;
        server_name $hn;

location / {
    proxy_pass       http://127.0.0.1:8090;
    proxy_set_header Host      \$host;
    proxy_set_header X-Real-IP \$remote_addr;
  }

}" > /etc/nginx/sites-enabled/yacy 

#tahoe
apt-get install -y i2p-tahoe-lafs

service tahoe-lafs stop


echo 'AUTOSTART="i2p"' > /etc/default/tahoe-lafs 

mkdir /var/lib/tahoe-lafs/ -p

[ -z "$(grep tahoelafs /etc/group)" ] && addgroup --system tahoelafs
[ -z "$(grep tahoelafs /etc/passwd)" ] && adduser --disabled-login --system --home /var/lib/tahoe-lafs --shell /bin/bash --no-create-home --ingroup tahoelafs tahoelafs


chown tahoelafs:tahoelafs /var/lib/tahoe-lafs -R
tahoe create-node /var/lib/tahoe-lafs/i2p/

echo 'pb://c6w5ernw7y7rp3uwmdyu5clujyt2y4m4@w2zrwz5gplkkufix7cb4gmxfbrkwg2abnsgk62bm5iifzlahe7kq.b32.i2p/introducer
pb://exupps5kk3amc5iq4q6f5ahggkm4s5fl@oj7cffq5fnk46iw3i3h2sdgncxrqbxm7wh6i4h2cbpmqsydygkcq.b32.i2p/introducer
pb://md2tltfmdjvzptg4mznha5zktaxatpmz@5nrsgknvztikjxnpvidlokquojjlsudf7xlnrnyobj7e7trdmuta.b32.i2p/introducer
pb://fmcbgy7zd6ubrbphilmrlocvb7f327z5@gdr3tt5uewgnm7r7xn54k2qikf2kuwwegjjsnkz44pjticcacsua.b32.i2p/introducer
pb://tq7rx35yopkvodmsxkqra4qqkbho3yaa@6ga2r2h2fyq6tzcyh6bf3hpio3i7r4edadbq7l4wnh4y62taj6ia.b32.i2p/introducer
pb://cys5w43lvx3oi5lbgk6liet6rbguekuo@sagljtwlctcoktizkmyv3nyjsuygty6tpkn5riwxlruh3f2oze2q.b32.i2p/introducer
pb://r3bs6joub24gtsofe7ohnnjcnwfmo2jy@qaihdh5z7osn7tc3326ahv3z46badiuaulff43wchmap7skg7euq.b32.i2p/42mrbm7zxmjemz6hzejo3i7aunx4eoun' > /var/lib/tahoe-lafs/i2p/introducers



echo "Point your browser to http://i2p.local/i2ptunnel/wizard"
echo " Server Tunnel > Standard > tahoe/tahoe > 127.0.0.1:3459 > autostart"
echo
echo "Then point to http://i2p.local/i2ptunnelmgr"
echo " and get base32 URL to put in   tub.location ="
echo "This process can be 5 minutes long. Wait"
echo
waitakey

echo "Change config"
echo "[node]
nickname = yourpreferednick
web.port = tcp:3456:interface=127.0.0.1
web.static = public_html
http_proxy = 127.0.0.1:4444
tub.port = 3459
tub.location= %base32TUB.LOCATION%
[storage]
enabled = true
reserved_space = 20G
[helper]
enabled = true"

waitakey

nano /var/lib/tahoe-lafs/i2p/tahoe.cfg

chown tahoelafs:tahoelafs /var/lib/tahoe-lafs -R

service tahoe-lafs restart

echo 'server {
        listen 80;
        server_name tahoe.local;


location / {
    proxy_pass       http://127.0.0.1:3456;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
  }

}' > /etc/nginx/sites-enabled/tahoe


service nginx restart

#phpmyadmin
echo "If it's asked for a webserver, do not mark any"
waitakey
apt-get install -y phpmyadmin

#service nginx restart

#friendica
apt-get install -y php5 mysql-server php5-curl php5-gd php5-mysql php5-imap smarty3 git

if [ ! -e  /var/lib/mysql/frndc ]; then
  echo "Enter root mysql password"
  echo "CREATE DATABASE frndc;
grant all privileges on frndc.* to  friendica@localhost  identified by 'SuperPass8Wor1_2';" | mysql -u root -p
fi

if [ ! -e  /var/www/friendica ]; then

cd /var/www
git clone https://github.com/friendica/friendica.git
cd friendica
git clone https://github.com/friendica/friendica-addons.git addon

chown -R www-data:www-data /var/www/friendica/view/smarty3
chmod g+w /var/www/friendica/view/smarty3
touch /var/www/friendica/.htconfig.php
chown www-data:www-data /var/www/friendica/.htconfig.php
chmod g+rwx /var/www/friendica/.htconfig.php

fi

if [ -z "$(grep "friendica/include/poller" /etc/crontab)" ]; then
    echo '*/10 * * * * /usr/bin/php /var/www/friendica/include/poller.php' >> /etc/crontab
fi

onion="$(cat /var/lib/tor/hidden_service/friendica/hostname 2>/dev/null)"
if [ ! -e /etc/ssl/nginx/$onion.key -o ! -e /etc/ssl/nginx/$onion.csr -o ! -e  /etc/ssl/nginx/$onion.crt ]; then
    openssl genrsa -des3 -out /etc/ssl/nginx/$onion.key 2048
    openssl req -new -key /etc/ssl/nginx/$onion.key -out /etc/ssl/nginx/$onion.csr
    cp /etc/ssl/nginx/$onion.key /etc/ssl/nginx/$onion.key.org
    openssl rsa -in /etc/ssl/nginx/$onion.key.org -out /etc/ssl/nginx/$onion.key
    openssl x509 -req -days 365 -in /etc/ssl/nginx/$onion.csr -signkey /etc/ssl/nginx/$onion.key -out /etc/ssl/nginx/$onion.crt
fi

cat << EOF > /etc/nginx/sites-enabled/friendica 
server {
  listen 8181;
  server_name $onion;
  index index.php;
  root /var/www/friendica;
  rewrite ^ https://$onion\$request_uri? permanent;
  }

server {
  listen 80;
  server_name $onion;
  index index.php;
  root /var/www/friendica;
  rewrite ^ https://$onion\$request_uri? permanent;
  }

server {
        listen 10.0.0.252;
        server_name _;
        return 301 https://$onion;
}
  
server {
  listen 80;
  server_name friendica.local;
  index index.php;
  root /var/www/friendica;
  rewrite ^ https://$onion\$request_uri? permanent;
  }

server {
  listen 443;
  ssl on;
  server_name $onion;
  ssl_certificate /etc/ssl/nginx/$onion.crt;
  ssl_certificate_key /etc/ssl/nginx/$onion.key;
  ssl_session_timeout 5m;
  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
  ssl_prefer_server_ciphers on;

  index index.php;
  charset utf-8;
  root /var/www/friendica;
  access_log /var/log/nginx/friendica.log;
  # allow uploads up to 20MB in size
  client_max_body_size 20m;
  client_body_buffer_size 128k;


  # rewrite to front controller as default rule
  location / {
    rewrite ^/(.*) /index.php?q=\$uri&\$args last;
  }

  # make sure webfinger and other well known services aren't blocked
  # by denying dot files and rewrite request to the front controller
  location ^~ /.well-known/ {
    allow all;
    rewrite ^/(.*) /index.php?q=\$uri&\$args last;
  }

  # statically serve these file types when possible
  # otherwise fall back to front controller
  # allow browser to cache them
  # added .htm for advanced source code editor library
  location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
    expires 30d;
    try_files \$uri /index.php?q=\$uri&\$args;
  }
  
  # block these file types
  location ~* \.(tpl|md|tgz|log|out)$ {
    deny all;
  }

  # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
  # or a unix socket
  location ~* \.php$ {
    # Zero-day exploit defense.
    # http://forum.nginx.org/read.php?2,88845,page=3
    # Won't work properly (404 error) if the file is not stored on this
    # server, which is entirely possible with php-fpm/php-fcgi.
    # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
    # another machine.  And then cross your fingers that you won't get hacked.
    try_files \$uri =404;

    # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    fastcgi_split_path_info ^(.+\.php)(/.+)$;

    # With php5-cgi alone:
    fastcgi_pass 127.0.0.1:9000;

    # With php5-fpm:
    #fastcgi_pass unix:/var/run/php5-fpm.sock;

    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
  }

  # deny access to all dot files
  location ~ /\. {
    deny all;
  }
}


EOF

service nginx restart

#html
mkdir -p /var/www/html
rm -f /var/www/html/index.html
for i in $(ls /var/lib/tor/hidden_service/ --ignore=box)
do

hn="$(cat /var/lib/tor/hidden_service/$i/hostname 2>/dev/null)"

cat << EOF >> /var/www/html/index.html
<a href="http://$hn">$i</a>
EOF
done


if [ -z "$(grep apache_get_modules /var/www/friendica/mod/install.php | grep -i function_exists | grep -i '/\*')" ]; then
    sed "s~if(function_exists('apache_get_modules')).*~/*if(function_exists('apache_get_modules'))~g" -i /var/www/friendica/mod/install.php
    sed "s~if(! function_exists('curl_init')){.*~*/ if(! function_exists('curl_init')){~g" -i /var/www/friendica/mod/install.php
fi


echo '<a href="http://tahoe.local">tahoe</a>' >> /var/www/html/index.html
echo '<a href="http://i2p.local">i2p</a>' >> /var/www/html/index.html
echo '<a href="http://communitycube.local/phpmyadmin">phpmyadmin</a>' >> /var/www/html/index.html