124 lines
4.2 KiB
Bash
124 lines
4.2 KiB
Bash
[ "$EUID" -eq 0 ] || { echo '[ERROR] The script must be executed under sudo!'; exit 1; };
|
|
|
|
echo '----- START HIDDEN SERVICE INSTALL -----';
|
|
|
|
# Install all the necessary things
|
|
apt install -y lighttpd;
|
|
|
|
# Where am I?
|
|
ScriptDir=$( dirname $0; );
|
|
|
|
# Arguments
|
|
ServiceName=${1};
|
|
echo '[INFO] Service Name: '${ServiceName}'';
|
|
ServiceTag=${2};
|
|
echo '[INFO] Service Tag: '${ServiceTag}'';
|
|
ServiceArchive=${3};
|
|
echo '[INFO] Service Archive: '${ServiceArchive}'';
|
|
KeyArchive=${4};
|
|
echo '[INFO] Key Archive: '${KeyArchive}'';
|
|
Action=${5};
|
|
echo '[INFO] Key Archive Action: '${Action}'';
|
|
|
|
# Create filenames
|
|
UUID=$( cat /proc/sys/kernel/random/uuid; );
|
|
echo '[INFO] Service UUID: '${UUID}'';
|
|
LightyJail=/${UUID}
|
|
ServiceDir=/var/lib/tor/${UUID};
|
|
ServiceSecret=${ServiceDir}/hs_ed25519_secret_key;
|
|
ServiceHostname=${ServiceDir}/hostname;
|
|
UnixSocket=/var/run/${UUID}.sock;
|
|
Torrc=/etc/tor/torrc;
|
|
LightyConf=/etc/lighttpd/lighttpd.conf;
|
|
|
|
# Users
|
|
TorUser='debian-tor';
|
|
LightyUser='www-data';
|
|
|
|
# If Key exists
|
|
if [ "${Action}" == 'get' ]; then {
|
|
# Copy secret key
|
|
mkdir -p ${ServiceDir};
|
|
GNUPGHOME=/home/amnesia/.gnupg gpg --batch --yes -o ${ServiceSecret} -d ${KeyArchive};
|
|
[ $? -eq 0 ] || { echo "[ERROR] Can't decrypt Key Archive. Exiting."; exit 1; };
|
|
chown -R ${TorUser}:${TorUser} ${ServiceDir};
|
|
chmod -R 0700 ${ServiceDir};
|
|
echo '[INFO] Key copied to service directory';
|
|
} fi
|
|
|
|
# Config Tor
|
|
echo '# ----- START HS '${UUID}' CONFIG -----' >> ${Torrc};
|
|
echo 'HiddenServiceDir '${ServiceDir}'' >> ${Torrc};
|
|
echo 'HiddenServicePort 80 unix:'${UnixSocket}'' >> ${Torrc};
|
|
echo '# ----- END HS '${UUID}' CONFIG -----' >> ${Torrc};
|
|
echo '[INFO] Tor configured';
|
|
|
|
# Restart Tor
|
|
service tor stop;
|
|
service tor start;
|
|
[ $? -eq 0 ] || { echo "[ERROR] Can't restart tor. Exiting."; exit 1; };
|
|
echo '[INFO] Tor restarted';
|
|
|
|
# If Key does not exist
|
|
if [ ''${Action}'' == 'store' ]; then {
|
|
# Copy secret key
|
|
echo '[INFO] Waiting for the secret ...';
|
|
while [ ! -f ${ServiceSecret} ]; do sleep 1; done;
|
|
echo '[INFO] Secret found!';
|
|
GNUPGHOME=/home/amnesia/.gnupg gpg --batch --yes -o ${KeyArchive} -a --default-recipient-self -e ${ServiceSecret};
|
|
[ $? -eq 0 ] || { echo "[ERROR] Can't encrypt Key Archive. Exiting."; exit 1; };
|
|
echo '[INFO] Secret successfully stored';
|
|
} fi
|
|
|
|
# Jail Lighty
|
|
mkdir -p ${LightyJail}/{tmp,etc};
|
|
mkdir -p ${LightyJail}/var/{log/lighttpd,tmp/lighttpd/cache/compress,www/html,run};
|
|
mkdir -p ${LightyJail}/home/lighttpd;
|
|
chown -R root:${LightyUser} ${LightyJail};
|
|
chmod -R 0750 ${LightyJail};
|
|
chmod 0770 ${LightyJail}/tmp;
|
|
chown ${LightyUser}:${LightyUser} ${LightyJail}/var/log/lighttpd;
|
|
chown ${LightyUser}:${LightyUser} ${LightyJail}/var/tmp/lighttpd/cache/compress;
|
|
chown ${LightyUser}:${LightyUser} ${LightyJail}/home/lighttpd;
|
|
chmod 0700 ${LightyJail}/home/lighttpd;
|
|
echo '[INFO] Lighty Jail created';
|
|
|
|
# Config lighttpd
|
|
echo '# ----- START HS '${UUID}' CONFIG -----' >> ${LightyConf};
|
|
echo 'server.chroot = "'${LightyJail}'"' >> ${LightyConf};
|
|
echo 'server.name = "'${ServiceName}'"' >> ${LightyConf};
|
|
echo 'server.tag = "'${ServiceTag}'"' >> ${LightyConf};
|
|
echo 'server.bind = "'${UnixSocket}'"' >> ${LightyConf};
|
|
echo 'server.socket-perms = "0770"' >> ${LightyConf};
|
|
echo '# ----- END HS '${UUID}' CONFIG -----' >> ${LightyConf};
|
|
echo '[INFO] Lighty configured';
|
|
|
|
# Restart lighttpd
|
|
service lighttpd stop;
|
|
service lighttpd start;
|
|
[ $? -eq 0 ] || { echo "[ERROR] Can't restart lighttpd. Exiting."; exit 1; };
|
|
echo '[INFO] Lighty restarted';
|
|
|
|
# Wait until socket is created
|
|
echo '[INFO] Waiting for the socket ...';
|
|
while [ ! -S ${UnixSocket} ]; do sleep 1; done;
|
|
echo '[INFO] Socket found!';
|
|
|
|
# Owners for socket
|
|
chown ${LightyUser}:${TorUser} ${UnixSocket};
|
|
|
|
# Copy docs
|
|
GNUPGHOME=/home/amnesia/.gnupg gpg --batch --yes -o ${LightyJail}/tmp/docs.tar -d ${ServiceArchive};
|
|
[ $? -eq 0 ] || { echo "[ERROR] Can't decrypt Service Archive. Exiting."; exit 1; };
|
|
tar -x -f ${LightyJail}/tmp/docs.tar -C ${LightyJail}/var/www/html;
|
|
[ $? -eq 0 ] || { echo "[ERROR] Can't untar Service Archive. Exiting."; exit 1; };
|
|
rm ${LightyJail}/tmp/docs.tar;
|
|
|
|
# Perms for docs
|
|
chown -R ${LightyUser}:${LightyUser} ${LightyJail}/var/www;
|
|
chmod -R 0500 ${LightyJail}/var/www;
|
|
|
|
ServiceAddress=$( cat ${ServiceHostname}; );
|
|
echo '[INFO] Hidden Service address: http://'${ServiceAddress}'';
|
|
echo '----- END HIDDEN SERVICE INSTALL -----';
|