forked from NSAKEY/paranoid-prosody
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bootstrap.sh
executable file
·133 lines (118 loc) · 5.73 KB
/
bootstrap.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/bin/bash
# "Paranoid Prosody" settings for config like OTR.im forked from https://github.com/NSAKEY/paranoid-prosody
# Updated December 2023 for Debian Bookworm
# Released under GNU General Public License v3 or any later version
# Check for root
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
PWD="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Update software
echo "== Updating software"
apt-get --allow-releaseinfo-change update
apt-get dist-upgrade -y
apt-transport-https
apt-get install -y
# add official Tor repository
if ! grep -q "deb.torproject.org/torproject.org" /etc/apt/sources.list; then
echo "== Adding the official Tor repository"
echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main" >> /etc/apt/sources.list
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
apt-get update
apt-get install deb.torproject.org-keyring
fi
# Add the official Prosody repository
#if ! grep -q "packages.prosody.im/debian" /etc/apt/sources.list; then
# echo "== Adding the official Prosody repository"
# echo "deb https://packages.prosody.im/debian bookworm main" >> /etc/apt/sources.list
# wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
# apt-get update
#fi
echo "== Adding Prosody via Debian extrepo"
apt install extrepo
extrepo enable prosody
apt-get update
# Install prosody and tor, plus related packages
echo "== Installing Prosody and Tor"
apt-get install -y deb.torproject.org-keyring tor tor-arm tor-geoipdb prosody lua-event
service tor stop
service prosody stop
# SSL/TLS prep for prosody
# Generate self-signed certificate
#openssl genrsa -out /etc/prosody/certs/xmpp.key 4096
#openssl req -new -key /etc/prosody/certs/xmpp.key -out /etc/prosody/certs/xmpp.crt
#openssl dhparam -out /etc/prosody/certs/dhparam.pem 4096
# Use Let's Encrypt certificate authority for prosody
apt-get install certbot
certbot certonly --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live"
echo -e "#!/bin/sh\n/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live" >> /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
chown prosody:prosody /etc/prosody/certs/*
chmod 600 /etc/prosody/certs/*
certbot renew --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live"
prosodyctl --root cert import /etc/letsencrypt/live
# Configure tor
cp $PWD/etc/tor/torrc /etc/tor/torrc
# Configure prosody
cp $PWD/etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua
mkdir /usr/share
mkdir /usr/share/lua
mkdir /usr/share/lua/5.1
mkdir /usr/share/lua/5.1/mod_otr
cp $PWD/usr/lib/prosody/modules/* /usr/lib/prosody/modules/
cp $PWD/usr/lib/prosody/modules/mod_otr.lua /usr/share/lua/5.1/mod_otr/
# Configure firewall rules
echo "== Configuring firewall rules"
apt-get install -y debconf-utils
echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections
echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
apt-get install -y iptables iptables-persistent
cp $PWD/etc/iptables/rules.v4 /etc/iptables/rules.v4
cp $PWD/etc/iptables/rules.v6 /etc/iptables/rules.v6
chmod 600 /etc/iptables/rules.v4
chmod 600 /etc/iptables/rules.v6
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6
# Configure automatic updates
echo "== Configuring unattended upgrades"
apt-get install -y unattended-upgrades apt-listchanges
cp $PWD/etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
service unattended-upgrades restart
# Install and configure apparmor
apt-get install -y apparmor apparmor-profiles apparmor-utils grub
sed -i.bak 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="\1 apparmor=1 security=apparmor"/' /etc/default/grub
update-grub
cp $PWD/etc/apparmor.d/usr.bin.prosody /etc/apparmor.d/usr.bin.prosody
# Install and config for apt-transport-tor
systemctl start tor
apt-get install apt-transport-tor
sed -i 's|https://deb.torproject.org|tor://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion|g' /etc/apt/sources.list
apt-get update
apt-get upgrade
apt-get install --reinstall deb.torproject.org-keyring tor
# Final instructions
echo ""
echo "== Try SSHing into this server again in a new window as well as connecting to XMPP, to confirm the firewall isn't broken"
echo ""
echo "== TO DO LIST:"
echo ""
echo "1. This script uses certbot and Let\'s Encrypt by default to generate SSL/TLS certificates. See: https://prosody.im/doc/letsencrypt"
echo "If you used OpenSSL to generate certificates, run 'cat /etc/prosody/certs/xmpp.crt' and submit its contents to your friendly neighborhood Certificate Authority."
echo ""
echo "2. Configure DNS. Example (replace 'example.org' with your domain):"
echo "SRV _xmpp-client._tcp 3600 10 0 5222 example.org."
echo "SRV _xmpp-server._tcp 3600 10 0 5269 example.org."
echo ""
echo "3. Edit /etc/prosody/prosody.cfg.lua so that all cases of 'example.org' are replaced with your domain."
echo ""
echo "4. After you reboot, you can run 'aa-enforce /etc/apparmor.d/usr.bin.prosody' to update apparmor rules."
echo ""
echo "5. After the reboot, be sure to run 'cat /var/lib/tor/xmpp/hostname' to get your Tor hidden service address."
echo ""
echo "6. The option to allow SSH as an authenticated Tor hidden service has been supplied. Just read the comments in /etc/tor/torrc."
echo ""
echo "7. To create an account, run 'prosodyctl adduser [email protected]' See: https://prosody.im/doc/creating_accounts"
echo ""
echo "8. It is recommended to use a XMPP client like CoyIM to connect via OTR and Tor. See: https://coy.im"
echo ""
echo "== REBOOT THIS SERVER"