diff --git a/scripts/commons b/scripts/commons
deleted file mode 100644
index 878e756..0000000
--- a/scripts/commons
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-# Fix hostname and configure hosts
-set_correct_hostname() {
- domain=$(cat /etc/yunohost/current_host)
- if [ -n "$domain" ] && ! hostnamectl --static | grep -q '\.'; then
- sudo hostnamectl --static set-hostname "${domain}"
- sudo hostnamectl --transient set-hostname "${domain}"
- sudo hostnamectl --pretty set-hostname "La Brique Internet (${domain})"
-
- if ! grep -q "127.0.0.1 ${domain}" /etc/hosts; then
- echo "127.0.0.1 $domain" | sudo tee -a /etc/hosts
- fi
- if ! grep -q "::1 ${domain}" /etc/hosts; then
- echo "::1 $domain" | sudo tee -a /etc/hosts
- fi
- fi
-}
diff --git a/scripts/install b/scripts/install
index dc0083b..0e5fbf1 100644
--- a/scripts/install
+++ b/scripts/install
@@ -1,46 +1,34 @@ #!/bin/bash -set -xe +source src/env +source src/helpers +source src/commands -source ./commons +set_doctorcube_version "${_LATESTVERSION}" -export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true -export LC_ALL=C LANGUAGE=C LANG=C -apt='sudo --preserve-env apt-get' - -sudo yunohost app setting doctorcube version -v "0.2.1" -sudo yunohost app fetchlist -n labriqueinternet -u https://labriqueinter.net/apps/labriqueinternet.json - -if [ "$(find /boot/ -name '*olinux*')" ]; then - # We are on a brique, or at least on a olinux board :) - - set_correct_hostname - - sudo rm -f /etc/apt/sources.list.d/{backports,testing}.list - sudo rm -f /etc/apt/preferences.d/kernel-{backports,testing} - - if dpkg -l | grep -q 'linux-image-4'; then - KERNEL_VERSION=$(uname -r) - - echo "linux-image-$KERNEL_VERSION linux-image-$KERNEL_VERSION/prerm/removing-running-kernel-$KERNEL_VERSION boolean false" | sudo debconf-set-selections +# Adds labriqueinternet app list +if ! has_labriqueinternet_applist; then + fetch_labriqueinternet_applist +fi - $apt remove --purge -qy --force-yes \ - linux-image-4* flash-kernel u-boot-tools u-boot-sunxi +# Sets a correct hostname based on the first Yunohost domain +if ! 
has_correct_hostname; then + fix_hostname +fi +# Removes testing kernel 4.* bugged with Olimex network cards +if is_olinux_board && has_testing_kernel; then + remove_testing_kernel +fi - if [ -f /etc/crypttab ] ; then - sudo su root -c "echo 'LINUX_KERNEL_CMDLINE=\"console=ttyS2 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mapper/root cryptopts=target=root,source=/dev/mmcblk0p2,cipher=aes-xts-plain64,size=256,hash=sha1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0\"' > /etc/default/flash-kernel" - else - sudo su root -c "echo 'LINUX_KERNEL_CMDLINE=\"console=ttyS1 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mmcblk0p1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0\"' > /etc/default/flash-kernel" - fi +# The filesystem is encrypted +if has_encryptedfs; then - $apt clean -q - $apt update -q - $apt install -qy --force-yes \ - -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold \ - linux-image-armmp flash-kernel u-boot-sunxi u-boot-tools - sudo update-initramfs -k all -u - fi -else - echo "WARNING: you aren't running this script on an Internet Cube, therefor I'm not touching your kernel but I'm still adding you the InternetCube apps list." + # Updates the decryption web interface and rebuilds the initramfs + decryption_webinterface_version=6becabaf57e95e334ebb8141642b807974885f84 + if ! compare_decryption_webinterface_version "${decryption_webinterface_version}"; then + update_decryption_webinterface "${decryption_webinterface_version}" + fi fi + +exit 0 diff --git a/scripts/remove b/scripts/remove index a9bf588..8c3cbfc 100644 --- a/scripts/remove +++ b/scripts/remove @@ -1 +1,3 @@ #!/bin/bash + +exit 0 diff --git a/scripts/src/commands b/scripts/src/commands new file mode 100644 index 0000000..e9f3542 --- /dev/null 
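Review bot: `set_doctorcube_version "${_LATESTVERSION}"` runs at the top of scripts/install, before the app list, hostname, kernel and decryption-interface steps, so the latest version is recorded even when one of those steps later aborts through the ERR trap set in src/env. scripts/upgrade in this same commit exits early with "Up-to-date, nothing to do" when the stored version equals the latest, so a half-finished install would presumably never be repaired by a later upgrade. Moving the call to just before `exit 0` records the version only after every step has succeeded. The pinned `decryption_webinterface_version` commit id is also repeated in scripts/upgrade; a single definition in src/env would keep the two copies from drifting apart.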
+++ b/scripts/src/commands
@@ -0,0 +1,96 @@
+function has_labriqueinternet_applist() {
+ sudo yunohost app listlists | grep -q labriqueinternet
+}
+
+function fetch_labriqueinternet_applist() {
+ info "Fetching labriqueinternet app list..."
+
+ sudo yunohost app fetchlist -n labriqueinternet -u https://labriqueinter.net/apps/labriqueinternet.json |& to_logs
+}
+
+function has_testing_kernel() {
+ [ -f /etc/apt/sources.list.d/testing.list -o -f /etc/apt/sources.list.d/backports.list ]\
+ && dpkg -l | grep -q linux-image-4
+}
+
+function remove_testing_kernel() {
+ info "Removing testing kernel..."
+
+ sudo rm -f /etc/apt/sources.list.d/{backports,testing}.list
+ sudo rm -f /etc/apt/preferences.d/kernel-{backports,testing}
+
+ local kernel_version="$(uname -r)"
+ echo "linux-image-${kernel_version} linux-image-${kernel_version}/prerm/removing-running-kernel-${kernel_version} boolean false" | sudo debconf-set-selections |& to_logs
+
+ $_APT remove --purge -y --force-yes '^linux-image-4.*' flash-kernel u-boot-tools u-boot-sunxi |& to_logs
+
+ if has_encryptedfs; then
+ echo 'LINUX_KERNEL_CMDLINE="console=ttyS2 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mapper/root cryptopts=target=root,source=/dev/mmcblk0p2,cipher=aes-xts-plain64,size=256,hash=sha1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0"' | sudo tee /etc/default/flash-kernel &> /dev/null
+ else
+ echo 'LINUX_KERNEL_CMDLINE="console=ttyS1 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mmcblk0p1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0"' | sudo tee /etc/default/flash-kernel &> /dev/null
+ fi
+
+ $_APT clean |& to_logs
+ $_APT update |& to_logs
+ $_APT install -y --force-yes -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold linux-image-armmp flash-kernel u-boot-sunxi u-boot-tools |& to_logs
+
+ sudo update-initramfs -k all -u |& to_logs
+}
+
+function has_correct_hostname() {
+ hostnamectl --static | grep -q '\.'
+}
+
+function fix_hostname() {
+ info "Fixing hostname..."
+
+ local main_domain=$(sudo cat /etc/yunohost/current_host)
+
+ if [ -n "${main_domain}" ]; then
+ sudo hostnamectl --static set-hostname "${main_domain}" |& to_logs
+ sudo hostnamectl --transient set-hostname "${main_domain}" |& to_logs
+ sudo hostnamectl --pretty set-hostname "La Brique Internet (${main_domain})" |& to_logs
+
+ if ! grep -q "${main_domain}" /etc/hosts; then
+ echo "::1 $main_domain" | sudo tee -a /etc/hosts &> /dev/null
+ echo "127.0.0.1 $main_domain" | sudo tee -a /etc/hosts &> /dev/null
+ fi
+ else
+ warn "Hostname cannot be fixed because there is no current host"
+ fi
+}
+
+function download_decryption_webinterface() {
+ local commit=$1
+
+ mkdir -p "${_TMPDIR}/webdecryption/"
+
+ wget "https://dev.yunohost.org/projects/la-brique-internet/repository/build/revisions/${commit}/raw/build/script/initramfs/www/cgi-bin/post.sh" -O "${_TMPDIR}/webdecryption/${commit}_post.sh" |& to_logs
+ wget "https://dev.yunohost.org/projects/la-brique-internet/repository/build/revisions/${commit}/raw/build/script/initramfs/www/index.html" -O "${_TMPDIR}/webdecryption/${commit}_index.html" |& to_logs
+}
+
+function compare_decryption_webinterface_version() {
+ local commit=$1
+
+ download_decryption_webinterface "${commit}"
+
+ sudo cmp -s "${_TMPDIR}/webdecryption/${commit}_index.html" /etc/initramfs-tools/root/www/index.html\
+ && sudo cmp -s "${_TMPDIR}/webdecryption/${commit}_post.sh" /etc/initramfs-tools/root/www/cgi-bin/post.sh
+}
+
+function update_decryption_webinterface() {
+ local commit=$1
+
+ info "Updating decryption web interface (${commit})..."
+
+ if ! [ -f "${_TMPDIR}/webdecryption/${commit}_post.sh" -a -f "${_TMPDIR}/webdecryption/${commit}_index.html" ]; then
+ download_decryption_webinterface "${commit}"
+ fi
+
+ sudo mv "${_TMPDIR}/webdecryption/${commit}_index.html" /etc/initramfs-tools/root/www/index.html
+ sudo mv "${_TMPDIR}/webdecryption/${commit}_post.sh" /etc/initramfs-tools/root/www/cgi-bin/post.sh
+ sudo chmod +x /etc/initramfs-tools/root/www/cgi-bin/post.sh
+
+ sudo sed 's/^TIMEOUTclose.*/TIMEOUTclose = 3600/' -i /etc/initramfs-tools/stunnel.conf
+ sudo update-initramfs -u -k all |& to_logs
+}
diff --git a/scripts/src/env b/scripts/src/env
new file mode 100644
index 0000000..d1f3904
--- /dev/null
+++ b/scripts/src/env
@@ -0,0 +1,23 @@
+set -Eu -o pipefail
+
+export DEBIAN_FRONTEND=noninteractive
+export DEBCONF_NONINTERACTIVE_SEEN=true
+export LC_ALL=C LANGUAGE=C LANG=C
+
+readonly _ISVERBOSE="$([ "${-/x}" != "${-}" ] && echo true || echo false)"
+readonly _LATESTVERSION="$(cat ./version)"
+readonly _CURRENTVERSION="$(sudo yunohost app setting doctorcube version 2> /dev/null || true)"
+readonly _TMPDIR="$(mktemp -dp /tmp/ doctorcube-XXXXX)"
+readonly _APT='sudo --preserve-env apt-get'
+
+function cleaning() {
+ rm -fr "${_TMPDIR}"
+}
+
+function cleaning_err() {
+ err "There was an error, script aborted"
+ exit 1
+}
+
+trap cleaning EXIT
+trap cleaning_err ERR
diff --git a/scripts/src/helpers b/scripts/src/helpers
new file mode 100644
index 0000000..1dd3a8d
--- /dev/null
+++ b/scripts/src/helpers
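Review bot: A failed or truncated download can end up installed as the boot-time decryption page. `compare_decryption_webinterface_version` is called by install and upgrade inside `if ! …`, a context in which bash does not fire the ERR trap, and `wget -O` leaves an empty output file behind on failure, so the later `[ -f … -a -f … ]` test in `update_decryption_webinterface` passes and the two `sudo mv` lines copy whatever is there into /etc/initramfs-tools/root/www before the initramfs is rebuilt. The update should require non-empty files and stop before the `mv` otherwise, as sketched below. Since post.sh becomes a CGI script inside the initramfs, the only integrity guarantee visible in this hunk is TLS to dev.yunohost.org plus the commit id in the URL; comparing each file with a checksum stored next to the pinned commit would make that check explicit.

```shell
function update_decryption_webinterface() {
  local commit=$1
  local post="${_TMPDIR}/webdecryption/${commit}_post.sh"
  local index="${_TMPDIR}/webdecryption/${commit}_index.html"

  # … unchanged: info message …

  # -s also rejects the empty file that wget -O creates when the transfer fails
  if ! [ -s "${post}" ] || ! [ -s "${index}" ]; then
    download_decryption_webinterface "${commit}"
  fi
  if ! [ -s "${post}" ] || ! [ -s "${index}" ]; then
    err "Decryption web interface could not be downloaded, keeping the installed one"
    return 1
  fi

  # … unchanged: mv, chmod, sed on stunnel.conf, update-initramfs …
}
```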
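Review bot: `readonly _LATESTVERSION="$(cat ./version)"` and `readonly _TMPDIR="$(mktemp -dp /tmp/ doctorcube-XXXXX)"` in src/env hide a failing command, because the status of each line is that of `readonly`, and the ERR trap is installed only at the end of the file. A missing ./version (the relative path depends on the caller's working directory) then gives an empty `_LATESTVERSION` that scripts/install hands to `set_doctorcube_version`, and a failed mktemp leaves `_TMPDIR` empty so the download paths in src/commands start at `/webdecryption/`. Assigning first and marking readonly afterwards keeps the status visible: `_TMPDIR="$(mktemp -dp /tmp/ doctorcube-XXXXX)" || exit 1` followed by `readonly _TMPDIR`, and the same pair for `_LATESTVERSION`. `cleaning_err` also calls `err`, which is defined in src/helpers and sourced after this file, so a comment stating that ordering requirement would help.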
@@ -0,0 +1,40 @@
+function log() {
+ echo "${1}"
+}
+
+function info() {
+ log "[INFO] ${1}"
+}
+
+function warn() {
+ log "[WARN] ${1}"
+}
+
+function err() {
+ log "[ERR] ${1}"
+}
+
+function to_logs() {
+
+ # When yunohost --verbose or bash -x
+ if $_ISVERBOSE; then
+ cat
+ else
+ cat > /dev/null
+ fi
+}
+
+function set_doctorcube_version() {
+ local version=$1
+ sudo yunohost app setting doctorcube version -v "${version}"
+
+ info "DoctorCube version is now ${version}"
+}
+
+function is_olinux_board() {
+ sudo grep -qi olinux /etc/flash-kernel/machine &> /dev/null
+}
+
+function has_encryptedfs() {
+ sudo grep -q '^root\s' /etc/crypttab &> /dev/null
+}
diff --git a/scripts/upgrade b/scripts/upgrade
index 5415661..6741415 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
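Review bot: `to_logs` throws away everything piped into it unless the script is being traced, and its callers in src/commands pipe with `|&`, so the stderr of apt-get, wget and update-initramfs is discarded as well. When the ERR trap fires, the operator sees only "There was an error, script aborted", with nothing to show which command failed on a device whose kernel or initramfs was just being changed. Keeping the output in a file in the non-verbose branch, e.g. `cat >> "${_TMPDIR}/output.log"`, and printing that file from `cleaning_err` before the EXIT trap removes the directory would preserve the evidence. A one-line header comment on `to_logs` saying that it consumes stdin and when it echoes it would also help readers of the call sites.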
@@ -1,29 +1,66 @@ #!/bin/bash -set -e +source src/env +source src/helpers +source src/commands -source ./commons +version=$_CURRENTVERSION -version=$(sudo yunohost app setting doctorcube version) +info "Current version of DoctorCube is ${version}" +info "Latest version of DoctorCube is ${_LATESTVERSION}" + +if [ "${version}" = "${_LATESTVERSION}" ]; then + info "Up-to-date, nothing to do" + exit 0 +fi + +info "Upgrading..." # 0.1 -> 0.2.1 -if [[ "$version" == "0.1" ]]; then +if [ "${version}" = 0.1 ]; then - set_correct_hostname + # The hostname should not be a fake one like "olinux" + if ! has_correct_hostname; then + fix_hostname + fi - sudo yunohost app setting doctorcube version -v "0.2.1" - version="0.2.1" + version=0.2.1 + set_doctorcube_version "${version}" fi # 0.2 -> 0.2.1 -if [[ "$version" == "0.2" ]]; then +if [ "${version}" = 0.2 ]; then + + # The hostname was not correctly set in the case of only one single domain + if ! has_correct_hostname; then + fix_hostname + fi + + version=0.2.1 + set_doctorcube_version "${version}" +fi + +# 0.2.1 -> 0.3 +if [ "${version}" = 0.2.1 ]; then + if has_encryptedfs; then - # we weren't setting the domain correctly in the case of only - # one single domain - if [[ "$(hostname)" == "olinux" ]]; then - set_correct_hostname + # The testing kernel was not correctly removed in the case of an + # encrypted filesystem + if is_olinux_board && has_testing_kernel; then + remove_testing_kernel + fi + + # Fixes a security issue (removing eval commands) and some minor bugs + decryption_webinterface_version=6becabaf57e95e334ebb8141642b807974885f84 + if ! compare_decryption_webinterface_version "${decryption_webinterface_version}"; then + update_decryption_webinterface "${decryption_webinterface_version}" fi + fi - sudo yunohost app setting doctorcube version -v "0.2.1" - version="0.2.1" + version=0.3 + set_doctorcube_version "${version}" fi + +info "Upgrading done" + +exit 0 
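Review bot: A stored version that matches none of the steps falls through to `info "Upgrading done"` and `exit 0` with nothing applied. src/env fills `_CURRENTVERSION` with `2> /dev/null || true`, so a failed `yunohost app setting` call yields an empty string, and in that case the 0.2.1 -> 0.3 step that replaces the decryption web interface is skipped without any message. A check before the final message would make this visible: `if [ "${version}" != "${_LATESTVERSION}" ]; then err "Unknown version '${version}', nothing was upgraded"; exit 1; fi`. The step comments could also state that each block leaves `version` at the next value so that the blocks chain in order.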
diff --git a/scripts/version b/scripts/version
new file mode 100644
index 0000000..be58634
--- /dev/null
+++ b/scripts/version
@@ -0,0 +1 @@
+0.3