diff --git a/devuan/install.sh b/devuan/install.sh index af1840c..65fec21 100755 --- a/devuan/install.sh +++ b/devuan/install.sh @@ -15,19 +15,35 @@ verbose "Update installed packages" apt-get -q update && apt-get -q --assume-yes upgrade #Add dependencies -apt-get install -q -y lsb-release sudo +apt-get install -y wget +apt-get install -y lsb-release +apt-get install -y ca-certificates +apt-get install -y dialog +apt-get install -y nano +apt-get install -y net-tools + +#SNMP +apt-get install -y snmpd +echo "rocommunity public" > /etc/snmp/snmpd.conf +service snmpd restart #IPTables resources/iptables.sh +#Optional CLI SIP monitoring tool +resources/sngrep.sh + #FusionPBX resources/fusionpbx.sh +#PHP +resources/php.sh + #NGINX web server resources/nginx.sh -#PHP -resources/php.sh +#Postgres +resources/postgresql.sh #FreeSWITCH resources/switch.sh @@ -35,22 +51,8 @@ resources/switch.sh #Fail2ban resources/fail2ban.sh -#Optional CLI SIP monitoring tool -resources/sngrep.sh - -#Postgres -resources/postgresql.sh - -#restart services -if [ ."$php_version" = ."5" ]; then - service php5-fpm restart -fi -if [ ."$php_version" = ."7" ]; then - service php7.0-fpm restart -fi - -service nginx restart -service fail2ban restart +#set the ip address +server_address=$(hostname -I) #add the database schema, user and groups resources/finish.sh diff --git a/devuan/resources/backup/fusionpbx-backup.sh b/devuan/resources/backup/fusionpbx-backup similarity index 68% rename from devuan/resources/backup/fusionpbx-backup.sh rename to devuan/resources/backup/fusionpbx-backup index 68625f7..6c0f5ab 100755 --- a/devuan/resources/backup/fusionpbx-backup.sh +++ b/devuan/resources/backup/fusionpbx-backup 
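Review bot: The SNMP block writes `rocommunity public` as the whole of /etc/snmp/snmpd.conf, so the agent answers read-only queries for the well-known default community with no source restriction. Debian-family packages typically ship a config that binds the agent to loopback, and this overwrite would remove that line too (confirm for Devuan); whether resources/iptables.sh blocks UDP 161 is not visible here. The config should carry the restriction itself, for example `echo "rocommunity $snmp_community 127.0.0.1" > /etc/snmp/snmpd.conf`, where `snmp_community` is a suggested new config.sh setting and not something this diff defines. Installing snmpd on every PBX would also be better as an opt-in flag than as a fixed step.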
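Review bot: `server_address=$(hostname -I)` is assigned but not exported, and the next line runs resources/finish.sh as a separate process, so as far as this hunk shows nothing ever reads the value. `hostname -I` also prints every configured address separated by spaces; finish.sh in this diff takes the first with `cut -d ' ' -f1`. Either drop the line or write `export server_address=$(hostname -I | cut -d ' ' -f1)` with a comment naming the consumer. The hunk also removes the php-fpm, nginx and fail2ban restarts, so unless the resource scripts restart those services themselves they keep their pre-configuration state until the reboot that the new finish.sh message asks for.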
@@ -19,9 +19,9 @@ find /var/backups/fusionpbx/*.tgz -mtime +2 -exec rm {} \; pg_dump --verbose -Fc --host=$db_host --port=$db_port -U fusionpbx fusionpbx --schema=public -f /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql #package -tar -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/share/freeswitch/scripts /var/lib/freeswitch/storage /var/lib/freeswitch/recordings /etc/fusionpbx /etc/freeswitch +#tar --exclude='/var/lib/freeswitch/recordings/*/archive' -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/share/freeswitch/scripts /var/lib/freeswitch/storage /var/lib/freeswitch/recordings /etc/fusionpbx /etc/freeswitch /usr/share/freeswitch/sounds/music/ #source -#tar -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/local/freeswitch/scripts /usr/local/freeswitch/storage /usr/local/freeswitch/recordings /etc/fusionpbx /usr/local/freeswitch/conf +#tar -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/local/freeswitch/scripts /usr/local/freeswitch/storage /usr/local/freeswitch/recordings /etc/fusionpbx /usr/local/freeswitch/conf /usr/local/freeswitch/sounds/music/ echo "Backup Completed" diff --git a/devuan/resources/backup/fusionpbx-maintenance b/devuan/resources/backup/fusionpbx-maintenance new file mode 100755 index 0000000..ea36249 --- /dev/null +++ b/devuan/resources/backup/fusionpbx-maintenance 
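Review bot: After this change both `tar` lines are commented out (the active package line is replaced by `#tar --exclude=...`), so the script still runs pg_dump and prints "Backup Completed" but no longer writes backup_$now.tgz. The `find /var/backups/fusionpbx/*.tgz -mtime +2 -exec rm {} \;` shown in the hunk header keeps pruning, so existing archives age out with nothing replacing them. If the package build is meant to stay the default, drop the leading `#` from the new `tar --exclude='/var/lib/freeswitch/recordings/*/archive' ...` line; if disabling it is intended, say so in a comment and change the final message. The script body starts above the hunk.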
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+#settings
+export PGPASSWORD="zzz"
+db_host=127.0.0.1
+db_port=5432
+switch_package=true # true or false
+
+purge_voicemail=false
+purge_call_recordings=false
+purge_cdrs=false
+purge_fax=false
+purge_switch_logs=true
+purge_php_sessions=true
+purge_database_transactions=true
+
+days_keep_voicemail=90
+days_keep_call_recordings=90
+days_keep_cdrs=90
+days_keep_fax=90
+days_keep_switch_logs=7
+days_keep_php_sessions=8
+days_keep_database_transactions=30
+
+#set the date
+now=$(date +%Y-%m-%d)
+
+#make sure the directory exists
+if [ -e /var/backups/fusionpbx/postgresql ]; then
+ echo "postgres backup directory exists"
+else
+ mkdir -p /var/backups/fusionpbx/postgresql
+fi
+
+#show message to the console
+echo "Maintenance Started"
+
+if [ .$purge_switch_logs = .true ]; then
+ #delete freeswitch logs older 7 days
+ if [ .$switch_package = .true ]; then
+ find /var/log/freeswitch/freeswitch.log.* -mtime +$days_keep_switch_logs -exec rm {} \;
+ else
+ find /usr/local/freeswitch/log/freeswitch.log.* -mtime +$days_keep_switch_logs -exec rm {} \;
+ fi
+else
+ echo "not purging Freeswitch logs"
+fi
+
+if [ .$purge_fax = .true ]; then
+ #delete fax older than 90 days
+ if [ .$switch_package = .true ]; then
+ echo ".";
+ find /var/lib/freeswitch/storage/fax/* -name '*.tif' -mtime +$days_keep_fax -exec rm {} \;
+ find /var/lib/freeswitch/storage/fax/* -name '*.pdf' -mtime +$days_keep_fax -exec rm {} \;
+ else
+ echo ".";
+ find /usr/local/freeswitch/storage/fax/* -name '*.tif' -mtime +$days_keep_fax -exec rm {} \;
+ find /usr/local/freeswitch/storage/fax/* -name '*.pdf' -mtime +$days_keep_fax -exec rm {} \;
+ fi
+ #delete from the database
+ psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_files WHERE fax_date < NOW() - INTERVAL '$days_keep_fax days'"
+ psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_logs WHERE fax_date < NOW() - INTERVAL '$days_keep_fax days'"
+else
+ echo "not purging Faxes"
+fi
+
+if [ .$purge_call_recordings = .true ]; then
+ #delete call recordings older than 90 days
+ if [ .$switch_package = .true ]; then
+ find /var/lib/freeswitch/recordings/*/archive/* -name '*.wav' -mtime +$days_keep_call_recordings -exec rm {} \;
+ find /var/lib/freeswitch/recordings/*/archive/* -name '*.mp3' -mtime +$days_keep_call_recordings -exec rm {} \;
+ else
+ find /usr/local/freeswitch/recordings/*/archive/* -name '*.wav' -mtime +$days_keep_call_recordings -exec rm {} \;
+ find /usr/local/freeswitch/recordings/*/archive/* -name '*.mp3' -mtime +$days_keep_call_recordings -exec rm {} \;
+ fi
+ psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_call_recordings WHERE call_recording_date < NOW() - INTERVAL '90 days'"
+else
+ echo "not purging Recordings."
+fi
+
+if [ .$purge_voicemail = .true ]; then
+ #delete voicemail older than 90 days
+ if [ .$switch_package = .true ]; then
+ echo ".";
+ find /var/lib/freeswitch/storage/voicemail/default/* -name 'msg_*.wav' -mtime +$days_keep_voicemail -exec rm {} \;
+ find /var/lib/freeswitch/storage/voicemail/default/* -name 'msg_*.mp3' -mtime +$days_keep_voicemail -exec rm {} \;
+ else
+ echo ".";
+ find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.wav' -mtime +$days_keep_voicemail -exec rm {} \;
+ find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.mp3' -mtime +$days_keep_voicemail -exec rm {} \;
+ fi
+ psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_voicemail_messages WHERE to_timestamp(created_epoch) < NOW() - INTERVAL '$days_keep_voicemail days'"
+else
+ echo "not purging voicemails."
+fi
+
+if [ .$purge_cdrs = .true ]; then
+ #delete call detail records older 90 days
+ psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_xml_cdr WHERE start_stamp < NOW() - INTERVAL '$days_keep_cdrs days'"
+else
+ echo "not purging CDRs."
+fi
+
+#delete php sessions
+if [ .$purge_php_sessions = .true ]; then
+ find /var/lib/php/sessions/* -name 'sess_*' -mtime +$days_keep_php_sessions -exec rm {} \;
+else
+ echo "not purging PHP Sessions."
+fi
+
+#delete database_transactions older 90 days
+if [ .$purge_database_transactions = .true ]; then
+ psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_database_transactions where transaction_date < NOW() - INTERVAL '$days_keep_database_transactions days'"
+else
+ echo "not purging database_transactions."
+fi
+
+#completed message
+echo "Maintenance Completed";
diff --git a/devuan/resources/backup/fusionpbx-maintenance.sh b/devuan/resources/backup/fusionpbx-maintenance.sh
deleted file mode 100755
index 3fc428d..0000000
--- a/devuan/resources/backup/fusionpbx-maintenance.sh
+++ /dev/null
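Review bot: The `export PGPASSWORD="zzz"` line becomes a live credential once finish.sh (in this diff) runs `sed -i "s/zzz/$database_password/g"` over the installed copy and sets it to mode 755, which leaves the database password readable by every local account; the same applies to fusionpbx-backup. Installing both cron.daily scripts with `chmod 700`, or reading the password from a root-only file such as ~/.pgpass, would close that. Separately, the call-recordings branch deletes files by `$days_keep_call_recordings` but its SQL still says `INTERVAL '90 days'`; it should read `INTERVAL '$days_keep_call_recordings days'` like the other branches. Every psql call also hard-codes `--host=127.0.0.1` and omits the port, ignoring the `db_host` and `db_port` settings at the top; `--host=$db_host --port=$db_port` would honour them. The comment `#delete database_transactions older 90 days` does not match the 30-day default above it.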
@@ -1,54 +0,0 @@ -#!/bin/sh - -#settings -#export PGPASSWORD="zzzzz" -db_host=127.0.0.1 -db_port=5432 -switch_package=true # true or false - -#set the date -now=$(date +%Y-%m-%d) - -#make sure the directory exists -mkdir -p /var/backups/fusionpbx/postgresql - -#show message to the console -echo "Maintenance Started" - -#delete freeswitch logs older 7 days -if [ .$switch_package = .true ]; then - find /var/log/freeswitch/freeswitch.log.* -mtime +7 -exec rm {} \; -else - find /usr/local/freeswitch/log/freeswitch.log.* -mtime +7 -exec rm {} \; -fi - -#delete fax older than 90 days -if [ .$switch_package = .true ]; then - echo "."; - #find /var/lib/freeswitch/storage/fax/* -name '*.tif' -mtime +90 -exec rm {} \; - #find /var/lib/freeswitch/storage/fax/* -name '*.pdf' -mtime +90 -exec rm {} \; -else - echo "."; - #find /usr/local/freeswitch/storage/fax/* -name '*.tif' -mtime +90 -exec rm {} \; - #find /usr/local/freeswitch/storage/fax/* -name '*.pdf' -mtime +90 -exec rm {} \; -fi -#delete from the database -#psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_files WHERE fax_date < NOW() - INTERVAL '90 days'" -#psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_logs WHERE fax_date < NOW() - INTERVAL '90 days'" - -#delete voicemail older than 90 days -if [ .$switch_package = .true ]; then - echo "."; - #find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.wav' -mtime +90 -exec rm {} \; - #find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.mp3' -mtime +90 -exec rm {} \; -else - echo "."; - #find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.wav' -mtime +90 -exec rm {} \; - #find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.mp3' -mtime +90 -exec rm {} \; -fi -#psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_voicemail_messages WHERE to_timestamp(created_epoch) < NOW() - INTERVAL '90 days'" -#delete call detail records older 90 days -#psql --host=127.0.0.1 --username=fusionpbx -c "delete from 
v_xml_cdr WHERE start_stamp < NOW() - INTERVAL '90 days'" - -#completed message -echo "Maintenance Completed"; diff --git a/devuan/resources/config.sh b/devuan/resources/config.sh index e7ca7a8..f571cc0 100755 --- a/devuan/resources/config.sh +++ b/devuan/resources/config.sh @@ -1,18 +1,26 @@ # FusionPBX Settings -system_username=admin # default username admin -system_password=random # random or as a pre-set value -system_branch=stable # master, stable +domain_name=ip_address # hostname, ip_address or a custom value +system_username=admin # default username admin +system_password=random # random or a custom value +system_branch=master # master, stable # FreeSWITCH Settings -switch_branch=stable # master, stable -switch_source=false # true or false -switch_package=true # true or false - +switch_branch=stable # master, stable +switch_source=false # true (source compile) or false (binary package) +switch_package=true # true (binary package) or false (source compile) +switch_version=1.10.7 # which source code to download, only for source +switch_tls=true # true or false +switch_token= # Get the auth token from https://signalwire.com + # Signup or Login -> Profile -> Personal Auth Token # Database Settings -database_password=random # random or as a pre-set value -database_repo=system # PostgreSQL official, system, 2ndquadrant -database_backup=false # true or false +database_password=random # random or a custom value (safe characters A-Z, a-z, 0-9) +database_repo=system # PostgreSQL official, system, 2ndquadrant +database_version=latest # requires repo official +database_host=127.0.0.1 # hostname or IP address +database_port=5432 # port number +database_backup=false # true or false # General Settings -php_version=7 # PHP version 5 or 7 +php_version=7.4 # PHP version 7.3, 7.4 +letsencrypt_folder=false # true or false diff --git a/devuan/resources/environment.sh b/devuan/resources/environment.sh index 7bce9a9..ac56ab6 100755 --- a/devuan/resources/environment.sh 
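Review bot: The default `system_branch` moves from `stable` to `master`, so an unattended install now clones whatever is at the head of the development branch at install time (fusionpbx.sh sets `branch=""` for master). If that is deliberate the comment should say so, e.g. `system_branch=master # master (development head, unpinned), stable`. `switch_token=` holds a SignalWire personal auth token in a file the diff header shows as mode 100755; a comment telling operators to make config.sh root-only once the token is filled in would be worth adding. The `database_password` comment documents a character restriction ("safe characters A-Z, a-z, 0-9") that nothing visible in this diff enforces.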
+++ b/devuan/resources/environment.sh @@ -10,8 +10,25 @@ cpu_name=$(uname -m) cpu_architecture='unknown' cpu_mode='unknown' +#set the environment path +export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +#debian release name +if [ .$os_codename = .'chimaera' ]; then + os_codename_debian='bullseye' +elif [ .$os_codename = .'beowulf' ]; then + os_codename_debian='buster' +else + warning "couldn't set a matching debian codename, are you using an old devuan release?" +fi + #check what the CPU and OS are -if [ .$cpu_name = .'armv7l' ]; then +if [ .$cpu_name = .'armv6l' ]; then + # RaspberryPi Zero + os_mode='32' + cpu_mode='32' + cpu_architecture='arm' +elif [ .$cpu_name = .'armv7l' ]; then # RaspberryPi 3 is actually armv8l but current Raspbian reports the cpu as armv7l and no Raspbian 64Bit has been released at this time os_mode='32' cpu_mode='32' @@ -21,6 +38,10 @@ elif [ .$cpu_name = .'armv8l' ]; then os_mode='unknown' cpu_mode='64' cpu_architecture='arm' +elif [ .$cpu_name = .'aarch64' ]; then + os_mode='64' + cpu_mode='64' + cpu_architecture='arm' elif [ .$cpu_name = .'i386' ]; then os_mode='32' if [ .$(grep -o -w 'lm' /proc/cpuinfo | head -n 1) = .'lm' ]; then diff --git a/devuan/resources/fail2ban.sh b/devuan/resources/fail2ban.sh index 6a55ebf..9e5cdaf 100755 --- a/devuan/resources/fail2ban.sh +++ b/devuan/resources/fail2ban.sh 
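Review bot: When `os_codename` is neither chimaera nor beowulf the new block only calls `warning` and carries on with `os_codename_debian` unset, so any later script that interpolates it gets an empty string. If an unknown release cannot be supported, stop there with `exit 1` after the warning; otherwise assign an explicit fallback and document it. The tests are unquoted (`[ .$os_codename = .'chimaera' ]`), which follows the file's existing style but fails if the value contains whitespace; `[ ."$os_codename" = .'chimaera' ]` is the safe form. ioncube.sh, added later in this diff, compares against `beowolf`, which does not match the `beowulf` spelling used here. The if/elif chain for `cpu_name` continues outside both hunks.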
@@ -15,20 +15,23 @@ verbose "Installing Fail2ban" apt-get -q -y install fail2ban #move the filters -cp fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf -cp fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf -cp fail2ban/freeswitch-404.conf /etc/fail2ban/filter.d/freeswitch-404.conf cp fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf +cp fail2ban/freeswitch-acl.conf /etc/fail2ban/filter.d/freeswitch-acl.conf +cp fail2ban/sip-auth-failure.conf /etc/fail2ban/filter.d/sip-auth-failure.conf +cp fail2ban/sip-auth-challenge.conf /etc/fail2ban/filter.d/sip-auth-challenge.conf +cp fail2ban/auth-challenge-ip.conf /etc/fail2ban/filter.d/auth-challenge-ip.conf +cp fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf cp fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf +cp fail2ban/fusionpbx-mac.conf /etc/fail2ban/filter.d/fusionpbx-mac.conf +cp fail2ban/fusionpbx-404.conf /etc/fail2ban/filter.d/fusionpbx-404.conf cp fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf cp fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf cp fail2ban/jail.local /etc/fail2ban/jail.local #update config if source is being used -if [ .$switch_source = .true ]; then - sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local -fi +#if [ .$switch_source = .true ]; then +# sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local +#fi +#restart fail2ban /usr/sbin/service fail2ban restart - -# missing log file will show error diff --git a/devuan/resources/fail2ban/auth-challenge-ip.conf b/devuan/resources/fail2ban/auth-challenge-ip.conf new file mode 100644 index 0000000..dab8f7b --- /dev/null +++ b/devuan/resources/fail2ban/auth-challenge-ip.conf 
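Review bot: Commenting out the `switch_source` sed leaves jail.local pointing at /var/log/freeswitch/freeswitch.log on source builds, where the removed line shows the log living under /usr/local/freeswitch/log. The hunk also drops the note that a missing log file produces an error, so on such a host the FreeSWITCH jails would likely fail to load and SIP authentication failures go unbanned. Either restore the three lines or, since jail.local now carries `#logpath = /usr/local/freeswitch/log/freeswitch.log` alternatives, add a comment here telling source-build operators to switch them by hand. Running `fail2ban-client status` after the restart would surface a jail that did not start.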
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#[WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [+972592277524@xxx.xxx.xxx.xxx] from ip 209.160.120.12
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \((INVITE|REGISTER)\) on sofia profile \'.*\' for \[.*@\d+.\d+.\d+.\d+\] from ip
+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/devuan/resources/fail2ban/freeswitch-acl.conf b/devuan/resources/fail2ban/freeswitch-acl.conf
new file mode 100644
index 0000000..9fe8e4e
--- /dev/null
+++ b/devuan/resources/fail2ban/freeswitch-acl.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#2021-02-03 16:27:57.292697 [WARNING] sofia_reg.c:2353 IP 62.210.78.91 Rejected by register acl "domains"
+failregex = \[WARNING\] sofia_reg.c:\d+ IP Rejected by register acl
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/devuan/resources/fail2ban/freeswitch-404.conf b/devuan/resources/fail2ban/fusionpbx-404.conf
similarity index 100%
rename from devuan/resources/fail2ban/freeswitch-404.conf
rename to devuan/resources/fail2ban/fusionpbx-404.conf
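Review bot: The new failregex lines are unanchored and match the caller-supplied part of the log line with `.*` (`for \[.*@\d+.\d+.\d+.\d+\]`), so text placed in a SIP user field can influence what the filter matches; the dots in `sofia_reg.c` and between the octets are also unescaped. Tightening to `sofia_reg\.c:\d+` and `for \[[^\]]*@\d+\.\d+\.\d+\.\d+\] from ip` narrows that. As rendered here each pattern has no host capture (`from ip`, `IP Rejected`, `\[\] invalid mac address`) and the header comment reads `The tag ""`, which suggests the `<HOST>` tag was lost when the page was extracted; confirm it is present in the committed files, since fail2ban has nothing to ban without it. The same remarks apply to freeswitch-acl.conf, fusionpbx-mac.conf and sip-auth-failure.conf in this diff. The copied header "regex to match the password failures messages" should be replaced per file; for auth-challenge-ip it is worth stating that a challenge is also logged for the normal first step of a legitimate REGISTER, which is presumably why its jail ships with `enabled = false`.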
diff --git a/devuan/resources/fail2ban/fusionpbx-mac.conf b/devuan/resources/fail2ban/fusionpbx-mac.conf
new file mode 100644
index 0000000..3bdff68
--- /dev/null
+++ b/devuan/resources/fail2ban/fusionpbx-mac.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#Oct 9 02:56:16 m1 fusionpbx-provision[28628]: [10.0.0.1] invalid mac address 000000000000
+failregex = \[\] invalid mac address
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/devuan/resources/fail2ban/jail.local b/devuan/resources/fail2ban/jail.local
index 5762aa0..726854c 100755
--- a/devuan/resources/fail2ban/jail.local
+++ b/devuan/resources/fail2ban/jail.local
@@ -1,80 +1,97 @@ -[freeswitch-udp] +[ssh] enabled = true -port = 5060,5061,5080,5081 +port = 22 +protocol = ssh +filter = sshd +logpath = /var/log/auth.log +action = iptables-allports[name=sshd, protocol=all] +maxretry = 6 +findtime = 60 +bantime = 86400 + +[freeswitch] +enabled = true +port = 5060:5091 protocol = all filter = freeswitch logpath = /var/log/freeswitch/freeswitch.log -action = iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp] -maxretry = 5 -findtime = 600 -bantime = 600 +#logpath = /usr/local/freeswitch/log/freeswitch.log +action = iptables-allports[name=freeswitch, protocol=all] +maxretry = 10 +findtime = 60 +bantime = 3600 # sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed -[freeswitch-tcp] +[freeswitch-acl] enabled = true -port = 5060,5061,5080,5081 +port = 5060:5091 protocol = all -filter = freeswitch +filter = freeswitch-acl logpath = /var/log/freeswitch/freeswitch.log -action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp] -maxretry = 5 -findtime = 600 -bantime = 600 -# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed +#logpath = /usr/local/freeswitch/log/freeswitch.log +action = iptables-allports[name=freeswitch-acl, protocol=all] +maxretry = 900 +findtime = 60 +bantime = 86400 -[freeswitch-ip-tcp] +[freeswitch-ip] enabled = false -port = 5060,5061,5080,5081 +port = 5060:5091 protocol = all filter = freeswitch-ip logpath = /var/log/freeswitch/freeswitch.log -action = iptables-multiport[name=freeswitch-ip-tcp, port="5060,5061,5080,5081", protocol=tcp] +#logpath = /usr/local/freeswitch/log/freeswitch.log +action = iptables-allports[name=freeswitch-ip, protocol=all] maxretry = 1 -findtime = 30 +findtime = 60 bantime = 86400 -[freeswitch-ip-udp] +[auth-challenge-ip] enabled = false -port = 5060,5061,5080,5081 +port = 5060:5091 protocol = all -filter = freeswitch-ip +filter = 
auth-challenge-ip logpath = /var/log/freeswitch/freeswitch.log -action = iptables-multiport[name=freeswitch-ip-udp, port="5060,5061,5080,5081", protocol=udp] +#logpath = /usr/local/freeswitch/log/freeswitch.log +action = iptables-allports[name=auth-challenge-ip, protocol=all] maxretry = 1 -findtime = 30 +findtime = 60 bantime = 86400 -[freeswitch-dos-udp] -enabled = true -port = 5060,5061,5080,5081 -protocol = all -filter = freeswitch-dos -logpath = /var/log/freeswitch/freeswitch.log -action = iptables-multiport[name=freeswitch-dos-udp, port="5060,5061,5080,5081", protocol=udp] -maxretry = 50 -findtime = 30 -bantime = 6000 - -[freeswitch-dos-tcp] -enabled = true -port = 5060,5061,5080,5081 -protocol = all -filter = freeswitch-dos -logpath = /var/log/freeswitch/freeswitch.log -action = iptables-multiport[name=freeswitch-dos-tcp, port="5060,5061,5080,5081", protocol=tcp] -maxretry = 50 -findtime = 30 -bantime = 6000 - -[freeswitch-404] +[sip-auth-challenge] enabled = false -port = 5060,5061,5080,5081 +port = 5060:5091 protocol = all -filter = freeswitch-404 +filter = sip-auth-challenge logpath = /var/log/freeswitch/freeswitch.log -action = iptables-allports[name=freeswitch-404, protocol=all] -maxretry = 3 -findtime = 300 +#logpath = /usr/local/freeswitch/log/freeswitch.log +action = iptables-allports[name=sip-auth-challenge, protocol=all] +maxretry = 100 +findtime = 60 +bantime = 7200 + +[sip-auth-failure] +enabled = true +port = 5060:5091 +protocol = all +filter = sip-auth-failure +logpath = /var/log/freeswitch/freeswitch.log +#logpath = /usr/local/freeswitch/log/freeswitch.log +action = iptables-allports[name=sip-auth-failure, protocol=all] +maxretry = 6 +findtime = 60 +bantime = 7200 + +[fusionpbx-404] +enabled = false +port = 5060:5091 +protocol = all +filter = fusionpbx-404 +logpath = /var/log/freeswitch/freeswitch.log +#logpath = /usr/local/freeswitch/log/freeswitch.log +action = iptables-allports[name=fusionpbx-404, protocol=all] +maxretry = 6 +findtime = 60 
bantime = 86400 [fusionpbx] @@ -83,11 +100,23 @@ port = 80,443 protocol = tcp filter = fusionpbx logpath = /var/log/auth.log -action = iptables-multiport[name=fusionpbx, port="http,https", protocol=tcp] +action = iptables-allports[name=fusionpbx, protocol=all] # sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed +maxretry = 20 +findtime = 60 +bantime = 3600 + +[fusionpbx-mac] +enabled = true +port = 80,443 +protocol = tcp +filter = fusionpbx-mac +logpath = /var/log/syslog +action = iptables-allports[name=fusionpbx-mac, protocol=all] +# sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed maxretry = 10 -findtime = 600 -bantime = 600 +findtime = 60 +bantime = 86400 [nginx-404] enabled = true @@ -95,19 +124,20 @@ port = 80,443 protocol = tcp filter = nginx-404 logpath = /var/log/nginx/access*.log +action = iptables-allports[name=nginx-404, protocol=all] bantime = 3600 findtime = 60 -maxretry = 120 +maxretry = 300 [nginx-dos] # Based on apache-badbots but a simple IP check (any IP requesting more than # 300 pages in 60 seconds, or 5p/s average, is suspicious) -# Block for two full days. enabled = true port = 80,443 protocol = tcp filter = nginx-dos logpath = /var/log/nginx/access*.log +action = iptables-allports[name=nginx-dos, protocol=all] findtime = 60 bantime = 86400 -maxretry = 300 +maxretry = 800 diff --git a/devuan/resources/fail2ban/freeswitch-dos.conf b/devuan/resources/fail2ban/sip-auth-challenge.conf old mode 100755 new mode 100644 similarity index 100% rename from devuan/resources/fail2ban/freeswitch-dos.conf rename to devuan/resources/fail2ban/sip-auth-challenge.conf diff --git a/devuan/resources/fail2ban/sip-auth-failure.conf b/devuan/resources/fail2ban/sip-auth-failure.conf new file mode 100755 index 0000000..0d4ee23 --- /dev/null +++ b/devuan/resources/fail2ban/sip-auth-failure.conf 
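Review bot: Every SIP jail now uses `findtime = 60`, and the enabled ones allow 6 to 10 failures inside it (`[sip-auth-failure] maxretry = 6`, `[freeswitch] maxretry = 10`), where the old jails counted 5 failures over 600 seconds; a client that stays just under the per-minute threshold is never banned however long it keeps guessing, and the `[fusionpbx]` jail in the next hunk makes the same trade. A longer window such as `findtime = 600` for the auth-failure jails, or a recidive-style jail for slow repeaters, would restore that coverage. All actions also switch to `iptables-allports[..., protocol=all]` with bans of up to 86400 seconds and no `ignoreip` visible in the file, so one misconfigured phone behind an office NAT can cut that site off from SSH and the web UI as well; a `[DEFAULT]` section with `ignoreip` for management addresses would limit that. `protocol = ssh` in the new `[ssh]` jail is not a transport protocol name (`tcp` is what the option expects), although the action line overrides it. `[freeswitch-acl] maxretry = 900` within 60 seconds deserves a comment explaining the number, since it looks unlikely to trigger in practice.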
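Review bot: In `[nginx-dos]` the comment still says "any IP requesting more than 300 pages in 60 seconds, or 5p/s average, is suspicious" while `maxretry` is now 800. Update it to match, e.g. `# 800 requests in 60 seconds, about 13 per second`, and keep a line stating the ban length (`bantime = 86400` is one day, so the removed "two full days" was already wrong). The same hunk raises `[nginx-404] maxretry` from 120 to 300 without a reason; one line of explanation would help whoever tunes these thresholds next.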
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/devuan/resources/finish.sh b/devuan/resources/finish.sh
index 0c4964a..6d0c1fb 100755
--- a/devuan/resources/finish.sh
+++ b/devuan/resources/finish.sh
@@ -6,64 +6,29 @@ cd "$(dirname "$0")" #includes . ./config.sh . ./colors.sh -. ./environment.sh #database details -database_host=127.0.0.1 -database_port=5432 database_username=fusionpbx if [ .$database_password = .'random' ]; then - database_password="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 20 | xargs)" + database_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') fi -verbose "Create the database and users" +#allow the script to use the new password +export PGPASSWORD=$database_password -# -# Install the database backup scripts -# +#update the database password +#sudo -u postgres psql --host=$database_host --port=$database_port --username=$database_username -c "ALTER USER fusionpbx WITH PASSWORD '$database_password';" +#sudo -u postgres psql --host=$database_host --port=$database_port --username=$database_username -c "ALTER USER freeswitch WITH PASSWORD '$database_password';" +sudo -u postgres psql -c "ALTER USER fusionpbx WITH PASSWORD '$database_password';" +sudo -u postgres psql -c "ALTER USER freeswitch WITH PASSWORD '$database_password';" -cp backup/fusionpbx-backup.sh /etc/cron.daily -chmod 755 /etc/cron.daily/fusionpbx-backup.sh -sed -i "s/zzz/${database_password}/g" /etc/cron.daily/fusionpbx-backup.sh - -# -# Install the maintenance script -# - -cp backup/fusionpbx-maintenance.sh /etc/cron.daily -chmod 755 /etc/cron.daily/fusionpbx-maintenance.sh -sed -i "s/zzz/${database_password}/g" /etc/cron.daily/fusionpbx-maintenance.sh - -# -# Move to /tmp to prevent a red herring error when running sudo with psql -# - -cwd=$(pwd) -cd /tmp - -# -# I'm not sure why we would do this when the databases don't exist yet. 
-# - -#sudo -u postgres psql -d fusionpbx -c "DROP SCHEMA public cascade;"; -#sudo -u postgres psql -d fusionpbx -c "CREATE SCHEMA public;"; - -sudo -u postgres psql -c "CREATE DATABASE fusionpbx;"; -sudo -u postgres psql -c "CREATE ROLE fusionpbx WITH SUPERUSER LOGIN PASSWORD '$database_password';" -sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE fusionpbx to fusionpbx;" - -# -# Maybe the freeswitch will use the freeswitch database in the future? -# Right now it's configured to use SQLite. -# So we will comment this out. -# - -#sudo -u postgres psql -c "CREATE DATABASE freeswitch;"; -#sudo -u postgres psql -c "CREATE ROLE freeswitch WITH SUPERUSER LOGIN PASSWORD '$password';" -#sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE freeswitch to fusionpbx;" -#sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE freeswitch to freeswitch;" - -cd $cwd +#install the database backup +cp backup/fusionpbx-backup /etc/cron.daily +cp backup/fusionpbx-maintenance /etc/cron.daily +chmod 755 /etc/cron.daily/fusionpbx-backup +chmod 755 /etc/cron.daily/fusionpbx-maintenance +sed -i "s/zzz/$database_password/g" /etc/cron.daily/fusionpbx-backup +sed -i "s/zzz/$database_password/g" /etc/cron.daily/fusionpbx-maintenance #add the config.php mkdir -p /etc/fusionpbx 
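Review bot: The new `ALTER USER ... WITH PASSWORD '$database_password'` calls put the password on the psql command line, where it shows in the process list while the command runs, and splice it unescaped into both the SQL and the `sed -i "s/zzz/$database_password/g"` expressions. The generated value is filtered down to letters and digits, but a custom value from config.sh is used as-is, so a quote, `/` or `&` in it breaks or alters these commands. A guard before first use would enforce what config.sh only documents: `case $database_password in *[!A-Za-z0-9]*) echo "database_password: use A-Z a-z 0-9 only" >&2; exit 1;; esac`. The hunk also removes the CREATE DATABASE and CREATE ROLE statements, so the ALTER USER lines depend on resources/postgresql.sh having created both roles earlier; that script is not shown here. The script body starts above the hunk and continues below it.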
@@ -77,21 +42,22 @@ sed -i /etc/fusionpbx/config.php -e s:"{database_password}:$database_password:" cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_schema.php > /dev/null 2>&1 #get the server hostname -#domain_name=$(hostname -f) +if [ .$domain_name = .'hostname' ]; then + domain_name=$(hostname -f) +fi #get the ip address -domain_name=$(hostname -I | cut -d ' ' -f1) +if [ .$domain_name = .'ip_address' ]; then + domain_name=$(hostname -I | cut -d ' ' -f1) +fi -#get a domain_uuid +#get the domain_uuid domain_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); -#allow the script to use the new password -export PGPASSWORD=$database_password - #add the domain name psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_domains (domain_uuid, domain_name, domain_enabled) values('$domain_uuid', '$domain_name', 'true');" -#app defaults - this is needed here otherwise group superadmin will not exist for "get the superadmin group_uuid" * +#app defaults cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_domains.php #add the user 
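Review bot: `domain_name` is inserted into v_domains without checking that the lookup produced anything, so if `hostname -f` or `hostname -I` returns nothing the install creates a domain with an empty name and carries on. A guard after the two blocks would stop that: `[ -n "$domain_name" ] || { echo "could not determine domain_name" >&2; exit 1; }`. The tests `[ .$domain_name = .'hostname' ]` are unquoted, so a custom value containing a space makes `[` fail with an error; quote the expansion as `."$domain_name"`. The hunk sits in the middle of the script.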
@@ -99,45 +65,47 @@ user_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); user_salt=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); user_name=$system_username if [ .$system_password = .'random' ]; then - user_password="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 12 | xargs)" + user_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') else user_password=$system_password fi - password_hash=$(php -r "echo md5('$user_salt$user_password');"); - psql --host=$database_host --port=$database_port --username=$database_username -t -c "insert into v_users (user_uuid, domain_uuid, username, password, salt, user_enabled) values('$user_uuid', '$domain_uuid', '$user_name', '$password_hash', '$user_salt', 'true');" -#get the superadmin group_uuid * -group_uuid=$(psql --host=$database_host --port=$database_port --username=$database_username -t -c "select group_uuid from v_groups where group_name = 'superadmin';"); -group_uuid=$(echo $group_uuid | sed 's/^[[:blank:]]*//;s/[[:blank:]]*$//') +#get the superadmin group_uuid +#echo "psql --host=$database_host --port=$database_port --username=$database_username -qtAX -c \"select group_uuid from v_groups where group_name = 'superadmin';\"" +group_uuid=$(psql --host=$database_host --port=$database_port --username=$database_username -qtAX -c "select group_uuid from v_groups where group_name = 'superadmin';"); #add the user to the group user_group_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); group_name=superadmin if [ .$system_branch = .'master' ]; then + #echo "insert into v_user_groups (user_group_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$user_group_uuid', '$domain_uuid', '$group_name', '$group_uuid', '$user_uuid');" psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_user_groups (user_group_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$user_group_uuid', '$domain_uuid', '$group_name', 
'$group_uuid', '$user_uuid');" else psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_group_users (group_user_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$user_group_uuid', '$domain_uuid', '$group_name', '$group_uuid', '$user_uuid');" -fi +fi #update xml_cdr url, user and password -xml_cdr_username=$(dd if=/dev/urandom bs=1 count=12 2>/dev/null | base64 | sed 's/[=\+//]//g') -xml_cdr_password=$(dd if=/dev/urandom bs=1 count=12 2>/dev/null | base64 | sed 's/[=\+//]//g') +xml_cdr_username=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') +xml_cdr_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_http_protocol}:http:" -sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{domain_name}:127.0.0.1:" +sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{domain_name}:$database_host:" sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_project_path}::" sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_user}:$xml_cdr_username:" sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_pass}:$xml_cdr_password:" -#app defaults - not sure if this needs to be executed again -cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_domains.php +#app defaults +cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade.php +#restart freeswitch /usr/sbin/service freeswitch restart #welcome message echo "" echo "" -verbose "Installation has completed." +verbose "Installation Notes. " +echo "" +echo " Please save the this information and reboot this system to complete the install. " echo "" echo " Use a web browser to login." echo " domain name: https://$domain_name" 
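Review bot: The xml_cdr `{domain_name}` placeholder is now filled with `$database_host` instead of 127.0.0.1, but the neighbouring `{v_http_protocol}` and `{v_project_path}` substitutions indicate this is the HTTP URL FreeSWITCH posts CDRs to, not a database address. With a remote `database_host` the CDR records and the `xml_cdr_username`/`xml_cdr_password` credentials would be sent over plain `http` to the database server. Keep `s:"{domain_name}:127.0.0.1:"` or introduce a separate setting for the web host. On the unchanged lines in this hunk, `password_hash=$(php -r "echo md5('$user_salt$user_password');")` stores a single salted MD5 and interpolates a possibly custom password into PHP source, which is worth a follow-up. The welcome text added here has a typo, "save the this information".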
@@ -153,8 +121,8 @@ echo " Fastest way to learn FusionPBX. For more information https://www.fus echo " Available online and in person. Includes documentation and recording." echo "" echo " Location: Online" -echo " Admin Training: TBA" -echo " Advanced Training: TBA" +echo " Admin Training: TBA" +echo " Advanced Training: TBA" echo " Continuing Education: https://www.fusionpbx.com/training" echo " Timezone: https://www.timeanddate.com/weather/usa/idaho" echo "" diff --git a/devuan/resources/fusionpbx.sh b/devuan/resources/fusionpbx.sh index 9b9da4c..556b2e6 100755 --- a/devuan/resources/fusionpbx.sh +++ b/devuan/resources/fusionpbx.sh @@ -6,16 +6,15 @@ cd "$(dirname "$0")" #includes . ./config.sh . ./colors.sh -. ./environment.sh #send a message verbose "Installing FusionPBX" #install dependencies -apt-get install -qq -y git dbus haveged ssl-cert -apt-get install -qq -y ghostscript libtiff5-dev libtiff-tools at +apt-get install -y vim git dbus haveged ssl-cert qrencode +apt-get install -y ghostscript libtiff5-dev libtiff-tools at -#set the version +#get the branch if [ .$system_branch = .'master' ]; then verbose "Using master" branch="" @@ -27,6 +26,10 @@ else branch="-b $system_version" fi +#add the cache directory +mkdir -p /var/cache/fusionpbx +chown -R www-data:www-data /var/cache/fusionpbx + #get the source code git clone $branch https://github.com/fusionpbx/fusionpbx.git /var/www/fusionpbx chown -R www-data:www-data /var/www/fusionpbx diff --git a/devuan/resources/ioncube.sh b/devuan/resources/ioncube.sh new file mode 100755 index 0000000..3db6bb1 --- /dev/null +++ b/devuan/resources/ioncube.sh 
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+. ./colors.sh
+. ./environment.sh
+
+#show cpu details
+echo "cpu architecture: $cpu_architecture"
+echo "cpu name: $cpu_name"
+
+#make sure unzip is install
+apt-get install -y unzip
+
+#remove the ioncube directory if it exists
+if [ -d "ioncube" ]; then
+ rm -Rf ioncube;
+fi
+
+#get the ioncube load and unzip it
+if [ .$cpu_architecture = .'x86' ]; then
+ #get the ioncube 64 bit loader
+ wget --no-check-certificate https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.zip
+
+ #uncompress the file
+ unzip ioncube_loaders_lin_x86-64.zip
+
+ #remove the zip file
+ rm ioncube_loaders_lin_x86-64.zip
+elif [ .$cpu_architecture = ."arm" ]; then
+ if [ .$cpu_name = .'armv7l' ]; then
+ #get the ioncube 64 bit loader
+ wget --no-check-certificate https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_armv7l.zip
+
+ #uncompress the file
+ unzip ioncube_loaders_lin_armv7l.zip
+
+ #remove the zip file
+ rm ioncube_loaders_lin_armv7l.zip
+ fi
+fi
+
+#set the version of php
+if [ ."$os_codename" = ."beowolf" ]; then
+ php_version=7.3
+fi
+if [ ."$os_codename" = ."chimaera" ]; then
+ php_version=7.4
+fi
+
+#copy the loader to the correct directory
+if [ ."$php_version" = ."7.3" ]; then
+ #copy the php extension .so into the php lib directory
+ cp ioncube/ioncube_loader_lin_7.3.so /usr/lib/php/20180731
+
+ #add the 00-ioncube.ini file
+ echo "zend_extension = /usr/lib/php/20180731/ioncube_loader_lin_7.3.so" > /etc/php/7.3/fpm/conf.d/00-ioncube.ini
+ echo "zend_extension = /usr/lib/php/20180731/ioncube_loader_lin_7.3.so" > /etc/php/7.3/cli/conf.d/00-ioncube.ini
+
+ #restart the service
+ /usr/sbin/service php7.3-fpm restart
+fi
+if [ ."$php_version" = ."7.4" ]; then
+ #copy the php extension .so into the php lib directory
+ cp ioncube/ioncube_loader_lin_7.4.so /usr/lib/php/20190902
+
+ #add the 00-ioncube.ini file
+ echo "zend_extension = /usr/lib/php/20190902/ioncube_loader_lin_7.4.so" > /etc/php/7.4/fpm/conf.d/00-ioncube.ini
+ echo "zend_extension = /usr/lib/php/20190902/ioncube_loader_lin_7.4.so" > /etc/php/7.4/cli/conf.d/00-ioncube.ini
+
+ #restart the service
+ /usr/sbin/service php7.4-fpm restart
+fi
diff --git a/devuan/resources/iptables.sh b/devuan/resources/iptables.sh
index c663520..1ee101d 100755
--- a/devuan/resources/iptables.sh
+++ b/devuan/resources/iptables.sh
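Review bot: Both `wget --no-check-certificate` calls switch off TLS certificate validation for an archive whose `.so` is then loaded into PHP-FPM and the PHP CLI as a `zend_extension`, and nothing verifies the download afterwards. With `ca-certificates` installed the flag can simply be dropped, and checking the zip against a recorded digest before `unzip`, e.g. `echo "<expected-sha256>  ioncube_loaders_lin_x86-64.zip" | sha256sum -c - || exit 1`, would also cover a tampered mirror. The codename test is spelled `beowolf` here but `beowulf` in iptables.sh and nginx.sh, so on that release this block never sets `php_version` and, unless config.sh supplies it, neither copy branch runs. On an arm CPU other than `armv7l` nothing is downloaded at all, yet the later `cp` and the `00-ioncube.ini` writes still run unchecked.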
@@ -3,40 +3,61 @@ #move to script directory so all relative paths work cd "$(dirname "$0")" + +#add the includes . ./config.sh . ./colors.sh +. ./environment.sh #send a message verbose "Configuring IPTables" +#defaults to nftables by default this enables iptables +if [ ."$os_codename" = ."beowulf" ]; then + update-alternatives --set iptables /usr/sbin/iptables-legacy + update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy +fi +if [ ."$os_codename" = ."chimaera" ]; then + apt-get install -y iptables + update-alternatives --set iptables /usr/sbin/iptables-legacy + update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy +fi + +#remove ufw +[ -x /usr/sbin/ufw ] && ufw reset +[ -x /usr/sbin/ufw ] && ufw disable +apt-get remove -y ufw +#apt-get purge ufw + #run iptables commands iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -iptables -A INPUT -j DROP -p udp --dport 5060:5061 -m string --string "friendly-scanner" --algo bm -iptables -A INPUT -j DROP -p udp --dport 5060:5061 -m string --string "sipcli/" --algo bm -iptables -A INPUT -j DROP -p udp --dport 5060:5061 -m string --string "VaxSIPUserAgent/" --algo bm -iptables -A INPUT -j DROP -p tcp --dport 5060:5061 -m string --string "friendly-scanner" --algo bm -iptables -A INPUT -j DROP -p tcp --dport 5060:5061 -m string --string "sipcli/" --algo bm -iptables -A INPUT -j DROP -p tcp --dport 5060:5061 -m string --string "VaxSIPUserAgent/" --algo bm -iptables -A INPUT -j DROP -p udp --dport 5080:5081 -m string --string "friendly-scanner" --algo bm -iptables -A INPUT -j DROP -p udp --dport 5080:5081 -m string --string "sipcli/" --algo bm -iptables -A INPUT -j DROP -p udp --dport 5080:5081 -m string --string "VaxSIPUserAgent/" --algo bm -iptables -A INPUT -j DROP -p tcp --dport 5080:5081 -m string --string "friendly-scanner" --algo bm -iptables -A INPUT -j DROP -p tcp --dport 5080:5081 -m string --string "sipcli/" --algo bm -iptables -A INPUT -j DROP -p tcp 
--dport 5080:5081 -m string --string "VaxSIPUserAgent/" --algo bm +iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase +iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase +iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase +iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase +iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase +iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase +iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase +iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase +iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase +iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase +iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase +iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." 
--algo bm --icase +iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase +iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT -iptables -A INPUT -p tcp --dport 5060:5061 -j ACCEPT -iptables -A INPUT -p udp --dport 5060:5061 -j ACCEPT -iptables -A INPUT -p tcp --dport 5080:5081 -j ACCEPT -iptables -A INPUT -p udp --dport 5080:5081 -j ACCEPT +iptables -A INPUT -p tcp --dport 7443 -j ACCEPT +iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT +iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p udp --dport 1194 -j ACCEPT iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46 -iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5081 -j DSCP --set-dscp 26 -iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5081 -j DSCP --set-dscp 26 +iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26 +iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26 iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT @@ -44,6 +65,4 @@ iptables -P OUTPUT ACCEPT #answer the questions for iptables persistent echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections -apt-get install -y -q iptables-persistent - -# update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults +apt-get install -y iptables-persistent diff --git a/devuan/resources/letsencrypt.sh b/devuan/resources/letsencrypt.sh index e603527..b86bbaa 100755 
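Review bot: The `-p tcp ... -m string` DROP rules are appended after `-m state --state ESTABLISHED,RELATED -j ACCEPT`, so for TCP they only ever see the payload-less SYN; the segments that carry the SIP text are already accepted as ESTABLISHED and the signatures are never compared. Placing the string-match rules ahead of the ESTABLISHED rule (or adding them with `-I INPUT`) is needed for the TCP variants to have any effect. The hunk also switches `ip6tables` to the legacy backend but defines no `ip6tables` rules or policy, so on a host with IPv6 connectivity the same services would presumably be reachable unfiltered; mirroring at least `ip6tables -P INPUT DROP` plus the accept rules closes that. `ufw reset` asks for confirmation on a terminal, so `ufw --force reset` keeps the install non-interactive.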
--- a/devuan/resources/letsencrypt.sh
+++ b/devuan/resources/letsencrypt.sh
@@ -1,80 +1,127 @@ #!/bin/sh +# FusionPBX - Install +# Mark J Crane +# Copyright (C) 2018 +# All Rights Reserved. + #move to script directory so all relative paths work cd "$(dirname "$0")" #includes . ./config.sh -. ./colors.sh -. ./environment.sh -#request the domain and email +#remove dehyrdated letsencrypt script +rm /usr/local/sbin/dehydrated +rm -R /usr/src/dehydrated +#rm -R /etc/dehydrated/ +#rm -R /usr/src/dns-01-manual +#rm -R /var/www/dehydrated + +#request the domain name, email address and wild card domain read -p 'Domain Name: ' domain_name read -p 'Email Address: ' email_address -#domain_name=subdomain.domain.com -#email=username@domain.com -#remove previous install -rm -R /opt/letsencrypt -rm -R /etc/letsencrypt +#get and install dehydrated +cd /usr/src && git clone https://github.com/lukas2511/dehydrated.git +cd /usr/src/dehydrated +cp dehydrated /usr/local/sbin +mkdir -p /var/www/dehydrated +mkdir -p /etc/dehydrated/certs -#use php version 5 for arm -if [ .$cpu_architecture = .'arm' ]; then - php_version=5 +#wildcard detection +wildcard_domain=$(echo $domain_name | cut -c1-1) +if [ "$wildcard_domain" = "*" ]; then + wildcard_domain="true" +else + wildcard_domain="false" fi -#enable fusionpbx nginx config -cp nginx/fusionpbx /etc/nginx/sites-available/fusionpbx - -#prepare socket name -if [ ."$php_version" = ."5" ]; then - sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php5-fpm.sock;#g' +#remove the wildcard and period +if [ .$wildcard_domain = ."true" ]; then + domain_name=$(echo "$domain_name" | cut -c3-255) fi -if [ ."$php_version" = ."7" ]; then - sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.0-fpm.sock;#g' + +#manual dns hook +if [ .$wildcard_domain = ."true" ]; then + cd /usr/src + git clone https://github.com/gheja/dns-01-manual.git + cd /usr/src/dns-01-manual/ + cp hook.sh /etc/dehydrated/hook.sh + chmod 755 /etc/dehydrated/hook.sh fi -ln -s /etc/nginx/sites-available/fusionpbx 
/etc/nginx/sites-enabled/fusionpbx -#read the config -/usr/sbin/nginx -t && /usr/sbin/nginx -s reload +#copy config and hook.sh into /etc/dehydrated +cd /usr/src/dehydrated +cp docs/examples/config /etc/dehydrated +#cp docs/examples/hook.sh /etc/dehydrated -#install letsencrypt -git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt -chmod 755 /opt/letsencrypt/certbot-auto -/opt/letsencrypt/./certbot-auto -mkdir -p /etc/letsencrypt/configs -mkdir -p /var/www/letsencrypt/ +#update the dehydrated config +#sed "s#CONTACT_EMAIL=#CONTACT_EMAIL=$email_address" -i /etc/dehydrated/config +sed -i 's/#CONTACT_EMAIL=/CONTACT_EMAIL="'"$email_address"'"/g' /etc/dehydrated/config +sed -i 's/#WELLKNOWN=/WELLKNOWN=/g' /etc/dehydrated/config -#cd $pwd -#cd "$(dirname "$0")" +#accept the terms +./dehydrated --register --accept-terms --config /etc/dehydrated/config -#copy the domain conf -cp letsencrypt/domain_name.conf /etc/letsencrypt/configs/$domain_name.conf +#set the domain alias +domain_alias=$(echo "$domain_name" | head -n1 | cut -d " " -f1) -#update the domain_name and email_address -sed "s#{domain_name}#$domain_name#g" -i /etc/letsencrypt/configs/$domain_name.conf -sed "s#{email_address}#$email_address#g" -i /etc/letsencrypt/configs/$domain_name.conf +#create an alias when using wildcard dns +if [ .$wildcard_domain = ."true" ]; then + echo "*.$domain_name > $domain_name" > /etc/dehydrated/domains.txt +fi -#letsencrypt -#sed "s@#letsencrypt@location /.well-known/acme-challenge { root /var/www/letsencrypt; }@g" -i /etc/nginx/sites-available/fusionpbx +#add the domain name to domains.txt +if [ .$wildcard_domain = ."false" ]; then + echo "$domain_name" > /etc/dehydrated/domains.txt +fi -#get the certs from letsencrypt -cd /opt/letsencrypt && ./letsencrypt-auto --config /etc/letsencrypt/configs/$domain_name.conf certonly +#request the certificates +if [ .$wildcard_domain = ."true" ]; then + ./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root 
X1" --algo rsa --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh +fi +if [ .$wildcard_domain = ."false" ]; then + ./dehydrated --cron --alias $domain_alias --preferred-chain "ISRG Root X1" --algo rsa --config /etc/dehydrated/config --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge http-01 +fi + +#make sure the nginx ssl directory exists +mkdir -p /etc/nginx/ssl #update nginx config -sed "s@ssl_certificate /etc/ssl/certs/nginx.crt;@ssl_certificate /etc/letsencrypt/live/$domain_name/fullchain.pem;@g" -i /etc/nginx/sites-available/fusionpbx -sed "s@ssl_certificate_key /etc/ssl/private/nginx.key;@ssl_certificate_key /etc/letsencrypt/live/$domain_name/privkey.pem;@g" -i /etc/nginx/sites-available/fusionpbx +sed "s@ssl_certificate /etc/ssl/certs/nginx.crt;@ssl_certificate /etc/dehydrated/certs/$domain_alias/fullchain.pem;@g" -i /etc/nginx/sites-available/fusionpbx +sed "s@ssl_certificate_key /etc/ssl/private/nginx.key;@ssl_certificate_key /etc/dehydrated/certs/$domain_alias/privkey.pem;@g" -i /etc/nginx/sites-available/fusionpbx #read the config /usr/sbin/nginx -t && /usr/sbin/nginx -s reload -#combine the certs into all.pem -cat /etc/letsencrypt/live/$domain_name/cert.pem > /etc/letsencrypt/live/$domain_name/all.pem -cat /etc/letsencrypt/live/$domain_name/privkey.pem >> /etc/letsencrypt/live/$domain_name/all.pem -cat /etc/letsencrypt/live/$domain_name/chain.pem >> /etc/letsencrypt/live/$domain_name/all.pem +#setup freeswitch tls +if [ .$switch_tls = ."true" ]; then -#copy the certs to the switch tls directory -mkdir -p /etc/freeswitch/tls -cp /etc/letsencrypt/live/$domain_name/*.pem /etc/freeswitch/tls -cp /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem -chown -R www-data:www-data /etc/freeswitch + #make sure the freeswitch directory exists + mkdir -p /etc/freeswitch/tls + + #make sure the freeswitch certificate directory is empty + rm /etc/freeswitch/tls/* + 
+ #combine the certs into all.pem + cat /etc/dehydrated/certs/$domain_alias/fullchain.pem > /etc/freeswitch/tls/all.pem + cat /etc/dehydrated/certs/$domain_alias/privkey.pem >> /etc/freeswitch/tls/all.pem + #cat /etc/dehydrated/certs/$domain_alias/chain.pem >> /etc/freeswitch/tls/all.pem + + #copy the certificates + cp /etc/dehydrated/certs/$domain_alias/cert.pem /etc/freeswitch/tls + cp /etc/dehydrated/certs/$domain_alias/chain.pem /etc/freeswitch/tls + cp /etc/dehydrated/certs/$domain_alias/fullchain.pem /etc/freeswitch/tls + cp /etc/dehydrated/certs/$domain_alias/privkey.pem /etc/freeswitch/tls + + #add symbolic links + ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/agent.pem + ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/tls.pem + ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem + ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/dtls-srtp.pem + + #set the permissions + chown -R www-data:www-data /etc/freeswitch/tls + +fi diff --git a/devuan/resources/nginx.sh b/devuan/resources/nginx.sh index 3156887..3f2cb63 100755 --- a/devuan/resources/nginx.sh +++ b/devuan/resources/nginx.sh 
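Review bot: `/etc/freeswitch/tls/all.pem` is created by `cat ... > all.pem` and then has `privkey.pem` appended, so under a typical root umask of 022 the combined key file ends up world-readable, and the four symlinks expose it under further names. Setting the mode explicitly next to the existing `chown`, e.g. `chmod 600 /etc/freeswitch/tls/*.pem`, keeps the key limited to the owning account (this assumes FreeSWITCH runs as `www-data`, which the hunk does not show). Both `git clone` calls take the default branch, and the result is copied to `/usr/local/sbin/dehydrated` and `/etc/dehydrated/hook.sh` and executed, presumably as root; checking out a reviewed tag or commit after cloning would make the install reproducible. `--domain *.$domain_name` and `--alias $domain_alias` are unquoted, so the `*` is subject to pathname expansion in `/usr/src/dehydrated`; `--domain "*.$domain_name"` avoids that.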
@@ -9,69 +9,36 @@ cd "$(dirname "$0")" . ./environment.sh #send a message -verbose "Installing Nginx" +verbose "Installing the web server" -#if [ ."$cpu_architecture" = ."arm" ]; then - #9.x - */stretch/ - #8.x - */jessie/ -#fi -if [ ."$php_version" = ."5" ]; then - #verbose "Switching forcefully to php5* packages" - which add-apt-repository || apt-get install -y software-properties-common - #LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php - #LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php5-compat - apt-get update -elif [ ."$os_name" = ."Ubuntu" ]; then - #16.10.x - */yakkety/ - #16.04.x - */xenial/ - #14.04.x - */trusty/ - if [ ."$os_codename" = ."trusty" ]; then - which add-apt-repository || apt-get install -y software-properties-common - LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php - apt-get -q update - fi -elif [ ."$cpu_architecture" = ."arm" ]; then - #Pi2 and Pi3 Raspbian - #Odroid - if [ ."$os_codename" = ."jessie" ]; then - echo "deb http://packages.moopi.uk/debian jessie main" > /etc/apt/sources.list.d/moopi.list - wget -O - http://packages.moopi.uk/debian/moopi.gpg.key | apt-key add - - apt-get -q update - fi -else - #9.x - */stretch/ - #8.x - */jessie/ - if [ ."$os_codename" = ."jessie" ]; then - echo "deb http://packages.dotdeb.org $os_codename all" > /etc/apt/sources.list.d/dotdeb.list - echo "deb-src http://packages.dotdeb.org $os_codename all" >> /etc/apt/sources.list.d/dotdeb.list - wget -O - https://www.dotdeb.org/dotdeb.gpg | apt-key add - - apt-get -q update - fi +#change the version of php for arm +if [ ."$cpu_architecture" = ."arm" ]; then + #Pi2 and Pi3 Raspbian + #Odroid + if [ ."$os_codename" = ."stretch" ]; then + php_version=7.2 + else + php_version=5.6 + fi fi -#use php version 5 for arm -#if [ .$cpu_architecture = .'arm' ]; then -# php_version=5 -#fi - -#install dependencies -apt-get install -y -q nginx -if [ ."$php_version" = ."5" ]; then - apt-get install -y -q php5 php5-cli php5-fpm php5-pgsql php5-sqlite php5-odbc 
php5-curl php5-imap +#set the version of php +if [ ."$os_codename" = ."chimaera" ]; then + php_version=7.4 fi -if [ ."$php_version" = ."7" ]; then - apt-get install -y -q php7.0 php7.0-cli php7.0-fpm php7.0-pgsql php7.0-sqlite3 php7.0-odbc php7.0-curl php7.0-imap php7.0-xml +if [ ."$os_codename" = ."beowulf" ]; then + php_version=7.3 fi #enable fusionpbx nginx config cp nginx/fusionpbx /etc/nginx/sites-available/fusionpbx #prepare socket name -if [ ."$php_version" = ."5" ]; then - sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php5-fpm.sock;#g' +if [ ."$php_version" = ."7.3" ]; then + sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.3-fpm.sock;#g' fi -if [ ."$php_version" = ."7" ]; then - sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.0-fpm.sock;#g' +if [ ."$php_version" = ."7.4" ]; then + sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.4-fpm.sock;#g' fi ln -s /etc/nginx/sites-available/fusionpbx /etc/nginx/sites-enabled/fusionpbx @@ -82,8 +49,15 @@ ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/nginx.crt #remove the default site rm /etc/nginx/sites-enabled/default +#update config if LetsEncrypt folder is unwanted +# if [ .$letsencrypt_folder = .false ]; then +# sed -i '151,155d' /etc/nginx/sites-available/fusionpbx +# fi + #add the letsencrypt directory -mkdir -p /var/www/letsencrypt/ +if [ .$letsencrypt_folder = .true ]; then + mkdir -p /var/www/letsencrypt/ +fi #restart nginx -service nginx restart +/usr/sbin/service nginx restart diff --git a/devuan/resources/nginx/fusionpbx b/devuan/resources/nginx/fusionpbx index 4a9256a..bc7570f 100755 --- a/devuan/resources/nginx/fusionpbx +++ b/devuan/resources/nginx/fusionpbx 
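Review bot: The arm branch assigns `php_version=7.2` or `5.6`, but the socket rewrite further down only handles `7.3` and `7.4`, so for those values no `sed` runs and the copied site file keeps whatever `fastcgi_pass` socket the template ships with. Either drop the arm branch or stop with a message when the version is not one of the handled values, for example a `case "$php_version"` with `*) echo "unsupported php_version: $php_version" >&2; exit 1 ;;`. In the second hunk `$letsencrypt_folder` is expanded unquoted in the test, so an empty or multi-word value changes how `[` parses it; `[ ."$letsencrypt_folder" = ."true" ]` matches the quoting already used for `$php_version`.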
@@ -1,254 +1,303 @@ - -server { - listen 127.0.0.1:80; - server_name 127.0.0.1; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - client_max_body_size 80M; - client_body_buffer_size 128k; - - location / { - root /var/www/fusionpbx; - index index.php; - } - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - } - - # Allow the upgrade routines to run longer than normal - location = /core/upgrade/index.php { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - fastcgi_read_timeout 15m; - } - - # Disable viewing .htaccess & .htpassword & .db - location ~ .htaccess { - deny all; - } - location ~ .htpassword { - deny all; - } - location ~^.+.(db)$ { - deny all; - } -} - -server { - listen 80; - server_name fusionpbx; - if ($uri !~* ^.*(provision|xml_cdr).*$) { - rewrite ^(.*) https://$host$1 permanent; - break; - } - - #REST api - if ($uri ~* ^.*/api/.*$) { - rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; - break; - } - - #algo - rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; - - #mitel - rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; - rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; - - #grandstream - rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; - #grandstream-wave softphone by ext because Android doesn't pass MAC. 
- rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; - - #aastra - rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; - #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; - - #yealink common - rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; - - #yealink mac - rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; - - #polycom - rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; - #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; - rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; - - #cisco - rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; - - #Escene - rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; - rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; - - #Vtech - rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; - - #Digium - rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - 
client_max_body_size 80M; - client_body_buffer_size 128k; - - location / { - root /var/www/fusionpbx; - index index.php; - } - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - } - - # Allow the upgrade routines to run longer than normal - location = /core/upgrade/index.php { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - fastcgi_read_timeout 15m; - } - - # Disable viewing .htaccess & .htpassword & .db - location ~ .htaccess { - deny all; - } - location ~ .htpassword { - deny all; - } - location ~^.+.(db)$ { - deny all; - } -} - -server { - listen 443; - server_name fusionpbx; - ssl on; - ssl_certificate /etc/ssl/certs/nginx.crt; - ssl_certificate_key /etc/ssl/private/nginx.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!ADH:!MD5:!aNULL; - - #letsencrypt - location /.well-known/acme-challenge { - root /var/www/letsencrypt; - } - - #REST api - if ($uri ~* ^.*/api/.*$) { - rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; - break; - } - - #algo - rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; - - #mitel - rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; - rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; - - #grandstream - rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; - #grandstream-wave softphone by ext because Android doesn't pass MAC. 
- rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; - - #aastra - rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; - #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; - - #yealink common - rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; - - #yealink mac - rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; - - #polycom - rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; - #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; - rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; - - #cisco - rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; - - #Escene - rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; - rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; - - #Vtech - rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; - - #Digium - rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - 
client_max_body_size 80M; - client_body_buffer_size 128k; - - location / { - root /var/www/fusionpbx; - index index.php; - } - - # Allow the upgrade routines to run longer than normal - location = /core/upgrade/index.php { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - fastcgi_read_timeout 15m; - } - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - } - - # Disable viewing .htaccess & .htpassword & .db - location ~ .htaccess { - deny all; - } - location ~ .htpassword { - deny all; - } - location ~^.+.(db)$ { - deny all; - } -} + +server { + listen 127.0.0.1:80; + server_name 127.0.0.1; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + client_max_body_size 80M; + client_body_buffer_size 128k; + + location / { + root /var/www/fusionpbx; + index index.php; + } + + location ~ \.php$ { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + } + + # Allow the upgrade routines to run longer than normal + location = /core/upgrade/index.php { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + fastcgi_read_timeout 15m; + } + + # Disable viewing .htaccess & .htpassword & .db & .git + location ~ .htaccess { + deny all; + } + location ~ .htpassword { + deny all; + } + location ~^.+.(db)$ { + deny all; + } + location ~ /\.git { + deny all; + } + location ~ /\.lua { + deny all; + } + location ~ /\. 
{ + deny all; + } +} + +server { + listen 80; + server_name fusionpbx; + + #redirect letsencrypt to dehydrated + location ^~ /.well-known/acme-challenge { + default_type "text/plain"; + auth_basic "off"; + alias /var/www/dehydrated; + } + + #rewrite rule - send to https with an exception for provisioning + if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) { + rewrite ^(.*) https://$host$1 permanent; + break; + } + + #REST api + if ($uri ~* ^.*/api/.*$) { + rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; + break; + } + + #algo + rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; + + #mitel + rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; + rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; + + #grandstream + rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; + rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last; + #grandstream-wave softphone by ext because Android doesn't pass MAC. 
+ rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; + + #aastra + rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; + #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; + + #yealink + #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2; + rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; + + #polycom + rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; + #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; + rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; + + #cisco + rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; + + #Escene + rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; + rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; + + #Vtech + rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; + + #Digium + rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; + + #Snom + rewrite 
"^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + client_max_body_size 80M; + client_body_buffer_size 128k; + + location / { + root /var/www/fusionpbx; + index index.php; + } + + location ~ \.php$ { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + } + + # Allow the upgrade routines to run longer than normal + location = /core/upgrade/index.php { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + fastcgi_read_timeout 15m; + } + + # Disable viewing .htaccess & .htpassword & .db & .git + location ~ .htaccess { + deny all; + } + location ~ .htpassword { + deny all; + } + location ~^.+.(db)$ { + deny all; + } + location ~ /\.git { + deny all; + } + location ~ /\.lua { + deny all; + } + location ~ /\. 
{ + deny all; + } +} + +server { + listen 443 ssl; + #listen 443 ssl http2; + server_name fusionpbx; + + ssl_certificate /etc/ssl/certs/nginx.crt; + ssl_certificate_key /etc/ssl/private/nginx.key; + ssl_protocols TLSv1.2 TLSv1.3; + #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_session_cache shared:SSL:40m; + ssl_session_timeout 2h; + ssl_session_tickets off; + + #redirect letsencrypt to dehydrated + location ^~ /.well-known/acme-challenge { + default_type "text/plain"; + auth_basic "off"; + alias /var/www/dehydrated; + } + + #REST api + if ($uri ~* ^.*/api/.*$) { + rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; + break; + } + + #message media + rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last; + + #algo + rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; + + #mitel + rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; + rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; + + #grandstream + rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; + rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last; + #grandstream-wave softphone by ext because Android doesn't pass MAC. 
+ rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; + + #aastra + rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; + #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; + + #yealink + #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2; + rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; + + #polycom + rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; + #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; + rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; + + #cisco + rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; + + #Escene + rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; + rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; + + #Vtech + rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; + + #Digium + rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; + + access_log 
/var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + client_max_body_size 80M; + client_body_buffer_size 128k; + + location / { + root /var/www/fusionpbx; + index index.php; + } + + location ~ \.php$ { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + } + + # Allow the upgrade routines to run longer than normal + location = /core/upgrade/index.php { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + fastcgi_read_timeout 15m; + } + + # Disable viewing .htaccess & .htpassword & .db & .git + location ~ .htaccess { + deny all; + } + location ~ .htpassword { + deny all; + } + location ~^.+.(db)$ { + deny all; + } + location ~ /\.git { + deny all; + } + location ~ /\.lua { + deny all; + } + location ~ /\. { + deny all; + } +} diff --git a/devuan/resources/php.sh b/devuan/resources/php.sh index 5b4e704..ed90af8 100755 --- a/devuan/resources/php.sh +++ b/devuan/resources/php.sh 
@@ -6,27 +6,56 @@ cd "$(dirname "$0")" #includes . ./config.sh . ./colors.sh +. ./environment.sh #send a message verbose "Configuring PHP" -#update config if source is being used -if [ ."$php_version" = ."5" ]; then - verbose "version 5.x" - php_ini_file='/etc/php5/fpm/php.ini' +#set php version +#chimaera - bullseye +#beowolf - buster +if [ ."$os_codename" = ."beowolf" ]; then + php_version=7.3 fi -if [ ."$php_version" = ."7" ]; then - verbose "version 7.0" - php_ini_file='/etc/php/7.0/fpm/php.ini' +if [ ."$os_codename" = ."chimaera" ]; then + php_version=7.4 +fi + +#install dependencies +apt-get install -y nginx +if [ ."$php_version" = ."" ]; then + apt-get install -y php php-cli php-fpm php-pgsql php-sqlite3 php-odbc php-curl php-imap php-xml php-gd +fi +if [ ."$php_version" = ."7.3" ]; then + apt-get install -y php7.3 php7.3-cli php7.3-fpm php7.3-pgsql php7.3-sqlite3 php7.3-odbc php7.3-curl php7.3-imap php7.3-xml php7.3-gd php7.3-mbstring +fi +if [ ."$php_version" = ."7.4" ]; then + apt-get install -y php7.4 php7.4-cli php7.4-dev php7.4-fpm php7.4-pgsql php7.4-sqlite3 php7.4-odbc php7.4-curl php7.4-imap php7.4-xml php7.4-gd php7.4-mbstring +fi + +#update config if source is being used +if [ ."$php_version" = ."7.3" ]; then + verbose "version 7.3" + php_ini_file='/etc/php/7.3/fpm/php.ini' +fi +if [ ."$php_version" = ."7.4" ]; then + verbose "version 7.4" + php_ini_file='/etc/php/7.4/fpm/php.ini' fi sed 's#post_max_size = .*#post_max_size = 80M#g' -i $php_ini_file sed 's#upload_max_filesize = .*#upload_max_filesize = 80M#g' -i $php_ini_file +sed 's#;max_input_vars = .*#max_input_vars = 8000#g' -i $php_ini_file sed 's#; max_input_vars = .*#max_input_vars = 8000#g' -i $php_ini_file +#install ioncube +if [ .$cpu_architecture = .'x86' ]; then + . 
./ioncube.sh +fi + #restart php-fpm -if [ ."$php_version" = ."5" ]; then - /usr/sbin/service php5-fpm restart +if [ ."$php_version" = ."7.3" ]; then + /usr/sbin/service php7.3-fpm restart fi -if [ ."$php_version" = ."7" ]; then - /usr/sbin/service php7.0-fpm restart +if [ ."$php_version" = ."7.4" ]; then + /usr/sbin/service php7.4-fpm restart fi diff --git a/devuan/resources/postgresql.sh b/devuan/resources/postgresql.sh index 129ba9d..faeab1f 100755 --- a/devuan/resources/postgresql.sh +++ b/devuan/resources/postgresql.sh @@ -9,21 +9,25 @@ cd "$(dirname "$0")" . ./environment.sh #send a message -verbose "Installing PostgreSQL" +echo "Install PostgreSQL" -#use the system database repo for arm -if [ .$cpu_architecture = .'arm' ]; then - database_repo="sip247" -fi +#generate a random password +password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64) -apt-get install -q -y sudo +#install message +echo "Install PostgreSQL and create the database and users\n" #included in the distribution if [ ."$database_repo" = ."system" ]; then - apt-get install -q -y postgresql + if [ ."$database_host" = ."127.0.0.1" ] || [ ."$database_host" = ."::1" ] ; then + apt-get install -q -y sudo postgresql + else + apt-get install -q -y sudo postgresql-client + fi fi #postgres official repository +##TODO would newer versions work without systemd? if [ ."$database_repo" = ."official" ]; then verbose "Using official repos" echo 'deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main' > /etc/apt/sources.list.d/pgdg.list @@ -33,6 +37,7 @@ if [ ."$database_repo" = ."official" ]; then fi #Add PostgreSQL and BDR REPO +##TODO would newer versions work without systemd? if [ ."$database_repo" = ."2ndquadrant" ]; then verbose "Using 2ndquadrant.com repos" echo 'deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main' >> /etc/apt/sources.list.d/postgresql.list 
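Review bot: The codename test `."$os_codename" = ."beowolf"` looks misspelled, since Devuan 3 is named beowulf; if environment.sh (not shown here) takes `os_codename` from the system, `php_version` is never set to 7.3 on that release. In that case, and on any other codename, the generic `php php-fpm …` packages are installed but `php_ini_file` stays empty, so the unquoted `sed … -i $php_ini_file` calls have no file to edit and neither php-fpm restart branch runs. I would change the test to `if [ ."$os_codename" = ."beowulf" ]; then` and put `[ -n "$php_ini_file" ] || exit 1` before the first `sed`. The `.$cpu_architecture` test added for ioncube is also unquoted, unlike the other comparisons in this hunk.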
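Review bot: `sudo` is now installed only inside the `database_repo = system` branch, yet the role and database creation added later in this file calls `sudo -u postgres psql` whenever the host is local, whatever the repo choice. With `database_repo` set to `official` or `2ndquadrant`, nothing visible in this file installs it, so those paths may fail on a minimal system unless another script provides it. Installing it unconditionally before the repo checks, `apt-get install -q -y sudo`, keeps the old guarantee. Separately, `echo "… users\n"` treats the `\n` differently under dash and bash; `printf '%s\n\n' "Install PostgreSQL and create the database and users"` is portable.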
@@ -43,12 +48,36 @@ if [ ."$database_repo" = ."2ndquadrant" ]; then apt-get install -y postgresql-bdr-9.4 postgresql-bdr-9.4-bdr-plugin postgresql-bdr-contrib-9.4 fi -#sip247 arm repository -if [ ."$database_repo" = ."sip247" ]; then - echo 'deb http://repo.sip247.com/debian/postgresql-armhf jessie main' > /etc/apt/sources.list.d/pgsql-sip247.list - wget --quiet -O - http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add - - apt-get -q update && apt-get upgrade -y - apt-get install -y postgresql +#init.d +if [ ."$database_host" = ."127.0.0.1" ] || [ ."$database_host" = ."::1" ] ; then + /usr/sbin/service postgresql restart fi -service postgresql restart +#install the database backup +#cp backup/fusionpbx-backup /etc/cron.daily +#cp backup/fusionpbx-maintenance /etc/cron.daily +#chmod 755 /etc/cron.daily/fusionpbx-backup +#chmod 755 /etc/cron.daily/fusionpbx-maintenance +#sed -i "s/zzz/$password/g" /etc/cron.daily/fusionpbx-backup +#sed -i "s/zzz/$password/g" /etc/cron.daily/fusionpbx-maintenance + +#move to /tmp to prevent a red herring error when running sudo with psql +cwd=$(pwd) +cd /tmp + +if [ ."$database_host" = ."127.0.0.1" ] || [ ."$database_host" = ."::1" ] ; then + # add the databases, users and grant permissions to them + sudo -u postgres psql -c "CREATE DATABASE fusionpbx;"; + sudo -u postgres psql -c "CREATE DATABASE freeswitch;"; + sudo -u postgres psql -c "CREATE ROLE fusionpbx WITH SUPERUSER LOGIN PASSWORD '$password';" + sudo -u postgres psql -c "CREATE ROLE freeswitch WITH SUPERUSER LOGIN PASSWORD '$password';" + sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE fusionpbx to fusionpbx;" + sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE freeswitch to fusionpbx;" + sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE freeswitch to freeswitch;" + # ALTER USER fusionpbx WITH PASSWORD 'newpassword'; +fi + +cd $cwd + +#set the ip address +#server_address=$(hostname -I) 
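Review bot: Both application roles are created `WITH SUPERUSER`, which gives the web application's database login control of the whole PostgreSQL cluster rather than its own databases, and makes the `GRANT ALL PRIVILEGES ON DATABASE` lines that follow redundant. Unless something outside this hunk needs superuser rights, I would create them as `CREATE ROLE fusionpbx WITH LOGIN PASSWORD '$password';` (the same for freeswitch) and rely on the grants. The two roles also share one password, and the `CREATE ROLE` text, password included, is passed on the psql command line, where other local users can read it from the process list while it runs. `cd $cwd` should be quoted as `cd "$cwd"`.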
diff --git a/devuan/resources/reset_admin_password.sh b/devuan/resources/reset_admin_password.sh index 3d3b487..75bd60c 100755 --- a/devuan/resources/reset_admin_password.sh +++ b/devuan/resources/reset_admin_password.sh @@ -6,7 +6,6 @@ cd "$(dirname "$0")" #includes . ./config.sh . ./colors.sh -. ./environment.sh #count the users admin_users=$(sudo -u postgres psql fusionpbx -Atc "select count(*) from v_users JOIN v_user_groups USING (domain_uuid) where username='$system_username' and group_name = 'superadmin'") @@ -20,7 +19,7 @@ else for admin_uuid in $admin_uuids; do user_salt=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); if [ .$system_password = .'random' ]; then - user_password="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 12 | xargs)" + user_password=$(dd if=/dev/urandom bs=1 count=12 2>/dev/null | base64 | sed 's/[=\+//]//g') else user_password=$system_password fi diff --git a/devuan/resources/sngrep.sh b/devuan/resources/sngrep.sh index 8386405..6c42cf5 100755 --- a/devuan/resources/sngrep.sh +++ b/devuan/resources/sngrep.sh @@ -18,8 +18,5 @@ if [ ."$cpu_architecture" = ."arm" ]; then cd /usr/src/sngrep && make install else #package install - echo 'deb http://packages.irontec.com/debian jessie main' > /etc/apt/sources.list.d/sngrep.list - wget http://packages.irontec.com/public.key -q -O - | apt-key add - - apt-get -q update apt-get -y -q install -y --force-yes sngrep fi diff --git a/devuan/resources/switch.sh b/devuan/resources/switch.sh index ebaa5f5..71ac821 100755 --- a/devuan/resources/switch.sh +++ b/devuan/resources/switch.sh @@ -5,10 +5,13 @@ cd "$(dirname "$0")" #includes . ./config.sh +. ./colors.sh +. ./environment.sh -verbose "Installing FreeSWITCH" - +#TODO fix or remove source installation if [ .$switch_source = .true ]; then + echo 'Building from source on devuan will most liley fail, aborting.' + exit 1 if [ ."$switch_branch" = "master" ]; then switch/source-master.sh else 
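Review bot: The new generator's `sed 's/[=\+//]//g'` is hard to read, because inside the bracket expression the backslash and the doubled `/` are literal set members, and since it deletes characters after encoding, the password length now varies from run to run (at most 16 characters from 12 random bytes). `user_password=$(dd if=/dev/urandom bs=1 count=12 2>/dev/null | base64 | tr -d '=+/')` does the same filtering more plainly. A short comment stating the intended minimum length would help whoever tunes `count=` later. The enclosing loop starts and ends outside the hunk.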
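Review bot: The new abort message has a typo (`liley`) and goes to stdout, and the `exit 1` after it makes the rest of the `if [ .$switch_source = .true ]` branch unreachable, which the `#TODO` hints at but does not state. I would write `echo 'Building from source on devuan will most likely fail, aborting.' >&2` and add a comment above `exit 1` such as `#source build is disabled; the calls below are kept for reference only`. The if block continues past the end of the hunk.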
diff --git a/devuan/resources/switch/dsn.sh b/devuan/resources/switch/dsn.sh
new file mode 100755
index 0000000..1ee1320
--- /dev/null
+++ b/devuan/resources/switch/dsn.sh
@@ -0,0 +1,57 @@ +#!/bin/sh + +#move to script directory so all relative paths work +cd "$(dirname "$0")" + +#includes +. ../config.sh + +#set the date +now=$(date +%Y-%m-%d) + +#get the database password +if [ .$database_password = .'random' ]; then + read -p "Enter the database password: " database_password +fi + +#set PGPASSWORD +export PGPASSWORD=$database_password + +#enable auto create schemas +sed -i /etc/freeswitch/autoload_configs/switch.conf.xml -e s:'::' +sed -i /etc/freeswitch/autoload_configs/switch.conf.xml -e s:'::' + +#enable odbc-dsn in the xml +sed -i /etc/freeswitch/autoload_configs/db.conf.xml -e s:'::' +sed -i /etc/freeswitch/autoload_configs/fifo.conf.xml -e s:'::' +sed -i /etc/freeswitch/autoload_configs/switch.conf.xml -e s:'::' + +#enable odbc-dsn in the sip profiles +sudo -u postgres psql -h $database_host -p $database_port -U fusionpbx -d fusionpbx -c "update v_sip_profile_settings set sip_profile_setting_enabled = 'true' where sip_profile_setting_name = 'odbc-dsn';"; + +#add the dsn variables +sudo -u postgres psql -h $database_host -p $database_port -U fusionpbx -d fusionpbx -c "insert into v_vars (var_uuid, var_name, var_value, var_category, var_enabled, var_order, var_description, var_hostname) values ('785d7013-1152-4a44-aa15-28336d9b36f9', 'dsn_system', 'pgsql://hostaddr=$database_host port=$database_port dbname=fusionpbx user=fusionpbx password=$database_password options=', 'DSN', 'true', '0', null, null);"; +sudo -u postgres psql -h $database_host -p $database_port -U fusionpbx -d fusionpbx -c "insert into v_vars (var_uuid, var_name, var_value, var_category, var_enabled, var_order, var_description, var_hostname) values ('0170e737-b453-40ea-99f2-f1375474e5ce', 'dsn', 'sqlite:///dev/shm/core.db', 'DSN', 'true', '0', null, null);"; +sudo -u postgres psql -h $database_host -p $database_port -U fusionpbx -d fusionpbx -c "insert into v_vars (var_uuid, var_name, var_value, var_category, var_enabled, var_order, var_description, 
var_hostname) values ('32e3e364-a8ef-4fe0-9d02-c652d5122bbf', 'dsn_callcenter', 'sqlite:///dev/shm/callcenter.db', 'DSN', 'true', '0', null, null);"; + +#update the vars.xml file +echo "" >> /etc/freeswitch/vars.xml +echo "" >> /etc/freeswitch/vars.xml +echo "" >> /etc/freeswitch/vars.xml +echo "" >> /etc/freeswitch/vars.xml + +#remove the sqlite database files +dbs="/var/lib/freeswitch/db/core.db /var/lib/freeswitch/db/fifo.db /var/lib/freeswitch/db/call_limit.db /var/lib/freeswitch/db/sofia_reg_*" +for db in ${dbs}; +do + if [ -f $db ]; then + echo "Deleting $db"; + rm $db + fi +done + +#flush memcache +/usr/bin/fs_cli -x 'memcache flush' + +#restart freeswitch +/usr/sbin/service freeswitch restart diff --git a/devuan/resources/switch/etc.default.freeswitch b/devuan/resources/switch/etc.default.freeswitch new file mode 100644 index 0000000..41cd075 --- /dev/null +++ b/devuan/resources/switch/etc.default.freeswitch @@ -0,0 +1,2 @@ +# /etc/default/freeswitch +DAEMON_OPTS="-nonat" diff --git a/devuan/resources/switch/source/freeswitch.init b/devuan/resources/switch/freeswitch.init similarity index 93% rename from devuan/resources/switch/source/freeswitch.init rename to devuan/resources/switch/freeswitch.init index 2ef5b5e..2b81a4c 100755 --- a/devuan/resources/switch/source/freeswitch.init +++ b/devuan/resources/switch/freeswitch.init @@ -2,10 +2,10 @@ ### -*- mode:shell-script; indent-tabs-mode:nil; sh-basic-offset:2 -*- ### BEGIN INIT INFO # Provides: freeswitch -# Required-Start: $network $remote_fs $local_fs -# Required-Stop: $network $remote_fs $local_fs -# Should-Start: postgresql mysql memcached mongodb -# Should-Stop: postgresql mysql memcached mongodb +# Required-Start: $network $remote_fs $local_fs postgresql +# Required-Stop: $network $remote_fs $local_fs postgresql +# Should-Start: mysql memcached mongodb +# Should-Stop: mysql memcached mongodb # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: FreeSWITCH Softswitch 
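Review bot: `$database_password` is pasted straight into the SQL text of the `dsn_system` insert, so a password containing a single quote breaks or alters the statement, and the whole statement, password included, is visible in the process list while psql runs. Passing the DSN as a psql variable and reading the statement from stdin lets psql quote it (`-c` does not expand psql variables); the value is still an argument of psql, so this fixes the quoting, not the exposure. `read -p` is not available in every `/bin/sh` and echoes the password as it is typed, and `export PGPASSWORD` may not survive sudo's default environment reset, so it is worth checking that the later psql calls authenticate as intended. The `sed … -e s:'::'` and `echo ""` lines look as if their XML content was lost before it reached this page, so I have not reviewed them.

```shell
#add the dsn variables
#build the DSN once; psql quotes it as a literal via :'dsn_system'
dsn_system="pgsql://hostaddr=$database_host port=$database_port dbname=fusionpbx user=fusionpbx password=$database_password options="
sudo -u postgres psql -h "$database_host" -p "$database_port" -U fusionpbx -d fusionpbx -v dsn_system="$dsn_system" <<'SQL'
insert into v_vars (var_uuid, var_name, var_value, var_category, var_enabled, var_order, var_description, var_hostname) values ('785d7013-1152-4a44-aa15-28336d9b36f9', 'dsn_system', :'dsn_system', 'DSN', 'true', '0', null, null);
SQL
# … unchanged: the dsn and dsn_callcenter inserts …
```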
@@ -18,7 +18,7 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin DESC=freeswitch NAME=freeswitch DAEMON=/usr/bin/freeswitch -USER=freeswitch +USER=www-data DAEMON_ARGS="-u $USER -ncwait" CONFDIR=/etc/$NAME RUNDIR=/var/run/$NAME @@ -130,4 +130,4 @@ case "$1" in ;; esac -exit 0 \ No newline at end of file +exit 0 diff --git a/devuan/resources/switch/package-all.sh b/devuan/resources/switch/package-all.sh index a895cec..a281625 100755 --- a/devuan/resources/switch/package-all.sh +++ b/devuan/resources/switch/package-all.sh 
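Review bot: Switching the daemon to `USER=www-data` makes FreeSWITCH run under the account that Debian-family systems normally give the web server and PHP-FPM, so a flaw in the web application would reach the switch's configuration, recordings and runtime directory with the same uid. package-permissions.sh in this commit carries the matching change, chowning `/etc/freeswitch`, the `/var/lib/freeswitch` subdirectories, `/var/log/freeswitch` and `/var/run/freeswitch` to `www-data:www-data`. If the web UI only needs to write some of those paths, keeping `USER=freeswitch` and granting access through a shared group would keep the two apart; if the shared account is deliberate, a one-line comment above `USER=` stating the reason would help. Which user PHP-FPM actually runs as is not shown on this page.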
@@ -8,11 +8,17 @@ cd "$(dirname "$0")" . ../colors.sh . ../environment.sh -apt-get -q update && apt-get install -y -q ntp curl memcached haveged +apt-get update && apt-get install -y ntp curl memcached haveged apt-transport-https +apt-get update && apt-get install -y wget lsb-release gnupg2 if [ ."$cpu_architecture" = ."x86" ]; then wget -O - https://files.freeswitch.org/repo/deb/debian-release/fsstretch-archive-keyring.asc | apt-key add - - echo "deb http://files.freeswitch.org/repo/deb/debian-release/ `lsb_release -sc` main" > /etc/apt/sources.list.d/freeswitch.list - echo "deb-src http://files.freeswitch.org/repo/deb/debian-release/ `lsb_release -sc` main" >> /etc/apt/sources.list.d/freeswitch.list + echo "deb http://files.freeswitch.org/repo/deb/debian-release/ ${os_codename_debian} main" > /etc/apt/sources.list.d/freeswitch.list + echo "deb-src http://files.freeswitch.org/repo/deb/debian-release/ ${os_codename_debian} main" >> /etc/apt/sources.list.d/freeswitch.list fi -apt-get -q update && apt-get install -y -q freeswitch-meta-all freeswitch-all-dbg gdb +if [ ."$cpu_architecture" = ."arm" ]; then + wget -O - https://files.freeswitch.org/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub | apt-key add - + echo "deb http://files.freeswitch.org/repo/deb/rpi/debian-release/ ${os_codename_debian} main" > /etc/apt/sources.list.d/freeswitch.list + echo "deb-src http://files.freeswitch.org/repo/deb/rpi/debian-release/ ${os_codename_debian} main" >> /etc/apt/sources.list.d/freeswitch.list +fi +apt-get update && apt-get install -y freeswitch-meta-all freeswitch-all-dbg gdb diff --git a/devuan/resources/switch/package-master-all.sh b/devuan/resources/switch/package-master-all.sh index 9dce196..d23ec9a 100755 --- a/devuan/resources/switch/package-master-all.sh +++ b/devuan/resources/switch/package-master-all.sh 
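Review bot: The added `deb` and `deb-src` lines in both the x86 and arm branches point at `http://files.freeswitch.org/…` even though this hunk installs `apt-transport-https` and fetches the key over https; using `https://` in those four `echo` lines would be consistent, e.g. `echo "deb https://files.freeswitch.org/repo/deb/debian-release/ ${os_codename_debian} main" > /etc/apt/sources.list.d/freeswitch.list`. The key is imported with `wget … | apt-key add -`, which trusts it for every configured repository and does not notice a failed download; package-release.sh in this commit already uses a dedicated keyring with `[signed-by=…]` for x86, and the same pattern would fit here. `os_codename_debian` comes from environment.sh, which is not shown, so an empty value would write a broken sources line.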
@@ -1,7 +1,6 @@ #!/bin/sh -apt-get update && apt-get install -y -q ntp curl memcached haveged +apt-get update && apt-get install -y ntp curl memcached haveged curl https://files.freeswitch.org/repo/deb/debian/freeswitch_archive_g0.pub | apt-key add - echo "deb http://files.freeswitch.org/repo/deb/freeswitch-1.6/ jessie main" > /etc/apt/sources.list.d/freeswitch.list echo "deb http://files.freeswitch.org/repo/deb/debian-unstable/ jessie main" >> /etc/apt/sources.list.d/freeswitch.list -apt-get update && apt-get install -y -q freeswitch-meta-all freeswitch-all-dbg gdb - +apt-get update && apt-get install -y freeswitch-meta-all freeswitch-all-dbg gdb diff --git a/devuan/resources/switch/package-master.sh b/devuan/resources/switch/package-master.sh index 2b01697..3313307 100755 --- a/devuan/resources/switch/package-master.sh +++ b/devuan/resources/switch/package-master.sh 
@@ -1,25 +1,28 @@ #!/bin/sh -apt-get update && apt-get install -y -q curl memcached haveged +apt-get update && apt-get install -y curl memcached haveged curl https://files.freeswitch.org/repo/deb/debian/freeswitch_archive_g0.pub | apt-key add - echo "deb http://files.freeswitch.org/repo/deb/freeswitch-1.6/ jessie main" > /etc/apt/sources.list.d/freeswitch.list echo "deb http://files.freeswitch.org/repo/deb/debian-unstable/ jessie main" >> /etc/apt/sources.list.d/freeswitch.list apt-get update -apt-get install -y -q ntp gdb -apt-get install -y -q freeswitch-meta-bare freeswitch-conf-vanilla freeswitch-sysvinit freeswitch-mod-commands freeswitch-meta-codecs freeswitch-mod-console freeswitch-mod-logfile freeswitch-mod-distributor -apt-get install -y -q freeswitch-lang-en freeswitch-mod-say-en freeswitch-sounds-en-us-callie -apt-get install -y -q freeswitch-mod-enum freeswitch-mod-cdr-csv freeswitch-mod-event-socket freeswitch-mod-sofia freeswitch-mod-sofia-dbg freeswitch-mod-loopback -apt-get install -y -q freeswitch-mod-conference freeswitch-mod-db freeswitch-mod-dptools freeswitch-mod-expr freeswitch-mod-fifo libyuv-dev freeswitch-mod-httapi -apt-get install -y -q freeswitch-mod-hash freeswitch-mod-esl freeswitch-mod-esf freeswitch-mod-fsv freeswitch-mod-valet-parking freeswitch-mod-dialplan-xml freeswitch-dbg -apt-get install -y -q freeswitch-mod-sndfile freeswitch-mod-native-file freeswitch-mod-local-stream freeswitch-mod-tone-stream freeswitch-mod-lua freeswitch-meta-mod-say -apt-get install -y -q freeswitch-mod-xml-cdr freeswitch-mod-verto freeswitch-mod-callcenter freeswitch-mod-rtc freeswitch-mod-png freeswitch-mod-json-cdr freeswitch-mod-shout -apt-get install -y -q freeswitch-mod-sms freeswitch-mod-sms-dbg freeswitch-mod-cidlookup freeswitch-mod-memcache -apt-get install -y -q freeswitch-mod-imagick freeswitch-mod-tts-commandline freeswitch-mod-directory freeswitch-mod-flite -apt-get install -y -q freeswitch-music-default +apt-get install -y gnupg gnupg2 
+apt-get install -y wget lsb-release +apt-get install -y ntp gdb +apt-get install -y freeswitch-meta-bare freeswitch-conf-vanilla freeswitch-mod-commands freeswitch-meta-codecs freeswitch-mod-console freeswitch-mod-logfile freeswitch-mod-distributor +apt-get install -y freeswitch-lang-en freeswitch-mod-say-en freeswitch-sounds-en-us-callie +apt-get install -y freeswitch-mod-enum freeswitch-mod-cdr-csv freeswitch-mod-event-socket freeswitch-mod-sofia freeswitch-mod-sofia-dbg freeswitch-mod-loopback +apt-get install -y freeswitch-mod-conference freeswitch-mod-db freeswitch-mod-dptools freeswitch-mod-expr freeswitch-mod-fifo freeswitch-mod-httapi +apt-get install -y freeswitch-mod-hash freeswitch-mod-esl freeswitch-mod-esf freeswitch-mod-fsv freeswitch-mod-valet-parking freeswitch-mod-dialplan-xml freeswitch-dbg +apt-get install -y freeswitch-mod-sndfile freeswitch-mod-native-file freeswitch-mod-local-stream freeswitch-mod-tone-stream freeswitch-mod-lua freeswitch-meta-mod-say +apt-get install -y freeswitch-mod-xml-cdr freeswitch-mod-verto freeswitch-mod-callcenter freeswitch-mod-rtc freeswitch-mod-png freeswitch-mod-json-cdr freeswitch-mod-shout +apt-get install -y freeswitch-mod-sms freeswitch-mod-sms-dbg freeswitch-mod-cidlookup freeswitch-mod-memcache +apt-get install -y freeswitch-mod-imagick freeswitch-mod-tts-commandline freeswitch-mod-directory freeswitch-mod-flite +apt-get install -y freeswitch-mod-pgsql +apt-get install -y freeswitch-music-default #remove the music package to protect music on hold from package updates mkdir -p /usr/share/freeswitch/sounds/temp mv /usr/share/freeswitch/sounds/music/*000 /usr/share/freeswitch/sounds/temp -apt-get remove -y -q freeswitch-music-default +apt-get remove -y freeswitch-music-default mkdir -p /usr/share/freeswitch/sounds/music/default mv /usr/share/freeswitch/sounds/temp/* /usr/share/freeswitch/sounds/music/default rm -R /usr/share/freeswitch/sounds/temp 
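Review bot: `apt-get install -y gnupg gnupg2` is added after the `curl … | apt-key add -` line, but `apt-key` itself needs gnupg, so on a minimal system the key import can fail before gnupg is installed and the following `apt-get update` then cannot verify the FreeSWITCH repository. Moving the packages into the first command fixes the order: `apt-get update && apt-get install -y curl memcached haveged gnupg gnupg2`. The sources lines in this file are unchanged context and still name `jessie` over plain http, unlike package-all.sh, which this commit moves to `${os_codename_debian}`.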
diff --git a/devuan/resources/switch/package-permissions.sh b/devuan/resources/switch/package-permissions.sh index 8d7d0ea..f9aded7 100755 --- a/devuan/resources/switch/package-permissions.sh +++ b/devuan/resources/switch/package-permissions.sh @@ -1,8 +1,15 @@ -#default permissions -# Devaun packages set this up correctly -#chown -R freeswitch:freeswitch /var/lib/freeswitch +#move to script directory so all relative paths work +cd "$(dirname "$0")" -# I'm not sure this is the best place to put non-packaged files - leaving it as is for now -chown -R freeswitch:freeswitch /usr/share/freeswitch -touch /var/log/freeswitch/freeswitch.log -chown -R freeswitch:freeswitch /var/log/freeswitch +#includes +. ../config.sh + +#default permissions +chown -R www-data:www-data /etc/freeswitch +chown -R www-data:www-data /var/lib/freeswitch/recordings +chown -R www-data:www-data /var/lib/freeswitch/storage +chown -R www-data:www-data /var/lib/freeswitch/db +chown -R www-data:www-data /usr/share/freeswitch +chown -R www-data:www-data /var/log/freeswitch +chown -R www-data:www-data /var/run/freeswitch +chown -R www-data:www-data /var/cache/fusionpbx diff --git a/devuan/resources/switch/package-release.sh b/devuan/resources/switch/package-release.sh index 226bc1c..7209dbb 100755 --- a/devuan/resources/switch/package-release.sh +++ b/devuan/resources/switch/package-release.sh 
@@ -8,34 +8,42 @@ cd "$(dirname "$0")" . ../colors.sh . ../environment.sh -apt-get -qq -y install curl memcached haveged +apt-get update && apt-get install -y curl memcached haveged apt-transport-https +apt-get update && apt-get install -y gnupg gnupg2 +apt-get update && apt-get install -y wget lsb-release + +if [ ."$cpu_architecture" = ."x86" ]; then + wget --http-user=signalwire --http-password=$switch_token -O /usr/share/keyrings/signalwire-freeswitch-repo.gpg https://freeswitch.signalwire.com/repo/deb/debian-release/signalwire-freeswitch-repo.gpg + echo "machine freeswitch.signalwire.com login signalwire password $switch_token" > /etc/apt/auth.conf + echo "deb [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/debian-release/ ${os_codename_debian} main" > /etc/apt/sources.list.d/freeswitch.list + echo "deb-src [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/debian-release/ ${os_codename_debian} main" >> /etc/apt/sources.list.d/freeswitch.list +fi if [ ."$cpu_architecture" = ."arm" ]; then - echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list - curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add - - apt-get -q update -else - echo "deb http://files.freeswitch.org/repo/deb/freeswitch-1.6/ jessie main" > /etc/apt/sources.list.d/freeswitch.list - curl http://files.freeswitch.org/repo/deb/freeswitch-1.6/key.gpg | apt-key add - - apt-get -q update + wget --http-user=signalwire --http-password=$switch_token -O - https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub | apt-key add - + echo "machine freeswitch.signalwire.com login signalwire password $switch_token" > /etc/apt/auth.conf + echo "deb https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ ${os_codename_debian} main" > /etc/apt/sources.list.d/freeswitch.list + echo "deb-src 
https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ ${os_codename_debian} main" >> /etc/apt/sources.list.d/freeswitch.list fi -apt-get -qq -y install gdb ntp -apt-get -qq -y install freeswitch-meta-bare freeswitch-conf-vanilla freeswitch-sysvinit freeswitch-mod-commands freeswitch-meta-codecs freeswitch-mod-console freeswitch-mod-logfile freeswitch-mod-distributor -apt-get -qq -y install freeswitch-lang-en freeswitch-mod-say-en freeswitch-sounds-en-us-callie -apt-get -qq -y install freeswitch-mod-enum freeswitch-mod-cdr-csv freeswitch-mod-event-socket freeswitch-mod-sofia freeswitch-mod-sofia-dbg freeswitch-mod-loopback -apt-get -qq -y install freeswitch-mod-conference freeswitch-mod-db freeswitch-mod-dptools freeswitch-mod-expr freeswitch-mod-fifo libyuv-dev freeswitch-mod-httapi -apt-get -qq -y install freeswitch-mod-hash freeswitch-mod-esl freeswitch-mod-esf freeswitch-mod-fsv freeswitch-mod-valet-parking freeswitch-mod-dialplan-xml freeswitch-dbg -apt-get -qq -y install freeswitch-mod-sndfile freeswitch-mod-native-file freeswitch-mod-local-stream freeswitch-mod-tone-stream freeswitch-mod-lua freeswitch-meta-mod-say -apt-get -qq -y install freeswitch-mod-xml-cdr freeswitch-mod-verto freeswitch-mod-callcenter freeswitch-mod-rtc freeswitch-mod-png freeswitch-mod-json-cdr freeswitch-mod-shout -apt-get -qq -y install freeswitch-mod-sms freeswitch-mod-sms-dbg freeswitch-mod-cidlookup freeswitch-mod-memcache -apt-get -qq -y install freeswitch-mod-imagick freeswitch-mod-tts-commandline freeswitch-mod-directory freeswitch-mod-flite -apt-get -qq -y install freeswitch-music-default -apt-get remove -q -y freeswitch-systemd +apt-get update +apt-get install -y gdb ntp +apt-get install -y freeswitch-meta-bare freeswitch-conf-vanilla freeswitch-mod-commands freeswitch-mod-console freeswitch-mod-logfile +apt-get install -y freeswitch-lang-en freeswitch-mod-say-en freeswitch-sounds-en-us-callie +apt-get install -y freeswitch-mod-enum freeswitch-mod-cdr-csv 
freeswitch-mod-event-socket freeswitch-mod-sofia freeswitch-mod-sofia-dbg freeswitch-mod-loopback +apt-get install -y freeswitch-mod-conference freeswitch-mod-db freeswitch-mod-dptools freeswitch-mod-expr freeswitch-mod-fifo freeswitch-mod-httapi +apt-get install -y freeswitch-mod-hash freeswitch-mod-esl freeswitch-mod-esf freeswitch-mod-fsv freeswitch-mod-valet-parking freeswitch-mod-dialplan-xml freeswitch-dbg +apt-get install -y freeswitch-mod-sndfile freeswitch-mod-native-file freeswitch-mod-local-stream freeswitch-mod-tone-stream freeswitch-mod-lua freeswitch-meta-mod-say +apt-get install -y freeswitch-mod-xml-cdr freeswitch-mod-verto freeswitch-mod-callcenter freeswitch-mod-rtc freeswitch-mod-png freeswitch-mod-json-cdr freeswitch-mod-shout +apt-get install -y freeswitch-mod-sms freeswitch-mod-sms-dbg freeswitch-mod-cidlookup freeswitch-mod-memcache +apt-get install -y freeswitch-mod-imagick freeswitch-mod-tts-commandline freeswitch-mod-directory +apt-get install -y freeswitch-mod-flite freeswitch-mod-distributor freeswitch-meta-codecs +apt-get install -y freeswitch-mod-pgsql +apt-get install -y freeswitch-music-default #remove the music package to protect music on hold from package updates mkdir -p /usr/share/freeswitch/sounds/temp mv /usr/share/freeswitch/sounds/music/*000 /usr/share/freeswitch/sounds/temp apt-get remove -y freeswitch-music-default mkdir -p /usr/share/freeswitch/sounds/music/default -mv /usr/share/freeswitch/sounds/temp/* /usr/share/freeswitch/sounds/music/default +mv -u /usr/share/freeswitch/sounds/temp/* /usr/share/freeswitch/sounds/music/default rm -R /usr/share/freeswitch/sounds/temp diff --git a/devuan/resources/switch/package-sysvinit.sh b/devuan/resources/switch/package-sysvinit.sh index 31daee1..cdc838a 100755 --- a/devuan/resources/switch/package-sysvinit.sh +++ b/devuan/resources/switch/package-sysvinit.sh 
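Review bot: `$switch_token` is written to `/etc/apt/auth.conf` with a plain `>` redirect, which replaces any credentials already in that file and leaves it with whatever mode the umask gives, typically world-readable. Adding `chmod 600 /etc/apt/auth.conf` right after each `echo "machine …"` line keeps the token private. The token is also passed unquoted as `--http-password=$switch_token`, so it appears in the process list during the download and an empty or space-containing value changes the command; `--http-password="$switch_token"` is the minimum. The arm branch still imports its key with `apt-key add -` and no `signed-by`, unlike the x86 branch above it.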
@@ -1,6 +1,5 @@ -update-rc.d freeswitch enable -# -# If freeswitch is not restarted with the new config before finish.sh is run, -# upgrade_domains.php will not set the paths correctly on the default domain -# -service freeswitch restart \ No newline at end of file +cp "$(dirname $0)/freeswitch.init" /etc/init.d/freeswitch +cp "$(dirname $0)/etc.default.freeswitch" /etc/default/freeswitch + +/usr/sbin/update-rc.d freeswitch enable +/usr/sbin/service freeswitch restart diff --git a/devuan/resources/switch/source-sysvinit.sh b/devuan/resources/switch/source-sysvinit.sh index bfc4ebb..cdc838a 100755 --- a/devuan/resources/switch/source-sysvinit.sh +++ b/devuan/resources/switch/source-sysvinit.sh @@ -1,6 +1,5 @@ -cp "$(dirname $0)/source/freeswitch.init" /etc/init.d/freeswitch -cp "$(dirname $0)/source/etc.default.freeswitch" /etc/default/freeswitch -update-rc.d freeswitch enable -service freeswitch restart +cp "$(dirname $0)/freeswitch.init" /etc/init.d/freeswitch +cp "$(dirname $0)/etc.default.freeswitch" /etc/default/freeswitch -echo "Please configure the sysvinit start up script from the source dir, test, and contribute code. Thank you." \ No newline at end of file +/usr/sbin/update-rc.d freeswitch enable +/usr/sbin/service freeswitch restart diff --git a/devuan/resources/switch/source/etc.default.freeswitch b/devuan/resources/switch/source/etc.default.freeswitch deleted file mode 100755 index e4d275f..0000000 --- a/devuan/resources/switch/source/etc.default.freeswitch +++ /dev/null @@ -1,8 +0,0 @@ -# /etc/default/freeswitch -FS_USER="www-data" -FS_GROUP="www-data" -DAEMON_OPTS="-nonat -ncwait -u www-data -g www-data -run /var/run/freeswitch" - -# this is the packaged version. But since the source install does not work. I've not tested any of this. -# /etc/default/freeswitch -#DAEMON_OPTS="-nonat" \ No newline at end of file
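Review bot: The new `cp` lines in package-sysvinit.sh quote the outer substitution but not the inner `$0`, so `$(dirname $0)` splits when the script path contains spaces; other scripts in this commit use `"$(dirname "$0")"`, and the same form fits here: `cp "$(dirname "$0")/freeswitch.init" /etc/init.d/freeswitch`. The removed comment explained that FreeSWITCH must be restarted before finish.sh so that upgrade_domains.php sets the default domain's paths; if that still holds, keeping it as `#restart before finish.sh so upgrade_domains.php sets the default domain paths` above the restart line preserves the reason. source-sysvinit.sh receives the identical two `cp` lines. Both scripts overwrite `/etc/default/freeswitch` without a backup, which discards local edits when they are run again.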