
d0bf813c946a3ce44a9b956181ed9ae3bdece89b — Felix Freeman 6 months ago master
Initial commit. Working Leechbox
2 files changed, 533 insertions(+), 0 deletions(-)

A copypaste.txt
A openssl.cnf
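--- /dev/null
+++ b/copypaste.txt
@@ -0,0 +1,409 @@
+# By Felix Freeman <libsys@hacktivista.org> 2021
+# License: CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0/
+
+# Instrucciones descarga e instalación FreedomBox en español
+- https://wiki.debian.org/es/FreedomBox/Download
+
+# Manual de usuario FreedomBox en español
+- https://wiki.debian.org/es/FreedomBox/Manual
+
+# SSL certificate
+
+# Prepare environment
+mkdir ~/ca/
+cd ~/ca/
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+echo 1000 > crlnumber
+
+wget https://git.hacktivista.org/leechbox/blob/master/openssl.cnf
+
+# Change SSL directory on config file
+dir="$HOME/ca"
+sed -i -Ee "s#^(dir += ).+#\1$dir#" openssl.cnf
+
+# Create root key
+openssl genrsa -aes256 -out private/ca.key 4096
+chmod 400 private/ca.key
+# Root certificate
+openssl req -config openssl.cnf -key private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -subj "/O=Network/CN=Network Root CA" -out certs/ca.crt
+chmod 444 certs/ca.crt
+# Verify certificate
+openssl x509 -noout -text -in certs/ca.crt
+
+# Create server key
+openssl genrsa -out private/freedombox.key 2048
+chmod 400 private/freedombox.key
+# Create server CSR
+openssl req -config openssl.cnf -key private/freedombox.key -new -sha256 -subj "/C=XB/CN=*.freedombox.local" -addext "subjectAltName = DNS:*.freedombox.local, DNS:freedombox.local, DNS:*.youtube.com, DNS:youtube.com, DNS: *.youtube-nocookie.com, DNS: youtube-nocookie.com, DNS:youtu.be, DNS:*.google.cl, DNS:google.cl, DNS:*.twitter.com, DNS:twitter.com, DNS:*.instagram.com, DNS:instagram.com, DNS:instagr.am" -out csr/freedombox.csr
+# Sign server certificate
+openssl ca -config openssl.cnf -extensions server_cert -days 365 -notext -md sha256 -in csr/freedombox.csr -out certs/freedombox.crt
+chmod 444 certs/freedombox.crt
+
+# Install the root certificate (NOT THE KEY) on your network computers
+sudo trust anchor --store certs/ca.crt
+# For other distros check https://wiki.archlinux.org/index.php/User:Grawity/Adding_a_trusted_CA_certificate
+
+# Copy freedombox cert to your freedombox
+scp certs/freedombox.crt private/freedombox.key me@freedombox.local:
+
+# Now go back to the server
+sudo sh -c 'chown root:root freedombox.* && mv freedombox.key /etc/ssl/private/freedombox.local.key && mv freedombox.crt /etc/ssl/certs/freedombox.local.crt'
+sudo -i
+
+# Apply SSL certs to local network cert
+sed -i -e "s/ssl-cert-snakeoil\.pem/freedombox.local.crt/" -e "s/ssl-cert-snakeoil\.key/freedombox.local.key/" /etc/apache2/sites-available/default-ssl.conf
+
+# Move Apache ssl conf to 000-*
+mv /etc/apache2/sites-enabled/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
+
+# Configure DNS
+apt install dnsmasq
+https://freedombox.local/_cockpit/network/firewall # enable port 53
+myip=$(ip address show dev eth0 | sed -nE '/inet /{ s/.*inet (([0-9]{1,3}\.?)+).*/\1/p }')
+cat << EOF | tee -a /etc/dnsmasq.conf
+no-resolv
+
+server=9.9.9.9
+server=1.1.1.1
+
+address=/freedombox.local/youtube.com/instagram.com/twitter.com/$myip
+addn-hosts=/etc/dnsmasq.hosts
+EOF
+echo "$myip youtu.be. instagr.am. www.google.cl. google.cl." | tee /etc/dnsmasq.hosts
+echo 'DNSMASQ_EXCEPT=lo' | tee -a /etc/default/dnsmasq
+systemctl restart dnsmasq
+
+# Configure DNS pointing to Freedombox on Arch
+cat << EOF | sudo tee -a /etc/systemd/resolved.conf
+DNS=192.168.10.2
+Domains=~.
+EOF
+sudo systemctl enable --now systemd-resolved.service
+# or: sudo systemctl restart systemd-resolved.service
+
+
+# CloudTube
+
+https://git.sr.ht/~cadence/tube-docs/tree/main/item/docs
+
+apt install python3-pip npm git
+usermod -s /bin/bash cloudtube
+sudo -iu cloudtube
+
+git clone https://git.sr.ht/~cadence/NewLeaf
+cd NewLeaf
+pip3 install --user -r requirements.txt
+bash -l
+cat << EOF > configuration.py
+website_origin = "http://127.0.0.1:3000"
+bind_host = "127.0.0.1"
+bind_port = 3001
+EOF
+exit
+cat << EOF > /etc/systemd/system/newleaf.service
+[Unit]
+Description=NewLeaf
+
+[Service]
+User=cloudtube
+Group=cloudtube
+Type=simple
+ExecStart=/usr/bin/python3 /home/cloudtube/NewLeaf/index.py
+WorkingDirectory=/home/cloudtube/NewLeaf
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+# Disable logs
+StandardOutput=null
+StandardError=null
+SyslogIdentifier=newleaf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --now newleaf
+
+sudo -iu cloudtube
+git clone https://git.sr.ht/~cadence/cloudtube
+cd cloudtube
+npm install
+cat << EOF > config/config.js
+module.exports = {
+  user_settings: {
+    instance: {
+      default: "http://localhost:3001"
+    }
+  }
+}
+EOF
+exit
+cat << EOF > /etc/systemd/system/cloudtube.service
+[Unit]
+Description=cloudtube website
+
+[Service]
+User=cloudtube
+Group=cloudtube
+Type=simple
+ExecStart=/usr/bin/node /home/cloudtube/cloudtube/server.js
+WorkingDirectory=/home/cloudtube/cloudtube
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+SyslogIdentifier=cloudtube
+
+[Install]
+WantedBy=default.target
+EOF
+systemctl enable --now cloudtube
+cat << EOF > /etc/apache2/sites-available/cloudtube.conf
+<VirtualHost *:80>
+	ServerName cloudtube.freedombox.local
+	ServerAlias www.youtube.com m.youtube.com youtube.com youtu.be youtube-nocookie.com www.youtube-nocookie.com
+
+	Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<IfModule mod_ssl.c>
+	<VirtualHost *:443>
+		ServerName youtu.be
+
+		SSLEngine on
+		SSLCertificateFile  /etc/ssl/certs/freedombox.local.crt
+		SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+		RedirectMatch /(.*) https://www.youtube.com/watch?v=$1
+	</VirtualHost>
+
+	<VirtualHost *:443>
+		ServerName cloudtube.freedombox.local
+		ServerAlias www.youtube.com m.youtube.com youtube.com youtube-nocookie.com www.youtube-nocookie.com
+
+		ServerAdmin sir@hacktivista.com
+
+		ErrorLog \${APACHE_LOG_DIR}/error.log
+		CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+		SSLEngine on
+		SSLCertificateFile  /etc/ssl/certs/freedombox.local.crt
+		SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+		<Location "/embed/">
+			RedirectMatch /embed/(.*) /watch?v=$1
+		</Location>
+
+		ProxyPass / http://127.0.0.1:10412/
+	</VirtualHost>
+</IfModule>
+EOF
+ln -s /etc/apache2/sites-available/cloudtube.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2
+
+# Bibliogram
+apt update && apt install fish net-tools graphicsmagick -y
+useradd bibliogram -m -r -g nogroup -s /usr/sbin/nologin -k /dev/null -d /opt/bibliogram
+cd /opt/bibliogram
+alias subg='sudo -u bibliogram'
+subg git clone https://git.sr.ht/~cadence/bibliogram-updater .
+subg ./run.fish # y https://bibliogram.freedombox.local 10407 y n no
+bind 'set disable-completion on'
+cat << EOF > /etc/systemd/system/bibliogram.service
+[Unit]
+Description=bibliogram
+
+[Service]
+User=bibliogram
+Group=nogroup
+Type=simple
+ExecStart=/usr/bin/fish run.fish
+WorkingDirectory=/opt/bibliogram
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+SyslogIdentifier=bibliogram
+
+[Install]
+WantedBy=default.target
+EOF
+systemctl daemon-reload
+systemctl enable --now bibliogram
+
+cat << EOF > /etc/apache2/sites-available/bibliogram.conf
+<VirtualHost *:80>
+	ServerName bibliogram.freedombox.local
+	ServerAlias www.instagram.com instagram.com instagr.am
+
+	Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<VirtualHost *:443>
+    ServerName bibliogram.freedombox.local
+    ServerAlias www.instagram.com instagram.com instagr.am
+
+    ServerAdmin sir@hacktivista.com
+
+    ErrorLog \${APACHE_LOG_DIR}/error.log
+    CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+    SSLEngine on
+    SSLCertificateFile  /etc/ssl/certs/freedombox.local.crt
+    SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+    ProxyPass / http://127.0.0.1:10407/
+</VirtualHost>
+EOF
+bind 'set disable-completion off'
+ln -s /etc/apache2/sites-available/bibliogram.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2
+
+# Nitter
+apt install pwgen
+sudo -iu fbx
+mkdir src
+cd src
+wget https://nim-lang.org/download/nim-1.4.6.tar.xz
+tar xf nim-1.4.6.tar.xz
+rm nim-1.4.6.tar.xz
+cd nim-1.4.6
+sh build.sh
+bin/nim c koch
+./koch boot -d:release
+./koch tools
+exit
+echo 'PATH="/home/fbx/src/nim-1.4.6/bin:$PATH"' | tee /etc/profile.d/nim.sh
+sed -n '/secure_path/{ s#"$#:/home/fbx/src/nim-1.4.6/bin"#p }' /etc/sudoers | tee /etc/sudoers.d/nim
+bash -l
+useradd nitter -m -r -s /usr/sbin/nologin -k /dev/null -d /opt/nitter
+apt install libsass-dev redis-server
+cd /opt/nitter
+alias sunt='sudo -u nitter'
+sunt git clone https://github.com/zedeus/nitter .
+sunt nimble build -d:release
+sunt nimble scss
+vim nitter.conf # address 127.0.0.1, port 17732, https true, hostname nitter.freedombox.local, hmacKey :.!pwgen -s 32 1
+cat << EOF > /etc/systemd/system/nitter.service
+[Unit]
+Description=Nitter (An alternative Twitter front-end)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+
+# set user and group
+User=nitter
+Group=nitter
+
+# configure location
+WorkingDirectory=/opt/nitter
+ExecStart=/opt/nitter/nitter
+
+Restart=always
+RestartSec=15
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --now redis-server
+systemctl enable --now nitter
+bind 'set disable-completion on'
+cat << EOF > /etc/apache2/sites-available/nitter.conf
+<VirtualHost *:80>
+	ServerName nitter.freedombox.local
+	ServerAlias www.twitter.com twitter.com
+
+	Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<VirtualHost *:443>
+    ServerName nitter.freedombox.local
+    ServerAlias www.twitter.com twitter.com
+
+    ServerAdmin sir@hacktivista.com
+
+    ErrorLog \${APACHE_LOG_DIR}/error.log
+    CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+    SSLEngine on
+    SSLCertificateFile  /etc/ssl/certs/freedombox.local.crt
+    SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+    ProxyPreserveHost On
+    ProxyPass / http://127.0.0.1:17732/ nocanon
+    ProxyPassReverse / http://127.0.0.1:17732/
+    AllowEncodedSlashes On
+</VirtualHost>
+EOF
+bind 'set disable-completion off'
+ln -s /etc/apache2/sites-available/nitter.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2
+
+# Whoogle
+
+apt-get install -y libcurl4-openssl-dev libssl-dev libffi-dev
+useradd whoogle -g nogroup -m -r -s /usr/sbin/nologin -k /dev/null -d /opt/whoogle
+cd /opt/whoogle
+alias user='sudo -u whoogle'
+user git clone https://github.com/benbusby/whoogle-search.git src
+user pip3 install --user -r src/requirements.txt
+cat << EOF > /etc/systemd/system/whoogle.service
+[Unit]
+Description=Whoogle
+
+[Service]
+Environment=WHOOGLE_CONFIG_ALTS=0
+Environment=WHOOGLE_CONFIG_LANGUAGE=lang_es
+Environment=WHOOGLE_CONFIG_GET_ONLY=0
+Environment=WHOOGLE_CONFIG_URL=https://whoogle.freedombox.local
+
+Type=simple
+
+User=whoogle
+
+WorkingDirectory=/opt/whoogle/src
+ExecStart=/usr/bin/python3 -um app --host 127.0.0.1 --port 5000
+ExecReload=/bin/kill -HUP $MAINPID
+
+Restart=always
+RestartSec=3
+
+SyslogIdentifier=whoogle
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --now whoogle
+
+bind 'set disable-completion on'
+cat << EOF > /etc/apache2/sites-available/whoogle.conf
+<VirtualHost *:80>
+	ServerName whoogle.freedombox.local
+	ServerAlias www.google.cl google.cl
+
+	Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<VirtualHost *:443>
+	ServerName whoogle.freedombox.local
+	ServerAlias www.google.cl google.cl
+
+    ServerAdmin sir@hacktivista.com
+
+    ErrorLog \${APACHE_LOG_DIR}/error.log
+    CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+    SSLEngine on
+    SSLCertificateFile  /etc/ssl/certs/freedombox.local.crt
+    SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+    ProxyPass / http://127.0.0.1:5000/
+</VirtualHost>
+EOF
+bind 'set disable-completion off'
+ln -s /etc/apache2/sites-available/whoogle.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2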
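Review bot: The Apache and systemd heredocs use an unquoted `EOF` delimiter, so `$1` on the two `RedirectMatch` lines of cloudtube.conf and `$MAINPID` in the `ExecReload` line of whoogle.service are expanded by the interactive shell before the file is written, leaving `watch?v=` with no capture group and `ExecReload=/bin/kill -HUP ` with no PID. The `\${APACHE_LOG_DIR}` lines in the same heredocs already escape for exactly this reason, so the same escape fixes all three: `RedirectMatch /(.*) https://www.youtube.com/watch?v=\$1`, `RedirectMatch /embed/(.*) /watch?v=\$1`, `ExecReload=/bin/kill -HUP \$MAINPID`. Quoting the delimiter (`cat << 'EOF'`) is the cleaner option for the unit files, which contain no shell variables at all. The line `https://freedombox.local/_cockpit/network/firewall # enable port 53` in the dnsmasq section is a note rather than a command and will error if pasted; prefixing it with `# ` keeps it from being executed.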

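--- /dev/null
+++ b/openssl.cnf
@@ -0,0 +1,124 @@
+# OpenSSL CA configuration file.
+#
+# License: CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0/
+# Copyright (c) 2021, Felix Freeman <libsys@hacktivista.org>
+# Copyright (c) 2013-2015, Jamie Nguyen <j@jamielinux.com>
+#
+# Has been modified, find originals on:
+# https://jamielinux.com/docs/openssl-certificate-authority/
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = CHANGEME
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key
+certificate       = $dir/certs/ca.crt
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+copy_extensions   = copy
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning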
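Review bot: `copy_extensions = copy` in `[ CA_default ]` is what lets the `subjectAltName` passed to `openssl req -addext` in copypaste.txt reach the signed certificate, but the file does not say so, and with this setting every CSR extension that `[ server_cert ]` does not itself define is copied verbatim, which `man ca` warns against when signing requests from untrusted sources. A comment above it would make the dependency and the constraint explicit: `# copy: take subjectAltName (and any other extension not set in the extensions section) from the CSR; only sign CSRs generated by the CA operator`. Since this root issues end-entity certificates directly, `[ v3_ca ]` can also tighten `basicConstraints = critical, CA:true, pathlen:0` so the trust anchor cannot be used to mint an intermediate. The `[ policy_strict ]` and `[ policy_loose ]` comments still describe an intermediate CA inherited from the upstream two-tier guide; `policy_loose` is the one selected and is better described as `# Policy for server certificates signed directly by the root CA.`, with `policy_strict` either removed or marked unused.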