summaryrefslogtreecommitdiffstats
path: root/wiki/src/blueprint/mumble-server
blob: 86efca9daab3cbcc4c8fdde7542157b0f2069d53 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
#!/bin/sh

PERSISTENCE=/live/persistence/TailsData_unlocked
MUMBLE="${PERSISTENCE}/mumble-server"
ONION=/var/lib/tor/mumble-server
CONFIG=/etc/mumble-server.ini
PORT=64738

# Ad-hoc option handling

if echo "${@}" | grep -qw -- '--listen-on-lan'; then
    MUMBLE_LISTEN_ON_LAN=yes
fi

# Install mumble-server

apt-get --yes --quiet --quiet install mumble-server || \
    ( echo 'Please run `sudo apt-get update` and retry' >&2; exit 1 )

# Generate persistent password for Mumble server

install -o mumble-server -g mumble-server -m 700 -d "${MUMBLE}"
[ -f "${MUMBLE}/password" ] || pwgen 32 1 > "${MUMBLE}/password"
PASSWORD="$(cat "${MUMBLE}/password")"

# Configure mumble-server

DATABASE="${MUMBLE}/mumble-server.sqlite"
sed -i "s%^database=/var/lib/mumble-server/mumble-server.sqlite%database=${DATABASE}%" "${CONFIG}"
sed -i "s%^serverpassword=$%serverpassword=${PASSWORD}%" "${CONFIG}"
if [ -n "${MUMBLE_LISTEN_ON_LAN}" ]; then
    sed -i "s%^host=%#host=%" "${CONFIG}"
else
    sed -i "s%^#host=$%host=127.0.0.1%" "${CONFIG}"
fi

# Extract fingerprint from SQLite database

apt-get --yes --quiet --quiet install sqlite3

systemctl start mumble-server # To generate the database
chown mumble-server:mumble-server "${DATABASE}"
systemctl stop  mumble-server # To unlock database

FINGERPRINT="$(sqlite3 "${DATABASE}" "select value from config where key = 'certificate';" | openssl x509 -fingerprint | head -n 1 | cut -d '=' -f 2)"

# Configure Tor hidden service

install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor/mumble-server
install -o debian-tor -g debian-tor -m 700 -d "${PERSISTENCE}/tor"
install -o debian-tor -g debian-tor -m 700 -d "${PERSISTENCE}/tor/mumble-server"

grep --quiet "^/dev/mapper/TailsData_unlocked ${ONION}" /proc/mounts || mount --bind "${PERSISTENCE}/tor/mumble-server" "${ONION}"
grep --quiet "^HiddenServiceDir ${ONION}$" /etc/tor/torrc || echo "HiddenServiceDir ${ONION}" >> /etc/tor/torrc
grep --quiet "^HiddenServicePort ${PORT}$" /etc/tor/torrc || echo "HiddenServicePort ${PORT}" >> /etc/tor/torrc


# Restart Tor and Mumble server

systemctl start mumble-server
systemctl reload tor@default

[ -e "${ONION}/hostname" ] || inotifywait -e create "${ONION}"
HOSTNAME="$(cat "${ONION}/hostname")"

# Drop previous mumble-server firewall exceptions

systemctl reload ferm

# Allow local connections

iptables -I OUTPUT --out-interface lo --protocol tcp --dport "${PORT}" --jump ACCEPT

# Allow LAN connections if requested

if [ -n "${MUMBLE_LISTEN_ON_LAN}" ]; then
    for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        for proto in tcp udp; do
            iptables -A INPUT --source "${range}" --protocol "${proto}" --dport "${PORT}" --jump ACCEPT
        done
    done
fi

# Output connection information

echo "Hostname:	${HOSTNAME}"
echo "Fingerprint:	${FINGERPRINT}"
echo "Password:	${PASSWORD}"