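#!/usr/bin/env bash
# ====================
# - Install schleuder3 manually
# ====================
# - See README.md of repository:
# -
# -   https://0xacab.org/schleuder/schleuder-deb
# -
# - Requirements
# -
# -   ruby >=2.1
# -   gnupg >=2.0
# -   gpgme
# -   sqlite3
# -   openssl
# -
# - Additionally these rubygems are required (installed automatically by
# - `gem install` unless present): rake, active_record, sqlite3, thor, thin,
# - mail-gpg, sinatra, sinatra-contrib. Note that these are pulled from
# - rubygems.org and are NOT covered by the OpenPGP signature check done
# - below for the schleuder gems themselves.
# -
# - Everything below runs as root and rewrites local postfix and schleuder
# - configuration; read it before running it.

set -eu

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# - Versions of the gems to fetch and the OpenPGP key that must have signed
# - them (primary key fingerprint as published by the schleuder project).
# -
schleuder_version="3.2.1"
schleuder_cli_version="0.1.0"
schleuder_signing_key="0xB3D190D5235C74E1907EACFE898F2C91E2E6E1F3"

# - Mail domain that postfix hands to the 'schleuder' transport. Site specific.
# -
schleuder_domain="cryptolists.mail36.net"

src_dir="/usr/local/src/schleuder3"
schleuder_home="/var/lib/schleuder"
schleuder_config="/etc/schleuder/schleuder.yml"
user_schleuder_config="${schleuder_home}/.schleuder-cli/schleuder-cli.yml"
backup_date="$(date +%Y-%m-%d-%H%M)"

#######################################
# Verify the detached OpenPGP signature of a downloaded gem and require that
# it was made by the expected key. A bare `gpg --verify` accepts a good
# signature from *any* key in the keyring, so the fingerprint is checked
# explicitly via gpg's machine-readable status output.
# Globals:   schleuder_signing_key (read)
# Arguments: $1 - path to the .gem file; its signature is expected at "$1.sig"
# Returns:   0 when the signature is valid and from the expected key,
#            exits via die otherwise
#######################################
verify_gem_signature() {
  local gem_file="$1"
  local expected_fpr="${schleuder_signing_key#0x}"
  local status

  status="$(gpg --status-fd 1 --verify "${gem_file}.sig" "${gem_file}" 2>/dev/null)" \
    || die "bad or missing OpenPGP signature on ${gem_file}"
  # VALIDSIG carries the signing (sub)key fingerprint first and the primary
  # key fingerprint as its last field; matching anywhere after the keyword
  # accepts a signature made by a signing subkey of the expected primary key.
  grep -q -E "^\[GNUPG:\] VALIDSIG .*${expected_fpr}" <<<"${status}" \
    || die "${gem_file} is signed, but not by key ${expected_fpr}"
}

# -----
# - Build dependencies
# -----
apt-get install ruby-dev gnupg2 libgpgme-dev libsqlite3-dev libssl-dev build-essential
# - haveged: entropy daemon, useful for key generation on hosts with little
# - entropy (e.g. fresh VMs).
apt-get install haveged

# -----
# - Installing Schleuder
# -----
mkdir -p "${src_dir}"
cd "${src_dir}" || die "cannot cd to ${src_dir}"

# - Download the gem and the OpenPGP-signature and verify BEFORE installing.
# - The install line is only reached if verification succeeded (set -e plus
# - the explicit die in verify_gem_signature).
# -
wget -O "schleuder-${schleuder_version}.gem" \
  "https://0xacab.org/schleuder/schleuder/raw/master/gems/schleuder-${schleuder_version}.gem"
wget -O "schleuder-${schleuder_version}.gem.sig" \
  "https://0xacab.org/schleuder/schleuder/raw/master/gems/schleuder-${schleuder_version}.gem.sig"
gpg --recv-key "${schleuder_signing_key}"
verify_gem_signature "schleuder-${schleuder_version}.gem"

gem install "schleuder-${schleuder_version}.gem"

# - Set up schleuder: prepares the (sqlite) database, writes
# - /etc/schleuder/schleuder.yml and generates the TLS key pair used by the
# - API daemon.
# -
schleuder install

# - Output of 'schleuder install' on one host, for reference only (these are
# - NOT commands; the certificate fingerprint will differ on your host):
# -
# -   root@schleuder3:/usr/local/src/schleuder3 # schleuder install
# -   -- create_table("lists", {:force=>:cascade})
# -      -> 0.0119s
# -   -- create_table("subscriptions", {:force=>:cascade})
# -      -> 0.0060s
# -   -- add_index("subscriptions", ["email", "list_id"], {:name=>"index_subscriptions_on_email_and_list_id", :unique=>true})
# -      -> 0.0053s
# -   -- add_index("subscriptions", ["list_id"], {:name=>"index_subscriptions_on_list_id"})
# -      -> 0.0056s
# -   -- initialize_schema_migrations_table()
# -      -> 0.0113s
# -   NOTE: The database was prepared using sqlite. If you prefer to use a
# -   different DBMS please edit the 'database'-section in
# -   /etc/schleuder/schleuder.yml, create the database, install the
# -   corresponding ruby-library (e.g. `gem install mysql`) and run this
# -   current command again
# -
# -   Private key written to: /etc/schleuder/schleuder-private-key.pem
# -   Certificate written to: /etc/schleuder/schleuder-certificate.pem
# -   Fingerprint of generated certificate:
# -   9c70d382a0780904b2cd3a71b453ef689ea06ce18f46258bb668399742d2a794
# -   Have this fingerprint included into the configuration-file of all
# -   clients that want to connect to your Schleuder API.
# -   ! Warning: this process was run as root — please make sure the above
# -   files are accessible by the user that is running `schleuder-api-daemon`.
# -   Schleuder has been set up. You can now create a new list using
# -   `schleuder-cli`. We hope you enjoy!

# -----
# - Installing schleuder-cli (to manage lists from the command line)
# -----
cd "${src_dir}" || die "cannot cd to ${src_dir}"

# - Download the gem and the OpenPGP-signature and verify:
# -
wget -O "schleuder-cli-${schleuder_cli_version}.gem" \
  "https://0xacab.org/schleuder/schleuder-cli/raw/master/gems/schleuder-cli-${schleuder_cli_version}.gem"
wget -O "schleuder-cli-${schleuder_cli_version}.gem.sig" \
  "https://0xacab.org/schleuder/schleuder-cli/raw/master/gems/schleuder-cli-${schleuder_cli_version}.gem.sig"
gpg --recv-key "${schleuder_signing_key}"
verify_gem_signature "schleuder-cli-${schleuder_cli_version}.gem"

# - The original notes stopped after verifying; the gem has to be installed,
# - schleuder-cli is invoked further down.
gem install "schleuder-cli-${schleuder_cli_version}.gem"

# -----
# - Postfix integration
# -----
# - Locate the installed gem instead of hard-coding the ruby ABI directory.
gem_dir="$(gem environment gemdir)/gems/schleuder-${schleuder_version}"
[[ -d "${gem_dir}" ]] || die "schleuder gem directory not found: ${gem_dir}"

ln -sf "${gem_dir}/etc/postfix/schleuder_sqlite.cf" /etc/postfix/schleuder_sqlite.cf

# - Route mail for the list domain to the 'schleuder' transport.
# - NOTE(review): this assumes the 'schleuder' transport itself is defined in
# - master.cf as described in the upstream README; that step is not part of
# - these notes — verify.
cat > /etc/postfix/transport_schleuder <<EOF
${schleuder_domain} schleuder:
EOF
postmap btree:/etc/postfix/transport_schleuder

transport_map="btree:/etc/postfix/transport_schleuder"
if grep -q -E '^\s*transport_maps\s*=' /etc/postfix/main.cf; then
  # Append our map as a continuation line unless it is already listed
  # within the next few lines of an existing transport_maps setting.
  if ! grep -A 3 -E '^\s*transport_maps' /etc/postfix/main.cf \
      | grep -q -F -- "${transport_map}"; then
    tm="${transport_map}" perl -i."${backup_date}" -pe \
      's#^(\s*transport_maps\s*=.*)#$1\n $ENV{tm}#' /etc/postfix/main.cf
  fi
else
  # The original notes silently did nothing when main.cf had no
  # transport_maps at all; add one so the transport is actually used.
  printf 'transport_maps = %s\n' "${transport_map}" >> /etc/postfix/main.cf
fi

# - Dedicated unprivileged account. 'schleuder install' ran as root, so the
# - state directory and configuration are handed over to that account.
# -
getent group schleuder >/dev/null || groupadd -r schleuder
getent passwd schleuder >/dev/null \
  || useradd -r -d "${schleuder_home}" -s /bin/false -g schleuder schleuder
chown -R schleuder:schleuder "${schleuder_home}" /etc/schleuder
# - The API daemon's TLS private key and the config holding the valid API
# - keys should not be readable by other local users. 0640 on schleuder.yml
# - assumes everything reading it runs as root or as user/group schleuder
# - (the API daemon and the postfix transport) — confirm against master.cf.
chmod 0600 /etc/schleuder/schleuder-private-key.pem
chmod 0640 "${schleuder_config}"

systemctl stop postfix
rm -f /var/lib/postfix/verify_cache.db
systemctl start postfix

# -----
# - Configure schleuder-api-daemon systemd service
# -----
cp "${gem_dir}/etc/schleuder-api-daemon.service" /etc/systemd/system/
systemctl daemon-reload
systemctl enable schleuder-api-daemon.service
systemctl start schleuder-api-daemon.service

# ---
# - Enable user schleuder for managing lists
# ---

# - Create API Key for user schleuder
# -
api_key="$(schleuder new_api_key)"
[[ -n "${api_key}" ]] || die "'schleuder new_api_key' returned nothing"

# - Add the generated API Key to the list of valid api keys in
# - ${schleuder_config}. The key is passed to perl through the environment
# - rather than interpolated into the substitution, so its content can never
# - be parsed as perl code.
# -
if ! grep -q -F -- "${api_key}" "${schleuder_config}" 2>/dev/null; then
  api_key="${api_key}" perl -i."${backup_date}" -pe \
    's/(^(\s*)valid_api_keys:.*)/$1\n$2 - $ENV{api_key}/' "${schleuder_config}"
fi

# - Add the generated API Key to schleuder's own client configuration file
# - ${user_schleuder_config}. If no configuration file is present, let
# - schleuder-cli create a default one.
# -
# - The original used "~schleuder/..." inside double quotes, where tilde
# - expansion does not happen, so the checks always looked at a literal path
# - named '~schleuder'. Use the home directory explicitly instead.
cli_dir="${schleuder_home}/.schleuder-cli"
have_cli_config=true
if [[ ! -d "${cli_dir}" ]]; then
  have_cli_config=false
elif [[ ! -f "${user_schleuder_config}" ]]; then
  # If the directory is present, schleuder-cli writes no default
  # configuration file, so move the directory aside first.
  mv "${cli_dir}" "${cli_dir}.${backup_date}"
  have_cli_config=false
fi

if [[ "${have_cli_config}" == "false" ]]; then
  schleuder_cli_bin="$(command -v schleuder-cli)" \
    || die "schleuder-cli not found in PATH"
  # Running any schleuder-cli command creates a default
  # ${user_schleuder_config}. The command itself may well fail (no API key
  # configured yet); the original notes discarded its result, so only the
  # existence of the file is checked afterwards.
  su - schleuder -s /bin/bash \
    -c "${schleuder_cli_bin} lists list >/dev/null 2>&1" || true
  [[ -f "${user_schleuder_config}" ]] \
    || die "schleuder-cli did not create ${user_schleuder_config}"
fi

# - Now, add the API Key.
# -
api_key="${api_key}" perl -i."${backup_date}" -pe \
  's/^(\s*api_key:).*/$1 $ENV{api_key}/' "${user_schleuder_config}"

# - Get the TLS fingerprint of the configured certificate and pin it in the
# - client configuration, so schleuder-cli only talks to this API daemon.
# -
cert_fingerprint="$(schleuder cert fingerprint | awk '{print $4}')"
[[ -n "${cert_fingerprint}" ]] || die "could not read the API certificate fingerprint"

if ! grep -q -F -- "${cert_fingerprint}" "${user_schleuder_config}" 2>/dev/null; then
  fpr="${cert_fingerprint}" perl -i."${backup_date}" -pe \
    's/^(\s*tls_fingerprint:).*/$1 $ENV{fpr}/' "${user_schleuder_config}"
fi

# - The client config now holds a valid API key: keep it private to the
# - schleuder user (perl -i rewrote the file as root).
chown schleuder:schleuder "${user_schleuder_config}"
chmod 0600 "${user_schleuder_config}"

# - Restart 'schleuder-api-daemon' so the new API key is picked up.
# -
systemctl restart schleuder-api-daemon

# -----
# - Maintenance
# -----
# - Please take care to have the following commands run by the user that owns
# - the directory of schleuder lists (by default /var/lib/schleuder/lists) to
# - avoid running into file permission problems! Adjust the path of the
# - schleuder binary to where `gem install` put it (`command -v schleuder`).
# -
# - Schleuder can check all keys that are present in the lists' keyrings for
# - (upcoming) expiration dates, revocation, or other reasons for not being
# - usable.
# -
# - Note: outbound tcp port 11371 (hkp) must be open for calling
# - pgp-keyservers; a keyserver configured with hkps in schleuder.yml uses
# - port 443 instead.
# -
# - Call this command weekly from cron to automate the check and have the
# - results sent to the respective list-admins:
# -
# -   su schleuder -s /bin/bash -c "/usr/local/bin/schleuder check_keys"
# -
# - Schleuder can also refresh all keys in the same manner. Each key of each
# - list will be refreshed from a keyserver one by one. If you're using
# - gpg 2.1, it's possible to configure a Tor onion service to be used as
# - keyserver; see the config for an example.
# -
# - Call this command weekly from cron to automate the refresh and have the
# - results sent to the respective list-admins (the original notes had the
# - word 'schleuder' doubled in this command, which would have failed):
# -
# -   su schleuder -s /bin/bash -c "/usr/local/bin/schleuder refresh_keys"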