# ====================
# - Install schleuder3 manually
# ====================


# - See README.md of repository:
# -
# -    https://0xacab.org/schleuder/schleuder-deb
# -

# - Requirements
# -
# -    ruby >=2.1
# -    gnupg >=2.0
# -    gpgme
# -    sqlite3
# -    openssl
# -
# - Build toolchain plus the development headers the native gems
# - (gpgme, sqlite3, openssl) are compiled against.
# -
build_pkgs=(ruby-dev gnupg2 libgpgme-dev libsqlite3-dev libssl-dev build-essential)
apt-get install "${build_pkgs[@]}"

# - Entropy daemon (presumably here so that key generation on a headless
# - host does not block waiting for randomness -- confirm on your platform).
# -
apt-get install haveged

# - Additionally these rubygems are required (will be installed automatically unless present):
# -
# -    rake
# -    active_record
# -    sqlite3
# -    thor
# -    thin
# -    mail-gpg
# -    sinatra
# -    sinatra-contrib


# -----
# - Installing Schleuder
# -----

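# - Work directory for the downloaded gems. `-p` makes a re-run harmless, and a
# - failed `cd` must abort: otherwise the downloads and the `gem install`
# - below silently happen in whatever directory we were in before.
# -
mkdir -p /usr/local/src/schleuder3

cd /usr/local/src/schleuder3 || exit 1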


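# - Download the gem and its detached OpenPGP signature and verify it.
# -
# - `gpg --verify` reports "Good signature" for *any* key in the local keyring
# - and its result was never checked before, so the install used to proceed
# - even on a bad or foreign signature. Require a valid signature by the
# - schleuder release key (primary fingerprint below) and abort otherwise.
# -
schleuder_release_key="B3D190D5235C74E1907EACFE898F2C91E2E6E1F3"
schleuder_gem="schleuder-3.2.1.gem"

wget "https://0xacab.org/schleuder/schleuder/raw/master/gems/${schleuder_gem}"
wget "https://0xacab.org/schleuder/schleuder/raw/master/gems/${schleuder_gem}.sig"

gpg --recv-key "0x${schleuder_release_key}"

# - The VALIDSIG status line carries the signing (sub)key fingerprint first and
# - the primary key fingerprint last, so matching anywhere on the line covers
# - signatures made with a signing subkey as well.
# -
gpg_status="$(gpg --status-fd 1 --verify "${schleuder_gem}.sig" "${schleuder_gem}")"
if ! grep -qE "^\[GNUPG:\] VALIDSIG .*${schleuder_release_key}" <<< "$gpg_status" ; then
   echo "ERROR: ${schleuder_gem} is not validly signed by ${schleuder_release_key} -- not installing" >&2
   exit 1
fi


# - If all went well install the gem:
# -
gem install "${schleuder_gem}"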


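# - Set up schleuder: creates the database (sqlite by default), the API
# - daemon's TLS key pair and the configuration under /etc/schleuder (see the
# - sample output below). Stop here if it fails; everything below depends on it.
# -
schleuder install || exit 1

# - Example output of 'schleuder install'. It is kept as comments so this file
# - stays runnable as a script (the bare transcript used to be executed as
# - commands). The certificate fingerprint is from a sample run and differs
# - on every host.
# -
# -    root@schleuder3:/usr/local/src/schleuder3 # schleuder install
# -    -- create_table("lists", {:force=>:cascade})
# -       -> 0.0119s
# -    -- create_table("subscriptions", {:force=>:cascade})
# -       -> 0.0060s
# -    -- add_index("subscriptions", ["email", "list_id"], {:name=>"index_subscriptions_on_email_and_list_id", :unique=>true})
# -       -> 0.0053s
# -    -- add_index("subscriptions", ["list_id"], {:name=>"index_subscriptions_on_list_id"})
# -       -> 0.0056s
# -    -- initialize_schema_migrations_table()
# -       -> 0.0113s
# -    NOTE: The database was prepared using sqlite. If you prefer to use a different DBMS please edit the 'database'-section in /etc/schleuder/schleuder.yml, create the database, install the corresponding ruby-library (e.g. `gem install mysql`) and run this current command again
# -    Private key written to: /etc/schleuder/schleuder-private-key.pem
# -    Certificate written to: /etc/schleuder/schleuder-certificate.pem
# -    Fingerprint of generated certificate: 9c70d382a0780904b2cd3a71b453ef689ea06ce18f46258bb668399742d2a794
# -    Have this fingerprint included into the configuration-file of all clients that want to connect to your Schleuder API.
# -    ! Warning: this process was run as root — please make sure the above files are accessible by the user that is running `schleuder-api-daemon`.
# -    Schleuder has been set up. You can now create a new list using `schleuder-cli`.
# -    We hope you enjoy!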



# -----
# - Installing  schleuder-cli (to manage lists from the command line)
# -----

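cd /usr/local/src/schleuder3 || exit 1


# - Download the gem and its detached OpenPGP signature, verify it and install
# - it. Two fixes against the earlier notes: the signature result was never
# - checked, and the gem was downloaded but never actually installed, although
# - schleuder-cli is used further down.
# -
schleuder_release_key="B3D190D5235C74E1907EACFE898F2C91E2E6E1F3"
schleuder_cli_gem="schleuder-cli-0.1.0.gem"

wget "https://0xacab.org/schleuder/schleuder-cli/raw/master/gems/${schleuder_cli_gem}"
wget "https://0xacab.org/schleuder/schleuder-cli/raw/master/gems/${schleuder_cli_gem}.sig"

gpg --recv-key "0x${schleuder_release_key}"

# - Require a VALIDSIG by the release key (fingerprint may appear as signing
# - key or as trailing primary-key field), not just any "Good signature".
# -
gpg_status="$(gpg --status-fd 1 --verify "${schleuder_cli_gem}.sig" "${schleuder_cli_gem}")"
if ! grep -qE "^\[GNUPG:\] VALIDSIG .*${schleuder_release_key}" <<< "$gpg_status" ; then
   echo "ERROR: ${schleuder_cli_gem} is not validly signed by ${schleuder_release_key} -- not installing" >&2
   exit 1
fi

gem install "${schleuder_cli_gem}"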


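cd /etc/postfix || exit 1

# - Link the pipe-transport definition shipped inside the gem. Locate it via
# - rubygems rather than hard-coding the ruby 2.3.0 / schleuder 3.2.1 path
# - (the requirements above only ask for ruby >= 2.1); the old literal path
# - remains the fallback.
# -
schleuder_postfix_cf="$(gem contents schleuder 2>/dev/null | grep -m1 '/etc/postfix/schleuder_sqlite.cf$')"
: "${schleuder_postfix_cf:=/var/lib/gems/2.3.0/gems/schleuder-3.2.1/etc/postfix/schleuder_sqlite.cf}"
if [[ ! -f "$schleuder_postfix_cf" ]] ; then
   echo "ERROR: schleuder_sqlite.cf not found (looked at ${schleuder_postfix_cf})" >&2
   exit 1
fi
ln -sfn "$schleuder_postfix_cf" /etc/postfix/schleuder_sqlite.cf

# - Domain whose mail is handed to the schleuder transport. Site specific;
# - override with SCHLEUDER_DOMAIN, the default is the value from these notes.
# -
schleuder_domain="${SCHLEUDER_DOMAIN:-cryptolists.mail36.net}"

cat <<EOF > /etc/postfix/transport_schleuder
${schleuder_domain} schleuder:
EOF

# - No trailing slash: "transport_schleuder/" is not the source file and
# - postmap fails on it, leaving no transport_schleuder.db behind.
# -
postmap btree:/etc/postfix/transport_schleuder

# - Register the map in transport_maps: append to an existing setting, or
# - create the setting when main.cf has none (the perl substitution below
# - silently does nothing in that case).
# -
if grep -qE '^\s*transport_maps' /etc/postfix/main.cf ; then
   if ! grep -A 3 -E '^\s*transport_maps' /etc/postfix/main.cf | grep -qF 'btree:/etc/postfix/transport_schleuder' ; then
      perl -i -p -e 's#^(\s*transport_maps\s*=.*)#$1\n   btree:/etc/postfix/transport_schleuder#' /etc/postfix/main.cf
   fi
else
   postconf -e 'transport_maps = btree:/etc/postfix/transport_schleuder'
fi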



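# - Service account. The guards make a re-run idempotent (groupadd/useradd
# - fail when the names already exist).
# -
getent group schleuder > /dev/null || groupadd -r schleuder
getent passwd schleuder > /dev/null \
   || useradd -r -d /var/lib/schleuder -s /bin/false -g schleuder schleuder

# - `schleuder install` ran as root (see its warning in the sample output);
# - hand the state and config over to the daemon user. The API private key
# - must not be readable by anyone else.
# -
chown -R schleuder:schleuder /var/lib/schleuder /etc/schleuder
if [[ -f /etc/schleuder/schleuder-private-key.pem ]] ; then
   chmod 0600 /etc/schleuder/schleuder-private-key.pem
fi

systemctl stop postfix
rm -f /var/lib/postfix/verify_cache.db
systemctl start postfix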


# -----
# - Configure schleuder-api-daemon systemd service
# -----

# - Install the unit file shipped with the gem, then enable and start it.
# -
api_unit_src="/var/lib/gems/2.3.0/gems/schleuder-3.2.1/etc/schleuder-api-daemon.service"
cp "$api_unit_src" /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now schleuder-api-daemon.service



# ---
# - Enable user schleuder for managing lists
# ---

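backup_date="$(date +%Y-%m-%d-%H%M)"
schleuder_config="/etc/schleuder/schleuder.yml"
user_schleuder_config="/var/lib/schleuder/.schleuder-cli/schleuder-cli.yml"

# - Create API Key for user schleuder. Abort on an empty result: the
# - substitutions below would otherwise register an empty key.
# -
api_key="$(schleuder new_api_key)"
if [[ -z "$api_key" ]] ; then
   echo "ERROR: 'schleuder new_api_key' returned no key" >&2
   exit 1
fi

# - Add the generated API Key to the list of valid api keys at
# - configuration file $schleuder_config, unless it is there already.
# - The key is a secret: pass it to perl through the environment instead
# - of interpolating it into the command line (visible in `ps`).
# -
if ! grep -qF -- "$api_key" "$schleuder_config" 2> /dev/null ; then
   api_key="$api_key" perl -i."$backup_date" -p \
      -e 's/^((\s*)valid_api_keys:.*)/$1\n$2  - $ENV{api_key}/' \
      "$schleuder_config"

   # - The substitution only fires on an existing 'valid_api_keys:' line;
   # - do not carry on with a key the daemon will never accept.
   # -
   if ! grep -qF -- "$api_key" "$schleuder_config" ; then
      echo "ERROR: no 'valid_api_keys:' entry in ${schleuder_config}; API key not registered" >&2
      exit 1
   fi
fi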


# - Add generated API Key to schleuder's configuration file
# - '${user_schleuder_config}'
# -

# - If no configuration file present, create a new default one.
# -
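# - Bash does not tilde-expand "~schleuder" inside double quotes, so the
# - earlier checks looked at a literal "./~schleuder/..." path and never saw
# - the real directory. Derive the paths from $user_schleuder_config instead.
# -
schleuder_cli_dir="${user_schleuder_config%/*}"

have_dot_schleuder_cli_yml=true
if [[ ! -d "$schleuder_cli_dir" ]] ; then
   have_dot_schleuder_cli_yml=false
elif [[ ! -f "$user_schleuder_config" ]] ; then

   # - If the directory is present, no default configuration file (see below)
   # - will be written, so move it out of the way first.
   # -
   mv "$schleuder_cli_dir" "${schleuder_cli_dir}.${backup_date}"

   have_dot_schleuder_cli_yml=false
fi

if ! $have_dot_schleuder_cli_yml ; then

   # - Running any schleuder-cli command as the schleuder user creates a
   # - default '${user_schleuder_config}'; the command's own output and exit
   # - status are irrelevant here. Resolve the binary instead of hard-coding
   # - it (the notes had /usr//bin/schleuder-cli while the maintenance section
   # - uses /usr/local/bin for schleuder); fall back to the old location.
   #
   schleuder_cli_bin="$(command -v schleuder-cli)" || schleuder_cli_bin="/usr/bin/schleuder-cli"
   su - schleuder -s /bin/bash -c "${schleuder_cli_bin} lists list > /dev/null 2>&1"

fi

# - Without the file the perl below would silently do nothing and the cli
# - would stay unconfigured.
# -
if [[ ! -f "$user_schleuder_config" ]] ; then
   echo "ERROR: ${user_schleuder_config} was not created; cannot store the API key" >&2
   exit 1
fi

# - Now, add the API Key. It is a secret, so hand it to perl via the
# - environment rather than on the command line.
# -
api_key="$api_key" perl -i."$backup_date" -p \
   -e 's/^(\s*api_key:).*/$1 $ENV{api_key}/' \
   "$user_schleuder_config"

# - Belt and braces: perl -i rewrote the file while we run as root; make sure
# - the config and the backup (which still holds the previous key) belong to
# - the schleuder user and are private to it.
# -
chown schleuder:schleuder "$user_schleuder_config" "${user_schleuder_config}.${backup_date}"
chmod 0600 "$user_schleuder_config" "${user_schleuder_config}.${backup_date}"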


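# - Get tls fingerprint of configured certificate.
# - (The awk field index assumes the output format of `schleuder cert
# - fingerprint`; an empty result must abort, otherwise the client would be
# - configured with an empty pin.)
# -
cert_fingerprint="$(schleuder cert fingerprint | awk '{print $4}')"
if [[ -z "$cert_fingerprint" ]] ; then
   echo "ERROR: could not read the certificate fingerprint from 'schleuder cert fingerprint'" >&2
   exit 1
fi

# - Add the fingerprint to schleuder users private configuration file.
# - Passed through the environment so nothing is interpolated into perl code.
# -
if ! grep -qF -- "$cert_fingerprint" "$user_schleuder_config" 2> /dev/null ; then
   cert_fingerprint="$cert_fingerprint" perl -i."$backup_date" -p \
      -e 's/^(\s*tls_fingerprint:).*/$1 $ENV{cert_fingerprint}/' \
      "$user_schleuder_config"
fi


# - Restart 'schleuder-api-daemon' so it picks up the new valid_api_keys entry.
# -
systemctl restart schleuder-api-daemon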



# -----
# - Maintenance
# -----

# - Please take care to have the following commands run by the user that owns the
# - directory of schleuder lists (by default /var/lib/schleuder/lists) to avoid
# - running into file permission problems!

# - Schleuder can check all keys that are present in the list’s keyrings for
# - (upcoming) expiration dates, revocation, or other reasons for not being
# - usable.
# -
# - Note: make sure outbound TCP port 11371 (HKP) is allowed, otherwise the keyserver lookups fail.
# -
# - Call this command weekly from cron to automate the check and have the
# - results sent to the respective list-admins:
# -
# -    schleuder check_keys
# -
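# - Run once now; for the weekly run described above put the same command into
# - a cron job that runs as the schleuder user.
# -
su -s /bin/bash schleuder -c "/usr/local/bin/schleuder check_keys"

# - Schleuder can also refresh all keys in the same manner. Each key of each
# - list will be refreshed from a keyserver one by one. If you're using gpg 2.1,
# - it's possible to configure a Tor onion service to be used as keyserver! See
# - the config for an example.
# -
# - Call this command weekly from cron to automate the check and have the results
# - sent to the respective list-admins:
# -
# -    schleuder refresh_keys
# -
# - (The earlier notes had "schleuder schleuder refresh_keys", which passes the
# - unknown subcommand "schleuder" and refreshes nothing.)
# -
su -s /bin/bash schleuder -c "/usr/local/bin/schleuder refresh_keys"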


