Merge pull request 'Whonix installation and onion-grater profile' (#715) from nyxnor/cwtch-ui:whonix into trunk
Reviewed-on: #715
commit
042b1287ff
@ -1,57 +1,73 @@
|
||||||
# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern
|
## Keep profiles in sync:
|
||||||
|
## - https://git.openprivacy.ca/cwtch.im/cwtch-ui/src/branch/trunk/linux/cwtch-whonix.yml
|
||||||
|
## - https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml
|
||||||
|
|
||||||
|
---
|
||||||
- exe-paths:
|
- exe-paths:
|
||||||
- ''
|
- '*'
|
||||||
users:
|
users:
|
||||||
- '*'
|
- '*'
|
||||||
hosts:
|
hosts:
|
||||||
- '*'
|
- '*'
|
||||||
commands:
|
commands:
|
||||||
AUTHCHALLENGE:
|
SETEVENTS:
|
||||||
- 'SAFECOOKIE .*'
|
- 'CIRC WARN ERR'
|
||||||
SETEVENTS:
|
- 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
|
||||||
- 'CIRC WARN ERR'
|
GETINFO:
|
||||||
- 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
|
- pattern: 'network-liveness'
|
||||||
GETINFO:
|
response:
|
||||||
- 'net/listeners/socks'
|
- pattern: '250-network-liveness=.*'
|
||||||
- '.*'
|
replacement: '250-network-liveness=up'
|
||||||
GETCONF:
|
- pattern: 'status/bootstrap-phase'
|
||||||
- 'DisableNetwork'
|
response:
|
||||||
SETCONF:
|
- pattern: '250-status/bootstrap-phase=*'
|
||||||
- 'DisableNetwork.*'
|
replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"'
|
||||||
ADD_ONION:
|
GETCONF:
|
||||||
- '.*'
|
- pattern: 'DisableNetwork'
|
||||||
DEL_ONION:
|
response:
|
||||||
- '.+'
|
- pattern: '250 DisableNetwork=.*'
|
||||||
HSFETCH:
|
replacement: '250 DisableNetwork=0'
|
||||||
- '.+'
|
ADD_ONION:
|
||||||
events:
|
## {{{ Host: [::], Ports: 15000-15378
|
||||||
CIRC:
|
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])'
|
||||||
suppress: true
|
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
|
||||||
ORCONN:
|
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(153[0-6][0-9])'
|
||||||
suppress: true
|
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
|
||||||
INFO:
|
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(1537[0-8])'
|
||||||
suppress: true
|
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
|
||||||
NOTICE:
|
## }}}
|
||||||
suppress: true
|
DEL_ONION:
|
||||||
WARN:
|
- '.+'
|
||||||
suppress: true
|
HSFETCH:
|
||||||
ERR:
|
- '.+'
|
||||||
suppress: true
|
events:
|
||||||
HS_DESC:
|
CIRC:
|
||||||
response:
|
suppress: true
|
||||||
- pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
|
ORCONN:
|
||||||
replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
|
suppress: true
|
||||||
- pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*'
|
INFO:
|
||||||
replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
|
suppress: true
|
||||||
- pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+'
|
NOTICE:
|
||||||
replacement: '650 HS_DESC UPLOADED {} {} redacted'
|
suppress: true
|
||||||
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH'
|
WARN:
|
||||||
replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
|
suppress: true
|
||||||
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
|
ERR:
|
||||||
replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
|
suppress: true
|
||||||
- pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
|
HS_DESC:
|
||||||
replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
|
response:
|
||||||
- pattern: '.*'
|
- pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
|
||||||
replacement: ''
|
replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
|
||||||
HS_DESC_CONTENT:
|
- pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*'
|
||||||
suppress: true
|
replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
|
||||||
|
- pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+'
|
||||||
|
replacement: '650 HS_DESC UPLOADED {} {} redacted'
|
||||||
|
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH'
|
||||||
|
replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
|
||||||
|
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
|
||||||
|
replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
|
||||||
|
- pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
|
||||||
|
replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
|
||||||
|
- pattern: '.*'
|
||||||
|
replacement: ''
|
||||||
|
HS_DESC_CONTENT:
|
||||||
|
suppress: true
|
||||||
|
|
|
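Review bot: The bootstrap-phase response rule uses `pattern: '250-status/bootstrap-phase=*'`, where `=*` is the regex for zero or more `=` characters rather than "anything after the key"; the sibling network-liveness rule a few lines above uses `=.*`, and presumably this one was meant to as well. If onion-grater matches the response pattern against the whole line, the rewrite to `PROGRESS=100` would never fire and the client would see the gateway's real bootstrap status, so I would change it to `- pattern: '250-status/bootstrap-phase=.*'` regardless of how the matcher anchors. The `## Keep profiles in sync` header names the Whonix copy of this profile, so the same correction would need to land there too. The three ADD_ONION patterns resolve the old TODO by pinning the virtual port and the 15000-15378 target range; a short comment on the `## {{{ Host: [::], Ports: 15000-15378` marker saying that these bounds must match the port range the workstation installer opens in the firewall would keep the two from drifting apart.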
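--- a/SCRIPT_PATH_PLACEHOLDER
+++ b/SCRIPT_PATH_PLACEHOLDER
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -eu
+
+INSTALL_PREFIX=$HOME/.local
+INSTALL_PREFIX=$INSTALL_PREFIX DESKTOP_PREFIX=$INSTALL_PREFIX ./install.sh
+
+# Open incoming ports
+echo "Opening Cwtch firewall for incoming traffic on ports 15000 to 15378"
+sudo mkdir -p /usr/local/etc/whonix_firewall.d
+echo "EXTERNAL_OPEN_PORTS+=\" \$(seq 15000 15378) \"" | \
+sudo tee /usr/local/etc/whonix_firewall.d/40_cwtch.conf >/dev/null
+sudo whonix_firewall
+
+# Set launch options
+sed -i "s|env LD|env CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true LD|" $INSTALL_PREFIX/bin/cwtch
+
+# Inform about steps to be done in the gateway
+echo "Complete installation in the Whonix-Gateway with the following command:"
+echo " $ sudo onion-grater-add 40_cwtch"
+
+echo "Launch Cwtch in the Whonix-Workstation with:"
+echo " $ $INSTALL_PREFIX/bin/cwtch"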
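Review bot: The `sed -i "s|env LD|…|" $INSTALL_PREFIX/bin/cwtch` line under `# Set launch options` can silently do nothing: sed exits 0 when the `env LD` anchor is absent from the launcher, so Cwtch would start without `CWTCH_RESTRICT_PORTS`/`CWTCH_BIND_EXTERNAL_WHONIX` while the script still prints the success instructions, and the file operand is unquoted so a `$HOME` containing whitespace splits it. I would quote the path and confirm the edit took effect: `sed -i "s|env LD|env CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true LD|" "$INSTALL_PREFIX/bin/cwtch"` followed by `grep -q 'CWTCH_BIND_EXTERNAL_WHONIX=true' "$INSTALL_PREFIX/bin/cwtch" || { echo "failed to set launch options in $INSTALL_PREFIX/bin/cwtch" >&2; exit 1; }`. The firewall step opens 15000-15378 inbound system-wide, and that range is also hard-coded in the ADD_ONION patterns of the onion-grater profile, so a comment on the `# Open incoming ports` line such as `# Must match the ADD_ONION port range in the onion-grater profile` would tie the two together for the next person who changes either. `./install.sh` is resolved against the caller's working directory; if the script is only meant to be run from the unpacked release directory, say so in a comment, otherwise `cd "$(dirname "$0")"` before invoking it.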