#!/bin/bash
#
# postinst for the sympl package.  dpkg invokes Debian maintainer scripts
# with the action as $1; only the "configure" action does any work here.
#

# Abort on the first failing command.  Commands used as conditions
# (if / && / ||) are exempt from this, so the checks below are explicit.
set -e

#
# Anything other than "configure" is a no-op.
#
case "$1" in
  configure)
    ;;
  *)
    echo "I: Skipping configuration"
    exit 0
    ;;
esac

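#
# Enable the dynamic MOTD: keep the existing /etc/motd as a backup and
# point /etc/motd at the file generated under /run.
#
# Only a regular file is moved aside.  If /etc/motd is already a symlink
# (which is exactly what this script leaves behind, so any re-run on
# upgrade or reconfigure hits this case) it is left alone: "-f" follows
# symlinks, so without the "-L" guard the link itself would be moved over
# /etc/motd.dpkg-sympl-orig and the saved original destroyed.
#
# NOTE(review): if /etc/motd is absent nothing is linked at all, so the
# dynamic MOTD is only enabled on hosts that shipped a static one.
#

if [ -f /etc/motd ] && [ ! -L /etc/motd ] ; then
  echo "I: Enabling dynamic MOTD"
  mv /etc/motd /etc/motd.dpkg-sympl-orig
  ln -s /run/motd /etc/motd
fi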

#
# Belt and braces for the sudoers drop-in: it has to be root-owned and
# mode 0440 (sudo will not use drop-ins with other ownership or modes).
# Recording that as a dpkg stat override, once, means later upgrades of
# the package keep the same permissions.
#
if ! dpkg-statoverride --list /etc/sudoers.d/sympl > /dev/null ; then
  dpkg-statoverride --add --update root root 0440 /etc/sudoers.d/sympl
fi

#
# Password hashes must live in /etc/shadow rather than /etc/passwd; the
# account set-up further down reads root's hash from there.
#
shadowconfig on

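#
#  Create the "sympl" administrative account if it does not exist yet.
#
#  The account is given root's password hash and a copy of root's SSH
#  authorized_keys, i.e. whoever can log in as root can log in as sympl
#  with the same credentials.  That is deliberate (sympl is the day-to-day
#  admin login), but it means this account must be protected like root.
#
#  getent is used rather than grepping /etc/passwd so that NSS sources are
#  honoured, matching the group look-ups below.
#
if ! getent passwd sympl > /dev/null ; then

  adduser --home=/home/sympl --shell=/bin/bash --disabled-login --gecos='Sympl Administrator,,,' sympl

  #
  #  Copy root's password hash to the new account.
  #
  #  Match the "root" entry exactly, first field only: an unanchored grep
  #  for "root" also matches any other account whose line contains that
  #  string (e.g. "nonroot"), and usermod would then be handed several
  #  hash fields joined together.  Take the first match and stop.
  #
  root_hash="$(awk -F: '$1 == "root" { print $2; exit }' /etc/shadow)"

  #
  #  An empty hash field would make "usermod -p ''" a passwordless login,
  #  so only copy a non-empty value; otherwise the account stays as
  #  adduser --disabled-login left it (no usable password).  As before, the
  #  hash goes on the usermod command line and is briefly visible in ps.
  #
  if [ -n "$root_hash" ] ; then
    usermod -p "$root_hash" sympl
  else
    echo "W: root has no password hash in /etc/shadow; not copying it to sympl"
  fi

  #
  #  If root logs in with SSH keys, let sympl use the same keys.
  #
  #  mkdir/cp run as root, so hand the whole ~/.ssh tree to sympl and set
  #  the conventional modes explicitly rather than trusting the umask:
  #  sshd's StrictModes rejects key files that are group/world accessible.
  #
  if [ -f /root/.ssh/authorized_keys ] ; then
    mkdir -p /home/sympl/.ssh
    cp /root/.ssh/authorized_keys /home/sympl/.ssh/authorized_keys
    chown -R sympl:sympl /home/sympl/.ssh
    chmod 700 /home/sympl/.ssh
    chmod 600 /home/sympl/.ssh/authorized_keys
  fi

  #
  #  Group memberships: adm (conventionally grants read access to system
  #  logs) and www-data (the web tree under /srv is owned by www-data, see
  #  the directory set-up below).  Either group is skipped if absent.
  #
  if getent group adm > /dev/null ; then
    adduser sympl adm
  fi

  if getent group www-data > /dev/null ; then
    adduser sympl www-data
  fi

fi

#
# /srv belongs to sympl with the setgid bit, so new entries inherit the
# sympl group.  Recorded as a stat override so upgrades keep it.
#
if ! dpkg-statoverride --list /srv > /dev/null ; then
  dpkg-statoverride --add --update sympl sympl 2755 /srv
fi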

#
# Determine the hostname, preferring the FQDN when one can be resolved.
#
# The currently running hostname is used rather than /etc/hostname because
# it is easy to change one and forget the other.  NOTE: "hostname --fqdn"
# consults the resolver, so it can be slow or fail on a host with broken
# DNS; the short name is the fallback in that case.
#
if hostname --fqdn > /dev/null ; then
  _HOSTNAME="$( hostname --fqdn )"
else
  _HOSTNAME="$( hostname )"
fi
echo "I: Hostname is $_HOSTNAME"

#
# Append ".localdomain" when the name is not dotted (a clean install
# almost always has a dotted name already).
#
# The pattern only admits lower-case labels, so a mixed-case FQDN is also
# treated as "not an FQDN" and gets the suffix.  Nothing here sanitises
# the value: $_HOSTNAME becomes part of /srv paths and command arguments
# below, so it is only as trustworthy as hostname(1) itself.
#
if [[ ! "$_HOSTNAME" =~ ^[_a-z0-9-]+\.([_a-z0-9-]+\.?)+$ ]] ; then
  echo "I: Hostname is not an FQDN, changing to $_HOSTNAME.localdomain."
  _HOSTNAME="$_HOSTNAME.localdomain"
fi

#
# DISABLED: the /etc/hosts and hostname rewriting below is commented out
# and kept for reference only.  Before re-enabling it, note that
# $_HOSTNAME and $hostname_ips are interpolated unquoted into the grep
# and sed expressions, so they must be escaped or validated first.
#
# If the full hostname isn't now in /etc/hosts, then add it
#
# This assumes that theres only one entry for each IP, and doesn't deal with
#   partially mangled hosts files, but will deal with someone changing the
#   hostname but not also changing /etc/hosts
#
#if [ $( grep -c $_HOSTNAME '/etc/hosts' ) == 0 ]; then
#  echo "I: Updating hostname configuration with complete name."
#  if hostname -i > /dev/null ; then
#    hostname_ips="$( hostname -i )"
#  else
#    hostname_ips="127.0.1.1"
#  fi
#  sed -i "s|^$hostname_ips|# $hostname_ips|" '/etc/hosts'
#  sed -i "1i$hostname_ips\t$_HOSTNAME $( echo $_HOSTNAME | cut -d '.' -f 1 )" '/etc/hosts'
#  export HOSTNAME="$_HOSTNAME"
#  hostname -b "$_HOSTNAME"
#fi

#
# Enforce using the full hostname (also disabled, see above)
#
#echo "I: Checking hostname configuration files."
#if [ "$HOSTNAME" != "$_HOSTNAME" ]; then export HOSTNAME="$_HOSTNAME"; fi
#if [ "$( hostname )" != "$_HOSTNAME" ]; then hostname -b "$_HOSTNAME" ; fi
#if [ "$( cat /etc/hostname )" != "$_HOSTNAME" ]; then echo "$_HOSTNAME" > "/etc/hostname" ; fi
#if [ -f "/etc/mailname" ] && [ "$( cat "/etc/mailname" )" != "$_HOSTNAME" ]; then echo "$_HOSTNAME" > "/etc/mailname" ; fi

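#
#  If there is no /srv/<hostname> yet, create the default layout for the
#  primary site.  Every use of $_HOSTNAME is quoted: it comes straight
#  from hostname(1) and is not sanitised above, so an unquoted expansion
#  would be word-split and glob-expanded.
#
if [ ! -e "/srv/$_HOSTNAME" ] ; then

  #
  # Create the standard directories
  #
  mkdir -p "/srv/$_HOSTNAME/public/htdocs"
  mkdir -p "/srv/$_HOSTNAME/public/logs"
  mkdir -p "/srv/$_HOSTNAME/config"
  mkdir -p "/srv/$_HOSTNAME/mailboxes/root"

  #
  # sympl owns the site as a whole; the web tree belongs to www-data
  # (the sympl account is added to that group during account creation).
  #
  chown -R sympl:sympl "/srv/$_HOSTNAME"
  chown -R www-data:www-data "/srv/$_HOSTNAME/public"

fi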

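#
# Generate a certificate for the hostname.  Naturally this goes in
# /srv/$_HOSTNAME/config, so only attempt it when that directory exists.
#
if [ -d "/srv/$_HOSTNAME/config" ] ; then

  #
  # sympl-ssl reads its provider from the site's config directory.  If the
  # first attempt fails (no network, the CA refusing the name, ...) switch
  # the provider to "selfsigned" and try once more so the services still
  # have a certificate to present.  Note this overwrites whatever provider
  # was configured.  The retry is best-effort: its failure must not abort
  # the package configuration, hence "|| true".
  #
  # $_HOSTNAME is quoted on both calls so that an odd hostname cannot turn
  # into extra arguments for sympl-ssl.
  #
  if ! sympl-ssl --verbose "$_HOSTNAME" ; then
    echo "W: SSL certificate generation failed. Retrying with a self-signed certificate..."
    echo selfsigned > "/srv/$_HOSTNAME/config/ssl-provider"
    sympl-ssl --verbose "$_HOSTNAME" || true
  fi
fi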

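#
# Link the host certificate into /etc/ssl if nothing is there yet.  The
# links point at the "current" set under the site's config directory, not
# at /etc/$_HOSTNAME/config/ssl.*.
#
ssl_current_dir="/srv/$_HOSTNAME/config/ssl/current"

#
# Conditions, in order: /etc/ssl holds none of ssl.key / ssl.crt /
# ssl.combined; sympl-ssl confirms a usable certificate for the host
# (without generating or rolling anything over); and all three files exist
# in the current set.
#
# Caveats a maintainer should know:
#  - This is check-then-link and therefore racy ("race-tastic"): if the
#    files appear in /etc/ssl between the tests and the ln, the ln fails
#    and, under set -e, the whole script aborts.
#  - The link targets live under /srv/$_HOSTNAME/config, which this script
#    chowns to the sympl user (sympl-filesystem-security may adjust that),
#    so that user controls what /etc/ssl/ssl.key resolves to.
#
if [ ! -e "/etc/ssl/ssl.key" ] &&
    [ ! -e "/etc/ssl/ssl.crt" ] &&
    [ ! -e "/etc/ssl/ssl.combined" ] &&
    sympl-ssl --no-generate --no-rollover "$_HOSTNAME" &&
    [ -e "$ssl_current_dir/ssl.key" ] &&
    [ -e "$ssl_current_dir/ssl.crt" ] &&
    [ -e "$ssl_current_dir/ssl.combined" ] ; then

  echo "I: Symlinking SSL certificate and key from $ssl_current_dir to /etc/ssl"
  ln -s "$ssl_current_dir"/ssl.{key,crt,combined} /etc/ssl/

  #
  # Move an existing bundle out of the way.  The backup name is suffixed
  # with our PID, which is unique for this run but not meaningful later.
  #
  if [ -e /etc/ssl/ssl.bundle ] ; then
    echo "W: Moving old SSL bundle to /etc/ssl/ssl.bundle.$$"
    mv /etc/ssl/ssl.bundle /etc/ssl/ssl.bundle.$$        # ugh
  fi

  #
  # Link the new bundle in, if the current set has one.
  #
  if [ -e "$ssl_current_dir/ssl.bundle" ] ; then
    echo "I: Symlinking SSL bundle from $ssl_current_dir to /etc/ssl"
    ln -s "$ssl_current_dir/ssl.bundle" /etc/ssl/ssl.bundle
  fi

fi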

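#
# Apply the sympl permission policy to the filesystem.
#
sympl-filesystem-security

#
# Install a default htop configuration for the sympl and root accounts.
#
# install_htoprc USER HOME
#   Writes the default htoprc to HOME/.config/htop/htoprc, creating the
#   directories as needed, and hands HOME/.config to USER (mkdir -p runs
#   as root, so without the chown the user could not write to their own
#   ~/.config).  An existing htoprc is left untouched.
#
# The two accounts previously had the same 15-line settings block pasted
# twice; keeping it in one place stops the copies drifting apart.
#
install_htoprc() {
  local user="$1" home="$2"
  local rc="$home/.config/htop/htoprc"

  if [ -f "$rc" ] ; then
    return 0
  fi

  mkdir -p "${rc%/*}"
  # Quoted delimiter: the settings are written literally, no expansion.
  cat > "$rc" <<'EOF'
hide_threads=0
hide_kernel_threads=1
hide_userland_threads=1
shadow_other_users=0
show_thread_names=1
show_program_path=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
tree_view=1
header_margin=0
detailed_cpu_time=1
cpu_count_from_zero=0
update_process_names=1
account_guest_in_cpu_meter=1
EOF
  chown -R "$user:$user" "$home/.config"
}

install_htoprc sympl /home/sympl
install_htoprc root /root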

#
# Clean-up: remove a stray symlink in /etc/cron.hourly (presumably left by
# an earlier version).  Only a symlink is removed, never a regular file.
#
if [[ -L /etc/cron.hourly/00-sympl-ssl ]] ; then
  rm /etc/cron.hourly/00-sympl-ssl
fi

#DEBHELPER#

exit 0