Fix key file name.

[bacula-cn.git] / debian / postinst

#!/bin/sh
# postinst script for bacula-cn
#
# see: dh_installdeb(1)

set -e

# Source debconf library.
. /usr/share/debconf/confmodule

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

generate_fd_config() {
    FD_CONFIG=/etc/bacula/bacula-fd.conf

    if [ -s $FD_CONFIG ] && grep -q 'PKI Keypair' $FD_CONFIG; then
        echo $FD_CONFIG already exists, skipping.
    else
        umask 077
      
        if [ -e $FD_CONFIG -a ! -e $FD_CONFIG.bak ]; then
            cp -av $FD_CONFIG $FD_CONFIG.bak
        fi

        echo Generating $FD_CONFIG
        CONFIG_CHANGED=1
        cat >$FD_CONFIG <<EOF
#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = sysbackup-dir
  Password = "$PASS_FD"

  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  # Allow only the Director to connect
  TLS Allowed CN = "sysbackup.carnet.hr"
  TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
  # This is a server certificate. It is used by connecting
  # directors to verify the authenticity of this file daemon
  TLS Certificate = "/etc/bacula/bacula-fd.pem"
  TLS Key = "/etc/bacula/bacula-fd.pem"
  TLS DH File = "/etc/bacula/dh1024.pem"
}

#
# "Global" File daemon configuration specifications
#
FileDaemon {                          # this is me
  Name = $HOST-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  Maximum Concurrent Jobs = 20
  FDAddress = $IP

  # you need these TLS entries so the FD and SD can communicate
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
  TLS Certificate = "/etc/bacula/bacula-fd.pem"
  TLS Key = "/etc/bacula/bacula-fd.pem"

  # you need these PKI entries to encrypt data before sending it to backup
  PKI Signatures = Yes            # Enable Data Signing
  PKI Encryption = Yes            # Enable Data Encryption
  PKI Keypair = "/etc/bacula/bacula-fd.pem"    # Public and Private Keys
}

# Send all messages except skipped files back to Director
Messages {
  Name = Standard
  director = sysbackup-dir = all, !skipped, !restored
}
EOF
    fi
}

generate_bconsole_config() {
    BCONSOLE_CONFIG=/etc/bacula/bconsole.conf

    if [ -s $BCONSOLE_CONFIG ] && grep -q 'sysbackup-dir' $BCONSOLE_CONFIG; then
        echo $BCONSOLE_CONFIG already exists, skipping.
    else
        umask 077

        if [ -e $BCONSOLE_CONFIG -a ! -e $BCONSOLE_CONFIG.bak ]; then
            cp -av $BCONSOLE_CONFIG $BCONSOLE_CONFIG.bak
        fi

        echo Generating $BCONSOLE_CONFIG
        CONFIG_CHANGED=1
        cat >$BCONSOLE_CONFIG <<EOF
#
# Bacula User Agent (or Console) Configuration File
#

Director {
  Name = sysbackup-dir
  DIRport = 9101
  address = sysbackup.carnet.hr
  Password = "$PASS_BCONSOLE"

  # you need these TLS entries so the bconsole and Director can communicate
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
  TLS Certificate = "/etc/bacula/bacula-fd.pem"
  TLS Key = "/etc/bacula/bacula-fd.pem"
}
EOF
    fi
}

generate_dh() {
    DH_FILE=/etc/bacula/dh1024.pem

    if [ -s $DH_FILE ]; then
        echo $DH_FILE already exists, skipping.
    else
        umask 077

        echo Generating $DH_FILE
        openssl dhparam -out $DH_FILE -5 1024
    fi
}

generate_cert() {
    CERT_FILE=/etc/bacula/bacula-fd.pem

    if [ -s $CERT_FILE ]; then
        echo $CERT_FILE already exists, skipping.
    else
        umask 077

        echo Generating $CERT_FILE
        CONFIG_CHANGED=1
        openssl req -new -newkey rsa:2048 -nodes -keyout $CERT_FILE \
            -subj "/C=HR/ST=Croatia/O=CARNet/OU=sysbackup/CN=$IP" \
            -x509 -extensions usr_cert -days $((365*5)) \
            -out $CERT_FILE
    fi
}

restart_bacula() {
    if [ -x "/etc/init.d/bacula-fd" ]; then
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
            invoke-rc.d bacula-fd restart || exit $?
        else
            /etc/init.d/bacula-fd restart || exit $?
        fi
    fi
}

send_mail() {
    REQUEST_FILE=/etc/bacula/bacula-fd.txt
    GPG_HOME=/var/lib/bacula-cn/gpg

    BOUNDARY=$( head -20 /dev/urandom | openssl dgst -sha1 )
    GPG="gpg --homedir $GPG_HOME --batch --encrypt --armour --recipient rt@tt.carnet.hr --always-trust"

    if [ -z "$CONFIG_CHANGED" ]; then
        echo Config has not changed, skipping request.
        return
    fi

    umask 077
    chmod 0700 $GPG_HOME
    echo Generating request in $REQUEST_FILE

    # Header
    cat > $REQUEST_FILE <<EOF
From: $CONTACT
To: sysbackup@carnet.hr
Subject: Backup za $HOST
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="$BOUNDARY"

This is a message with multiple parts in MIME format.
--$BOUNDARY
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Ime posluzitelja: $HOST
IP adresa: $IP
Kontakt adresa: $CONTACT
EOF

# attachment: disk sizes
cat >> $REQUEST_FILE <<EOF
--$BOUNDARY
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="df.txt.gpg"

EOF

  df -h | $GPG >> $REQUEST_FILE

# attachment: client config
cat >> $REQUEST_FILE <<EOF
--$BOUNDARY
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="$HOST-fd.conf.gpg"

EOF

    cat <<EOF | $GPG >> $REQUEST_FILE
# Requested by $CONTACT on $DATE
Client {
  Name = $HOST-fd
  Address = $IP
  Password = "$PASS_FD"         # password for bacula-fd(8)
  @/etc/bacula/include/client-debian-default.conf

  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = "/etc/bacula/clients.d/$HOST-fd.pem"
  TLS Certificate = "/etc/bacula/bacula.pem"
  TLS Key = "/etc/bacula/bacula.key"
}

Job {
  Name = "$HOST"
  Client = $HOST-fd
  JobDefs = "Job_SysBackup"
}

Console {
  Name = $HOST-acl
  Password = "$PASS_BCONSOLE"         # password for bconsole(8)
  JobACL = $HOST, RestoreFiles
  ClientACL = $HOST-fd
  @/etc/bacula/include/acl-default.conf
}
EOF

# attachment: client certificate
cat >> $REQUEST_FILE <<EOF
--$BOUNDARY
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="$HOST-fd.pem.gpg"

EOF

    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' /etc/bacula/bacula-fd.pem \
    | $GPG >> $REQUEST_FILE

cat >> $REQUEST_FILE <<EOF
--$BOUNDARY--
EOF

    # Send it
    echo Mailing request from $REQUEST_FILE
    sendmail -t -oi < $REQUEST_FILE
}

load_config() {
    db_get bacula-cn/hostname
    HOST=$RET

    db_get bacula-cn/ip
    IP=$RET

    db_get bacula-cn/contact
    CONTACT=$RET

    db_stop

    PASS_FD=$( head -20 /dev/urandom | openssl dgst -sha1 )
    PASS_BCONSOLE=$( head -20 /dev/urandom | openssl dgst -sha1 )

    DATE=$( date '+%Y-%m-%d' )

    CONFIG_CHANGED=
}

case "$1" in
    configure)
        load_config

        generate_cert
        generate_dh
        generate_fd_config
        generate_bconsole_config

        restart_bacula
        send_mail
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0