+#!/bin/sh
+# postinst script for bacula-cn
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# Source debconf library.
+. /usr/share/debconf/confmodule
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+generate_fd_config() {
+ FD_CONFIG=/etc/bacula/bacula-fd.conf
+
+ if [ -s $FD_CONFIG ] && grep -q 'PKI Keypair' $FD_CONFIG; then
+ echo $FD_CONFIG already exists, skipping.
+ else
+ umask 077
+
+ if [ -e $FD_CONFIG -a ! -e $FD_CONFIG.bak ]; then
+ cp -av $FD_CONFIG $FD_CONFIG.bak
+ fi
+
+ echo Generating $FD_CONFIG
+ CONFIG_CHANGED=1
+ cat >$FD_CONFIG <<EOF
+#
+# List Directors who are permitted to contact this File daemon
+#
+Director {
+ Name = sysbackup-dir
+ Password = "$PASS_FD"
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ # Allow only the Director to connect
+ TLS Allowed CN = "sysbackup.carnet.hr"
+ TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
+ # This is a server certificate. It is used by connecting
+ # directors to verify the authenticity of this file daemon
+ TLS Certificate = "/etc/bacula/bacula-fd.pem"
+ TLS Key = "/etc/bacula/bacula-fd.pem"
+ TLS DH File = "/etc/bacula/dh1024.pem"
+}
+
+#
+# "Global" File daemon configuration specifications
+#
+FileDaemon { # this is me
+ Name = $HOST-fd
+ FDport = 9102 # where we listen for the director
+ WorkingDirectory = /var/lib/bacula
+ Pid Directory = /var/run/bacula
+ Maximum Concurrent Jobs = 20
+ FDAddress = $IP
+
+ # you need these TLS entries so the FD and SD can communicate
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
+ TLS Certificate = "/etc/bacula/bacula-fd.pem"
+ TLS Key = "/etc/bacula/bacula-fd.pem"
+
+ # you need these PKI entries to encrypt data before sending it to backup
+ PKI Signatures = Yes # Enable Data Signing
+ PKI Encryption = Yes # Enable Data Encryption
+ PKI Keypair = "/etc/bacula/bacula-fd.pem" # Public and Private Keys
+}
+
+# Send all messages except skipped files back to Director
+Messages {
+ Name = Standard
+ director = sysbackup-dir = all, !skipped, !restored
+}
+EOF
+ fi
+}
+
+generate_bconsole_config() {
+ BCONSOLE_CONFIG=/etc/bacula/bconsole.conf
+
+ if [ -s $BCONSOLE_CONFIG ] && grep -q 'sysbackup-dir' $BCONSOLE_CONFIG; then
+ echo $BCONSOLE_CONFIG already exists, skipping.
+ else
+ umask 077
+
+ if [ -e $BCONSOLE_CONFIG -a ! -e $BCONSOLE_CONFIG.bak ]; then
+ cp -av $BCONSOLE_CONFIG $BCONSOLE_CONFIG.bak
+ fi
+
+ echo Generating $BCONSOLE_CONFIG
+ CONFIG_CHANGED=1
+ cat >$BCONSOLE_CONFIG <<EOF
+#
+# Bacula User Agent (or Console) Configuration File
+#
+
+Director {
+ Name = sysbackup-dir
+ DIRport = 9101
+ address = sysbackup.carnet.hr
+ Password = "$PASS_BCONSOLE"
+
+ # you need these TLS entries so the bconsole and Director can communicate
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
+ TLS Certificate = "/etc/bacula/bacula-fd.pem"
+ TLS Key = "/etc/bacula/bacula-fd.pem"
+}
+EOF
+ fi
+}
+
+generate_dh() {
+ DH_FILE=/etc/bacula/dh1024.pem
+
+ if [ -s $DH_FILE ]; then
+ echo $DH_FILE already exists, skipping.
+ else
+ umask 077
+
+ echo Generating $DH_FILE
+ openssl dhparam -out $DH_FILE -5 1024
+ fi
+}
+
+generate_cert() {
+ CERT_FILE=/etc/bacula/bacula-fd.pem
+
+ if [ -s $CERT_FILE ]; then
+ echo $CERT_FILE already exists, skipping.
+ else
+ umask 077
+
+ echo Generating $CERT_FILE
+ CONFIG_CHANGED=1
+ openssl req -new -newkey rsa:2048 -nodes -keyout $CERT_FILE \
+ -subj "/C=HR/ST=Croatia/O=CARNet/OU=sysbackup/CN=$IP" \
+ -x509 -extensions usr_cert -days $((365*5)) \
+ -out $CERT_FILE
+ fi
+}
+
+restart_bacula() {
+ if [ -x "/etc/init.d/bacula-fd" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d bacula-fd restart || exit $?
+ else
+ /etc/init.d/bacula-fd restart || exit $?
+ fi
+ fi
+}
+
+send_mail() {
+ REQUEST_FILE=/etc/bacula/bacula-fd.txt
+ GPG_HOME=/var/lib/bacula-cn/gpg
+
+ BOUNDARY=$( head -20 /dev/urandom | openssl dgst -sha1 )
+ GPG="gpg --homedir $GPG_HOME --batch --encrypt --armour --recipient rt@tt.carnet.hr --always-trust"
+
+ if [ -z "$CONFIG_CHANGED" ]; then
+ echo Config has not changed, skipping request.
+ return
+ fi
+
+ umask 077
+ chmod 0700 $GPG_HOME
+ echo Generating request in $REQUEST_FILE
+
+ # Header
+ cat > $REQUEST_FILE <<EOF
+From: $CONTACT
+To: sysbackup@carnet.hr
+Subject: Backup za $HOST
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="$BOUNDARY"
+
+This is a message with multiple parts in MIME format.
+--$BOUNDARY
+Content-Type: text/plain
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline
+
+Ime posluzitelja: $HOST
+IP adresa: $IP
+Kontakt adresa: $CONTACT
+EOF
+
+# attachment: disk sizes
+cat >> $REQUEST_FILE <<EOF
+--$BOUNDARY
+Content-Type: text/plain
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline; filename="df.txt.gpg"
+
+EOF
+
+ df -h | $GPG >> $REQUEST_FILE
+
+# attachment: client config
+cat >> $REQUEST_FILE <<EOF
+--$BOUNDARY
+Content-Type: text/plain
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline; filename="$HOST-fd.conf.gpg"
+
+EOF
+
+ cat <<EOF | $GPG >> $REQUEST_FILE
+# Requested by $CONTACT on $DATE
+Client {
+ Name = $HOST-fd
+ Address = $IP
+ Password = "$PASS_FD" # password for bacula-fd(8)
+ @/etc/bacula/include/client-debian-default.conf
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "/etc/bacula/clients.d/$HOST-fd.pem"
+ TLS Certificate = "/etc/bacula/bacula.pem"
+ TLS Key = "/etc/bacula/bacula.pem"
+}
+
+Job {
+ Name = "$HOST"
+ Client = $HOST-fd
+ JobDefs = "Job_SysBackup"
+}
+
+Console {
+ Name = $HOST-acl
+ Password = "$PASS_BCONSOLE" # password for bconsole(8)
+ JobACL = $HOST, RestoreFiles
+ ClientACL = $HOST-fd
+ @/etc/bacula/include/acl-default.conf
+}
+EOF
+
+# attachment: client certificate
+cat >> $REQUEST_FILE <<EOF
+--$BOUNDARY
+Content-Type: text/plain
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline; filename="$HOST-fd.pem.gpg"
+
+EOF
+
+ sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' /etc/bacula/bacula-fd.pem \
+ | $GPG >> $REQUEST_FILE
+
+cat >> $REQUEST_FILE <<EOF
+--$BOUNDARY--
+EOF
+
+ # Send it
+ echo Mailing request from $REQUEST_FILE
+ sendmail -t -oi < $REQUEST_FILE
+}
+
+load_config() {
+ db_get bacula-cn/hostname
+ HOST=$RET
+
+ db_get bacula-cn/ip
+ IP=$RET
+
+ db_get bacula-cn/contact
+ CONTACT=$RET
+
+ db_stop
+
+ PASS_FD=$( head -20 /dev/urandom | openssl dgst -sha1 )
+ PASS_BCONSOLE=$( head -20 /dev/urandom | openssl dgst -sha1 )
+
+ DATE=$( date '+%Y-%m-%d' )
+
+ CONFIG_CHANGED=
+}
+
+case "$1" in
+ configure)
+ load_config
+
+ generate_cert
+ generate_dh
+ generate_fd_config
+ generate_bconsole_config
+
+ restart_bacula
+ send_mail
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
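Review bot: generate_dh creates 1024-bit Diffie-Hellman parameters (`openssl dhparam -out $DH_FILE -5 1024`), which is below the 2048-bit minimum that current guidance recommends and weaker than the 2048-bit RSA key made in generate_cert. I would generate 2048 bits and rename the file to match: `DH_FILE=/etc/bacula/dh2048.pem`, `openssl dhparam -out "$DH_FILE" -5 2048`, and `TLS DH File = "/etc/bacula/dh2048.pem"` in the Director block of generate_fd_config. Separately, load_config draws fresh PASS_FD and PASS_BCONSOLE on every configure run, while generate_fd_config and generate_bconsole_config skip files that already exist. So when only generate_cert or only one of the config generators sets CONFIG_CHANGED, the Client/Console request mailed by send_mail carries passwords that do not match the configuration left on disk. HOST, IP and CONTACT from debconf are also expanded unvalidated into `From: $CONTACT`, the `-subj` string and the generated config, so a check in load_config that rejects whitespace and newlines would stop a bad preseed value from altering the headers read by `sendmail -t`.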