[proftpd-cn.git] / debian / postinst

#!/bin/sh
# postinst script for proftpd-cn
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
#

case "$1" in
    configure|reconfigure)
      # continue below
    ;;

    *)
        exit 0
    ;;
esac

# created:     2002-11-15 Bozo Juretic <bjuretic@srce.hr>
# last update: 2007-05-14 Zoran Dzelajlija <zoran.dzelajlija@carnet.hr>
# last update: 2011-04-24 Dinko Korunic <kreator@carnet.hr>

# Source debconf library.
. /usr/share/debconf/confmodule

# Import CN toolsa
. /usr/share/carnet-tools/functions.sh

FTP_CONF=/etc/proftpd/proftpd.conf
FTP_TMP=`mktemp /etc/proftpd/proftpd.conf.XXXXXX`
FTP_OLD=/var/backups/proftpd.conf.bak
SSL_CERT=/etc/ssl/certs/ftpd.pem
SSL_KEY=/etc/ssl/private/ftpd.pem

# Backup stare konfiguracije
cp_backup_conffile $FTP_CONF
cp -p $FTP_CONF $FTP_TMP

# Onemogucavanje Anonymous ftp pristupa
disable_anonymous()
{
    if grep -qi "^<Anonymous" $FTP_TMP; then
        echo "CN: Anonymous access has been disabled in $FTP_CONF." 
        # Brisanje Anonymous linija
        sed -n -i -e '/<Anonymous /,/\/Anon/!p' $FTP_TMP
    fi
}

# Popravi razne stvari u confu
fix_conf()
{
    if [ -f $FTP_TMP ]; then
        # Stare list opcije
        sed -i -e 's/lsdefaultoptions/ListOptions/i' $FTP_TMP 

        # Stari tcpwin
        sed -i -e "s/tcpreceivewindow/SocketOptions rcvbuf/i" \
            -e "s/tcpsendwindow/SocketOptions sndbuf/i" $FTP_TMP

        # Scoreboard
        sed -i -e "s/\(scoreboardpath.*\)/#\n#ScoreboardPath is deprecated in 1.2.9, use ScoreboardFile instead\n#\1\n#\n#ScoreboardFile\t\/var\/run\/proftpd\/proftpd.scoreboard\n#/i" $FTP_TMP

        # Ubaci pravi hostname
        CARNET_HOSTNAME=`hostname`
        CARNET_DOMAINNAME=`hostname --domain`
            sed -i -e "s/^ServerName.*\"Debian\"/ServerName \"$CARNET_HOSTNAME.$CARNET_DOMAINNAME\"/i" $FTP_TMP 

        # Upali DelayEngine
        sed -i -e 's/^#.*DelayEngine.*/DelayEngine on/i' $FTP_TMP

        # Omoguci da bude standalone servis
        sed -i -e 's/^\(ServerType.*\)inetd/\1standalone/' $FTP_TMP
        update-inetd --disable ftp || true
        db_set shared/proftpd/inetd_or_standalone "standalone"
        db_go || true
        db_stop
    fi
}

# Dodaj TLS konfiguraciju ako je potrebna
add_tls()
{
    if [ -f $FTP_TMP ]; then
        cp-update proftpd-cn $FTP_TMP <<EOF
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  TLSProtocol SSLv23

  # Are clients required to use FTP over TLS when talking to this server?
  TLSRequired off

  # Server's certificate
  TLSRSACertificateFile $SSL_CERT
  TLSRSACertificateKeyFile $SSL_KEY

  # CA the server trusts
  #TLSCACertificateFile /etc/ftpd/root.cert.pem

  # Authenticate clients that want to use FTP over TLS?
  TLSVerifyClient off

  # Allow SSL/TLS renegotiations when the client requests them, but
  # do not force the renegotations.  Some clients do not support
  # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
  # clients will close the data connection, or there will be a timeout
  # on an idle data connection.
  TLSRenegotiate required off
</IfModule>
EOF
    fi
}

# include za slucaj da sistemac nije prihvatio izmjene od Debiana
include_modules()
{
    if [ -f $FTP_TMP ] ; then
        if ! egrep -qi "^[[:space:]]*Include.*/etc/proftpd/modules.conf" $FTP_TMP ; then
            printf "#\n# Includes required DSO modules. This is mandatory in proftpd 1.3\n#\nInclude\t/etc/proftpd/modules.conf\n\n" >$FTP_TMP.tmp.$$
            cat $FTP_TMP >>$FTP_TMP.tmp.$$
            cp_mv $FTP_TMP.tmp.$$ $FTP_TMP
        fi
    fi
}

# Generiranje SSL certifikata
make_ssl_cert()
{
    if [ \( ! -f $SSL_CERT \) -o \( ! -f $SSL_KEY \) ] ; then
        echo "CN: Generating SSL certificate... "
        HOSTNAME=`hostname -s`
        FQDN=`hostname -f`
        MAILNAME=`cat /etc/mailname 2> /dev/null || hostname -f`
        (openssl req -new -x509 -days 365 -nodes -out $SSL_CERT -keyout $SSL_KEY >/dev/null 2>&1 <<EOF
.
.
.
FTP server
$hostname.$domainname
$fqdn
root@$mailname
EOF
)
        echo "CN: Self-signed SSL certificate generated in $SSL_CERT."
        echo "CN: Please note that the certificate will expire in one year."
    fi
}

# purge starog proftpd-common paketa bi napravio rusvaj
defuse_old_postrm()
{
    if [ -f /var/lib/dpkg/info/proftpd-common.postrm ]; then
        cp_check_and_sed '^[^#]*(update-rc.d|update-inetd|/var/run/proftpd)' \
            '/update-rc.d/d; /update-inetd/d; /var\/run\/proftpd/d' \
            /var/lib/dpkg/info/proftpd-common.postrm || true
    fi
}

defuse_old_postrm
disable_anonymous
make_ssl_cert
fix_conf
add_tls
include_modules

if [ -z "$2" ]; then
        echo "CN: Proftpd-cn is configured with disabled anonymous FTP access,"
        echo "CN: for the security reasons."
fi

if ! cmp -s $FTP_TMP $FTP_CONF; then
        echo "CN: Original configuration file is saved in $FTP_OLD."
        cp_mv $FTP_TMP $FTP_CONF
else
        rm -f $FTP_TMP
fi

echo "CN: Restarting proftpd..."

if [ -x /usr/sbin/invoke-rc.d ]; then
        invoke-rc.d proftpd restart
else
        /etc/init.d/proftpd restart
fi

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0