2 # postinst script for bacula-cn
4 # see: dh_installdeb(1)
8 # Source debconf library.
9 . /usr/share/debconf/confmodule
11 # summary of how this script can be called:
12 # * <postinst> `configure' <most-recently-configured-version>
13 # * <old-postinst> `abort-upgrade' <new version>
14 # * <conflictor's-postinst> `abort-remove' `in-favour' <package>
16 # * <postinst> `abort-remove'
17 # * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
18 # <failed-install-package> <version> `removing'
19 # <conflicting-package> <version>
20 # for details, see http://www.debian.org/doc/debian-policy/ or
21 # the debian-policy package
# Generate /etc/bacula/bacula-fd.conf, the Bacula File daemon configuration.
# This listing is incomplete (the gutter numbers skip), so the statements that
# close each `if`, the heredoc opener and the function's closing brace are not
# visible here.
#
# Security-relevant facts visible in the generated text below:
#   - Only a Director presenting CN "sysbackup.carnet.hr", verified against
#     /etc/bacula/sysbackup.pem, is accepted over TLS.
#   - One file, /etc/bacula/bacula-fd.pem, serves as TLS certificate, TLS key
#     and PKI keypair, so its permissions protect both the transport identity
#     and the backup data-encryption key.
#   - The TLS DH parameters come from /etc/bacula/dh1024.pem.
# NOTE(review): no "PKI Master Key" entry appears in the visible lines; if none
# is configured, losing bacula-fd.pem would leave encrypted backups
# unrecoverable. Confirm against the full file.
# NOTE(review): no chmod/chown of the generated file is visible, so its mode
# presumably follows the umask. Confirm it is not world-readable if it holds
# the Director password.
23 generate_fd_config() {
24 FD_CONFIG=/etc/bacula/bacula-fd.conf
# Idempotence guard: a non-empty config that already mentions 'PKI Keypair'
# is treated as generated by this script and left alone.
26 if [ -s $FD_CONFIG ] && grep -q 'PKI Keypair' $FD_CONFIG; then
27 echo $FD_CONFIG already exists, skipping.
# Keep a one-time backup: copy only when the config exists and no .bak does,
# so a later run never overwrites the first saved copy.
31 if [ -e $FD_CONFIG -a ! -e $FD_CONFIG.bak ]; then
32 cp -av $FD_CONFIG $FD_CONFIG.bak
35 echo Generating $FD_CONFIG
39 # List Directors who are permitted to contact this File daemon
48 # Allow only the Director to connect
49 TLS Allowed CN = "sysbackup.carnet.hr"
50 TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
51 # This is a server certificate. It is used by connecting
52 # directors to verify the authenticity of this file daemon
53 TLS Certificate = "/etc/bacula/bacula-fd.pem"
54 TLS Key = "/etc/bacula/bacula-fd.pem"
55 TLS DH File = "/etc/bacula/dh1024.pem"
59 # "Global" File daemon configuration specifications
61 FileDaemon { # this is me
63 FDport = 9102 # where we listen for the director
64 WorkingDirectory = /var/lib/bacula
65 Pid Directory = /var/run/bacula
66 Maximum Concurrent Jobs = 20
69 # you need these TLS entries so the FD and SD can communicate
72 TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
73 TLS Certificate = "/etc/bacula/bacula-fd.pem"
74 TLS Key = "/etc/bacula/bacula-fd.pem"
76 # you need these PKI entries to encrypt data before sending it to backup
77 PKI Signatures = Yes # Enable Data Signing
78 PKI Encryption = Yes # Enable Data Encryption
79 PKI Keypair = "/etc/bacula/bacula-fd.pem" # Public and Private Keys
82 # Send all messages except skipped files back to Director
85 director = sysbackup-dir = all, !skipped, !restored
# Generate /etc/bacula/bconsole.conf for the Bacula console (bconsole).
# This listing is incomplete (the gutter numbers skip); the closing `fi`
# lines, the heredoc terminator and the function's closing brace are not shown.
#
# The heredoc delimiter is unquoted (<<EOF), so $PASS_BCONSOLE is expanded
# when the file is written: the console password is stored in clear text.
# NOTE(review): the file is created by shell redirection and no chmod/chown is
# visible in this listing, so its mode presumably follows the umask. Confirm
# that only root (or the bacula user) can read it.
91 generate_bconsole_config() {
92 BCONSOLE_CONFIG=/etc/bacula/bconsole.conf
# Idempotence guard: a non-empty file that already has a 'Console {' resource
# is left untouched.
94 if [ -s $BCONSOLE_CONFIG ] && grep -q 'Console {' $BCONSOLE_CONFIG; then
95 echo $BCONSOLE_CONFIG already exists, skipping.
# One-time backup of a pre-existing file; an existing .bak is never overwritten.
99 if [ -e $BCONSOLE_CONFIG -a ! -e $BCONSOLE_CONFIG.bak ]; then
100 cp -av $BCONSOLE_CONFIG $BCONSOLE_CONFIG.bak
103 echo Generating $BCONSOLE_CONFIG
# Truncates and rewrites the config. Everything up to the terminator is file
# content, so the '#' lines below end up in bconsole.conf.
105 cat >$BCONSOLE_CONFIG <<EOF
107 # Bacula User Agent (or Console) Configuration File
113 address = sysbackup.carnet.hr
114 Password = "__INVALID__" # not used
116 # you need these TLS entries so the bconsole and Director can communicate
119 TLS CA Certificate File = "/etc/bacula/sysbackup.pem"
120 TLS Certificate = "/etc/bacula/bacula-fd.pem"
121 TLS Key = "/etc/bacula/bacula-fd.pem"
126 Password = "$PASS_BCONSOLE"
# Create the Diffie-Hellman parameter file that the File daemon config
# references as "TLS DH File". The enclosing function header and the lines
# closing the `if` are not visible in this listing.
133 DH_FILE=/etc/bacula/dh1024.pem
# A non-empty parameter file is reused, so an upgrade never regenerates it.
135 if [ -s $DH_FILE ]; then
136 echo $DH_FILE already exists, skipping.
140 echo Generating $DH_FILE
# Generates 1024-bit DH parameters with generator 5.
# NOTE(review): 1024-bit DH groups are no longer considered adequate against
# precomputation attacks; 2048 bits or more is the usual minimum today.
# Because existing files are skipped above, raising the size here would not
# replace parameters on already-installed hosts, and the file name (dh1024.pem)
# is also written into the FD config.
141 openssl dhparam -out $DH_FILE -5 1024
# Create the client's key/certificate PEM. The FD config uses this same path
# as TLS Certificate, TLS Key and PKI Keypair. The enclosing function header,
# the lines closing the `if` and the end of the openssl command are not
# visible in this listing.
146 CERT_FILE=/etc/bacula/bacula-fd.pem
# An existing non-empty PEM is kept. Regenerating it would change the PKI
# keypair that the config above uses for backup data encryption.
148 if [ -s $CERT_FILE ]; then
149 echo $CERT_FILE already exists, skipping.
153 echo Generating $CERT_FILE
# Self-signed (-x509) certificate with a new 2048-bit RSA key, valid for
# 365*5 days. -nodes writes the private key unencrypted to $CERT_FILE, so file
# permissions are the only protection for the key.
# NOTE(review): no chmod/chown of $CERT_FILE is visible here; confirm that the
# resulting file is readable only by root / the bacula user.
# NOTE(review): $IP is not assigned anywhere in the visible lines; confirm
# where the certificate CN comes from.
# The command continues on a line that this listing does not show.
155 openssl req -new -newkey rsa:2048 -nodes -keyout $CERT_FILE \
156 -subj "/C=HR/ST=Croatia/O=CARNet/OU=sysbackup/CN=$IP" \
157 -x509 -extensions usr_cert -days $((365*5)) \
# Restart the File daemon so that it picks up the new configuration. A failed
# restart aborts the postinst with the restart command's exit status. The
# `else`/`fi` lines and the enclosing function header are not visible here.
163 if [ -x "/etc/init.d/bacula-fd" ]; then
# Prefer invoke-rc.d when it is installed; otherwise fall back to calling the
# init script directly.
# NOTE(review): `command -v invoke-rc.d` is the portable replacement for the
# backticked `which` lookup.
164 if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
165 invoke-rc.d bacula-fd restart || exit $?
167 /etc/init.d/bacula-fd restart || exit $?
# Build a multipart MIME e-mail in /etc/bacula/bacula-fd.txt and send it to
# sysbackup@carnet.hr with sendmail. The enclosing function header, several
# heredoc terminators and the MIME boundary lines are not visible in this
# listing (the gutter numbers skip).
#
# What the visible lines establish:
#   - The first part is plain text and carries $HOST and $CONTACT unencrypted.
#   - `df -h` output, the Director-side client definition (containing both
#     $PASS_FD and $PASS_BCONSOLE) and the client certificate are each piped
#     through $GPG before being appended, so they are stored and mailed only
#     in encrypted, ASCII-armoured form.
#   - The certificate part is cut out with sed between the BEGIN CERTIFICATE
#     and END CERTIFICATE markers, so the private key held in the same PEM is
#     not included in the request.
# NOTE(review): $HOST and $CONTACT are expanded inside unquoted heredocs, into
# the Subject header and the body, and sendmail -t takes recipients from the
# headers. Presumably both values come from the debconf answers read further
# down; confirm they are validated (no embedded newlines) before they reach
# this point.
# NOTE(review): the request file stays on disk after sending and no chmod is
# visible; confirm that this is intended.
173 REQUEST_FILE=/etc/bacula/bacula-fd.txt
174 GPG_HOME=/var/lib/bacula-cn/gpg
# The MIME boundary is the SHA-1 digest of random bytes, so it will not occur
# in the message body by accident.
# NOTE(review): some OpenSSL releases print a "(stdin)= " style prefix before
# the hex digest when hashing standard input; the boundary would then contain
# that prefix. Confirm the output format on the target release.
176 BOUNDARY=$( head -20 /dev/urandom | openssl dgst -sha1 )
# The command is kept in a string and later expanded unquoted as $GPG, which
# works only because none of its words contains whitespace.
# --always-trust makes gpg skip trust validation of the recipient key, so the
# integrity of the keyring under $GPG_HOME is what guarantees that the
# passwords are encrypted to the intended key. Presumably the package ships
# that keyring; confirm its ownership and mode.
177 GPG="gpg --homedir $GPG_HOME --batch --encrypt --armour --recipient rt@tt.carnet.hr --always-trust"
# Nothing is mailed unless CONFIG_CHANGED is non-empty; it is not assigned in
# any of the lines visible in this listing.
179 if [ -z "$CONFIG_CHANGED" ]; then
180 echo Config has not changed, skipping request.
186 echo Generating request in $REQUEST_FILE
189 cat > $REQUEST_FILE <<EOF
191 To: sysbackup@carnet.hr
192 Subject: Backup za $HOST
194 Content-Type: multipart/mixed; boundary="$BOUNDARY"
196 This is a message with multiple parts in MIME format.
198 Content-Type: text/plain
199 Content-Transfer-Encoding: 7bit
200 Content-Disposition: inline
202 Ime posluzitelja: $HOST
204 Kontakt adresa: $CONTACT
207 # attachment: disk sizes
208 cat >> $REQUEST_FILE <<EOF
210 Content-Type: text/plain
211 Content-Transfer-Encoding: 7bit
212 Content-Disposition: inline; filename="df.txt.gpg"
216 df -h | $GPG >> $REQUEST_FILE
218 # attachment: client config
219 cat >> $REQUEST_FILE <<EOF
221 Content-Type: text/plain
222 Content-Transfer-Encoding: 7bit
223 Content-Disposition: inline; filename="$HOST-fd.conf.gpg"
227 cat <<EOF | $GPG >> $REQUEST_FILE
228 # Requested by $CONTACT on $DATE
232 Password = "$PASS_FD" # password for bacula-fd(8)
233 @/etc/bacula/include/client-debian-default.conf
237 TLS CA Certificate File = "/etc/bacula/clients.d/$HOST-fd.pem"
238 TLS Certificate = "/etc/bacula/bacula.pem"
239 TLS Key = "/etc/bacula/bacula.key"
245 JobDefs = "Job_SysBackup"
250 Password = "$PASS_BCONSOLE" # password for bconsole(8)
251 JobACL = $HOST, RestoreFiles
253 @/etc/bacula/include/acl-default.conf
257 # attachment: client certificate
258 cat >> $REQUEST_FILE <<EOF
260 Content-Type: text/plain
261 Content-Transfer-Encoding: 7bit
262 Content-Disposition: inline; filename="$HOST-fd.pem.gpg"
266 sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' /etc/bacula/bacula-fd.pem \
267 | $GPG >> $REQUEST_FILE
269 cat >> $REQUEST_FILE <<EOF
274 echo Mailing request from $REQUEST_FILE
# -t takes the recipients from the message headers written above; -oi stops a
# line containing only "." from ending the message early.
275 sendmail -t -oi < $REQUEST_FILE
# Main postinst flow: read the debconf answers, create fresh secrets, then
# call the generator functions. The surrounding `case "$1"` skeleton and the
# lines that use the db_get results are not visible in this listing.
279 db_get bacula-cn/hostname
285 db_get bacula-cn/contact
# Two independent secrets, each the SHA-1 digest of data read from
# /dev/urandom: one for the File daemon, one for bconsole.
# NOTE(review): `head -20` counts newline-terminated lines of binary data, so
# the amount read varies; `head -c N` would read a fixed number of bytes.
# NOTE(review): some OpenSSL releases prefix the digest with a "(stdin)= "
# style label. The passwords would then include that prefix, which stays
# consistent because the same variable feeds the local config and the request,
# but is probably unintended. Confirm the output format on the target release.
290 PASS_FD=$( head -20 /dev/urandom | openssl dgst -sha1 )
291 PASS_BCONSOLE=$( head -20 /dev/urandom | openssl dgst -sha1 )
# ISO date; the request's client-config attachment uses it in its
# "Requested by" line.
293 DATE=$( date '+%Y-%m-%d' )
305 generate_bconsole_config
# The abort-* invocations share one case arm; its body is not visible here.
311 abort-upgrade|abort-remove|abort-deconfigure)
# Any other first argument is reported on stderr.
315 echo "postinst called with unknown argument \`$1'" >&2
320 # dh_installdeb will replace this with shell code automatically
321 # generated by other debhelper scripts.