#!/bin/bash
#
# postinst script for linuxmuster-base
# thomas@linuxmuster.net
# 20260423
# GPL v3
#

# see: dh_installdeb(1)

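# Only -e is used deliberately: -u would trip on the optional flags
# ($aa_reboot, $ntp_restart) that are read before they are ever assigned, and
# pipefail would turn the "no version stamp found" grep pipelines below into
# fatal errors instead of empty strings.
set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
#

# get environment: both files are sourced, i.e. executed as root, so they must
# stay root-owned and non-writable for anyone else.  $VERSION_ID comes from
# os-release; the linuxmuster paths ($SSLDIR, $SECRETDIR, $TPLDIR, $SETUPINI,
# ...) and presumably the setup values ($domainname, $serverip, ...) come from
# environment.sh.
source /etc/os-release || exit 1
source /usr/share/linuxmuster/environment.sh || exit 1

# run timestamp, usable as a unique suffix for backup files
datestr="$(date +%Y%m%d%H%M)"

# os version specific: group that gets access to $NTPSOCKDIR (presumably the
# group the ntp daemon runs as).  Any other release is refused up front.
case "$VERSION_ID" in
  24.04|26.04)
    ntpgrp="ntpsec"
  ;;
  22.04)
    ntpgrp="ntp"
  ;;
  *)
    # diagnostics belong on stderr so dpkg shows them with the failure
    echo "Wrong os version $VERSION_ID." >&2
    exit 1
  ;;
esac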


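#######################################
# Version stamp of a template or installed config file.
# Arguments: $1 - file to inspect
# Outputs:   the second whitespace-separated field of the first comment line
#            ('#...') that contains a standalone 8-digit number
#            (e.g. "# 20260423"); empty when no such line exists
# Returns:   the status of the final 'cut' (0), so a non-matching grep does
#            not abort the script under set -e (pipefail is not enabled)
#######################################
file_version() {
  grep -P '(?<!\d)\d{8}(?!\d)' "$1" | grep '^#' | head -n 1 | cut -d' ' -f2
}

case "$1" in

 configure)

  # Note: Python package installation is now handled by dh_python3
  # paramiko is now a proper Debian dependency (python3-paramiko)
  # Bytecode compilation is handled automatically by dh_python3

  # create ssl-cert group (--force makes an already existing group a no-op)
  groupadd --force --system ssl-cert

  # --- permissions ---------------------------------------------------------
  # linuxmuster ssl certs: group ssl-cert recursively, but only the top-level
  # directory mode is set (750) -- file modes underneath are left untouched.
  chgrp -R ssl-cert "$SSLDIR"
  chmod 750 "$SSLDIR"
  # linuxmuster secrets: group dhcpd (so the dhcp daemon can read the DNS
  # update credentials), directories 750, files 440 (read-only, no "other").
  # Unset or missing paths are skipped.
  for secret in "$SECRETDIR" "$BINDUSERSECRET" "$DNSADMINSECRET"; do
    [ -e "$secret" ] || continue
    chgrp dhcpd "$secret"
    if [ -d "$secret" ]; then
      chmod 750 "$secret"
    else
      chmod 440 "$secret"
    fi
  done
  # samba sysvol: every directory group-writable (775), applied unconditionally
  # to the whole tree
  sysvol="/var/lib/samba/sysvol"
  [ -d "$sysvol" ] && find "$sysvol" -type d -exec chmod 775 '{}' \;
  # samba ntp socket directory: root-owned, group $ntpgrp (release specific), 750
  mkdir -p "$NTPSOCKDIR"
  chgrp "$ntpgrp" "$NTPSOCKDIR"
  chmod 750 "$NTPSOCKDIR"
  # samba print spool: world-writable with sticky bit, created only when
  # missing; a plain file in the way is removed.  Note that [ -d ] follows
  # symlinks, so a symlink pointing at a directory is accepted as is.
  smbspool="/var/spool/samba"
  if [ ! -d "$smbspool" ]; then
    rm -f "$smbspool"
    mkdir -p "$smbspool"
    chmod 1777 "$smbspool"
  fi

  # skip subsequent actions on systems that have not been set up yet.
  # NOTE(review): this exit also bypasses the #DEBHELPER# snippet at the end
  # of the script -- confirm nothing debhelper generates is needed on such
  # systems.
  [ -s "$SETUPINI" ] || exit 0

  # provide cacert.pem for clients if not present
  if [[ -n "$domainname" && -s "$CACERT" ]]; then
    # replace the first @@domainname@@ placeholder in-shell: the value is
    # never spliced into a sed expression this way
    sysvoltlsdir="${SYSVOLTLSDIR/@@domainname@@/"$domainname"}"
    sysvolpemfile="$sysvoltlsdir/$(basename "$CACERT")"
    [ -d "$sysvoltlsdir" ] || mkdir -p "$sysvoltlsdir"
    if [[ -d "$sysvoltlsdir" && ! -e "$sysvolpemfile" ]]; then
      echo "Providing $sysvolpemfile."
      cp "$CACERT" "$sysvolpemfile"
    fi
  fi

  # update certificate creation configs.  Each template names its target as
  # the second word of its first line; the target is (re)written when it is
  # missing or carries no subjectAltName entry.  $serverip, $firewallip,
  # $servername and $domainname are spliced into the sed script, so a value
  # containing '|' or '&' would corrupt the result -- they are trusted setup
  # values, not user input.
  for tpl in "$TPLDIR"/*_cert_ext.cnf; do
    [ -e "$tpl" ] || continue   # unmatched glob yields the literal pattern
    conf="$(head -n 1 "$tpl" | cut -d' ' -f2)"
    if [ ! -e "$conf" ] || ! grep -q subjectAltName "$conf"; then
      echo "Updating $conf."
      sed -e "s|@@serverip@@|$serverip|
              s|@@firewallip@@|$firewallip|
              s|@@servername@@|$servername|g
              s|@@domainname@@|$domainname|" "$tpl" > "$conf"
    fi
  done

  # update apparmor profiles whose version stamp differs from the template's;
  # the previous profile is kept next to it as a backup
  for tpl in "$TPLDIR"/*.apparmor.d; do
    [ -e "$tpl" ] || continue   # unmatched glob
    conf="$(head -n 1 "$tpl" | cut -d' ' -f2)"
    [ -s "$conf" ] || continue
    tpl_ver="$(file_version "$tpl")"
    conf_ver="$(file_version "$conf")"
    # compare as strings: the stamps are file-derived text and must not be
    # handed to arithmetic evaluation (which [[ -ne ]] would do)
    if [[ "$conf_ver" != "$tpl_ver" ]]; then
      echo "Updating $(basename "$conf")."
      # backup suffix: the old stamp, or the run timestamp when the installed
      # profile carries none
      cp "$conf" "${conf}.${conf_ver:-$datestr}"
      cp "$tpl" "$conf"
      aa_reboot="yes"
    fi
  done
  if [[ "$aa_reboot" = "yes" ]]; then
    echo "You need to restart the server to apply the updated apparmor configuration."
  fi

  # enable ntp service, change firewall name to ip (#88)
  # systemd-timesyncd must not run next to the ntp daemon.  Older timedatectl
  # reported it as "... active: yes"; current releases print
  # "NTP service: active" -- match both so the check cannot silently become a
  # no-op.
  if timedatectl status | grep -qiE 'active: yes|NTP service: active'; then
    echo "Disabling timesyncd service."
    timedatectl set-ntp false
  fi
  # NOTE(review): the log directory owner and the restart at the end are
  # hard-coded to ntpsec although $ntpgrp is "ntp" on 22.04 -- confirm the
  # 22.04 path is still expected to work.
  ntp_logdir="/var/log/ntpsec"
  if [ ! -d "$ntp_logdir" ]; then
    mkdir -p "$ntp_logdir"
    chown ntpsec:ntpsec "$ntp_logdir"
    ntp_restart="yes"
  fi
  # only a unit reported as "inactive (dead)" is enabled and started; a
  # failed unit is left alone
  if systemctl status ntp | grep -qi 'inactive (dead)'; then
    echo "Enabling & starting ntp service."
    systemctl enable ntp.service
    systemctl start ntp.service
  fi
  # update ntp.conf when its version stamp differs from the template's
  tpl="$TPLDIR/ntp.conf"
  conf="$(head -n 1 "$tpl" | cut -d' ' -f2)"
  tpl_ver="$(file_version "$tpl")"
  conf_ver="$(file_version "$conf")"
  if [[ "$conf_ver" != "$tpl_ver" ]]; then
    # presumably the updater restarts the daemon itself, hence no extra
    # restart below -- TODO confirm
    linuxmuster-update-ntpconf
    ntp_restart="no"
  fi
  if [ "$ntp_restart" = "yes" ]; then
    systemctl restart ntpsec.service
  fi

 ;;

 abort-upgrade|abort-remove|abort-deconfigure)
  # nothing to undo here
 ;;

 *)
  echo "postinst called with unknown argument \`$1'" >&2
  exit 1
 ;;

esac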

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

# explicit success status for dpkg (set -e has already aborted on any failure)
exit 0
