#!/bin/bash
# postinst script for linuxmuster-ipfire
#
# thomas@linuxmuster.net
# 04.11.2015
# GPL v3
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
#


case "$1" in
    configure)

     MINCORE="94"
     echo "$MINCORE" > /var/lib/linuxmuster-ipfire/mincore

     MAXCORE="102"
     echo "$MAXCORE" > /var/lib/linuxmuster-ipfire/maxcore

     [ -e /usr/share/linuxmuster/config/dist.conf ] && . /usr/share/linuxmuster/config/dist.conf

     # do nothing if linuxmuster.net ist not yet installed
     [ -e "$INSTALLED" ] || exit 0

     . $HELPERFUNCTIONS
     SETUPSCRIPT="linuxmuster-ipfire --setup --first"

     if ! test_pwless_fw; then
      echo "You have to do first an initial setup of IPFire by inkoving"
      echo "# $SETUPSCRIPT"
      exit 0
     fi

     # test if firewall is IPFire, get current version
     ipfrel="$CACHEDIR/ipfire-release"
     if get_ipcop /etc/system-release "$ipfrel"; then
      curver="$(cat "$ipfrel" | awk '{ print $2 }')"
      curcore="$(cat "$ipfrel" | awk '{ print $5 }' | sed 's/core//')"
      echo "IPFire $curver core $curcore detected!"
      if [ "$curcore" -lt "$MINCORE" ]; then
       echo "### Your current IPFire core update level is less than $MINCORE!"
       echo "### Please upgrade your IPFire ASAP!"
       upgrade_needed="yes"
      fi
     else
      echo "This is probably not an IPFire firewall!"
      echo "Don't forget to invoke the setup script"
      echo "$SETUPSCRIPT"
      echo "later when IPFire is installed!"
      exit 0
     fi

     # test for ecdsa ssh key and upload it if necessary
     if ! exec_ipcop grep -q ^ecdsa-sha2-nistp256 /root/.ssh/authorized_keys; then
      echo -n "Uploading ecdsa key ... "
      ecdsakey="/root/.ssh/id_ecdsa"
      ecdsapubkey="$ecdsakey".pub
      [ -e "$ecdsakey" ] || ssh-keygen -N '' -q -t ecdsa -f "$ecdsakey"
      put_ipcop "$ecdsapubkey" "$ecdsapubkey"
      exec_ipcop "cat $ecdsapubkey >> /root/.ssh/authorized_keys"
      exec_ipcop "rm $ecdsapubkey"
      echo "Done!"
     fi

     # update linuxmuster.net scripts on IPFire
     echo -n "Uploading linuxmuster.net configuration scripts to IPFire ... "
     exec_ipcop /bin/rm -rf /var/linuxmuster ; RC="$?"
     put_ipcop /var/lib/linuxmuster-ipfire /var/linuxmuster ; [ "$?" != "0" ] && RC="$?"
     if [ "$RC" = "0" ]; then
      echo "Ok!"
     else
      echo "Failed!"
      exit 0
     fi

     # remove lan subnet from proxy acls
     subnets="/var/ipfire/proxy/advanced/acls/src_subnets.acl"
     if exec_ipcop /bin/grep -q "$internalnet" "$subnets"; then
      echo "Removing obsolete lan subnet from proxy acls."
      exec_ipcop /bin/sed "/^$internalnet/d" -i "$subnets"
     fi

     # repair ipfire path in ovpn.cnf (#200)
     ovpncnf="/var/ipfire/ovpn/openssl/ovpn.cnf"
     if exec_ipcop /bin/grep -q ipcop "$ovpncnf"; then
      echo "Fixing ifpire path in ovpn config."
      exec_ipcop /bin/sed -e "s/ipcop/ipfire/g" -i "$ovpncnf"
     fi

     # test for obsolete allowedmacs file
     # if present do the whole mac to ip stuff
     if [ -e "$CACHEDIR/allowedmacs" ]; then

      echo "Removing obsolete mac based firewall stuff."
      rm -f "$CACHEDIR/allowedmacs"

      # convert macs to ips for ip based external firewall
      searchstr="$(head -1 $BLOCKEDHOSTSINTERNET)"
      if validmac "$searchstr"; then
       echo "Converting blocked mac addresses to ips because external firewall has changed."
       macs="$(cat $BLOCKEDHOSTSINTERNET)"
       rm $BLOCKEDHOSTSINTERNET
       touch $BLOCKEDHOSTSINTERNET
       for i in $macs; do
        if validip "$i"; then
         echo "$i" >> $BLOCKEDHOSTSINTERNET
        else
         get_ip "$i"
         echo "$RET" >> $BLOCKEDHOSTSINTERNET
        fi
       done

       # remove banned mac files on ipfire
       bannedmac="/var/ipfire/proxy/advanced/acls/src_banned_mac.acl"
       exec_ipcop /bin/rm -f "$bannedmac"
       exec_ipcop /usr/bin/touch "$bannedmac"
       exec_ipcop /bin/chown nobody:nobody "$bannedmac"
      fi

     fi # allowed_macs

     # reload firewall
     if [ -z "$upgrade_needed" ]; then
      echo -n "Reloading firewall rules ... "
      if $SCRIPTSDIR/internet_on_off.sh &> /dev/null; then
       echo "Done!"
      else
       echo "Failed!"
      fi
     else
      echo "### Note: You have to run \"dpkg-reconfigure linuxmuster-ipfire\" after IPFire upgrade."
     fi
     ;;

    abort-upgrade|abort-remove|abort-deconfigure) ;;

    *)
     echo "postinst called with unknown argument \`$1'" >&2
     exit 1
     ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0
