#!/bin/bash
# postinst script 
#
# see: dh_installdeb(1)

#set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

#######################################
# Enable SSSD as an identity source and activate the PAM profiles.
# Globals:   none
# Arguments: none
# Outputs:   edits /etc/nsswitch.conf in place; pam-auth-update rewrites
#            /etc/pam.d/common-*
# Returns:   exit status of pam-auth-update (the nsswitch edits are not
#            checked)
#######################################
apply_settings()
{
    local nss_db

    # Append the "sss" source to the passwd and group databases unless the
    # line already contains the substring "sss". The match is a plain
    # substring test, so any source name containing "sss" counts as present.
    for nss_db in passwd group; do
        grep "^${nss_db}:.*sss.*" /etc/nsswitch.conf >/dev/null || \
            sed -i -e "s/^\(${nss_db}:.*\)/\1 sss/" /etc/nsswitch.conf
    done

    # Enable the "sss" and "cauth" PAM profiles. --force rewrites the
    # common-* files even when they carry local modifications, so manual
    # hardening of /etc/pam.d/common-* is replaced on every configure run.
    pam-auth-update --package sss cauth --force
}



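# Dispatch on the maintainer-script action dpkg passes as $1.
# Only `configure' does any work; every step in it is best effort (errors are
# swallowed with `|| true') so a partial failure does not abort the install.
case "$1" in
    configure)
        apply_settings || true

        # fix permissions for sssd stuff
        # NOTE(review): these run after unpack, so until this point each file
        # carries whatever mode the package shipped. Confirm that sssd.conf
        # and yandex-access.conf are already shipped restricted.
        chmod 0755 /etc/cauth
        chmod 0600 /etc/sssd/sssd.conf
        chmod 0644 /etc/ldap/certs/cafile.pem
        chmod 0600 /etc/security/yandex-access.conf

        # Provide /sbin/nologin so that accounts using it as their login
        # shell keep working (CAUTH-1194).
        if [ ! -e /sbin/nologin ]; then
            # Resolve the binary first: with an empty result `ln' would get a
            # single operand and create a dangling ./nologin link in the
            # current directory instead of /sbin/nologin.
            nologin_path=$(command -v nologin) || nologin_path=
            if [ -n "$nologin_path" ]; then
                ln -sf -- "$nologin_path" /sbin/nologin || true
            fi
        fi

        # In case this system is running systemd, we need to ensure that all
        # necessary tmpfiles (if any) are created before starting.
        if [ -d /run/systemd/system ] ; then
            systemd-tmpfiles --create /usr/lib/tmpfiles.d/sssd.conf >/dev/null || true
        else
            cp -f /usr/share/yandex-cauth/yandex-cauth.conf /etc/init/yandex-cauth.conf
            # This directory becomes the SSSD cache location via the symlink
            # created below.
            # NOTE(review): 0770 grants group access to the cache directory;
            # confirm that is intended rather than 0700.
            mkdir -p -m0770 /var/run/sssd || true
        fi

        # SSSD cache MUST be placed to RAM (tmpfs)
        # to work properly under heavy IO loads
        service sssd stop || true
        # Removes every *.ldb file in /dev/shm, whoever created it.
        rm -f /dev/shm/*.ldb || true
        # Drop the on-disk cache and point the path at the runtime directory.
        # If /var/run/sssd was not created above, the link is left dangling
        # and no error is reported.
        rm -rf /var/lib/sss/db || true
        ln -sfT /var/run/sssd /var/lib/sss/db || true
        service sssd start || true

        # patching sshd_config before first agent.sh run
        /usr/sbin/cauth-patch-sshd.sh || true

        # run agent.sh in case we are passing server setup process
        /usr/sbin/agent.sh || true

        # regenerate monrun tasks if monrun installed
        if [ -x /usr/sbin/regenerate-monrun-tasks ]; then
            /usr/sbin/regenerate-monrun-tasks || true
        fi

        # clean old files from other cauth packages
        rm -f /etc/sudoers.d/cauth /etc/sudoers.d/yandex-search-cauth-serveradmins /etc/cron.d/cauth-client-scripts || true
        rm -rf /etc/cauth/spool || true
    ;;

    # Nothing to roll back for the abort-* actions.
    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac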

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

# Explicit success status for dpkg when control reaches the end of the script.
exit 0

