#!/bin/bash
# postinst script 
#
# see: dh_installdeb(1)

# Abort on the first unhandled command failure. errexit is not in effect for
# commands run on the left of `||` (including the body of a function called
# that way), which is how the configure steps below are invoked.
set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

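#######################################
# Apply this package's host baseline by editing system configuration in
# place: /etc/legal, PAM, cron.allow, /etc/environment, nsswitch, the fstrim
# cron job, /etc/group, postfix, /etc/aliases, rcS, grub, mdadm, /etc/mtab,
# core limits, login.defs, sshd_config, ssh_config, the /place directories
# and the relocation of /var/tmp.
# Globals:   _my_fqdn, _my_postfix_cf, _my_root_mail (written, not local)
# Arguments: none
# Returns:   status of the last command executed. The function is invoked on
#            the left of `||` in this script, so `set -e` is not in effect
#            inside it: a failing step does not stop the following ones.
#            Destructive sequences are therefore chained with `&&` explicitly.
#######################################
apply_settings()
{
    # empty /etc/legal
    : > /etc/legal


    # patch PAM settings
    pam-auth-update --package yandex-search-common-settings


    # we do not allow users crontab, so disable it with empty cron.allow
    # NOTE(review): touch only creates the file when it is missing; an
    # existing cron.allow keeps whatever entries it already has.
    touch /etc/cron.allow


    # set up environment
    grep -q "TMPDIR" /etc/environment || \
        echo "TMPDIR=/var/tmp" >> /etc/environment

    # disable nis: resolve netgroups from local files only
    test -f /etc/nsswitch.conf && sed -i 's/netgroup:.*/netgroup:       files/' /etc/nsswitch.conf


    # disable fstrim-all
    # replace /etc/cron.weekly/fstrim with stub as it is a conffile for package util-linux and we use --force-confold for install/update
    test -f /etc/cron.weekly/fstrim && cat <<EOF > /etc/cron.weekly/fstrim
#!/bin/sh
# disabled due to HOSTMAN-1039, SPI-24922
EOF


    # add wheel group
    # NOTE(security): the group is created with GID 0, i.e. it shares root's
    # group id; anything that adds members to wheel grants them root-group
    # file access.
    if ! getent group wheel >/dev/null ; then
        sed -i -e "s/\(^root:x:0:.*\)/\\1\nwheel:x:0:/" /etc/group
    fi


    # setup host-specific configs
    _my_fqdn=$(uname -n)
    _my_postfix_cf="/etc/postfix/main.cf"
    _my_root_mail="root-search@yandex-team.ru"

    #postfix
    # The node name is interpolated into the sed replacement unescaped; this
    # assumes it contains no `/` or `&`.
    if [ -n "${_my_fqdn}" ] ; then
        echo "${_my_fqdn}" > /etc/mailname
        sed -i "s/%%HOSTNAME%%/${_my_fqdn}/g" "${_my_postfix_cf}"
        sed -i "s/myhostname =.*/myhostname = ${_my_fqdn}/g" "${_my_postfix_cf}"
        sed -i "s/mydestination =.*/mydestination = ${_my_fqdn}, localhost/g" "${_my_postfix_cf}"
    fi

    if grep -q "relayhost.*=" "${_my_postfix_cf}" ; then
        sed -i "s/relayhost.*=.*/relayhost = outbound-relay.yandex.net/" "${_my_postfix_cf}"
    else
        echo "relayhost = outbound-relay.yandex.net" >> "${_my_postfix_cf}"
    fi

    grep -q "^root.*:.*yandex.*" /etc/aliases || \
        ( echo "root: ${_my_root_mail}" >> /etc/aliases ; newaliases )


    # enable autofix filesystems if unclean mount was detected
    grep -q "^FSCKFIX.*=.*yes" /etc/default/rcS || \
        (sed -i -r -e "/.*FSCKFIX.*/d" /etc/default/rcS ;echo "FSCKFIX=yes" >> /etc/default/rcS)


    # tune grub
    sed -i -r -e "/.*GRUB_HIDDEN_TIMEOUT.*/d" /etc/default/grub

    sed -i -r -e "s/ quiet//" /etc/default/grub

    grep -q "^GRUB_TIMEOUT=5" /etc/default/grub || \
        (sed -i -r -e "/.*GRUB_TIMEOUT.*=/d" /etc/default/grub ; echo "GRUB_TIMEOUT=5" >> /etc/default/grub)

    grep -q "^GRUB_TERMINAL=console" /etc/default/grub || \
        (sed -i -r -e "/.*GRUB_TERMINAL.*=/d" /etc/default/grub ; echo "GRUB_TERMINAL=console" >> /etc/default/grub)

    grep -q "^GRUB_RECORDFAIL_TIMEOUT=2" /etc/default/grub || \
        (sed -i -r -e "/.*GRUB_RECORDFAIL_TIMEOUT.*=/d" /etc/default/grub ;  echo "GRUB_RECORDFAIL_TIMEOUT=2" >> /etc/default/grub)

    grep -q "GRUB_CMDLINE_LINUX_DEFAULT=.*consoleblank=0" /etc/default/grub || \
        sed -i -r -e "s/GRUB_CMDLINE_LINUX_DEFAULT=\"/GRUB_CMDLINE_LINUX_DEFAULT=\"consoleblank=0 /" /etc/default/grub


    # tune mdadm
    if [ -f /etc/initramfs-tools/conf.d/mdadm ] ; then
        grep -q "^BOOT_DEGRADED=true" /etc/initramfs-tools/conf.d/mdadm || \
            sed -i -r -e "s/.*BOOT_DEGRADED=.*/BOOT_DEGRADED=true/" /etc/initramfs-tools/conf.d/mdadm
    else
        echo "BOOT_DEGRADED=true" > /etc/initramfs-tools/conf.d/mdadm
    fi

    grep -q "^AUTOCHECK=false" /etc/default/mdadm || \
        sed -i -r -e "s/.*AUTOCHECK.*=.*/AUTOCHECK=false/" /etc/default/mdadm

    grep -q "^MAILADDR.*yandex.*" /etc/mdadm/mdadm.conf || \
        sed -i "s/^MAILADDR.*/MAILADDR ${_my_root_mail}/g" /etc/mdadm/mdadm.conf


    # symlinks for mtab
    ln -sf /proc/self/mounts /etc/mtab


    # allow cores: the soft limit stays 0, the hard limit is unlimited, so a
    # process gets core dumps only after raising its own soft limit.
    # NOTE(security): core files can contain secrets held in process memory.
    grep -q "soft core" /etc/security/limits.conf || \
        echo '* soft core 0' >> /etc/security/limits.conf

    grep -q "hard core" /etc/security/limits.conf || \
        echo '* hard core unlimited' >> /etc/security/limits.conf


    # increase login timeout
    sed -i 's/LOGIN_TIMEOUT.*60/LOGIN_TIMEOUT 180/' /etc/login.defs


    # tune sshd_config
    # NOTE(security): "without-password" keeps key-based root login enabled
    # and only forbids password login for root; newer OpenSSH releases spell
    # the same value "prohibit-password".
    sed -i -e "s/^PermitRootLogin.*/PermitRootLogin without-password/" /etc/ssh/sshd_config
    sed -i -e "s/^#PermitRootLogin.*/PermitRootLogin without-password/" /etc/ssh/sshd_config
    sed -i -e "s/.*MaxStartups .*/MaxStartups 100/" /etc/ssh/sshd_config
    sed -i -e "s/LogLevel.*/LogLevel VERBOSE/" /etc/ssh/sshd_config
    sed -i -e "s/^#LogLevel.*/LogLevel VERBOSE/" /etc/ssh/sshd_config
    # disable password authentication, see HOSTMAN-530 for details
    sed -i -e "s/^PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
    sed -i -e "s/^#PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
    # Append the directive when neither sed above produced it, so the
    # hardening does not depend on the stock file's layout.
    if ! grep -q  '^PasswordAuthentication no$' /etc/ssh/sshd_config
    then
        echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
    fi


    # tune ssh_config (system-wide defaults for the ssh client)
    # NOTE(security): StrictHostKeyChecking no together with both known-hosts
    # files pointed at /dev/null means outbound SSH from this host never
    # verifies or remembers server host keys, so a machine-in-the-middle goes
    # unnoticed. ForwardAgent yes as a global default exposes the user's agent
    # on every host connected to. RhostsRSAAuthentication and
    # RSAAuthentication are SSH protocol 1 options. These values are kept as
    # the package's existing policy; review whether they can be scoped to
    # specific Host blocks instead of the global default.
    sed -i -e "s/.* ForwardAgent .*/    ForwardAgent yes/" /etc/ssh/ssh_config
    sed -i -e "s/.* RhostsRSAAuthentication .*/    RhostsRSAAuthentication yes/" /etc/ssh/ssh_config
    sed -i -e "s/.* RSAAuthentication .*/    RSAAuthentication no/" /etc/ssh/ssh_config
    sed -i -e "s/.* StrictHostKeyChecking .*/    StrictHostKeyChecking no/" /etc/ssh/ssh_config

    if grep -q UserKnownHostsFile /etc/ssh/ssh_config; then
        sed -i -e "s/.* UserKnownHostsFile .*/    UserKnownHostsFile \/dev\/null/" /etc/ssh/ssh_config
    else
        echo '    UserKnownHostsFile /dev/null' >> /etc/ssh/ssh_config
    fi

    if grep -q GlobalKnownHostsFile /etc/ssh/ssh_config; then
        sed -i -e "s/.* GlobalKnownHostsFile .*/    GlobalKnownHostsFile \/dev\/null/" /etc/ssh/ssh_config
    else
        echo '    GlobalKnownHostsFile /dev/null' >> /etc/ssh/ssh_config
    fi

    if grep -q LogLevel /etc/ssh/ssh_config; then
        sed -i -e "s/.* LogLevel .*/    LogLevel info/" /etc/ssh/ssh_config
    else
        echo '    LogLevel info' >> /etc/ssh/ssh_config
    fi


    # force correct permissions for dirs in /place
    # /place/coredumps is world-writable with the sticky bit (1777).
    install -d -m1777 /place/coredumps
    install -d -m0775 /place/berkanavt
    install -d -m0775 /place/db


    # move /var/tmp to /place/vartmp
    # Each step runs only if the previous one succeeded: errexit is not active
    # here, and an unconditional `rm -rf /var/tmp` after a failed move would
    # destroy the files that were not moved.
    if [ ! -L /var/tmp ] && [ -d /place ] ; then
        if [ ! -d /place/vartmp/ ] ; then
            mv /var/tmp /place/vartmp \
                && chmod 1777 /place/vartmp \
                && ln -sf /place/vartmp /var/tmp
        else
            chmod 1777 /place/vartmp
            # find instead of a /var/tmp/* glob: also moves dotfiles and
            # succeeds when the directory is empty.
            find /var/tmp -mindepth 1 -maxdepth 1 -exec mv -t /place/vartmp/ -- {} + \
                && rm -rf /var/tmp \
                && ln -sf /place/vartmp /var/tmp
        fi
    fi
}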

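# Dispatch on the maintainer-script action passed as $1.
case "$1" in
    configure)
        # Every step is best-effort: a failure never fails the package
        # configuration, but it is reported on stderr instead of being
        # dropped silently. The trailing `|| true` keeps errexit from firing
        # if the message itself cannot be written.
        # NOTE: apply_settings returns only the status of its last command,
        # so silence here does not prove that every setting was applied.
        apply_settings \
            || echo "postinst: apply_settings returned non-zero, settings may be incomplete" >&2 \
            || true
        service ssh restart \
            || echo "postinst: 'service ssh restart' failed" >&2 \
            || true
        service postfix restart \
            || echo "postinst: 'service postfix restart' failed" >&2 \
            || true
        update-initramfs -u \
            || echo "postinst: 'update-initramfs -u' failed" >&2 \
            || true
        update-grub \
            || echo "postinst: 'update-grub' failed" >&2 \
            || true
    ;;

    # Nothing to undo for the abort-* actions.
    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac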

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

# Reached after a handled action (configure or one of the abort-* cases);
# report success to the caller.
exit 0

