/
privacyidea-apache2.postinst
197 lines (169 loc) · 6.14 KB
/
privacyidea-apache2.postinst
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
#!/bin/sh
# see: dh_installdeb(1)
# OS level
set -e
# source debconf library
. /usr/share/debconf/confmodule
# Source dbconfig-common functions
if [ -f /usr/share/dbconfig-common/dpkg/postinst.pgsql ]; then
. /usr/share/dbconfig-common/dpkg/postinst.pgsql
fi
USERNAME=privacyidea
CERTDAYS=1095
CERTKEYSIZE=4096
MYSQLFIX=/etc/mysql/conf.d/pi-maxkeylengthfix.cnf
if test -f /etc/default/privacyidea; then
. /etc/default/privacyidea
# If the daemon user was changed,
# we set other access rights
USERNAME=$USER
fi
create_user() {
useradd -r $USERNAME -m || true
}
create_files() {
mkdir -p /var/log/privacyidea
mkdir -p /var/lib/privacyidea
mkdir -p /etc/privacyidea/scripts
touch /var/log/privacyidea/privacyidea.log
/opt/privacyidea/bin/pi-manage create_enckey || true > /dev/null
/opt/privacyidea/bin/pi-manage create_tables || true > /dev/null
#/opt/privacyidea/bin/pi-manage createdb || true > /dev/null
/opt/privacyidea/bin/pi-manage create_audit_keys || true > /dev/null
chown -R $USERNAME /var/log/privacyidea
chown -R $USERNAME /var/lib/privacyidea
chown -R $USERNAME /etc/privacyidea
chmod 600 /etc/privacyidea/enckey
chmod 600 /etc/privacyidea/private.pem
# we need to change access right, otherwise each local user could call
# pi-manage
chgrp root /etc/privacyidea/pi.cfg
chmod 640 /etc/privacyidea/pi.cfg
}
create_certificate() {
if [ ! -e /etc/privacyidea/server.pem ]; then
# This is the certificate when running with paster...
cd /etc/privacyidea
openssl genrsa -out server.key $CERTKEYSIZE
openssl req -new -key server.key -out server.csr -subj "/CN=privacyidea"
openssl x509 -req -days $CERTDAYS -in server.csr -signkey server.key -out server.crt
cat server.crt server.key > server.pem
rm -f server.crt server.key
chown privacyidea server.pem
chmod 400 server.pem
fi
if [ ! -e /etc/ssl/certs/privacyideaserver.pem ]; then
# This is the certificate when running with apache or nginx
KEY=/etc/ssl/private/privacyideaserver.key
CSR=`mktemp`
CERT=/etc/ssl/certs/privacyideaserver.pem
openssl genrsa -out $KEY $CERTKEYSIZE
openssl req -new -key $KEY -out $CSR -subj "/CN=`hostname`"
openssl x509 -req -days $CERTDAYS -in $CSR -signkey $KEY -out $CERT
rm -f $CSR
chmod 400 $KEY
fi
}
adapt_pi_cfg() {
if [ -z "$(grep '^PI_PEPPER' /etc/privacyidea/pi.cfg)" ]; then
# PEPPER does not exist, yet
PEPPER="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
echo "PI_PEPPER = '$PEPPER'" >> /etc/privacyidea/pi.cfg
fi
if [ -z "$(grep '^SECRET_KEY' /etc/privacyidea/pi.cfg)" ]; then
# SECRET_KEY does not exist, yet
SECRET="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
echo "SECRET_KEY = '$SECRET'" >> /etc/privacyidea/pi.cfg
fi
if [ -n "$(grep '^SQLALCHEMY_DATABASE_URI\s*=\s*.mysql:.*$' /etc/privacyidea/pi.cfg)" ]; then
# We found an old mysql config file
sed -i -e s/"\(^SQLALCHEMY_DATABASE_URI\s*=\s*.\)mysql:\(.*\)$"/"\1mysql+pymysql:\2"/g /etc/privacyidea/pi.cfg
echo "# The SQLALCHEMY_DATABASE_URI was updated during the update to privacyIDEA 3.2" >> /etc/privacyidea/pi.cfg
fi
}
create_database() {
# Create the file with the MySQL Barracuda fix, if it does not exist
if [ ! -f $MYSQLFIX ]; then
printf "[mariadb]\ninnodb_large_prefix=on\ninnodb_file_format=Barracuda\n" > /etc/mysql/conf.d/pi-maxkeylengthfix.cnf
systemctl restart mysql
fi
# create the MYSQL database
if [ !$(grep "^SQLALCHEMY_DATABASE_URI" /etc/privacyidea/pi.cfg || true) ]; then
USER=$(grep "^user" /etc/mysql/debian.cnf | sort -u | awk '{print $3}')
PASSWORD=$(grep "^password" /etc/mysql/debian.cnf | sort -u | awk '{print $3}')
NPW="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c12)"
mysql -u $USER --password=$PASSWORD -e "create database pi;" || true
mysql -u $USER --password=$PASSWORD -e "create user 'pi'@'localhost' IDENTIFIED BY '$NPW';"
mysql -u $USER --password=$PASSWORD -e "grant all privileges on pi.* to 'pi'@'localhost';"
echo "SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://pi:$NPW@localhost/pi?charset=utf8'" >> /etc/privacyidea/pi.cfg
echo "DB created"
fi
}
enable_apache() {
a2enmod wsgi headers ssl rewrite
if [ ! -h /etc/apache2/sites-enabled/privacyidea.conf ]; then
rm -f /etc/apache2/sites-enabled/*
a2ensite privacyidea
ln -s /etc/ssl/certs/privacyideaserver.pem /etc/ssl/certs/privacyidea-bundle.crt || true
ln -s /etc/ssl/private/privacyideaserver.key /etc/ssl/private/privacyidea.key || true
fi
if [ ! -h /etc/apache2/sites-enabled/privacyidea-venv.conf ]; then
a2ensite privacyidea-venv
fi
}
update_db() {
# Upgrade the database
/opt/privacyidea/bin/privacyidea-schema-upgrade /opt/privacyidea/lib/privacyidea/migrations > /dev/null
}
create_gpg() {
if [ "jammy" = $(lsb_release -cs) ] && [ -n $(pgrep rngd) ]; then
echo "killing rngd process..."
killall -9 rngd || true
fi
mkdir -p /etc/privacyidea/gpg
rngd -r /dev/urandom
/opt/privacyidea/bin/pi-manage create_pgp_keys || true
chown -R $USERNAME /etc/privacyidea/gpg
killall -9 rngd
}
set_path() {
# Allow pi-manage to be called from everywhere
ln -sf /opt/privacyidea/bin/pi-manage /usr/bin/
ln -sf /opt/privacyidea/bin/privacyidea-diag /usr/bin/
ln -sf /opt/privacyidea/bin/privacyidea-token-janitor /usr/bin/
}
case "$1" in
configure)
export PATH=$PATH:/opt/privacyidea/bin
create_user
adapt_pi_cfg
create_database
enable_apache
create_files
create_certificate
#update-rc.d apache2 defaults
service apache2 restart
if [ -z "$2" ]; then
# We are in the install step
# So we stamp the DB
touch /tmp/pi-install
/opt/privacyidea/bin/pi-manage db stamp -d /opt/privacyidea/lib/privacyidea/migrations/ head
else
# We are in an update step
touch /tmp/pi-upgrade
update_db
fi
create_gpg
set_path
;;
abort-upgrade|abort-remove|abort-deconfigure)
exit 0
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
#DEBHELPER#
db_stop
exit 0