#!/bin/bash
set -e
# Read the commandline options
# Only 'configure' is handled with processing, other actions
# are ignored for now
ACTION=${1}
ARG_VERSION=${2}
# Local variables
APACHE_USER="www-data";
APACHE_CONF_DIR="/etc/apache2";
APACHE_WWW_DIR="/var/www";
SEARCH_SSL_CONF_PATH="${APACHE_CONF_DIR}/sites-available/search.dataone.org-ssl.conf";
SSL_CERT_PATH="/etc/ssl/certs/_.dataone.org.crt";
SSL_KEY_PATH="/etc/ssl/private/_.dataone.org.key";
SSL_INTCERT_PATH="/etc/ssl/certs/geotrust_intermediate.crt";
D1_LOG_DIR="/var/log/dataone";
D1_LOG_FILE="dataone-search-ui.install.log";
FQDN=$(hostname -f);
TEST_ENV="false";
if [[ FQDN =~ "test" ]]; then
let TEST_ENV="true";
fi
# logError()
# redirect stdout to stderr
function logError()
{
echo -e "$@" 1>&2
}
# log()
# append stdout to a logfile
function log()
{
#
# Set Up logging
# Reminder: don't echo to stdout, it messes up debconf
#
if [ ! -e ${D1_LOG_DIR} ]; then
mkdir -p ${D1_LOG_DIR}
chown www-data:ssl-cert ${D1_LOG_DIR}
fi
now=$(date "+%Y-%m-%d %H:%M:%S %Z: ")
echo -e "${now} postinst $@" >> ${D1_LOG_DIR}/${D1_LOG_FILE}
}
# configure_firewall()
# Configure the UFW firewall to open HTTP/S
function configure_firewall() {
log "configure_firewall() called.";
ufw allow ssh;
ufw allow http;
ufw allow https;
ufw --force enable;
}
# verify_ssl_configuration()
# Ensure SSL certs/key are in place
function verify_ssl_configuration() {
log "verify_ssl_configuration() called.";
let verified=0;
# Switch to verifying test certs in test environments
if [[ "${TEST_ENV}" == "true" ]]; then
SSL_KEY_PATH="/etc/ssl/private/_.test.dataone.org.key";
SSL_CERT_PATH="/etc/ssl/certs/_.test.dataone.org.crt";
fi
# Missing the SSL server key?
if [[ ! -e ${SSL_KEY_PATH} ]]; then
log "The expected SSL key file ${SSL_KEY_PATH} is missing.";
verified=1;
else
chmod go-rwx ${SSL_KEY_PATH}; # Ensure the key is private
chmod u-wx ${SSL_KEY_PATH}; # Ensure the key is read-only
fi
# Missing the SSL server cert?
if [[ ! -e ${SSL_CERT_PATH} ]]; then
log "The expected SSL cert file ${SSL_CERT_PATH} is missing.";
verified=1;
fi
# Missing the SSL intermediate servers cert?
if [[ ! -e ${SSL_INTCERT_PATH} ]]; then
log "The expected SSL intermediate cert file ${SSL_INTCERT_PATH} is missing.";
verified=1;
else
c_rehash $(dirname ${SSL_CERT_PATH}); # Index the certs directory
fi
if [[ ! verified ]]; then
echo -e \
"SSL configuration error: \nPlease ensure the following files are in place and have correct permissions:\n${SSL_KEY_PATH}\n${SSL_CERT_PATH}\n${SSL_INTCERT_PATH}";
fi
verified; # Return the verified value as an exit code
}
# enable_apache_modules()
# Enable Apache modules needed for the installation
function enable_apache_modules() {
log "enable_apache_modules() called.";
a2enmod headers;
a2enmod proxy;
a2enmod proxy_http;
a2enmod ssl;
}
# configure_servername()
# Configure the Apache virtual host name based on the system hostname
function configure_servername() {
sed -i.bak -e 's/HOSTNAME/${FQDN}/' SEARCH_SSL_CONF_PATH;
}
# main()
# simulate a main function
function main() {
log "dataone-search-ui.postinst called with action: ${ACTION} and version: ${ARG_VERSION}"
case "${ACTION}" in
abort-remove)
log "Removal aborted."
;;
abort-upgrade)
log "Upgrade aborted."
;;
abort-deconfigure)
log "Deconfigure aborted."
;;
configure)
log "Configure called."
if [ -z "$ARG_VERSION" ]; then
FIRSTINST="yes"
else
UPGRADE="yes"
fi
if [[ "${FIRSTINST}" == "yes" ]]; then
configure_firewall
verify_ssl_configuration
enable_apache_modules
configure_server_name
else
# Handle upgrade tasks here
fi
;;
esac
exit 0
}
# Entry point: Call the main function
main