#! /bin/bash

#   Copyright (c) 1999-2001  Jason Gunthorpe <jgg@debian.org>
#   Copyright (c) 2002-2003,2006  Ryan Murray <rmurray@debian.org>
#   Copyright (c) 2004-2005  Joey Schulze <joey@infodrom.org>
#   Copyright (c) 2008,2011 Peter Palfrader <peter@palfrader.org>
#   Copyright (c) 2008 Stephen Gran <sgran@debian.org>
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

set -e

# Without effect on the commandline
if [ -z "$TERM" -o "$TERM" = "dumb" ]
then
    exec > /dev/null 2>&1
    sleep $(( $RANDOM % 120 ))
else
    verbose=-v
fi

tempdir=''
tempfile=''
tempfile2=''

cleanup ()
{
  rm -f lock
  rm -rf $tempdir
  rm -f  $tempfile
  rm -f  $tempfile2
}

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
export PATH
HOST=`hostname -f`
SYNCHOST=`ud-config synchost`;
LOCALSYNCON=`ud-config localsyncon`;
EMAILAPPEND=`ud-config emailappend`;
cd /tmp/
cd /var/lib/misc || cd /var/state/glibc/ || cd /var/db/
lockfile -r 1 -l 3600 lock
trap cleanup exit

case $HOST in
$LOCALSYNCON)
    udhost=
    ;;
*)
    udhost="sshdist@$SYNCHOST:"
    ;;
esac

tempfile=$(mktemp)
tempfile2=$(mktemp)

if [ -e /var/lib/misc/thishost/dns-sshfp ]; then
  cp /var/lib/misc/thishost/dns-sshfp $tempfile
fi

if [ -e /var/lib/misc/thishost/dns-zone ]; then
  cp /var/lib/misc/thishost/dns-zone $tempfile2
fi

rsync ${verbose} --delete-after --times -e 'ssh -i /etc/ssh/ssh_host_rsa_key -o ControlPath=/var/run/.ud-replicate.ssh.socket -o ControlMaster=auto -o ControlPersist=2h -o BatchMode=yes' -rp "${udhost}/var/cache/userdir-ldap/hosts/$HOST" .

makedb "$HOST/passwd.tdb" -o passwd.db.t
if [ -s "$HOST/shadow.tdb" ]
then
    (umask 027 && makedb "$HOST/shadow.tdb" -o shadow.db.t)
    chown root.shadow shadow.db.t
    chmod 0640 shadow.db.t
    mv -f shadow.db.t shadow.db
fi
makedb "$HOST/group.tdb" -o group.db.t
mv -f passwd.db.t passwd.db
mv -f group.db.t group.db
if [ -e "$HOST/ssh-rsa-shadow" ]; then
	ln -sf $HOST/ssh-rsa-shadow .
	ln -sf `pwd -P`/ssh-rsa-shadow /etc/ssh
else
	rm -f ssh-rsa-shadow /etc/ssh/ssh-rsa-shadow
fi
ln -sf $HOST/ssh_known_hosts .
ln -sf `pwd -P`/ssh_known_hosts /etc/ssh

if [ -e ${HOST}/ssh-keys.tar.gz ]; then
  export TMPDIR='/tmp/'
  tempdir=$(mktemp -d)
  tar -C "$tempdir" -xf ${HOST}/ssh-keys.tar.gz
  mkdir -p userkeys
  chmod 755 $tempdir
  rsync -a --delete-after $tempdir/ userkeys/
fi

if [ -e ${HOST}/web-passwords ]; then
	chown root:www-data ${HOST}/web-passwords
	chmod 0640 ${HOST}/web-passwords
fi

CHROOTS=""
if [ -x /usr/bin/dchroot ]; then
	CHROOTS=`dchroot --listpaths`
elif [ -x /usr/bin/dchroot-dsa ]; then
	CHROOTS=$(dchroot-dsa -i | grep Location | awk '{print $2}')
fi
if [ -n "$CHROOTS" ]; then
	for c in $CHROOTS; do
		if [ "$c" = "/" ] || [ "$c" = "" ]; then
			echo "$0 WTF: \$c is '' or '/' here." 2>&1
			exit 1
		fi
		if [ -x "$c/usr/bin/makedb" ]
		then
			mkdir -p "$c/var/lib/misc/$HOST"

			# remove extra stuff from earlier times and so
			find "$c/var/lib/misc/$HOST" -mindepth 1 \
				! -name group.tdb -a \
				! -name passwd.tdb -a \
				! -name ssh_known_hosts \
				-print0 | xargs --no-run-if-empty -0 rm -f
			rsync -a ${verbose} $HOST/group.tdb $HOST/passwd.tdb $HOST/ssh_known_hosts "$c/var/lib/misc/$HOST"

			# clean up from the times we supposedly did shadow stuff in chroots
			rm -f "$c/var/lib/misc/shadow.db"

			# from failed makedb runs earlier.
			rm -f "$c/var/lib/misc/passwd.db.t" \
			      "$c/var/lib/misc/group.db.t"
			# build passwd information
			chroot "$c" makedb "/var/lib/misc/$HOST/passwd.tdb" -o /var/lib/misc/passwd.db.t
			chroot "$c" makedb "/var/lib/misc/$HOST/group.tdb" -o /var/lib/misc/group.db.t
			mv -f "$c/var/lib/misc/passwd.db.t" "$c/var/lib/misc/passwd.db"
			mv -f "$c/var/lib/misc/group.db.t" "$c/var/lib/misc/group.db"

			ln -sf "$HOST/ssh_known_hosts" "$c/var/lib/misc/"
			if [ -d "$c/etc/ssh" ]; then
				ln -sf ../../var/lib/misc/ssh_known_hosts "$c/etc/ssh"
			elif [ -L "$c/etc/ssh" ] && [ "`readlink \"$c/etc/ssh\"`" = "../../var/lib/misc/ssh_known_hosts" ]; then
				# clean up past mistakes
				rm -f "$c/etc/ssh"
			fi
		fi
	done
fi

if [ -d "/etc/exim4" -a -e "$HOST/bsmtp" ]; then
	if perl -e 'exit !((stat "/etc/exim4/bsmtp")[9] < time()-3600)'; then
		cp "$HOST/bsmtp" /etc/exim4/bsmtp
	fi
fi
if [ -d "/etc/postfix" -a -f "$HOST/forward-alias" ]; then
	sed -e "s/:/@$EMAILAPPEND/" $HOST/forward-alias > /etc/postfix/debian
	/usr/sbin/postmap hash:/etc/postfix/debian < /etc/postfix/debian || true
fi

rebuild_zones=0
if [ -e /var/lib/misc/thishost/dns-sshfp ]; then
  if ! cmp -s /var/lib/misc/thishost/dns-sshfp "$tempfile"; then
    rebuild_zones=1
  fi
fi

if [ -e /var/lib/misc/thishost/dns-zone ]; then
  if ! cmp -s /var/lib/misc/thishost/dns-zone "$tempfile2"; then
    rebuild_zones=1
  fi
fi

if [ "${rebuild_zones}" -gt 0 ]; then
  sudo -u dnsadm /srv/dns.debian.org/bin/update
fi

if [ -d "/etc/freeradius" -a -e "$HOST/rtc-passwords" ]; then
	if ! cmp -s "$HOST/rtc-passwords" /var/local/rtc-passwords.freerad; then
		install -o freerad -g freerad -m 400 "$HOST/rtc-passwords" /var/local/rtc-passwords.freerad
		service freeradius reload
	fi
fi
if [ -d "/etc/reTurn" -a -e "$HOST/rtc-passwords" ]; then
	if ! cmp -s "$HOST/rtc-passwords" /var/local/rtc-passwords.return; then
		install -o return -g return -m 400 "$HOST/rtc-passwords" /var/local/rtc-passwords.return
		service resiprocate-turn-server reload
	fi
fi
if [ -d "/etc/prosody" -a -e "$HOST/rtc-passwords" ]; then
	if ! cmp -s "$HOST/rtc-passwords" /var/local/rtc-passwords.prosody; then
		install -o prosody -g prosody -m 400 "$HOST/rtc-passwords" /var/local/rtc-passwords.prosody
		service prosody reload
	fi
fi
