authorRob Austein <sra@hactrn.net>2016-02-15 07:51:40 +0000
committerRob Austein <sra@hactrn.net>2016-02-15 07:51:40 +0000
commitdef95e42fda9a9e45bdf4f40a6ecb93b644dbf0b (patch)
tree1505c5859484053e8a120acaef60869389d3d901 /buildtools/debian-skeleton
parent21527a93bf51875473bc29698189e9e9540aee1b (diff)
Checkpoint while shuffling stuff around for new installation scheme.
Installation of everything but Debian packages is probably broken, and Debian packages are too at the moment due to (probably) minor errors in buildtools/debian-skeleton, but enough has changed that this really needs a snapshot checked in for backup. svn path=/branches/tk705/; revision=6257
Diffstat (limited to 'buildtools/debian-skeleton')
-rw-r--r--buildtools/debian-skeleton/rpki-ca.install1
-rw-r--r--buildtools/debian-skeleton/rpki-ca.postinst57
-rw-r--r--buildtools/debian-skeleton/rpki-ca.postrm8
-rw-r--r--buildtools/debian-skeleton/rpki-ca.prerm42
-rw-r--r--buildtools/debian-skeleton/rpki-rp.install2
-rw-r--r--buildtools/debian-skeleton/rpki-rp.postinst72
-rw-r--r--buildtools/debian-skeleton/rpki-rp.postrm7
-rw-r--r--buildtools/debian-skeleton/rpki-rp.prerm15
8 files changed, 77 insertions, 127 deletions
diff --git a/buildtools/debian-skeleton/rpki-ca.install b/buildtools/debian-skeleton/rpki-ca.install
index ffae5103..90f4eecf 100644
--- a/buildtools/debian-skeleton/rpki-ca.install
+++ b/buildtools/debian-skeleton/rpki-ca.install
@@ -1,4 +1,3 @@
-etc/rpki/rpki-confgen.xml
usr/lib/rpki
usr/sbin
usr/share/rpki
diff --git a/buildtools/debian-skeleton/rpki-ca.postinst b/buildtools/debian-skeleton/rpki-ca.postinst
index 18fef863..9bd1f96d 100644
--- a/buildtools/debian-skeleton/rpki-ca.postinst
+++ b/buildtools/debian-skeleton/rpki-ca.postinst
@@ -5,51 +5,25 @@
set -e
-setup_rpkid_user() {
- if ! getent passwd rpkid >/dev/null
- then
- useradd -g rpkid -M -N -d /nonexistent -s /sbin/nologin -c "RPKI certification authority engine(s)" rpkid
- fi
-}
-
-setup_rpkid_group() {
- if ! getent group rpkid >/dev/null
- then
- groupadd rpkid
- fi
-}
-
setup_apache() {
/usr/lib/rpki/rpkigui-apache-conf-gen --install --verbose
}
-setup_rpki_conf() {
- # Update /etc/rpki.conf.sample for this system, and copy it to
- # /etc/rpki.conf if no configuration file exists yet.
-
- # We don't (yet) have the ability to merge in settings from an
- # existing rpki.conf, so we generate a new secret_key and a new
- # SQL password every time, but that's harmless so long as we're
- # careful not to overwrite an existing configuration.
-
- rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \
- --autoconf \
- --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \
- --set myrpki::rpkid_server_host=`hostname -f` \
- --set myrpki::pubd_server_host=`hostname -f` \
- --set myrpki::shared_sql_engine=postgresql \
- --pwgen myrpki::shared_sql_password \
- --pwgen web_portal::secret-key \
- --write-conf /etc/rpki.conf.sample
-
- if test ! -f /etc/rpki.conf
+setup_config() {
+
+ rpki-confgen --read-xml /etc/rpki/rpki.rp.xml \
+ --set myrpki::run_rpkid=yes \
+ --set myrpki::run_pubd=yes \
+ --write-xml /etc/rpki/rpki.ca.xml \
+ --write-conf /etc/rpki/rpki.ca.sample.conf
+
+ if test ! -f /etc/rpki.conf || cmp -s /etc/rpki.conf /etc/rpki/rpki.rp.sample.conf
then
- cp -p /etc/rpki.conf.sample /etc/rpki.conf
+ cp -p /etc/rpki/rpki.ca.conf.sample /etc/rpki.conf
fi
}
setup_sql() {
- #rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf create
rpki-sql-setup --debug --verbose --postgresql-root-username postgres create
}
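Review bot: In the new `setup_config`, `rpki-confgen` writes `/etc/rpki/rpki.ca.sample.conf`, but the `cp -p` a few lines later reads `/etc/rpki/rpki.ca.conf.sample`, a name nothing in this diff creates. With `set -e` in effect, that `cp` fails on any system where the `if` condition is true and aborts the whole `configure` step. The copy should use the name that was written: `cp -p /etc/rpki/rpki.ca.sample.conf /etc/rpki.conf`. The function also has no comment explaining why an `/etc/rpki.conf` identical to the rp sample is treated as safe to overwrite; something like `# Replace rpki.conf only if it is absent or still the untouched rp default` would record that intent.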
@@ -66,12 +40,7 @@ setup_cron() {
t=$(hexdump -n 1 -e '"%u"' /dev/urandom) && echo "$(($t % 60)) */2 * * * nobody /usr/lib/rpki/rpkigui-import-routes" > /etc/cron.d/rpkigui-routeviews
chmod 644 /etc/cron.d/rpkigui-routeviews
ln -sf /usr/lib/rpki/rpkigui-check-expired /etc/cron.daily/rpkigui-check-expired
-
- # This should be user rpkid, but I don't have permissions set up
- # properly for that yet. Arguably this should be integrated with
- # rpkigui-check-expired anyway, not there yet either.
-
- echo "30 3 * * * root /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki
+ echo "30 3 * * * rpki /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki
chmod 644 /etc/cron.d/rpki-update-bpki
}
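Review bot: The cron entry for `rpkic update_bpki` now runs as `rpki`, but after this commit rpki-ca.postinst creates no account at all. `setup_rpkid_user` and `setup_rpkid_group` are removed in the first hunk of this file and their calls in the `configure` hunk, and `rpki` is only created by rpki-rp.postinst. This therefore relies on rpki-rp being configured first, which has to be guaranteed by a dependency in the control file (not visible here). A guard such as `getent passwd rpki >/dev/null || { echo "rpki-ca: user rpki does not exist" >&2; exit 1; }` would make the failure explicit. The deleted comment said permissions were not yet set up for a non-root run, and nothing in this diff visibly grants `rpki` access to `/etc/rpki.conf` or the BPKI data, so that needs confirming before dropping root here. The body of `setup_cron` starts outside this hunk.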
@@ -90,10 +59,8 @@ setup_cron() {
case "$1" in
configure)
- setup_rpkid_group
- setup_rpkid_user
setup_apache
- setup_rpki_conf
+ setup_config
setup_sql
setup_bpki
setup_django
diff --git a/buildtools/debian-skeleton/rpki-ca.postrm b/buildtools/debian-skeleton/rpki-ca.postrm
index 372847f2..c49492fe 100644
--- a/buildtools/debian-skeleton/rpki-ca.postrm
+++ b/buildtools/debian-skeleton/rpki-ca.postrm
@@ -22,13 +22,11 @@ set -e
case "$1" in
purge)
- sql=/etc/rpki/drop_databases.sql
- if test -f $sql
+ if cmp -s /etc/rpki.conf /etc/rpki/rpki.ca.sample.conf
then
- #mysql --defaults-file=/etc/mysql/debian.cnf --execute "source $sql"
- sudo -u postgres psql -f $sql
+ cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf
fi
- rm -f /etc/rpki.conf /etc/rpki.conf.sample $sql
+ rm -f /etc/rpki/rpki.ca.sample.conf /etc/rpki/rpki.ca.xml
rm -f /etc/rpki/apache.conf /etc/rpki/apache.cer /etc/rpki/apache.key
;;
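Review bot: In the `purge` branch, the `cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf` runs whenever `/etc/rpki.conf` still matches the CA sample, without checking that the rp sample exists. If rpki-rp has already been purged (its postrm removes that file), the `cp` fails and `set -e` stops the purge before the `rm -f` lines that delete `apache.key` and the other generated files. Guarding the test avoids that: `if test -f /etc/rpki/rpki.rp.sample.conf && cmp -s /etc/rpki.conf /etc/rpki/rpki.ca.sample.conf`. Note also that this only runs on `purge`, so after a plain `remove` the live `/etc/rpki.conf` still has `run_rpkid=yes` and `run_pubd=yes`.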
diff --git a/buildtools/debian-skeleton/rpki-ca.prerm b/buildtools/debian-skeleton/rpki-ca.prerm
index 2754ed43..3f44ea4d 100644
--- a/buildtools/debian-skeleton/rpki-ca.prerm
+++ b/buildtools/debian-skeleton/rpki-ca.prerm
@@ -31,53 +31,13 @@ case "$1" in
rm -f /usr/share/rpki/rpkid.cer
rm -f /usr/share/rpki/rpkid.key
- # Record what will be needed to drop the databases completely,
- # while we still have the necessary configuration data, but
- # postpone dropping the databases until the postrm script,
- # since that's where we find out whether this is a purge.
-
- #rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf script-drop /etc/rpki/drop_databases.sql
- rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql
-
# Clean up our cron jobs.
rm -f /etc/cron.d/rpkigui-routeviews
rm -f /etc/cron.daily/rpkigui-check-expired
rm -f /etc/cron.d/rpki-update-bpki
- # Clean up what we did to Apache. Modern version of this is
- # just invocation of a Python script, but for now we also
- # retain code needed to clean up nasty mess we created in the
- # past, to avoid breaking old installations on upgrade.
-
- # Remove the old stuff first, if the containing file even exists.
-
- f=/etc/apache2/sites-available/default-ssl
- if test -r $f
- then
- awk < $f > ${f}.tmp '
- BEGIN {
- conf_file = "/etc/rpki/apache.conf";
- conf_regexp = "^[ \t]*Include[ \t]+" conf_file "[ \t]*$";
- }
- $0 !~ conf_regexp {
- print;
- }'
-
- if cmp -s ${f}.tmp ${f}.orig
- then
- mv -f ${f}.orig $f
- rm -f ${f}.tmp
- else
- mv -f ${f}.tmp $f
- fi
- fi
-
- # At this point we've cleaned up our Apache config mess.
- # Not sure whether we should do "service apache2 reload"
- # here, one could make a case either way. Skip for now.
-
- # Now remove the new stuff.
+ # Clean up what we did to Apache.
/usr/lib/rpki/rpkigui-apache-conf-gen --remove --verbose
diff --git a/buildtools/debian-skeleton/rpki-rp.install b/buildtools/debian-skeleton/rpki-rp.install
index ce17bb14..fe0073a2 100644
--- a/buildtools/debian-skeleton/rpki-rp.install
+++ b/buildtools/debian-skeleton/rpki-rp.install
@@ -1,4 +1,4 @@
-etc/rcynic.conf
+etc/rpki/rpki-confgen.xml
etc/rpki/trust-anchors
etc/xinetd.d/rpki-rtr
usr/bin
diff --git a/buildtools/debian-skeleton/rpki-rp.postinst b/buildtools/debian-skeleton/rpki-rp.postinst
index b9f666a2..ae95e7b2 100644
--- a/buildtools/debian-skeleton/rpki-rp.postinst
+++ b/buildtools/debian-skeleton/rpki-rp.postinst
@@ -5,54 +5,63 @@
set -e
-setup_groups() {
- if ! getent group rcynic >/dev/null
+setup_user() {
+ if ! getent group rpki >/dev/null
then
- groupadd rcynic
+ groupadd rpki
fi
- if ! getent group rpkirtr >/dev/null
+ if ! getent passwd rpki >/dev/null
then
- groupadd rpkirtr
+ useradd -g rpki -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI system software" rpki
fi
}
-setup_users() {
- if ! getent passwd rcynic >/dev/null
- then
- useradd -g rcynic -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI validation system" rcynic
- fi
- if ! getent passwd rpkirtr >/dev/null
- then
- useradd -g rpkirtr -M -N -d /var/rcynic/rpki-rtr -s /sbin/nologin -c "RPKI router server" rpkirtr
- fi
- usermod -a -G rpkirtr rcynic
+setup_directories() {
+ install -o rpki -g rpki -d /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets /var/www/html/rcynic
}
-setup_directories() {
- install -o rcynic -g rcynic -d /var/rcynic/data /var/rcynic/rpki-rtr
- if test -d /var/www/html && test -d /var/www/rcynic && test ! -d /var/www/html/rcynic
- then
- mv /var/www/rcynic /var/www/html/rcynic
- elif test -d /var/www/html
+setup_config() {
+
+ rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \
+ --autoconf \
+ --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \
+ --set myrpki::rpkid_server_host=`hostname -f` \
+ --set myrpki::pubd_server_host=`hostname -f` \
+ --set myrpki::shared_sql_engine=postgresql \
+ --set myrpki::rcynic_sql_database=rpki \
+ --set myrpki::rpkid_sql_database=rpki \
+ --set myrpki::irdbd_sql_database=rpki \
+ --set myrpki::pubd_sql_database=rpki \
+ --pwgen myrpki::shared_sql_password \
+ --pwgen web_portal::secret-key \
+ --set myrpki::run_rpkid=no \
+ --set myrpki::run_pubd=no \
+ --write-xml /etc/rpki/rpki.rp.xml \
+ --write-conf /etc/rpki/rpki.rp.sample.conf
+
+ if test ! -f /etc/rpki.conf
then
- install -o rcynic -g rcynic -d /var/www/html/rcynic
+ cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf
fi
- install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets
+}
+
+setup_sql() {
+ rpki-sql-setup --debug --verbose --postgresql-root-username postgres create
}
# We want to pick a *random* minute for rcynic to run, to spread load
# on repositories, which is why we don't just use a package crontab.
-setup_rcynic_cron() {
- if test "X`crontab -l -u rcynic 2>/dev/null`" = "X"
+setup_cron() {
+ if test "X`crontab -l -u rpki 2>/dev/null`" = "X"
then
awk -v t=`hexdump -n 2 -e '"%u\n"' /dev/urandom` '
BEGIN {printf "MAILTO=root\n%u * * * *\texec /usr/bin/rcynic-cron\n", t % 60}' |
- crontab -u rcynic -
+ crontab -u rpki -
fi
}
-setup_rpkirtr_listener() {
+setup_xinetd() {
if test -f /var/run/xinetd.pid
then
kill -HUP `cat /var/run/xinetd.pid`
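Review bot: `setup_config` generates `myrpki::shared_sql_password` and `web_portal::secret-key` with `--pwgen` and writes them to `/etc/rpki/rpki.rp.xml`, `/etc/rpki/rpki.rp.sample.conf` and, via `cp -p`, `/etc/rpki.conf`, but nothing in the hunk sets an owner or mode on any of the three. Unless `rpki-confgen` restricts permissions itself (not visible here), they end up with whatever the postinst umask gives, typically world-readable. An explicit step after the copy, e.g. `chown root:rpki /etc/rpki.conf /etc/rpki/rpki.rp.xml /etc/rpki/rpki.rp.sample.conf` followed by `chmod 640` on the same files, would close that, with the group chosen to match the accounts that actually read the file. Separately, `setup_user` replaces the distinct `rcynic` and `rpkirtr` accounts with a single `rpki` account that also owns `/var/rcynic/rpki-rtr/sockets`, so the validator and the rpki-rtr listener are no longer isolated from each other. If that is intentional, it deserves a comment. The body of `setup_xinetd` continues outside this hunk.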
@@ -74,11 +83,12 @@ setup_rpkirtr_listener() {
case "$1" in
configure)
- setup_groups
- setup_users
+ setup_user
setup_directories
- setup_rcynic_cron
- setup_rpkirtr_listener
+ setup_config
+ setup_sql
+ setup_cron
+ setup_xinetd
;;
abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/buildtools/debian-skeleton/rpki-rp.postrm b/buildtools/debian-skeleton/rpki-rp.postrm
index ad4ed1b9..7236d7a5 100644
--- a/buildtools/debian-skeleton/rpki-rp.postrm
+++ b/buildtools/debian-skeleton/rpki-rp.postrm
@@ -23,6 +23,13 @@ case "$1" in
purge)
rm -rf /var/rcynic
+ sql=/etc/rpki/drop_databases.sql
+ if test -f $sql
+ then
+ sudo -u postgres psql -f $sql
+ rm -f $sql
+ fi
+ rm -f /etc/rpki/rpki.rp.sample.conf /etc/rpki/rpki.rp.xml /etc/rpki.conf
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
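Review bot: The new `purge` code calls `sudo -u postgres psql -f $sql`, but neither `sudo` nor `psql` is guaranteed to be installed by the time postrm purge runs. With `set -e`, a failure there aborts the purge before the `rm -f` that removes `/etc/rpki.conf` and the generated samples, which hold the SQL password. Maintainer scripts already run as root, so `su` to the `postgres` account is enough, and a failed drop should be reported rather than fatal. The file is also executed as the PostgreSQL superuser, possibly long after rpki-rp.prerm wrote it. It is worth making sure prerm creates it root-owned and not group- or world-writable, and checking that here before use.

```shell
        if test -f $sql
        then
            # Purge may run after sudo/psql are gone; do not let that block cleanup.
            if command -v psql >/dev/null 2>&1 && getent passwd postgres >/dev/null
            then
                su -s /bin/sh -c "psql -f $sql" postgres ||
                    echo "rpki-rp: could not drop databases, remove them by hand" >&2
            fi
            # … unchanged: rm -f $sql, fi, rm -f of the generated configuration files …
```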
diff --git a/buildtools/debian-skeleton/rpki-rp.prerm b/buildtools/debian-skeleton/rpki-rp.prerm
index 37b111f2..b7e7cbde 100644
--- a/buildtools/debian-skeleton/rpki-rp.prerm
+++ b/buildtools/debian-skeleton/rpki-rp.prerm
@@ -20,16 +20,25 @@ set -e
case "$1" in
remove)
- crontab -l -u rcynic 2>/dev/null | awk '
+ # Record what will be needed to drop the databases completely,
+ # while we still have the necessary configuration data, but
+ # postpone dropping the databases until the postrm script,
+ # since that's where we find out whether this is a purge.
+
+ rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql
+
+ # Clean up our cron job.
+
+ crontab -l -u rpki 2>/dev/null | awk '
$0 !~ "exec /usr/bin/rcynic-cron" {
line[++n] = $0;
}
END {
if (n)
for (i = 1; i <= n; i++)
- print line[i] | "crontab -u rcynic -";
+ print line[i] | "crontab -u rpki -";
else
- system("crontab -u rcynic -r");
+ system("crontab -u rpki -r");
}'
;;
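Review bot: The added `rpki-sql-setup ... script-drop /etc/rpki/drop_databases.sql` call is the first command in the `remove` branch and runs under `set -e`. If it exits non-zero (for instance because it needs a running PostgreSQL, which is an assumption since the tool is not shown), the package cannot be removed and the crontab cleanup below it never runs. Moving it after the cron cleanup and downgrading failure to a warning keeps removal possible: `rpki-sql-setup ... script-drop /etc/rpki/drop_databases.sql || echo "rpki-rp: could not record database drop script" >&2`. The `--debug --verbose` flags also look like development leftovers for a maintainer script. The `case` statement continues outside this hunk.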