Diffstat (limited to 'buildtools/debian-skeleton')
-rw-r--r-- | buildtools/debian-skeleton/control | 13 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.default | 10 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.init.d | 115 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.install | 5 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.postinst | 81 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.postrm | 7 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.prerm | 55 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.upstart | 53 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.install | 7 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.postinst | 73 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.postrm | 7 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.prerm | 15 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rules | 5 |
13 files changed, 244 insertions, 202 deletions
diff --git a/buildtools/debian-skeleton/control b/buildtools/debian-skeleton/control index a91c21ca..f8e1b846 100644 --- a/buildtools/debian-skeleton/control +++ b/buildtools/debian-skeleton/control @@ -1,8 +1,15 @@ +# Source package requires lxml because it builds an initial rpki.conf. + +# rp package requires xinetd for historical reasons, could use "rpki-rtr server" instead. + +# Division between rp and ca packages is somewhat arbitrary, and becomes less relevant as we move more and +# more of the code from C into Python. Some day we may just collapse down to a single binary package again. + Source: rpki Section: net Priority: extra Maintainer: Rob Austein <sra@hactrn.net> -Build-Depends: debhelper (>= 8.0.0), autotools-dev, rsync, rrdtool, xsltproc, python (>= 2.7), python-all-dev, python-setuptools, python-lxml, libxml2-utils, mysql-client, mysql-server, python-mysqldb, python-vobject, python-yaml, python-django (>= 1.3.7), python-django-south (>= 0.7.5) +Build-Depends: debhelper (>= 8.0.0), autotools-dev, python (>= 2.7), python-all-dev, python-setuptools, python-lxml Standards-Version: 3.9.3 Homepage: http://trac.rpki.net/ Vcs-Svn: http://subvert-rpki.hactrn.net/ @@ -11,7 +18,7 @@ X-Python-Version: 2.7 Package: rpki-rp Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.7), rrdtool, rsync, xinetd, apache2, ssl-cert +Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.7), apache2, ssl-cert, python-lxml, postgresql, postgresql-client, python-psycopg2, python-django (>= 1.8.0), python-tornado, rrdtool, rsync, xinetd Description: rpki.net relying party tools "Relying party" validation tools from the rpki.net toolkit. See the online documentation at http://rpki.net/. 
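Review bot: Neither new `Depends:` line (rpki-rp in this hunk, rpki-ca in the next one) lists `sudo`, yet the maintainer scripts changed in this same commit call `sudo -u rpki rpki-manage ...` (both postinst files) and `sudo -u postgres psql` (rpki-rp.postrm), and `rules` now passes `SUDO=/usr/bin/sudo` to the build. On a host without sudo the `configure` step would stop at the first of those calls, because the scripts run under `set -e`. Either add `sudo` to both `Depends:` lines or switch the scripts to a tool from an essential package, for example `su -s /bin/sh -c '...' rpki`. Whether `Build-Depends` needs it as well depends on whether the build actually invokes the `SUDO` path, which is not visible here.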
@@ -19,7 +26,7 @@ Replaces: rpki-ca (<= 0.5767) Package: rpki-ca Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, rpki-rp (= ${binary:Version}), xsltproc, python (>= 2.7), python-lxml, libxml2-utils, mysql-client, mysql-server, python-mysqldb, python-vobject, python-yaml, python-django (>= 1.3.7), python-django-south (>= 0.7.5), apache2, libapache2-mod-wsgi, python-netifaces, ssl-cert +Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.7), apache2, ssl-cert, python-lxml, postgresql, postgresql-client, python-psycopg2, python-django (>= 1.8.0), python-tornado, libapache2-mod-wsgi, python-vobject, python-yaml, python-netifaces, rpki-rp (= ${binary:Version}), lsb-base (>= 3.2-14) Description: rpki.net certification authority tools "Certification authority" tools for issuing RPKI certificates and related objects using the rpki.net toolkit. diff --git a/buildtools/debian-skeleton/rpki-ca.default b/buildtools/debian-skeleton/rpki-ca.default new file mode 100644 index 00000000..94a92844 --- /dev/null +++ b/buildtools/debian-skeleton/rpki-ca.default @@ -0,0 +1,10 @@ +# Defaults for rpki-ca initscript +# sourced by /etc/init.d/rpki-ca +# installed at /etc/default/rpki-ca by the maintainer scripts + +# +# This is a POSIX shell fragment +# + +# Additional arguments that are passed to rpki-nanny. +DAEMON_ARGS="" diff --git a/buildtools/debian-skeleton/rpki-ca.init.d b/buildtools/debian-skeleton/rpki-ca.init.d new file mode 100644 index 00000000..22feba38 --- /dev/null +++ b/buildtools/debian-skeleton/rpki-ca.init.d 
@@ -0,0 +1,115 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: rpki-ca
+# Required-Start: $local_fs $network $remote_fs $syslog postgresql
+# Required-Stop: $local_fs $network $remote_fs $syslog postgresql
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: RPKI CA Servers
+### END INIT INFO
+
+# Author: Rob Austein <sra@hactrn.net>
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="rpki-ca"
+NAME=rpki-nanny
+PIDDIR=/var/run/rpki
+LOGDIR=/var/log/rpki
+DAEMON=/usr/lib/rpki/$NAME
+SCRIPTNAME=/etc/init.d/rpki-ca
+PIDFILE=$PIDDIR/$NAME.pid
+
+# Exit if the package is not installed
+test -x "$DAEMON" || exit 0
+
+# Read configuration variable file if it is present
+test -r /etc/default/rpki-ca && . /etc/default/rpki-ca
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ test -f /etc/rpki.conf || return 2
+
+ for dir in $PIDDIR $LOGDIR /usr/share/rpki/publication /usr/share/rpki/rrdp-publication
+ do
+ test -d $dir || install -d -o rpki -g rpki $dir || return 2
+ done
+
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON --name $NAME --test > /dev/null || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON --name $NAME -- $DAEMON_ARGS || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+
+ start-stop-daemon --stop --quiet --oknodo --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+}
+
+case "$1" in
+ start)
+ test "$VERBOSE" != no && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) test "$VERBOSE" != no && log_end_msg 0 ;;
+ 2) test "$VERBOSE" != no && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ test "$VERBOSE" != no && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) test "$VERBOSE" != no && log_end_msg 0 ;;
+ 2) test "$VERBOSE" != no && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/buildtools/debian-skeleton/rpki-ca.install b/buildtools/debian-skeleton/rpki-ca.install
index ffae5103..62cf9922 100644
--- a/buildtools/debian-skeleton/rpki-ca.install
+++ b/buildtools/debian-skeleton/rpki-ca.install
@@ -1,4 +1,5 @@
-etc/rpki/rpki-confgen.xml
 usr/lib/rpki
-usr/sbin
+usr/sbin/irbe_cli
+usr/sbin/rpkic
+usr/sbin/rpkigui-query-routes
 usr/share/rpki
diff --git a/buildtools/debian-skeleton/rpki-ca.postinst b/buildtools/debian-skeleton/rpki-ca.postinst
index c94e052c..4c72d148 100644
--- a/buildtools/debian-skeleton/rpki-ca.postinst
+++ b/buildtools/debian-skeleton/rpki-ca.postinst
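Review bot: In rpki-ca.init.d, `do_start` launches `$DAEMON` through `start-stop-daemon` without `--chuid`, so unless rpki-nanny drops privileges on its own (not visible in this diff) the CA daemons run as root even though every directory the script prepares is handed to `rpki`. If the daemon can run unprivileged, add `--chuid rpki:rpki` to both `--start` invocations. Related to that, `$PIDFILE` lives in `/var/run/rpki`, which the script creates owned by `rpki`, and `do_stop` run as root trusts the PID stored there; the `--name $NAME` match limits what can be signalled, and a one-line comment such as `# --name is required: the pidfile directory is writable by rpki` would keep it from being dropped later. `$dir` and `$PIDFILE` should also be double-quoted where they are expanded.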
@@ -5,73 +5,46 @@ set -e -setup_rpkid_user() { - if ! getent passwd rpkid >/dev/null - then - useradd -g rpkid -M -N -d /nonexistent -s /sbin/nologin -c "RPKI certification authority engine(s)" rpkid - fi -} - -setup_rpkid_group() { - if ! getent group rpkid >/dev/null - then - groupadd rpkid - fi +setup_directories() { + install -o rpki -g rpki -d /usr/share/rpki/bpki /usr/share/rpki/publication /usr/share/rpki/rrdp-publication } setup_apache() { /usr/lib/rpki/rpkigui-apache-conf-gen --install --verbose } -setup_rpki_conf() { - # Update /etc/rpki.conf.sample for this system, and copy it to - # /etc/rpki.conf if no configuration file exists yet. - - # We don't (yet) have the ability to merge in settings from an - # existing rpki.conf, so we generate a new secret_key and a new - # SQL password every time, but that's harmless so long as we're - # careful not to overwrite an existing configuration. - - rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \ - --autoconf \ - --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ - --set myrpki::rpkid_server_host=`hostname -f` \ - --set myrpki::pubd_server_host=`hostname -f` \ - --pwgen myrpki::shared_sql_password \ - --pwgen web_portal::secret-key \ - --write-conf /etc/rpki.conf.sample - - if test ! -f /etc/rpki.conf +setup_config() { + + rpki-confgen --read-xml /etc/rpki/rpki.rp.xml \ + --set myrpki::run_rpkid=yes \ + --set myrpki::run_pubd=yes \ + --write-xml /etc/rpki/rpki.ca.xml \ + --write-conf /etc/rpki/rpki.ca.conf.sample + + if test ! 
-f /etc/rpki.conf || cmp -s /etc/rpki.conf /etc/rpki/rpki.rp.conf.sample then - cp -p /etc/rpki.conf.sample /etc/rpki.conf + cp -p /etc/rpki/rpki.ca.conf.sample /etc/rpki.conf fi } -setup_mysql() { - rpki-sql-setup --create-if-missing --mysql-defaults /etc/mysql/debian.cnf - rpki-sql-setup --apply-upgrades --verbose +setup_sql() { + rpki-sql-setup --debug --verbose --postgresql-root-username postgres create + sudo -u rpki rpki-manage migrate rpkidb --settings rpki.django_settings.rpkid + sudo -u rpki rpki-manage migrate pubdb --settings rpki.django_settings.pubd + sudo -u rpki rpki-manage migrate irdb --settings rpki.django_settings.irdb + sudo -u rpki rpki-manage migrate --settings rpki.django_settings.gui } setup_bpki() { rpkic initialize_server_bpki } -setup_django() { - rpki-manage syncdb --noinput - rpki-manage migrate app -} - setup_cron() { - t=$(hexdump -n 1 -e '"%u"' /dev/urandom) && echo "$(($t % 60)) */2 * * * nobody /usr/lib/rpki/rpkigui-import-routes" > /etc/cron.d/rpkigui-routeviews - chmod 644 /etc/cron.d/rpkigui-routeviews - ln -sf /usr/lib/rpki/rpkigui-check-expired /etc/cron.daily/rpkigui-check-expired - - # This should be user rpkid, but I don't have permissions set up - # properly for that yet. Arguably this should be integrated with - # rpkigui-check-expired anyway, not there yet either. - - echo "30 3 * * * root /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki - chmod 644 /etc/cron.d/rpki-update-bpki + t=$(( $(hexdump -n 1 -e '"%u"' /dev/urandom) % 60 )) || exit + echo "$t */2 * * * rpki /usr/lib/rpki/rpkigui-import-routes" > /etc/cron.d/rpkigui-routeviews + echo "@daily rpki /usr/lib/rpki/rpkigui-check-expired" > /etc/cron.d/rpkigui-check-expired + echo "30 3 * * * rpki /usr/sbin/rpkic update_bpki" > /etc/cron.d/rpki-update-bpki + chmod 644 /etc/cron.d/rpkigui-routeviews /etc/cron.d/rpkigui-check-expired /etc/cron.d/rpki-update-bpki } # summary of how this script can be called: 
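Review bot: `setup_config` in rpki-ca.postinst writes `/etc/rpki/rpki.ca.xml`, `/etc/rpki/rpki.ca.conf.sample` and (through `cp -p`) `/etc/rpki.conf` without setting an owner or mode, and the file they are derived from is generated in rpki-rp.postinst with `--pwgen myrpki::shared_sql_password` and `--pwgen web_portal::secret-key`. Unless rpki-confgen restricts permissions itself (not visible here), the SQL password and the web portal secret key end up readable by every local account under the usual 022 umask. Consider `umask 027` at the top of the function followed by `chgrp rpki /etc/rpki.conf /etc/rpki/rpki.ca.conf.sample /etc/rpki/rpki.ca.xml`, after confirming which accounts need to read the file. The same applies to `setup_config` in rpki-rp.postinst further down. Separately, `rpki-sql-setup --debug --verbose` in `setup_sql` may print connection details into the dpkg terminal log, which is worth checking before shipping with `--debug`.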
@@ -89,13 +62,11 @@ setup_cron() { case "$1" in configure) - setup_rpkid_group - setup_rpkid_user + setup_directories setup_apache - setup_rpki_conf - setup_mysql + setup_config + setup_sql setup_bpki - setup_django setup_cron ;; diff --git a/buildtools/debian-skeleton/rpki-ca.postrm b/buildtools/debian-skeleton/rpki-ca.postrm index c93f84df..c9418cdb 100644 --- a/buildtools/debian-skeleton/rpki-ca.postrm +++ b/buildtools/debian-skeleton/rpki-ca.postrm @@ -22,12 +22,11 @@ set -e case "$1" in purge) - sql=/etc/rpki/drop_databases.sql - if test -f $sql + if cmp -s /etc/rpki.conf /etc/rpki/rpki.ca.conf.sample then - mysql --defaults-file=/etc/mysql/debian.cnf --execute "source $sql" + cp -p /etc/rpki/rpki.rp.conf.sample /etc/rpki.conf fi - rm -f /etc/rpki.conf /etc/rpki.conf.sample $sql + rm -f /etc/rpki/rpki.ca.conf.sample /etc/rpki/rpki.ca.xml rm -f /etc/rpki/apache.conf /etc/rpki/apache.cer /etc/rpki/apache.key ;; diff --git a/buildtools/debian-skeleton/rpki-ca.prerm b/buildtools/debian-skeleton/rpki-ca.prerm index 8b4d3945..c341502b 100644 --- a/buildtools/debian-skeleton/rpki-ca.prerm +++ b/buildtools/debian-skeleton/rpki-ca.prerm 
@@ -21,62 +21,19 @@ case "$1" in remove) # Clean up BPKI files. These all come from SQL, so we can - # regenerate them easily if appropriate. + # regenerate them easily, if appropriate. - rm -f /usr/share/rpki/ca.cer - rm -f /usr/share/rpki/irbe.cer - rm -f /usr/share/rpki/irdbd.cer - rm -f /usr/share/rpki/pubd.cer - rm -f /usr/share/rpki/pubd.key - rm -f /usr/share/rpki/rpkid.cer - rm -f /usr/share/rpki/rpkid.key - - # Record what will be needed to drop the databases completely, - # while we still have the necessary configuration data, but - # postpone dropping the databases until the postrm script, - # since that's where we find out whether this is a purge. - - rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf --script-drop >/etc/rpki/drop_databases.sql + rm -rf /usr/share/rpki/bpki # Clean up our cron jobs. rm -f /etc/cron.d/rpkigui-routeviews - rm -f /etc/cron.daily/rpkigui-check-expired + rm -f /etc/cron.d/rpkigui-check-expired rm -f /etc/cron.d/rpki-update-bpki - # Clean up what we did to Apache. Modern version of this is - # just invocation of a Python script, but for now we also - # retain code needed to clean up nasty mess we created in the - # past, to avoid breaking old installations on upgrade. - - # Remove the old stuff first, if the containing file even exists. - - f=/etc/apache2/sites-available/default-ssl - if test -r $f - then - awk < $f > ${f}.tmp ' - BEGIN { - conf_file = "/etc/rpki/apache.conf"; - conf_regexp = "^[ \t]*Include[ \t]+" conf_file "[ \t]*$"; - } - $0 !~ conf_regexp { - print; - }' - - if cmp -s ${f}.tmp ${f}.orig - then - mv -f ${f}.orig $f - rm -f ${f}.tmp - else - mv -f ${f}.tmp $f - fi - fi - - # At this point we've cleaned up our Apache config mess. - # Not sure whether we should do "service apache2 reload" - # here, one could make a case either way. Skip for now. - - # Now remove the new stuff. + rm -f /etc/cron.daily/rpkigui-check-expired + + # Clean up what we did to Apache. 
/usr/lib/rpki/rpkigui-apache-conf-gen --remove --verbose diff --git a/buildtools/debian-skeleton/rpki-ca.upstart b/buildtools/debian-skeleton/rpki-ca.upstart deleted file mode 100644 index 36a792ee..00000000 --- a/buildtools/debian-skeleton/rpki-ca.upstart +++ /dev/null @@ -1,53 +0,0 @@ -# RPKI CA Service - -description "RPKI CA Servers" -author "Rob Austein <sra@hactrn.net>" - -# This is almost certainly wrong. Suggestions on how to improve this -# welcome, but please first read the Python code to understand what it -# is doing. - -# Our only real dependencies are on mysqld and our config file. - -start on started mysql -stop on stopping mysql - -pre-start script - if test -f /etc/rpki.conf && - test -f /usr/share/rpki/ca.cer && - test -f /usr/share/rpki/irbe.cer && - test -f /usr/share/rpki/irdbd.cer && - test -f /usr/share/rpki/rpkid.cer && - test -f /usr/share/rpki/rpkid.key - then - install -m 755 -o rpkid -g rpkid -d /var/run/rpki /usr/share/rpki/publication - - # This should be running as user rpkid, but I haven't got all - # the pesky details worked out yet. Most testing to date has - # either been all under a single non-root user or everything - # as root, so, eg, running "rpkic initialize" as root will not - # leave things in a sane state for rpkid running as user - # rpkid. - # - # In the interest of debugging the rest of this before trying - # to break new ground, run daemons as root for the moment, - # with the intention of coming back to fix this later. - # - #sudo -u rpkid /usr/sbin/rpki-start-servers - /usr/sbin/rpki-start-servers - - else - stop - exit 0 - fi -end script - -post-stop script - for i in rpkid pubd irdbd rootd - do - if test -f /var/run/rpki/$i.pid - then - kill `cat /var/run/rpki/$i.pid` - fi - done -end script diff --git a/buildtools/debian-skeleton/rpki-rp.install b/buildtools/debian-skeleton/rpki-rp.install index ce17bb14..8490936a 100644 --- a/buildtools/debian-skeleton/rpki-rp.install 
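Review bot: The `rm -f /etc/cron.daily/rpkigui-check-expired` kept in rpki-ca.prerm runs only in the `remove)` arm, so on an upgrade from a package that created that symlink the old job survives next to the new `/etc/cron.d/rpkigui-check-expired` entry. Jobs in cron.daily run as root, so for upgraded systems this undoes the move to user `rpki` that the new `setup_cron` makes for the same script. Removing the symlink on the `configure)` path as well, for example `rm -f /etc/cron.daily/rpkigui-check-expired` as the first line of `setup_cron` in rpki-ca.postinst, would cover upgrades, and the line here deserves a comment such as `# Legacy location used by older packages.`. The `case` statement starts and ends outside this hunk.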
+++ b/buildtools/debian-skeleton/rpki-rp.install @@ -1,6 +1,11 @@ -etc/rcynic.conf +etc/rpki/rpki-confgen.xml etc/rpki/trust-anchors etc/xinetd.d/rpki-rtr usr/bin usr/lib/python2.7 +usr/sbin/rpki-confgen +usr/sbin/rpki-generate-root-certificate +usr/sbin/rpki-manage +usr/sbin/rpki-sql-backup +usr/sbin/rpki-sql-setup var/rcynic diff --git a/buildtools/debian-skeleton/rpki-rp.postinst b/buildtools/debian-skeleton/rpki-rp.postinst index b9f666a2..a3c1bb68 100644 --- a/buildtools/debian-skeleton/rpki-rp.postinst +++ b/buildtools/debian-skeleton/rpki-rp.postinst 
@@ -5,54 +5,64 @@ set -e -setup_groups() { - if ! getent group rcynic >/dev/null +setup_user() { + if ! getent group rpki >/dev/null then - groupadd rcynic + groupadd rpki fi - if ! getent group rpkirtr >/dev/null + if ! getent passwd rpki >/dev/null then - groupadd rpkirtr + useradd -g rpki -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI system software" rpki fi } -setup_users() { - if ! getent passwd rcynic >/dev/null - then - useradd -g rcynic -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI validation system" rcynic - fi - if ! getent passwd rpkirtr >/dev/null - then - useradd -g rpkirtr -M -N -d /var/rcynic/rpki-rtr -s /sbin/nologin -c "RPKI router server" rpkirtr - fi - usermod -a -G rpkirtr rcynic +setup_directories() { + install -o rpki -g rpki -d /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets /var/www/html/rcynic } -setup_directories() { - install -o rcynic -g rcynic -d /var/rcynic/data /var/rcynic/rpki-rtr - if test -d /var/www/html && test -d /var/www/rcynic && test ! -d /var/www/html/rcynic - then - mv /var/www/rcynic /var/www/html/rcynic - elif test -d /var/www/html +setup_config() { + + rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \ + --autoconf \ + --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ + --set myrpki::rpkid_server_host=`hostname -f` \ + --set myrpki::pubd_server_host=`hostname -f` \ + --set myrpki::shared_sql_engine=postgresql \ + --set myrpki::rcynic_sql_database=rpki \ + --set myrpki::rpkid_sql_database=rpki \ + --set myrpki::irdbd_sql_database=rpki \ + --set myrpki::pubd_sql_database=rpki \ + --pwgen myrpki::shared_sql_password \ + --pwgen web_portal::secret-key \ + --set myrpki::run_rpkid=no \ + --set myrpki::run_pubd=no \ + --write-xml /etc/rpki/rpki.rp.xml \ + --write-conf /etc/rpki/rpki.rp.conf.sample + + if test ! 
-f /etc/rpki.conf then - install -o rcynic -g rcynic -d /var/www/html/rcynic + cp -p /etc/rpki/rpki.rp.conf.sample /etc/rpki.conf fi - install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets +} + +setup_sql() { + rpki-sql-setup --debug --verbose --postgresql-root-username postgres create + sudo -u rpki rpki-manage migrate rcynicdb --settings rpki.django_settings.rcynic } # We want to pick a *random* minute for rcynic to run, to spread load # on repositories, which is why we don't just use a package crontab. -setup_rcynic_cron() { - if test "X`crontab -l -u rcynic 2>/dev/null`" = "X" +setup_cron() { + if test "X`crontab -l -u rpki 2>/dev/null`" = "X" then awk -v t=`hexdump -n 2 -e '"%u\n"' /dev/urandom` ' BEGIN {printf "MAILTO=root\n%u * * * *\texec /usr/bin/rcynic-cron\n", t % 60}' | - crontab -u rcynic - + crontab -u rpki - fi } -setup_rpkirtr_listener() { +setup_xinetd() { if test -f /var/run/xinetd.pid then kill -HUP `cat /var/run/xinetd.pid` @@ -74,11 +84,12 @@ setup_rpkirtr_listener() { case "$1" in configure) - setup_groups - setup_users + setup_user setup_directories - setup_rcynic_cron - setup_rpkirtr_listener + setup_config + setup_sql + setup_cron + setup_xinetd ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/buildtools/debian-skeleton/rpki-rp.postrm b/buildtools/debian-skeleton/rpki-rp.postrm index ad4ed1b9..ff8eafab 100644 --- a/buildtools/debian-skeleton/rpki-rp.postrm +++ b/buildtools/debian-skeleton/rpki-rp.postrm @@ -23,6 +23,13 @@ case "$1" in purge) rm -rf /var/rcynic + sql=/etc/rpki/drop_databases.sql + if test -f $sql + then + sudo -u postgres psql -f $sql + rm -f $sql + fi + rm -f /etc/rpki/rpki.rp.conf.sample /etc/rpki/rpki.rp.xml /etc/rpki.conf ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) diff --git a/buildtools/debian-skeleton/rpki-rp.prerm b/buildtools/debian-skeleton/rpki-rp.prerm index 37b111f2..b7e7cbde 100644 --- a/buildtools/debian-skeleton/rpki-rp.prerm 
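Review bot: `setup_user` in rpki-rp.postinst replaces the separate `rcynic` and `rpkirtr` accounts with the single account `rpki`, which rpki-ca.postinst also makes the owner of `/usr/share/rpki/bpki` and the user of the CA cron jobs. That appears to put the rpki-rtr listener (its xinetd entry is not shown), the validator and the CA key material behind one uid, so a flaw in any of them reaches the others; if the trade-off is intended, a comment on `setup_user` should say so, otherwise a distinct account for the listener is worth keeping. Nothing in this hunk migrates existing installations either: `install -o rpki -g rpki -d` changes only the directories it names, so files already under `/var/rcynic` stay owned by `rcynic`, and `setup_cron` checks only `crontab -l -u rpki`, so an existing `rcynic` crontab would keep running `rcynic-cron` next to the new one.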
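Review bot: In rpki-rp.postrm the `purge)` arm runs `sudo -u postgres psql -f $sql` under `set -e`, but at purge time neither sudo nor PostgreSQL is guaranteed to still be installed or running, so a failure there leaves the package stuck half-purged. Guard the call and let the purge continue, for example `if test -f "$sql" && command -v sudo >/dev/null && command -v psql >/dev/null` with `sudo -u postgres psql -f "$sql" || echo "could not drop RPKI databases" >&2` inside it. Because the file is executed as the database superuser, `/etc/rpki/drop_databases.sql` must never be writable by anyone but root, and the `script-drop` call that creates it in rpki-rp.prerm sets no mode in the visible lines. The `case` statement extends beyond this hunk.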
+++ b/buildtools/debian-skeleton/rpki-rp.prerm @@ -20,16 +20,25 @@ set -e case "$1" in remove) - crontab -l -u rcynic 2>/dev/null | awk ' + # Record what will be needed to drop the databases completely, + # while we still have the necessary configuration data, but + # postpone dropping the databases until the postrm script, + # since that's where we find out whether this is a purge. + + rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql + + # Clean up our cron job. + + crontab -l -u rpki 2>/dev/null | awk ' $0 !~ "exec /usr/bin/rcynic-cron" { line[++n] = $0; } END { if (n) for (i = 1; i <= n; i++) - print line[i] | "crontab -u rcynic -"; + print line[i] | "crontab -u rpki -"; else - system("crontab -u rcynic -r"); + system("crontab -u rpki -r"); }' ;; diff --git a/buildtools/debian-skeleton/rules b/buildtools/debian-skeleton/rules index ea2b043f..4849f2de 100644 --- a/buildtools/debian-skeleton/rules +++ b/buildtools/debian-skeleton/rules @@ -8,7 +8,10 @@ export DH_VERBOSE=1 dh $@ --with python2 override_dh_auto_configure: - dh_auto_configure -- --disable-target-installation --enable-python-install-layout=deb + dh_auto_configure -- --disable-target-installation --enable-python-install-layout=deb --disable-runtime-dependencies --enable-wsgi-daemon-mode=rpki + +override_dh_auto_build: + dh_auto_build -- SUDO=/usr/bin/sudo RRDTOOL=/usr/bin/rrdtool override_dh_auto_test: @true |