11 files changed, 99 insertions, 172 deletions

diff --git a/buildtools/build-ubuntu-ports.py b/buildtools/build-debian-packages.py
index 19f61f6d..19f61f6d 100644
--- a/buildtools/build-ubuntu-ports.py
+++ b/buildtools/build-debian-packages.py
diff --git a/buildtools/debian-skeleton/rpki-ca.install b/buildtools/debian-skeleton/rpki-ca.install
index ffae5103..90f4eecf 100644
--- a/buildtools/debian-skeleton/rpki-ca.install
+++ b/buildtools/debian-skeleton/rpki-ca.install
@@ -1,4 +1,3 @@
-etc/rpki/rpki-confgen.xml
 usr/lib/rpki
 usr/sbin
 usr/share/rpki
diff --git a/buildtools/debian-skeleton/rpki-ca.postinst b/buildtools/debian-skeleton/rpki-ca.postinst
index 18fef863..9bd1f96d 100644
--- a/buildtools/debian-skeleton/rpki-ca.postinst
+++ b/buildtools/debian-skeleton/rpki-ca.postinst
@@ -5,51 +5,25 @@
 
 set -e
 
-setup_rpkid_user() {
-    if ! getent passwd rpkid >/dev/null
-    then
-	useradd -g rpkid -M -N -d /nonexistent -s /sbin/nologin -c "RPKI certification authority engine(s)" rpkid
-    fi
-}
-
-setup_rpkid_group() {
-    if ! getent group rpkid >/dev/null
-    then
-	groupadd rpkid
-    fi
-}
-
 setup_apache() {
     /usr/lib/rpki/rpkigui-apache-conf-gen --install --verbose
 }
 
-setup_rpki_conf() {
-    # Update /etc/rpki.conf.sample for this system, and copy it to
-    # /etc/rpki.conf if no configuration file exists yet.
-
-    # We don't (yet) have the ability to merge in settings from an
-    # existing rpki.conf, so we generate a new secret_key and a new
-    # SQL password every time, but that's harmless so long as we're
-    # careful not to overwrite an existing configuration.
-
-    rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml			\
-	--autoconf							\
-	--set myrpki::handle=`hostname -f | sed 's/[.]/_/g'`		\
-	--set myrpki::rpkid_server_host=`hostname -f`			\
-	--set myrpki::pubd_server_host=`hostname -f`			\
-	--set myrpki::shared_sql_engine=postgresql			\
-	--pwgen myrpki::shared_sql_password				\
-	--pwgen web_portal::secret-key					\
-	--write-conf /etc/rpki.conf.sample
-
-    if test ! -f /etc/rpki.conf
+setup_config() {
+
+    rpki-confgen --read-xml /etc/rpki/rpki.rp.xml			\
+	--set myrpki::run_rpkid=yes					\
+	--set myrpki::run_pubd=yes					\
+	--write-xml  /etc/rpki/rpki.ca.xml				\
+	--write-conf /etc/rpki/rpki.ca.sample.conf
+
+    if test ! -f /etc/rpki.conf || cmp -s /etc/rpki.conf /etc/rpki/rpki.rp.sample.conf
     then
-	cp -p /etc/rpki.conf.sample /etc/rpki.conf
+	cp -p /etc/rpki/rpki.ca.conf.sample /etc/rpki.conf
     fi
 }
 
 setup_sql() {
-    #rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf create
     rpki-sql-setup --debug --verbose --postgresql-root-username postgres create
 }
 
@@ -66,12 +40,7 @@ setup_cron() {
     t=$(hexdump -n 1 -e '"%u"' /dev/urandom) && echo "$(($t % 60)) */2 * * * nobody /usr/lib/rpki/rpkigui-import-routes" > /etc/cron.d/rpkigui-routeviews
     chmod 644 /etc/cron.d/rpkigui-routeviews
     ln -sf /usr/lib/rpki/rpkigui-check-expired /etc/cron.daily/rpkigui-check-expired
-
-    # This should be user rpkid, but I don't have permissions set up
-    # properly for that yet.  Arguably this should be integrated with
-    # rpkigui-check-expired anyway, not there yet either.
-
-    echo "30 3 * * * root /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki
+    echo "30 3 * * * rpki /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki
     chmod 644 /etc/cron.d/rpki-update-bpki
 }
 
@@ -90,10 +59,8 @@ setup_cron() {
 
 case "$1" in
     configure)
-	setup_rpkid_group
-	setup_rpkid_user
 	setup_apache
-	setup_rpki_conf
+	setup_config
 	setup_sql
 	setup_bpki
 	setup_django
diff --git a/buildtools/debian-skeleton/rpki-ca.postrm b/buildtools/debian-skeleton/rpki-ca.postrm
index 372847f2..c49492fe 100644
--- a/buildtools/debian-skeleton/rpki-ca.postrm
+++ b/buildtools/debian-skeleton/rpki-ca.postrm
@@ -22,13 +22,11 @@ set -e
 case "$1" in
 
     purge)
-	sql=/etc/rpki/drop_databases.sql
-	if test -f $sql
+	if cmp -s /etc/rpki.conf /etc/rpki/rpki.ca.sample.conf
 	then
-	    #mysql --defaults-file=/etc/mysql/debian.cnf --execute "source $sql"
-	    sudo -u postgres psql -f $sql
+	    cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf
 	fi
-	rm -f /etc/rpki.conf /etc/rpki.conf.sample $sql
+	rm -f /etc/rpki/rpki.ca.sample.conf /etc/rpki/rpki.ca.xml
 	rm -f /etc/rpki/apache.conf /etc/rpki/apache.cer /etc/rpki/apache.key
     ;;
 
diff --git a/buildtools/debian-skeleton/rpki-ca.prerm b/buildtools/debian-skeleton/rpki-ca.prerm
index 2754ed43..3f44ea4d 100644
--- a/buildtools/debian-skeleton/rpki-ca.prerm
+++ b/buildtools/debian-skeleton/rpki-ca.prerm
@@ -31,53 +31,13 @@ case "$1" in
 	rm -f /usr/share/rpki/rpkid.cer
 	rm -f /usr/share/rpki/rpkid.key
 
-	# Record what will be needed to drop the databases completely,
-	# while we still have the necessary configuration data, but
-	# postpone dropping the databases until the postrm script,
-	# since that's where we find out whether this is a purge.
-
-	#rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf script-drop /etc/rpki/drop_databases.sql
-	rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql
-
 	# Clean up our cron jobs.
 
 	rm -f /etc/cron.d/rpkigui-routeviews
 	rm -f /etc/cron.daily/rpkigui-check-expired
 	rm -f /etc/cron.d/rpki-update-bpki
 
-	# Clean up what we did to Apache.  Modern version of this is
-	# just invocation of a Python script, but for now we also
-	# retain code needed to clean up nasty mess we created in the
-	# past, to avoid breaking old installations on upgrade.
-
-	# Remove the old stuff first, if the containing file even exists.
-
-	f=/etc/apache2/sites-available/default-ssl
-	if test -r $f
-	then
-	    awk < $f > ${f}.tmp '
-		BEGIN {
-		    conf_file = "/etc/rpki/apache.conf";
-		    conf_regexp = "^[ \t]*Include[ \t]+" conf_file "[ \t]*$";
-		}
-		$0 !~ conf_regexp {
-		    print;
-		}'
-
-	    if cmp -s ${f}.tmp ${f}.orig
-	    then
-		mv -f ${f}.orig $f
-		rm -f ${f}.tmp
-	    else
-		mv -f ${f}.tmp $f
-	    fi
-	fi
-
-	# At this point we've cleaned up our Apache config mess.
-	# Not sure whether we should do "service apache2 reload"
-	# here, one could make a case either way.  Skip for now.
-
-	# Now remove the new stuff.
+	# Clean up what we did to Apache.
 
 	/usr/lib/rpki/rpkigui-apache-conf-gen --remove --verbose
 
diff --git a/buildtools/debian-skeleton/rpki-rp.install b/buildtools/debian-skeleton/rpki-rp.install
index ce17bb14..fe0073a2 100644
--- a/buildtools/debian-skeleton/rpki-rp.install
+++ b/buildtools/debian-skeleton/rpki-rp.install
@@ -1,4 +1,4 @@
-etc/rcynic.conf
+etc/rpki/rpki-confgen.xml
 etc/rpki/trust-anchors
 etc/xinetd.d/rpki-rtr
 usr/bin
diff --git a/buildtools/debian-skeleton/rpki-rp.postinst b/buildtools/debian-skeleton/rpki-rp.postinst
index b9f666a2..ae95e7b2 100644
--- a/buildtools/debian-skeleton/rpki-rp.postinst
+++ b/buildtools/debian-skeleton/rpki-rp.postinst
@@ -5,54 +5,63 @@
 
 set -e
 
-setup_groups() {
-    if ! getent group rcynic >/dev/null
+setup_user() {
+    if ! getent group rpki >/dev/null
     then
-	groupadd rcynic
+	groupadd rpki
     fi
-    if ! getent group rpkirtr >/dev/null
+    if ! getent passwd rpki >/dev/null
     then
-	groupadd rpkirtr
+	useradd -g rpki -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI system software" rpki
     fi
 }
 
-setup_users() {
-    if ! getent passwd rcynic >/dev/null
-    then
-	useradd -g rcynic -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI validation system" rcynic
-    fi
-    if ! getent passwd rpkirtr >/dev/null
-    then
-	useradd -g rpkirtr -M -N -d /var/rcynic/rpki-rtr -s /sbin/nologin -c "RPKI router server" rpkirtr
-    fi
-    usermod -a -G rpkirtr rcynic
+setup_directories() {
+    install -o rpki -g rpki -d /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets /var/www/html/rcynic
 }
 
-setup_directories() {
-    install -o rcynic -g rcynic -d /var/rcynic/data /var/rcynic/rpki-rtr
-    if test -d /var/www/html && test -d /var/www/rcynic && test ! -d /var/www/html/rcynic
-    then
-	mv /var/www/rcynic /var/www/html/rcynic
-    elif test -d /var/www/html
+setup_config() {
+
+    rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml		\
+	--autoconf						\
+	--set myrpki::handle=`hostname -f | sed 's/[.]/_/g'`	\
+	--set myrpki::rpkid_server_host=`hostname -f`		\
+	--set myrpki::pubd_server_host=`hostname -f`		\
+	--set myrpki::shared_sql_engine=postgresql		\
+	--set myrpki::rcynic_sql_database=rpki			\
+	--set myrpki::rpkid_sql_database=rpki			\
+	--set myrpki::irdbd_sql_database=rpki			\
+	--set myrpki::pubd_sql_database=rpki			\
+	--pwgen myrpki::shared_sql_password			\
+	--pwgen web_portal::secret-key				\
+	--set myrpki::run_rpkid=no				\
+	--set myrpki::run_pubd=no				\
+	--write-xml  /etc/rpki/rpki.rp.xml			\
+	--write-conf /etc/rpki/rpki.rp.sample.conf
+
+    if test ! -f /etc/rpki.conf
     then
-	install -o rcynic -g rcynic -d /var/www/html/rcynic
+	cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf
     fi
-    install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets
+}
+
+setup_sql() {
+    rpki-sql-setup --debug --verbose --postgresql-root-username postgres create
 }
 
 # We want to pick a *random* minute for rcynic to run, to spread load
 # on repositories, which is why we don't just use a package crontab.
 
-setup_rcynic_cron() {
-    if test "X`crontab -l -u rcynic 2>/dev/null`" = "X"
+setup_cron() {
+    if test "X`crontab -l -u rpki 2>/dev/null`" = "X"
     then
 	awk -v t=`hexdump -n 2 -e '"%u\n"' /dev/urandom` '
             BEGIN {printf "MAILTO=root\n%u * * * *\texec /usr/bin/rcynic-cron\n", t % 60}' |
-	crontab -u rcynic -
+	crontab -u rpki -
     fi
 }
 
-setup_rpkirtr_listener() {
+setup_xinetd() {
     if test -f /var/run/xinetd.pid
     then
 	kill -HUP `cat /var/run/xinetd.pid`
@@ -74,11 +83,12 @@ setup_rpkirtr_listener() {
 
 case "$1" in
     configure)
-	setup_groups
-	setup_users
+	setup_user
 	setup_directories
-	setup_rcynic_cron
-	setup_rpkirtr_listener
+	setup_config
+	setup_sql
+	setup_cron
+	setup_xinetd
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/buildtools/debian-skeleton/rpki-rp.postrm b/buildtools/debian-skeleton/rpki-rp.postrm
index ad4ed1b9..7236d7a5 100644
--- a/buildtools/debian-skeleton/rpki-rp.postrm
+++ b/buildtools/debian-skeleton/rpki-rp.postrm
@@ -23,6 +23,13 @@ case "$1" in
 
     purge)
 	rm -rf /var/rcynic
+	sql=/etc/rpki/drop_databases.sql
+	if test -f $sql
+	then
+	    sudo -u postgres psql -f $sql
+	    rm -f $sql
+	fi
+	rm -f /etc/rpki/rpki.rp.sample.conf /etc/rpki/rpki.rp.xml /etc/rpki.conf
     ;;
 
     remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
diff --git a/buildtools/debian-skeleton/rpki-rp.prerm b/buildtools/debian-skeleton/rpki-rp.prerm
index 37b111f2..b7e7cbde 100644
--- a/buildtools/debian-skeleton/rpki-rp.prerm
+++ b/buildtools/debian-skeleton/rpki-rp.prerm
@@ -20,16 +20,25 @@ set -e
 case "$1" in
     remove)
 
-	crontab -l -u rcynic 2>/dev/null | awk '
+	# Record what will be needed to drop the databases completely,
+	# while we still have the necessary configuration data, but
+	# postpone dropping the databases until the postrm script,
+	# since that's where we find out whether this is a purge.
+
+	rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql
+
+	# Clean up our cron job.
+
+	crontab -l -u rpki 2>/dev/null | awk '
 	    $0 !~ "exec /usr/bin/rcynic-cron" {
 		line[++n] = $0;
 	    }
 	    END {
 		if (n)
 		    for (i = 1; i <= n; i++)
-			print line[i] | "crontab -u rcynic -";
+			print line[i] | "crontab -u rpki -";
 		else
-		    system("crontab -u rcynic -r");
+		    system("crontab -u rpki -r");
 	    }'
 	;;
 
diff --git a/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in b/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in
index 4c687f38..8942fd1a 100644
--- a/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in
+++ b/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in
@@ -3,47 +3,25 @@
 case $2 in
 
 PRE-INSTALL)
-    if /usr/sbin/pw groupshow "rcynic" 2>/dev/null
+    if /usr/sbin/pw groupshow "rpki" 2>/dev/null
     then
-        echo "You already have a group \"rcynic\", so I will use it."
-    elif /usr/sbin/pw groupadd rcynic
+        echo "You already have a group \"rpki\", so I will use it."
+    elif /usr/sbin/pw groupadd rpki
     then
-        echo "Added group \"rcynic\"."
+        echo "Added group \"rpki\"."
     else
-        echo "Adding group \"rcynic\" failed..."
+        echo "Adding group \"rpki\" failed..."
         echo "Please create it, then try again."
         exit 1
     fi
-    if /usr/sbin/pw usershow "rcynic" 2>/dev/null
+    if /usr/sbin/pw usershow "rpki" 2>/dev/null
     then
-        echo "You already have a user \"rcynic\", so I will use it."
-    elif /usr/sbin/pw useradd rcynic -g rcynic -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system"
+        echo "You already have a user \"rpki\", so I will use it."
+    elif /usr/sbin/pw useradd rpki -g rpki -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI system daemons"
     then
-        echo "Added user \"rcynic\"."
+        echo "Added user \"rpki\"."
     else
-        echo "Adding user \"rcynic\" failed..."
-        echo "Please create it, then try again."
-        exit 1
-    fi
-    if /usr/sbin/pw groupshow "rpkirtr" 2>/dev/null
-    then
-        echo "You already have a group \"rpkirtr\", so I will use it."
-    elif /usr/sbin/pw groupadd rpkirtr
-    then
-        echo "Added group \"rpkirtr\"."
-    else
-        echo "Adding group \"rpkirtr\" failed..."
-        echo "Please create it, then try again."
-        exit 1
-    fi
-    if /usr/sbin/pw usershow "rpkirtr" 2>/dev/null
-    then
-        echo "You already have a user \"rpkirtr\", so I will use it."
-    elif /usr/sbin/pw useradd rpkirtr -g rpkirtr -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI router server"
-    then
-        echo "Added user \"rpkirtr\"."
-    else
-        echo "Adding user \"rpkirtr\" failed..."
+        echo "Adding user \"rpki\" failed..."
         echo "Please create it, then try again."
         exit 1
     fi
@@ -55,25 +33,24 @@ POST-INSTALL)
 	echo "Creating /var/rcynic"
 	/usr/bin/install -o root -g wheel -d /var/rcynic
     fi
-    for dir in /var/rcynic/data /var/rcynic/rpki-rtr
+    for dir in /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets
     do
-	/usr/bin/install -o rcynic -g rcynic -d $dir
+	/usr/bin/install -o rpki -g rpki -d $dir
     done
-    /usr/bin/install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets
-    if test ! -f /usr/local/etc/rcynic.conf
+    if test ! -f /usr/local/etc/rpki.conf
     then
-	/bin/cp -p /usr/local/etc/rcynic.conf.sample /usr/local/etc/rcynic.conf
+	/bin/cp -p /usr/local/etc/rpki.conf.sample /usr/local/etc/rpki.conf
     fi
     htmldir=/usr/local/www/apache%%APACHE_VERSION%%/data/rcynic
-    /usr/bin/install -o rcynic -g rcynic -d $htmldir
-    if test "X`/usr/bin/crontab -l -u rcynic 2>/dev/null`" != "X"
+    /usr/bin/install -o rpki -g rpki -d $htmldir
+    if test "X`/usr/bin/crontab -l -u rpki 2>/dev/null`" != "X"
     then
-	echo "rcynic user already has a crontab, leaving it alone"
+	echo "rpki user already has a crontab, leaving it alone"
     else
-	echo "Setting up rcynic's crontab to run rcynic-cron script"
+	echo "Setting up rpki's crontab to run rcynic-cron script"
 	/usr/bin/awk -v t=`/usr/bin/hexdump -n 2 -e '"%u\n"' /dev/random` '
             BEGIN {printf "MAILTO=root\n%u * * * *\texec  /usr/local/bin/rcynic-cron\n", t % 60}' |
-	/usr/bin/crontab -u rcynic -
+	/usr/bin/crontab -u rpki -
     fi
     echo "Setting up rpki-rtr listener under inetd"
     if /usr/bin/egrep -q '^rpki-rtr' /etc/services
@@ -101,7 +78,7 @@ POST-INSTALL)
     if /usr/bin/egrep -q "rpki-rtr[ 	]+stream[ 	]+tcp[ 	]" /etc/inetd.conf
     then
         echo "You already have an /etc/inetd.conf entry for rpki-rtr on TCPv4, so I will use it."
-    elif echo >>/etc/inetd.conf "rpki-rtr	stream	tcp	nowait	rpkirtr	/usr/local/bin/rpki-rtr	rpki-rtr server /var/rcynic/rpki-rtr"
+    elif echo >>/etc/inetd.conf "rpki-rtr	stream	tcp	nowait	rpki	/usr/local/bin/rpki-rtr	rpki-rtr server /var/rcynic/rpki-rtr"
     then
         echo "Added rpki-rtr for TCPv4 to /etc/inetd.conf."
     else
@@ -111,7 +88,7 @@ POST-INSTALL)
     if /usr/bin/egrep -q "rpki-rtr[ 	]+stream[ 	]+tcp6[ 	]" /etc/inetd.conf
     then
         echo "You already have an /etc/inetd.conf entry for rpki-rtr on TCPv6, so I will use it."
-    elif echo >>/etc/inetd.conf "rpki-rtr	stream	tcp6	nowait	rpkirtr	/usr/local/bin/rpki-rtr	rpki-rtr server /var/rcynic/rpki-rtr"
+    elif echo >>/etc/inetd.conf "rpki-rtr	stream	tcp6	nowait	rpki	/usr/local/bin/rpki-rtr	rpki-rtr server /var/rcynic/rpki-rtr"
     then
         echo "Added rpki-rtr for TCPv6 to /etc/inetd.conf."
     else
diff --git a/buildtools/rpki-pbuilder.py b/buildtools/rpki-pbuilder.py
index 32247ff8..1d45e862 100644
--- a/buildtools/rpki-pbuilder.py
+++ b/buildtools/rpki-pbuilder.py
@@ -201,7 +201,7 @@ class Release(object):
                     os.unlink(os.path.join(dsc_dir, fn))
             run("rm", "-rf", "debian", cwd = args.svn_tree)
             run(sys.executable, "buildtools/make-version.py", cwd = args.svn_tree)
-            run(sys.executable, "buildtools/build-ubuntu-ports.py", "--version-suffix", self.release, cwd = args.svn_tree)
+            run(sys.executable, "buildtools/build-debian-packages.py", "--version-suffix", self.release, cwd = args.svn_tree)
             run("dpkg-buildpackage", "-S", "-us", "-uc", "-rfakeroot", cwd = args.svn_tree)
 
         if not os.path.exists(self.basefile):