Diffstat (limited to 'buildtools')
-rw-r--r--buildtools/debian-skeleton/rpki-ca.install2
-rw-r--r--buildtools/debian-skeleton/rpki-ca.postinst46
-rw-r--r--buildtools/debian-skeleton/rpki-ca.postrm48
-rw-r--r--buildtools/debian-skeleton/rpki-ca.prerm48
4 files changed, 137 insertions, 7 deletions
diff --git a/buildtools/debian-skeleton/rpki-ca.install b/buildtools/debian-skeleton/rpki-ca.install
index 2a68ddb3..bf926af0 100644
--- a/buildtools/debian-skeleton/rpki-ca.install
+++ b/buildtools/debian-skeleton/rpki-ca.install
@@ -1,4 +1,4 @@
-etc/rpki.conf.sample
+etc/rpki/rpki-confgen.xml
etc/rpki/apache.conf
usr/lib
usr/sbin
diff --git a/buildtools/debian-skeleton/rpki-ca.postinst b/buildtools/debian-skeleton/rpki-ca.postinst
index 68daa7b7..8b93c2bd 100644
--- a/buildtools/debian-skeleton/rpki-ca.postinst
+++ b/buildtools/debian-skeleton/rpki-ca.postinst
@@ -20,7 +20,7 @@ setup_rpkid_group() {
}
setup_apache() {
- # edit existing file
+ # Edit existing file
f=/etc/apache2/sites-available/default-ssl
conf=/etc/rpki/apache.conf
cmd=no
@@ -53,15 +53,46 @@ setup_apache() {
fi
}
-setup_django() {
- # we can't perform automatic upgrade when rpki.conf isn't present
- if test -f /etc/rpki.conf
+setup_rpki_conf() {
+ # Update /etc/rpki.conf.sample for this system, and copy it to
+ # /etc/rpki.conf if no configuration file exists yet.
+
+ # We don't (yet) have the ability to merge in settings from an
+ # existing rpki.conf, so we generate a new secret_key and a new
+ # SQL password every time, but that's harmless so long as we're
+ # careful not to overwrite an existing configuration.
+
+ mysql_passwd=`python -c 'import random, string; print "".join(random.choice(string.uppercase + string.lowercase + string.digits) for _ in xrange(16))'`
+ secret_key=`python -c 'import random, string; print "".join(random.choice(string.uppercase + string.lowercase + string.digits) for _ in xrange(50))'`
+
+ rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \
+ --autoconf \
+ --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \
+ --set myrpki::rpkid_server_host=`hostname -f` \
+ --set myrpki::pubd_server_host=`hostname -f` \
+ --set myrpki::shared_sql_password="$mysql_passwd" \
+ --set web_portal::secret-key="$secret_key" \
+ --write-conf /etc/rpki.conf.sample
+
+ if test ! -f /etc/rpki.conf
then
- rpki-manage syncdb
- rpki-manage migrate app
+ cp -p /etc/rpki.conf.sample /etc/rpki.conf
fi
}
+setup_mysql() {
+ rpki-sql-setup --missing_only --mysql_defaults /etc/mysql/debian.cnf
+}
+
+setup_bpki() {
+ rpkic initialize_server_bpki
+}
+
+setup_django() {
+ rpki-manage syncdb --noinput
+ rpki-manage migrate app
+}
+
setup_cron() {
t=$(hexdump -n 1 -e '"%u"' /dev/urandom) && echo "$(($t % 60)) */2 * * * nobody /usr/share/rpki/routeviews.sh" > /etc/cron.d/rpkigui-routeviews
chmod 644 /etc/cron.d/rpkigui-routeviews
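Review bot: The SQL password and the web portal secret key in setup_rpki_conf are drawn from Python's default `random` generator, a Mersenne Twister that is not meant for secrets; using `random.SystemRandom().choice(...)` in both one-liners keeps the same alphabet and lengths while drawing from the OS CSPRNG. Both values are then written to /etc/rpki.conf.sample and copied with `cp -p`, and nothing in the hunk sets the mode of either file, so unless rpki-confgen restricts it they are created under the installer's umask. A `umask 077` before the rpki-confgen call, or an explicit `chmod 640` with group ownership for the daemon group, would close that. The secrets are also passed on the rpki-confgen command line via `--set`, where they are visible in the process list while the command runs. setup_cron continues past the end of the hunk.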
@@ -86,6 +117,9 @@ case "$1" in
setup_rpkid_group
setup_rpkid_user
setup_apache
+ setup_rpki_conf
+ setup_mysql
+ setup_bpki
setup_django
setup_cron
;;
diff --git a/buildtools/debian-skeleton/rpki-ca.postrm b/buildtools/debian-skeleton/rpki-ca.postrm
new file mode 100644
index 00000000..14c14dab
--- /dev/null
+++ b/buildtools/debian-skeleton/rpki-ca.postrm
@@ -0,0 +1,48 @@
+#!/bin/sh
+# postrm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <overwriter>
+# <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+
+ purge)
+
+ # If we had an rpki-purge-sql script, we might call it here to
+ # whack the SQL databases before we whack the configuration
+ # file that tells us what their names and passwords are. Then
+ # again, we might not.
+
+ rm -f /etc/rpki.conf /etc/rpki.conf.sample
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
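Review bot: Neither arm of the `case` removes /etc/cron.d/rpkigui-routeviews, which setup_cron in the postinst writes by hand. Unless it is cleaned up elsewhere, the entry stays behind and keeps pointing at /usr/share/rpki/routeviews.sh after the package is gone. Because `remove` shares an arm with `upgrade`, the `rm -f /etc/cron.d/rpkigui-routeviews` would need a `remove)` arm of its own, or at least a place next to the existing `rm -f` under `purge`. The purge comment notes that the SQL databases survive; it could also say that the config file deleted here appears to hold the only on-disk copy of the generated SQL password.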
diff --git a/buildtools/debian-skeleton/rpki-ca.prerm b/buildtools/debian-skeleton/rpki-ca.prerm
new file mode 100644
index 00000000..5b83de2f
--- /dev/null
+++ b/buildtools/debian-skeleton/rpki-ca.prerm
@@ -0,0 +1,48 @@
+#!/bin/sh
+# prerm script for rpki-ca
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ remove)
+ rm -f /usr/share/rpki/ca.cer
+ rm -f /usr/share/rpki/irbe.cer
+ rm -f /usr/share/rpki/irdbd.cer
+ rm -f /usr/share/rpki/pubd.cer
+ rm -f /usr/share/rpki/pubd.key
+ rm -f /usr/share/rpki/rpkid.cer
+ rm -f /usr/share/rpki/rpkid.key
+ ;;
+
+ upgrade|deconfigure)
+ ;;
+
+ failed-upgrade)
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
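Review bot: The `remove` arm deletes a fixed list of files that includes the private keys pubd.key and rpkid.key, and nothing says where the list comes from. If these are the files produced by `rpkic initialize_server_bpki` in the postinst (which this hunk does not show), a comment such as `# BPKI files generated in postinst by rpkic initialize_server_bpki; not tracked by dpkg` above the first `rm` would tell the next maintainer to keep the two in step. Without that, a key file added to the generator later would be left on disk after removal. The empty `failed-upgrade)` arm could also be folded into `upgrade|deconfigure)`.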