From 4041050498d2eb2da476eb043bba37f00a80a140 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 5 Sep 2021 08:10:00 +0200 Subject: Adding tsig debconf handling for dehydrated-nsupdate. Signed-off-by: Daniel Baumann --- debian/open-infrastructure-dehydrated-tools.config | 4 ++ .../open-infrastructure-dehydrated-tools.postinst | 55 ++++++++++++++++++++++ .../open-infrastructure-dehydrated-tools.templates | 10 ++++ 3 files changed, 69 insertions(+) diff --git a/debian/open-infrastructure-dehydrated-tools.config b/debian/open-infrastructure-dehydrated-tools.config index 8d636fd..6c7a683 100644 --- a/debian/open-infrastructure-dehydrated-tools.config +++ b/debian/open-infrastructure-dehydrated-tools.config @@ -63,4 +63,8 @@ db_settitle open-infrastructure-dehydrated-tools/title db_input low open-infrastructure-dehydrated-tools/register "${REGISTER}" || true db_go +db_settitle open-infrastructure-dehydrated-tools/title +db_input low open-infrastructure-dehydrated-tools/tsig "${TSIG}" || true +db_go + db_stop diff --git a/debian/open-infrastructure-dehydrated-tools.postinst b/debian/open-infrastructure-dehydrated-tools.postinst index f6c71c7..083c2ac 100755 --- a/debian/open-infrastructure-dehydrated-tools.postinst +++ b/debian/open-infrastructure-dehydrated-tools.postinst @@ -81,6 +81,9 @@ case "${1}" in db_get open-infrastructure-dehydrated-tools/ocsp-must-staple OCSP_MUST_STAPLE="${RET}" # boolean + db_get open-infrastructure-dehydrated-tools/tsig + TSIG="${RET}" # string (w/ empty) + db_stop case "${AUTO_CLEANUP}" in 
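Review bot: The value read by `db_get open-infrastructure-dehydrated-tools/tsig` may be the TSIG secret itself, and the template added at the end of this patch declares it `Type: string`, so debconf keeps it alongside ordinary answers rather than in the restricted store it uses for `password` templates. `db_stop` follows directly after the reads, so the postinst cannot clear the stored answer once the key file has been written. Consider clearing it before `db_stop` when it is not a path, for example `db_set open-infrastructure-dehydrated-tools/tsig ""` after it has been copied to `TSIG`, or splitting the question into a path (`string`) and a secret (`password`); how the config script would react to the cleared answer on reconfigure is not visible here and needs checking. The enclosing `case "${1}"` branch starts and ends outside this hunk.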
@@ -230,6 +233,58 @@ EOF dehydrated --register --accept-terms ;; esac + + if [ -n "${TSIG}" ] + then + case "${TSIG}" in + *:*) + # tsig is a string + echo "${TSIG}" > /etc/dehydrated/tsig.key + chmod 0600 /etc/dehydrated/tsig.key + + TSIG_FILE="/etc/dehydrated/tsig.key" + ;; + + */*) + # tsig is a path + TSIG_FILE="${TSIG}" + ;; + + *) + echo "'${TSIG}' is neither a valid tsig nor a path to an existing file - ignoring" + ;; + esac + fi + + if [ -n "${TSIG_FILE}" ] + then + DEFAULT_FILE="/etc/default/dehydrated-nsupdate" + + if [ ! -e "${DEFAULT_FILE}" ] + then + +cat > "${DEFAULT_FILE}" << EOF +# ${DEFAULT_FILE} + +TSIG_KEYFILE="${TSIG_FILE}" +EOF + + fi + + cp -a -f "${DEFAULT_FILE}" "${DEFAULT_FILE}.tmp" + + # If the admin deleted or commented some variables but then set + # them via debconf, (re-)add them to the config file. + + test -z "${TSIG_FILE}" || \ + grep -Eq '^ *TSIG_KEYFILE=' "${DEFAULT_FILE}" || \ + echo "TSIG_KEYFILE=" >> "${DEFAULT_FILE}" + + sed -e "s|^ *TSIG_KEYFILE=.*|TSIG_KEYFILE=\"${TSIG_FILE}\"|" \ + < "${DEFAULT_FILE}" > "${DEFAULT_FILE}.tmp" + + mv -f "${DEFAULT_FILE}.tmp" "${DEFAULT_FILE}" + fi ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/open-infrastructure-dehydrated-tools.templates b/debian/open-infrastructure-dehydrated-tools.templates index bf7fec4..947e5eb 100644 --- a/debian/open-infrastructure-dehydrated-tools.templates +++ b/debian/open-infrastructure-dehydrated-tools.templates 
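Review bot: The `*:*` branch writes the secret with `echo "${TSIG}" > /etc/dehydrated/tsig.key` and only afterwards runs `chmod 0600`, so a newly created key file carries whatever the maintainer script's umask allows until the chmod lands. The `*/*` branch accepts the path without testing that it exists, although the fallback message speaks of "a path to an existing file", and because `*:*` is matched first a path containing a colon is written out as key material. `${TSIG_FILE}` is then interpolated unescaped into the here-document and into the `sed` replacement, so a value containing `|`, `&`, `\` or `"` corrupts `/etc/default/dehydrated-nsupdate`, which is presumably sourced by the hook; rejecting such characters before use would avoid that. The fence below reorders the branches and creates the key file owner-only from the start; it assumes only absolute paths are meant, which the template text suggests but does not state. The enclosing `case "${1}"` branch starts outside this hunk.

```shell
		case "${TSIG}" in
			/*)
				# tsig is an absolute path; accept it only if the file is there
				if [ -f "${TSIG}" ]
				then
					TSIG_FILE="${TSIG}"
				else
					echo "'${TSIG}' does not exist - ignoring" >&2
				fi
				;;

			*:*:*)
				# tsig is an algorithm:name:base64 string; recreate the key
				# file under a restrictive umask so it is never readable by
				# anyone but the owner, not even briefly
				(
					umask 077
					rm -f /etc/dehydrated/tsig.key
					printf '%s\n' "${TSIG}" > /etc/dehydrated/tsig.key
				)

				TSIG_FILE="/etc/dehydrated/tsig.key"
				;;

			# … unchanged: fallback branch printing the "neither a valid tsig nor a path" message …
```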
@@ -73,3 +73,13 @@ Default: false Description: dehydrated register: Should a 'dehydrated --register --accept-terms' be executed now to create an account for this system with your CA. + +Template: open-infrastructure-dehydrated-tools/tsig +Type: string +Default: +Description: dehydrated TSIG: + When using the dehydrated-nsupdate hook, a TSIG can be used. If you like + to do so, please enter either the path to the TSIG file or the TSIG string + itself (format as used by nsupdate -y in algorithm:name:base64). + . + If unsure, leave empty (default). -- cgit v1.2.3