#
# rbm-ssh-keysync-server.postinst
#
+# vim:set foldmethod=marker:
+#
+
+is_initial_configuration() { # {{{
+# Check if this is the initial configuration and not an upgrade of an
+# existing configuration
+# Usage: if is_initial_configuration "$@"; then ... fi from top level
+
+ # Plain installation
+ if [ "$1" = configure ] && [ -z "$2" ]; then
+ return 0
+ fi
+ # Configuration via dpkg-reconfigure
+ if [ "$1" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]; then
+ return 0
+ fi
+ return 1
+}
+
+# }}}
# Create ssh-keysync management user, if not allready there
if ! getent passwd skeysync > /dev/null; then
useradd -m -d /var/cache/ssh-keysync -c "ssh-keysync Keymaster" skeysync
fi
-# set feasible rights
-chown skeysync.root /var/cache/ssh-keysync
-chmod 755 /var/cache/ssh-keysync
+# Create ssh-keysync management group, if no allready there
+if ! getent group skeysync > /dev/null; then
+ addgroup --system skeysync
+fi
+
+# Set primary group of the ssh-keysync user to skeysync if not allready done.
+if [ `id -n -g skeysync` != skeysync ]; then
+ usermod -g skeysync skeysync
+fi
+
+# If you have a 'fai' user, you might want to let this user write to
+# /var/cache/ssh-keysync, so we put him into the group
+if getent passwd fai > /dev/null; then
+ if [ `id -n -G fai | grep -c skeysync` == 0 ]; then
+ adduser fai skeysync
+ fi
+fi
# create public directory that will be shared by a webserver (apache by
# default) to let the clients access the generated ssh_knonw_hosts files.
mkdir -p /var/cache/ssh-keysync/pub
-# let the skeysync user write to the output dir
-chown skeysync /var/cache/ssh-keysync/pub
+# set feasible rights to allow every member of 'skeysync'
+# to write in /var/cache/ssh-keysync
+find /var/cache/ssh-keysync -type d -exec chmod 2775 {} \;
+find /var/cache/ssh-keysync -type f -exec chmod 664 {} \;
+find /var/cache/ssh-keysync -exec chown skeysync:skeysync {} \;
+
+##
+# Call automagic upgrade script if this package is upgraded
+if ! is_initial_configuration "$@"; then
+ /usr/bin/upgrade_sshkeysyc
+fi
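Review bot: The ownership pass `find /var/cache/ssh-keysync -exec chown skeysync:skeysync {} \;` runs as root over a tree that is the skeysync account's home directory and that, after this change, every member of the skeysync group (including `fai`) can write to. Plain `chown` dereferences symbolic links, so a link inside the tree would hand ownership of its target outside the tree to skeysync. I would skip links and never follow them, `find /var/cache/ssh-keysync ! -type l -exec chown -h skeysync:skeysync {} +`, and preferably limit the chmod/chown passes to the directories the package itself creates, since `chmod 664` on every regular file also makes anything else kept in that home directory group-writable. Separately, `==` in the `fai` membership test is not POSIX `test` syntax; the interpreter line is not visible here, but under a POSIX `/bin/sh` the test can fail with an error and `adduser fai skeysync` would never run, so `[ "$(id -n -G fai | grep -c skeysync)" -eq 0 ]` is safer.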