root/packages/fuss-server/fuss-server @ fd015c8b2452a0021ff6b4a8929919985126c286

#!/bin/bash
#
# fuss-server: script to configure a FUSS Server.
#
# Copyright (C) 2007-2012 Simone Piccardi <piccardi@truelite.it>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
set -e

# 
# To avoid localizations hassles
# 
export LANG=C

##
## Defining used files, directories and program
##
ETC_DIR=/etc/fuss-server/
CONF_FILE=$ETC_DIR/fuss-server.conf
SERV_FUNC=$ETC_DIR/service-functions
CONF_CMD=/usr/sbin/fuss-server-config
CA_DIR=$ETC_DIR/Credentials
TEMPL_DIR=/usr/share/fuss-server/templates
SCRIPT_DIR=/usr/share/fuss-server/scripts
TEMP_DIR=/tmp/fuss-server

FUSS_SER_VERS=$(dpkg -l fuss-server | grep fuss-server| awk '{print $3}')
echo "Running fuss-server $FUSS_SER_VERS"

#
# define an exit function with "cannot handle" message
#
unhandle_exit () {
    echo "This package cannot handle this happening, stopping"
    exit 1
}

# Service functions, they must be present
if [ -f "$SERV_FUNC" ]; then
    . "$SERV_FUNC"
else
    echo "Something wrong, missing service functions file $SERV_FUNC"
    echo "you need to purge and reinstall the package"
    exit 1
fi

case "$1" in
    create)
    ##
    ## Read and check configuration variables, they mut be defined
    ##
    if [ -f "$CONF_FILE" ]; then
        . "$CONF_FILE"
    else
        echo "Something wrong, missing configuration file $CONF_FILE"
        echo "try a fuss-server purge or reintall the package"
        exit 1
    fi
    # checking mandatory configuration variables
    while [ -z "$LOCALNET" ]; do 
        echo "Variable LOCALNET must be configured, please enter value"
        $CONF_CMD
        . "$CONF_FILE"
    done
    while [ -z "$DOMAIN" ]; do 
        echo "Variable DOMAIN must be configured, please enter value"
        $CONF_CMD
        . "$CONF_FILE"
    done
    while [ -z "$WORKGROUP" ]; do
        echo "Variable WORKGROUP must be configured, please enter value"
        $CONF_CMD
        . "$CONF_FILE"
    done
    if [ -z "$MASTER_PASS" ]; then 
        echo "Variable MASTER_PASS must be configured, please enter value"
        $CONF_CMD
        . "$CONF_FILE"
    fi
    while [ -z "$GEOPLACE" ]; do
        echo "Variable GEOPLACE must be configured, please enter value"
        $CONF_CMD
        . "$CONF_FILE"
    done
    while [ -z "$DHCP_RANGE" ]; do
        echo "Variable DHCP_RANGE must be configured, please enter value"
        $CONF_CMD
        . "$CONF_FILE"
    done
    # check correctness of values
    cidr_check $LOCALNET
    if [ "$OK" = no ]; then
        echo "Error on LOCALNET variable: $LOCALNET"
        resetconf LOCALNET
        $CONF_CMD
        . "$CONF_FILE"
    fi
    for i in $DHCP_RANGE; do
        ip_check $i 
        if [ "$OK" = no ]; then
            echo "Error on DHCP_RANGE variable: $DHCP_RANGE"
            resetconf DHCP_RANGE
            $CONF_CMD
            . "$CONF_FILE"
            break
        fi
    done
    if ! echo $DOMAIN | grep -E "^[[:alnum:]]+\.[[:alnum:]]+$" >/dev/null; then
        resetconf DOMAIN
        $CONF_CMD
        . "$CONF_FILE"
    fi
    if echo $WORKGROUP | grep -E "[^[:alnum:]]" > /dev/null; then
        resetconf WORKGROUP
        $CONF_CMD
        . "$CONF_FILE"
    fi
    # check for "prolematic" chars
    if echo $MASTER_PASS | grep '/' > /dev/null; then
        resetconf MASTER_PASS
        $CONF_CMD
        . "$CONF_FILE"
    fi

    # check internal that interfaces definition is coerent with LAN
    for i in $LOCALNET; do 
        INT_IF=$(ip route | grep "$i" | awk '{print $3}')
        if [ -z "$INT_IF" ]; then
            echo "No interface found for $i network"
            exit 1
        fi
        if ! echo "$INTERN_IFACES" | grep "$INT_IF"; then
            echo "Configured internal interface $INTERN_IFACES do not"
            echo "match LAN address $i on interface $INT_IF"
            exit 1
        fi
    done

    ######################
    ## Initial settings ##
    ######################
    #
    # Setting other variables for configuration 
    #
    BASE=`echo $DOMAIN | 
       awk -F"." '{OFS=""; ORS=","; for (i=1; i <= NF; i++) print "dc=",$i}' | 
       sed -re 's/,$//g'`
    DOM=`echo $BASE | cut -d'=' -f2| cut -d, -f1`
    HOST=`hostname`
    FQDN=`hostname`'.'$DOMAIN
    # define master password for LDAP, services and CA
    export PASS="$MASTER_PASS"
    # create uuencoded password for LDAP
    NEWPASS=`slappasswd -s $PASS`
    TODAY=`date +%F-%X`
    export TODAY
    echo "Dominio $DOMAIN, Base $BASE, Workgroup $WORKGROUP"
    if [ ! -d $TEMP_DIR ]; then
        mkdir -p $TEMP_DIR
        chmod 700 $TEMP_DIR
    fi


    ###############################
    ## Network LAN configuration ##
    ###############################
    #
    # check if configured as static, otherwise remove configs
    #
#    if ! grep -E "iface.+$INTERN_IFACES.+static" /etc/network/interfaces; then
#       backfile /etc/network/interfaces
#       # remove previous config, if is there
#       sed -r -e "/^iface.+$INTERN_IFACES.*/,/(^iface|^$)/{d}" \
#           > $TEMP_DIR/interfaces 
#       # append new config
#       echo -e "iface $INTERN_IFACES inet static" >> $TEMP_DIR/interfaces
#       IP=$(netmask -r ) 
#       echo -e "" >> $TEMP_DIR/interfaces
        

    ############################
    ## Firewall configuration ##
    ############################

    # adding to runlevel
    echo "Configuring Firewall, local net is $LOCALNET"
    if [ -x  /etc/init.d/firewall ]; then
        update-rc.d firewall defaults 41 80 >/dev/null
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
                invoke-rc.d firewall start
        else
                /etc/init.d/firewall start || exit 0
        fi
    fi

    #############################
    ## Filesever configuration ##
    #############################
    ##
    ## CA configuration
    ##
    # to do just the first time, leave as is if already exists
    if [ ! -d "$CA_DIR/demoCA" ]; then 
        echo "#####################################"
        echo "#   Creating CA and Certificates    #"
        echo "#####################################"
        mkdir -p $CA_DIR 
        chmod 700 $CA_DIR
        cd $CA_DIR  
        rm -f *.pem
        cat $TEMPL_DIR/certif \
            | sed -e "s/Firenze/$GEOPLACE/g" \
            | sed -e "s/<WORKGRP>/$WORKGROUP/g" \
            | sed -e "s/FQDN/$FQDN/g" \
            > $CA_DIR/certif
        echo "Generating CA certificate"
        export SSLEAY_CONFIG="-config $TEMPL_DIR/openssl.cnf"
        $SCRIPT_DIR/CA.sh -newca <<EOF

IT
FI
Firenze
Truelite Srl
Truelite Srl CA
ca.truelite.it
info@truelite.it



EOF
        echo "Generating server certificate"
        $SCRIPT_DIR/CA.sh -newreq <<EOF 
IT
Italia
$GEOPLACE
$WORKGROUP
File Server
$FQDN
root@localhost



EOF
        echo "Signing server certificate"
        $SCRIPT_DIR/CA.sh -sign <<EOF
y
y
EOF
        echo "Unlock server certificate key"
        if [ -e newkey.pem ]; then 
            chmod 600 $CA_DIR/newkey.pem
            openssl rsa -passin env:PASS < newkey.pem > nopasskey.pem
        else
            chmod 600 $CA_DIR/newreq.pem
            openssl rsa -passin env:PASS < newreq.pem > nopasskey.pem
        fi
        # copying certificates and keys
        backfile /etc/ssl/certs/cacert.pem 
        backfile /etc/ssl/certs/fuss-server-cert.pem
        backfile /etc/ssl/private/fuss-server-key.pem

        cp -af $CA_DIR/demoCA/cacert.pem /etc/ssl/certs/cacert.pem
        cp -af $CA_DIR/newcert.pem /etc/ssl/certs/fuss-server-cert.pem
        cp -af $CA_DIR/nopasskey.pem /etc/ssl/private/fuss-server-key.pem
        chmod 640 /etc/ssl/private/fuss-server-key.pem
        chgrp ssl-cert /etc/ssl/private/fuss-server-key.pem
    fi

    ##
    ## LDAP configuration
    ##
    echo "##########################################"
    echo "#   Configuring LDAP server and client   #"
    echo "##########################################"
    # Source the init script configuration
    if [ -f "/etc/default/slapd" ]; then
        . /etc/default/slapd
    fi
    # stop nslcd service if installed (to avoid timeouts on slapd down)
    if [ -x /etc/init.d/nslcd ]; then 
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
            invoke-rc.d nslcd stop
        else
            /etc/init.d/nslcd stop || exit 0
        fi
    fi
    # stop slapd service
    if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
        invoke-rc.d slapd stop
    else
        /etc/init.d/slapd stop || exit 0
    fi
    echo "SLAPD stopped" 

    # previous LDAP DB backup
    LDAP_BACK="/var/backups/old-ldap_backup-$TODAY"
    umask 0077
    if ! slapcat > $LDAP_BACK ; then
        echo "WARNING: cannot backup old LDAP tree"
        echo "OLD DB will be reused, if BASE or PASSWORD has been changed"
        echo "there will be troubles and installation will probably fails"
    else
        echo "LDAP tree backup saved in $LDAP_BACK"
    fi
    umask 0022

    # setup the default location of the slapd config file
    if [ -z "$SLAPD_CONF" ]; then
        SLAPD_CONF="/etc/ldap/slapd.conf"
    fi

    if [ -e $SLAPD_CONF ]; then 
        # check multiple database
        if [ $(grep ^database $SLAPD_CONF|wc -l) -ne 1 ]; then 
            echo "There are multiple databases!"
            unhandle_exit
         fi
        # check multiple tree
        if [ $(grep ^suffix $SLAPD_CONF|wc -l) -ne 1 ]; then 
            echo "There are multiple LDAP trees! "
            unhandle_exit
        fi      
    else
        echo "WARNING: cannot find $SLAPD_CONF"
        if [ -d /etc/ldap/slapd.d ]; then
            echo "Use the new idiot cn=config thing removing it"
            mv /etc/ldap/slapd.d /etc/ldap/slapd.d-dpgk-inst
        else
            echo "Cannot try to backup the LDAP DB"
            unhandle_exit
        fi
    fi

    # install Samba schema if not present
    if [ ! -f /etc/ldap/schema/samba.schema ]; then 
        echo "Installing Samba schema"
        zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz \
            > /etc/ldap/schema/samba.schema
    else
        echo "Something wrong, cannot find Samba schema "
    fi

    # backup previous config and set the new one
    backfile /etc/default/slapd
    add_var_def /etc/default/slapd SLAPD_SERVICES "ldap://127.0.0.1 ldaps://"

    echo "Using $BASE as tree suffix"
    backfile $SLAPD_CONF
    cat $TEMPL_DIR/slapd.conf \
        | sed -re "s/(.*)(dc=domain,dc=local)(.*)/\1$BASE\3/g" \
        > $SLAPD_CONF
    if [ $? -ne 0 ] ; then
        echo "Error on LDAP configuration file creation"
        echo "Using suffix $BASE, dc=$DOM and password $PASS"
        unhandle_exit
    else
        echo "LDAP configuration created"
    fi

    # permission correction
    if [ -n "$SLAPD_USER" ] && [ -n "$SLAPD_GROUP" ] ; then
        chmod 640  "$SLAPD_CONF"
        chgrp "$SLAPD_GROUP" "$SLAPD_CONF"
        if ! getent group|grep ssl-cert|cut -d: -f4| grep -q "$SLAPD_USER"; then
            adduser "$SLAPD_USER" ssl-cert
        fi
    fi

#
# function noisy_slapadd: run slapadd and output the ldif file if
# something goes wrong. Taken from slapd postinst script
#
# Usage: noisy_slapadd < ldif-file
#
noisy_slapadd() {
        local ldif_tmp

        ldif_tmp=$(tempfile -d $TEMP_DIR -p trlpkg)
        cat > "$ldif_tmp"
        if ! slapadd "$@" < "$ldif_tmp"; then
                echo >&2 "Failed to slapadd this data: "
                cat >&2  < "$ldif_tmp" 
                rm "$ldif_tmp"
                exit 1
        fi
        rm "$ldif_tmp"
}



# create initial tree structure
echo "Initial install: erasing previous LDAP data if present"

# get data dir from configuration
LDAP_DATA_DIR=$(grep ^directory $SLAPD_CONF | awk '{print $2}'| tr -d \"\')


# create uuencoded password value for initial LDAP tree
NEWPASS=`slappasswd -s $PASS`
if [ -d "$LDAP_DATA_DIR" ]; then
    rm -f $LDAP_DATA_DIR/*
    cp -f $TEMPL_DIR/DB_CONFIG $LDAP_DATA_DIR
    echo "Installing inital DB using suffix $BASE on $LDAP_DATA_DIR"
    # add data, use slapd postinst script method (beware of starting tab!)
    cat <<-EOF | noisy_slapadd
        dn: $BASE
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        o: $WORKGROUP
        dc: $DOM

        dn: cn=admin,$BASE
        objectClass: simpleSecurityObject
        objectClass: organizationalRole
        cn: admin
        description: LDAP administrator
        userPassword: $NEWPASS

        EOF
    # permission correction
    if [ -n "$SLAPD_USER" ] || [ -n "$SLAPD_GROUP" ]; then
        echo -n "chowning database directory ($SLAPD_USER:$SLAPD_GROUP)... "
        [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$LDAP_DATA_DIR"
        [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$LDAP_DATA_DIR"
        echo "done";
    fi
    echo "Initial tree for LDAP created"
fi



    # server restart
    if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
        invoke-rc.d slapd start
    else
        /etc/init.d/slapd start || exit 0
    fi


    ##
    ## Create LDAP client library config file
    ##
    LDAP_LIB_CFG=${LDAP_LIB_CFG:-/etc/ldap/ldap.conf}
    backfile $LDAP_LIB_CFG

    cat $TEMPL_DIR/ldap.conf \
        | sed -re "s/(.*)(dc=domain,dc=local)(.*)/\1$BASE\3/g" \
        > $LDAP_LIB_CFG

    if [ $? -ne 0 ] ; then
        echo "Error on LDAP client configuration creation"
        echo "Using suffix $BASE"
    else
        echo "New LDAP client configuration created"
    fi

    ##
    ## Config LDAP user authentication
    ##
    # config nsswitch
    backfile /etc/nsswitch.conf
    cp -f $TEMPL_DIR/nsswitch.conf /etc/nsswitch.conf
    

    # create nslcd.conf (new access method, valid for Squeeze)
    NSS_LDAPD=${NSS_LDAPD:-/etc/nslcd.conf}
    if [ -f "$NSS_LDAPD" ]; then
        backfile $NSS_LDAPD
        cat $TEMPL_DIR/nslcd.conf  \
            | sed -re "s/(.*)(dc=truelite,dc=srl)(.*)/\1$BASE\3/g" \
            > $NSS_LDAPD
    fi

    # put LDAP in common-* to enable PAM using it
    backfile /etc/pam.d/common-account
    backfile /etc/pam.d/common-password 
    backfile /etc/pam.d/common-session
    backfile /etc/pam.d/common-auth
    cp $TEMPL_DIR/common-* /etc/pam.d/

    # restart nscd service if installed
    if [ -x /etc/init.d/nscd ]; then 
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
            invoke-rc.d nscd restart
        else
            /etc/init.d/nscd restart || exit 0
        fi
    fi


    ##
    ## SAMBA configuration
    ##

    # creating Samba directories
    SAMBADIR=/home/samba
    PROFILES=$SAMBADIR/profiles
    NETLOGON=$SAMBADIR/netlogon
    if [ ! -d "SAMBDIR"  ]; then 
        if [ ! -d $PROFILES ] ; then
            mkdir -p $PROFILES
            chmod 1777 $PROFILES
            echo "Created profile directory $PROFILES"
        fi
        if [ ! -d $NETLOGON ] ; then
            mkdir -p $NETLOGON
            echo "Created profile directory $NETLOGON"
        fi
    fi

    echo "Stopping Samba for reconfiguration"    
    /etc/init.d/samba stop
    # creating Samba config file
    backfile /etc/samba/smb.conf
    cat $TEMPL_DIR/smb.conf \
        | sed -re "s/(.*)TRUELITE/\1 $WORKGROUP/g" \
        | sed -re "s/(.*)(dc=domain,dc=local)(.*)/\1$BASE\3/g" \
        > /etc/samba/smb.conf
    if [ $? -ne 0 ] ; then
        echo "Error on Samba configuration creation"
        echo "Using workgroup $WORKGROUP and suffix $BASE"
    else
        echo "New Samba config created for domain $WORKGROUP"
    fi
    # clearing previuos data
    rm -fR /var/lib/samba/*
    echo "Setting LDAP passwd"
    smbpasswd -w $PASS

    echo "Starting Samba after configuration"
    /etc/init.d/samba start || echo "Samba restart failed"

    # configuring IDEALX script
    SID=`net getlocalsid | cut -d: -f2 | awk '{print $1}'`
    echo "Setting IDEALX scripts, SID is: $SID"
    backfile /etc/smbldap-tools/smbldap_bind.conf
    cat $TEMPL_DIR/smbldap_bind.conf \
        | sed -re "s/(.*)(dc=domain,dc=local)(.*)/\1$BASE\3/g" \
        | sed -re "s/(.*)(<PASSWORD>)(.*)/\1$PASS\3/g" \
        > /etc/smbldap-tools/smbldap_bind.conf 
    chmod 600 /etc/smbldap-tools/smbldap_bind.conf 

    backfile /etc/smbldap-tools/smbldap.conf
    cat $TEMPL_DIR/smbldap.conf \
        | sed -re "s/#SID.*/SID=\"$SID\"/g" \
        | sed -re "s/(.*)(dc=domain,dc=local)(.*)/\1$BASE\3/g" \
        | sed -re "s/(.*)TRUELITE/\1$WORKGROUP/g" \
        | sed -re "s/(.*)domain.local/\1$DOMAIN/g" \
        > /etc/smbldap-tools/smbldap.conf

    echo "Populate LDAP tree" 
    # select smbldap-tool version, > 0.8, use $1
    VERSION=`dpkg -l|grep smbldap|awk '{print $3}'`
    VAL=`echo $VERSION | awk -F"." '{print ($1>0, $2>8)}'`
    WIN_ADM="admin"
    if [ "$VAL" = "0 0" ]; then
        echo "Old (<0.8) smbldap-populate version"
        /usr/sbin/smbldap-populate -a $WIN_ADM -u 2000 -g 2000
        /usr/sbin/smbldap-usermod -u 0 $WIN_ADM
        /usr/sbin/smbldap-passwd $WIN_ADM <<EOF
$PASS
$PASS
EOF
    else
        echo "New (>0.8) smbldap-populate version"
        /usr/sbin/smbldap-populate -a $WIN_ADM -u 2000 -g 2000 <<EOF
$PASS
$PASS
EOF
    fi

    # Samba defaults for italian privacy laws
    #pdbedit -P "maximum password age" -C $(( 175 * 86400 )) # 175 giorni
    #pdbedit -P "password history"     -C 3
    #pdbedit -P "min password length"  -C 9

    ##
    ## APACHE config for exporting client config files
    ##
    # generating LDAP configuration files for clients
    echo "Generating client configs with ldaps://$FQDN"
    DATA_CONF=/var/www/fuss-data-conf
    mkdir -p $DATA_CONF
    cp -a /etc/ssl/certs/cacert.pem $DATA_CONF/
    cat /etc/ldap/ldap.conf \
        | sed -re "/^host/I d" \
        | sed -re "/^uri/I d" \
        | sed -re "/^#uri/I a uri   ldaps://$FQDN" \
        > $DATA_CONF/ldap.conf
    # generating root user SSH key for clusterssh use 
    echo "#############################################"
    echo "## Generating SSH root key for cluster ssh ##"
    echo "#############################################"
    backfile /root/.ssh/id_dsa
    backfile /root/.ssh/id_dsa.pub
    rm -f /root/.ssh/id_dsa*
    ssh-keygen -t dsa -P "" -f /root/.ssh/id_dsa
    cp /root/.ssh/id_dsa.pub $DATA_CONF/
    cp /root/.ssh/id_dsa* $CA_DIR/


    # recreating Apache default virtual host (to enable SSL)
    backfile /etc/apache2/sites-available/default 
    cp -f $TEMPL_DIR/apache_default \
        /etc/apache2/sites-available/default
    echo "Enabling SSL for Apache2"
    a2enmod ssl
    echo "Set Apache2 listening on ports 80 e 443"
    backfile /etc/apache2/ports.conf
    backfile /etc/default/apache2
    echo -e "Listen 80\nListen 443" > /etc/apache2/ports.conf
    echo "NO_START=0" > /etc/default/apache2
    echo "Apache2 restart after setup:"
    apache2ctl restart || echo "Apache restart failed"

    ##
    ## Modify /etc/fstab to enable ACL support
    ##
    backfile /etc/fstab
    if [ ! -z "`mount | grep /home`" ]; then
        if [ ! -z "`mount | grep /home | grep acl`" ]; then
            echo "ACL attive"
        else
            if [ ! -z "`mount | grep /home | grep ext3`" ]; then
                echo "Attivo le ACL per la partizione /home"
                TEMP_FILE=$(tempfile -d $TEMP_DIR -p fstab)
                cat /etc/fstab \
                | sed -re "s|(^[^#].*)(/home)([ \t]+[^ \t]+[ \t]+[^ \t]+)(.*)|\1\2\3,acl\4|g" \
                > $TEMP_FILE
                if [ -s "$TEMP_FILE" ]; then
                    cp -f $TEMP_FILE /etc/fstab
                    rm -f $TEMP_FILE
                    mount -o remount /home
                else
                    echo "Produced an empty fstab file, doing nothing" 
                fi
            else
                echo "ACL support is working for ext3 filesystem"
                echo "Please use a better supported filesystem"
            fi
        fi
    else
        echo "###############################################"
        echo "##                                           ##"
        echo "## /home inside /, cannot activate ACL       ##"
        echo "##                                           ##"
        echo "###############################################"
    fi

    ##
    ## NFS configuration
    ##
    NFSON="true"
    if [ $NFSON = "true" ]; then 
        echo "Configuring NFS" 
        # server restart
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
            invoke-rc.d nfs-kernel-server stop
            invoke-rc.d portmap stop
        else
            /etc/init.d/nfs-kernel-server stop
            /etc/init.d/portmap stop || exit 0
        fi
        backfile /etc/exports
        cat $TEMPL_DIR/exports \
            | sed -e "s|<localnet>|$LOCALNET|g" \
            > /etc/exports
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
            invoke-rc.d portmap start
            invoke-rc.d nfs-kernel-server start
        else
            /etc/init.d/portmap start 
            /etc/init.d/nfs-kernel-server start
        fi
        /usr/sbin/exportfs -a
        echo "NFS configured" 
    fi

    # Interface list, better having it from configuration
    if [ ! -z "$INTERN_IFACES" ]; then
        IFACES=$INTERN_IFACES
    else
        IFACES=$(ip route | grep "scope link" \
            | grep -v `ip route | grep default | awk '{print $5}'` \
            | awk '{print $3}')
    fi
    echo "Configured $IFACES, configuration is $INTERN_IFACES"

    #  Creating DNS e DHCP 
    echo "Generating DNS/DHCP key" 
    cd $CA_DIR
    if [ ! -e Ktruelite*.private ]; then
        echo "Key file not found, recreate it"
        echo "this will take some time, you can shorten it"
        echo "by increasing system entropy: press some key, ecc."
        dnssec-keygen -a HMAC-MD5 -b 512 -n HOST truelite
    fi
    CHIAVE=$(cat Ktruelite*.private|grep Key: | cut -d" " -f2)

    ##
    ## BIND configuration
    ##
    echo "Starting DNS configuration, stopping service"
    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d bind9 stop
    else
        /etc/init.d/bind9 stop
    fi

    # key file creation
    backfile /etc/bind/rndc.key
    echo "Using Key $CHIAVE"
    cat $TEMPL_DIR/rndc.key \
        | sed -e "s|<chiave>|$CHIAVE|g" \
        > /etc/bind/rndc.key
    
    # direct local zone creation
    MAINIF=$(echo $IFACES | cut -d " " -f 1)
    SERVERIP=$(ip addr show $MAINIF|grep "inet "|awk '{print $2}'|cut -d/ -f1|head -n1)
    NIP=$(ip addr show $MAINIF|grep "inet "|awk '{print $2}'|cut -d/ -f1|wc -l)
    if [ "$NIP" -gt 1 ]; then
        echo "Found multiple IP on $MAINIF, using $SERVERIP"
    fi
    echo "Interfaces $IFACES, main interface $MAINIF, server IP is $SERVERIP"
    cat $TEMPL_DIR/db.local \
        | sed -e "s/domain.local/$DOMAIN/g" \
        | sed -e "s/<FQDN>/$FQDN/g" \
        | sed -e "s/<HOST>/$HOST/g" \
        | sed -e "s/<server-ip>/$SERVERIP/g" \
        > /var/cache/bind/db.local
    echo "Created local zone"
    # insert A records
    for i in $IFACES; do
        ADDR=$(ip addr show $i | grep "inet " | awk '{print $2}' | cut -d/ -f1)
        for j in $ADDR; do
            # adding A records to direct zone
            echo -e "$HOST \t IN \t A \t $j" >> /var/cache/bind/db.local
        done
    done
    # create bind configs for local zones
    backfile /etc/bind/named.conf.local
    cat $TEMPL_DIR/named.conf.local \
        | sed -e "s/domain.local/$DOMAIN/g" \
        | sed -e "s/<FQDN>/$FQDN/g" \
        | sed -e "s|<chiave>|$CHIAVE|g" \
        > /etc/bind/named.conf.local

    # configs on internal interfaces
    for i in $IFACES; do
        NETS=$(/sbin/ip route | grep -v default |grep $i | awk '{print $1}')
        for j in $NETS; do
            reverse $j
            # reverse zone creation
            cat $TEMPL_DIR/db.reverse \
                | sed -e "s/domain.local/$DOMAIN/g" \
                | sed -e "s/<FQDN>/$FQDN/g" \
                > /var/cache/bind/db.$NET
            # adding zone to bind config
            cat $TEMPL_DIR/named.conf.reverse \
                | sed -e "s/<FQDN>/$FQDN/g" \
                | sed -e "s/<reverse>/$ZONE/g" \
                | sed -e "s/<revfile>/$NET/g" \
                >> /etc/bind/named.conf.local
            # adding PTR records to reverse zone
            ADDR=$(ip addr show $i | grep $NET |awk '{print $2}' | cut -d/ -f1)
            for k in $ADDR; do
                revip $k
                echo -e "$REVIP\t IN\t PTR\t $FQDN." >> /var/cache/bind/db.$NET
            done
        done
    done

    # clearing temporary files
    rm -f /var/cache/bind/db.*.jnl
    # clearing permissions
    chmod 2775 /var/cache/bind/
    chgrp bind /var/cache/bind/
    chown bind:bind /var/cache/bind/db.*
    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d bind9 start
    else
        /etc/init.d/bind9 start
    fi

    # use localhost as local DNS
    backfile /etc/resolv.conf
    cat $TEMPL_DIR/resolv.conf \
        | sed -e "s/DOMINIO/$DOMAIN/g" \
        > /etc/resolv.conf 
    
    ##
    ## DHCP configuration
    ##    
    echo "Starting DHCP configuration, stopping server"
    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d isc-dhcp-server stop
    else
        /etc/init.d/isc-dhcp-server stop
    fi
    # setup /etc/default/dhcp3-server 
    echo "Setting default interfaces for DHCP"
    backfile /etc/default/isc-dhcp-server
    cat $TEMPL_DIR/dhcpd.default \
        | sed -e "s/<ifaces>/$IFACES/g" \
        > /etc/default/isc-dhcp-server

    # create base default config for DHCP
    echo "Creating base configuration"
    backfile /etc/dhcp/dhcpd.conf
    cat $TEMPL_DIR/dhcpd.conf \
        | sed -e "s/<dominio>/$DOMAIN/g" \
        | sed -e "s/<FQDN>/$FQDN/g" \
        | sed -e "s|<chiave>|$CHIAVE|g" \
        > /etc/dhcp/dhcpd.conf

    #
    # Loop for interfaces configuration
    #
    echo "Configuring iface $IFACES"
    NIF=$(echo $IFACES|wc -w)
    if [ "$NIF" -gt 1 ]; then
        echo "We have $NIF different LAN interfaces, experimental setup,"
        echo "we cannot use the IP range given on the configuration request"
        echo "Be sure to check the results !!!"
    fi
    for i in $IFACES; do 
        DNSIP=$(
            ip addr show $i | grep "inet " | head -n1 |
            awk '{print $2}' | cut -d/ -f1
        )
        NIP=$(ip addr show $i|grep "inet "|awk '{print $2}'|cut -d/ -f1|wc -l)
        if [ "$NIP" -gt 1 ]; then
            echo "Found multiple IP on $i, using $DNSIP"
        fi
        NETS=$(ip route | grep -v default |grep $DNSIP | awk '{print $1}')
        NETMASK=$(netmask -s $NETS | cut -d/ -f2)
        SUBNET=$(netmask -s $NETS | cut -d/ -f1)
        if ip route | grep default | grep $i; then 
            ROUTER=$(ip route | grep default | grep $i | awk '{print $3}')
        else
            ROUTER=$DNSIP
        fi
        # compute range for DHCP
        ADDR=$( echo $NETS | cut -d/ -f1)
        SIZE=$(( 1 << ( 32 - $(echo $NETS|cut -d/ -f2) ) ))
        if [ $SIZE -gt 256 ]; then
            SIZE=256
        fi
        INIT=$(echo $ADDR | cut -d. -f 1-3).$(( $SIZE / 4 ))
        END=$(echo $ADDR | cut -d. -f 1-3).$(( $SIZE / 4 + $SIZE / 2 ))

        reverse $NETS

        # using given range only with a single interface
        if [ "$NIF" -eq 1 ]; then
            if [ ! -z "$DHCP_RANGE" ]; then
                RANGE=$DHCP_RANGE
            else
                RANGE="$INIT $END"
            fi
        else
            RANGE="$INIT $END"
        fi

        # creo configurazione specifica per ciascuna interfaccia
        echo "subn $SUBNET, nmask $NETMASK"
        echo "range $RANGE, router $ROUTER, DNS $DNSIP, "
        cat $TEMPL_DIR/dhcpd.iface \
            | sed -e "s/<dns-ip>/$DNSIP/g" \
            | sed -e "s/<router-ip>/$ROUTER/g" \
            | sed -e "s/<subnet>/$SUBNET/g" \
            | sed -e "s/<netmask>/$NETMASK/g" \
            | sed -e "s/<range>/$RANGE/g" \
            | sed -e "s/<dominio>/$DOMAIN/g" \
            | sed -e "s/<FQDN>/$FQDN/g" \
            | sed -e "s/<reverse>/$ZONE/g" \
            >> /etc/dhcp/dhcpd.conf
    done
    # configuration completed, restart server
    echo "Restarting DHCP server"
    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d isc-dhcp-server start || echo "DHCP restart failed"
    else
        /etc/init.d/isc-dhcp-server start || echo "DHCP restart failed"
    fi

    ##
    ## SQUID configuration
    ##
    echo "Changing squid configuration..."
    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d squid stop
    else
        /etc/init.d/squid stop 
    fi

    # computer memory and disk sizes on avalaible resources
    MEMSIZE=$(( $(free | grep Mem:| awk '{print $2}') / 4096 ))
    DISKSIZE=$(( $(df -m /var/spool/squid | tail -n1 | awk '{print $2}') / 4 ))

    echo "Setting host=$HOST and net=$LOCALNET, mem=$MEMSIZE, disk=$DISKSIZE"
    backfile /etc/squid/squid.conf
    cat $TEMPL_DIR/squid.conf \
        | sed -e "s/<HOSTNAME>/$HOST/g" \
        | sed -e "s/<DOMINIO>/$DOMAIN/g" \
        | sed -e "s/dc=domain,dc=local/$BASE/g" \
        | sed -e "s/<MEMSIZE>/$MEMSIZE/g" \
        | sed -e "s/<DISKSIZE>/$DISKSIZE/g" \
        | sed -e "s/<SERVER-IP>/$SERVERIP/g" \
        | sed -e "s|<localnet>|$LOCALNET|g" \
        > /etc/squid/squid.conf

    echo "restarting squid with new configuration..."
    squid -z
    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d squid start 
    else
        /etc/init.d/squid start 
    fi
    # add internet group for access control
    addgroup --system internet

    ##
    ## DansGuardian configuration
    ## 
    echo "changing dansguardian configuration..."
    if [ -f /var/run/dansguardian.pid ]; then
        if ps ax | grep $(cat /var/run/dansguardian.pid) > /dev/null; then
            if which invoke-rc.d >/dev/null 2>&1; then
                invoke-rc.d dansguardian stop
            else
                /etc/init.d/dansguardian stop
            fi
        fi
    fi
    DANSCONF=/etc/dansguardian/
    cd $DANSCONF
    # backup and create configuration
    backfile dansguardian.conf
    cat $TEMPL_DIR/dansguardian.conf \
        | sed -e "s/<SERVER-IP>/$SERVERIP/g" \
        | sed -e "s/<FQDN>/$FQDN/g" \
        > $DANSCONF/dansguardian.conf
    # backup old configs
    backfile dansguardianf1.conf 
    cp -f $TEMPL_DIR/dansguardianf1.conf $DANSCONF/
    DANSLIST=/etc/dansguardian/lists
    cd $DANSLIST
    backfile bannedextensionlist
    backfile bannedmimetypelist
    backfile exceptionsitelist 
    # coping other templates
    cd $TEMPL_DIR/
    cp -f bannedextensionlist $DANSLIST/
    cp -f bannedmimetypelist  $DANSLIST/
    cp -f exceptionsitelist   $DANSLIST/

    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d dansguardian start
    else
        /etc/init.d/dansguardian start
    fi

    #
    # Forced reset of permissions, just to be sure
    #
    chmod 600 /etc/smbldap-tools/smbldap_bind.conf*

    #
    # Remove old fuss-server unused files
    # 
    rm -f /etc/init.d/firewall.sh*
    rm -f /etc/rcS.d/firewall.sh*
    rm -f /etc/init.d/purgezone
    rm -f /etc/rc0.d/purgezone

    unset PASS
    echo "FUSS Server configurations ended" 

    ;;

    purge)
        echo "Removing all previuos configuration from $ETC_DIR"
        BACKDIR=/var/backups/fuss-server
        if [ -d $CA_DIR ]; then 
            tar -f $BACKDIR/Credential$TODAY -r $CA_DIR
            rm -fR $CA_DIR
        fi
        cp -f $TEMPL_DIR/fuss-server.conf $CONF_FILE
    ;;

    *)
        echo "fuss-server called with unknown argument \`$1'" >&2
        echo "     fuss-server create -  install configuration"
        echo "     fuss-server purge  -  clean $ETC_DIR dir"
        exit 1
    ;;
esac

exit 0