#!/bin/sh
set -e

. /usr/share/debconf/confmodule
db_version 2.0

action="$1"

umask 022


get_config_option() {
	option="$1"
	sshd_path=/usr/sbin/sshd

	[ -f /etc/ssh/sshd_config ] || return

	# begin-remove-after: released:forky
	if [ -e /usr/sbin/sshd.session-split ]; then
		sshd_path=/usr/sbin/sshd.session-split
	fi
	# end-remove-after
	"$sshd_path" -G | sed -n "s/^$option //Ip"
}


create_key() {
	msg="$1"
	shift
	hostkeys="$1"
	shift
	file="$1"
	shift

	if echo "$hostkeys" | grep -x "$file" >/dev/null && \
	   [ ! -f "$file" ] ; then
		printf %s "$msg"
		ssh-keygen -q -f "$file" -N '' "$@"
		echo
		if command -v restorecon >/dev/null 2>&1; then
			restorecon "$file" "$file.pub"
		fi
		ssh-keygen -l -f "$file.pub"
	fi
}


create_keys() {
	hostkeys="$(get_config_option HostKey)"

	create_key "Creating SSH2 RSA key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
	create_key "Creating SSH2 ED25519 key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
}


new_config=

cleanup() {
	if [ "$new_config" ]; then
		rm -f "$new_config"
	fi
}


create_sshdconfig() {
	# XXX cjwatson 2016-12-24: This debconf template is very confusingly
	# named; its description is "Disable SSH password authentication for
	# root?", so true -> prohibit-password (the upstream default),
	# false -> yes.
	db_get openssh-server/permit-root-login
	permit_root_login="$RET"
	db_get openssh-server/password-authentication
	password_authentication="$RET"

	trap cleanup EXIT
	new_config="$(mktemp)"
	cp -aZ /usr/share/openssh/sshd_config "$new_config"
	if [ "$permit_root_login" != true ]; then
		sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
			"$new_config"
	fi
	if [ "$password_authentication" != true ]; then
		sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
			"$new_config"
	fi
	mkdir -pZ /etc/ssh
	ucf --three-way --debconf-ok \
		--sum-file /usr/share/openssh/sshd_config.md5sum \
		"$new_config" /etc/ssh/sshd_config
	ucfr openssh-server /etc/ssh/sshd_config
}

if [ "$action" = configure ]; then
	create_sshdconfig
	create_keys
	if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
	   [ -f /etc/ssh/moduli.dpkg-bak ]; then
	    # Handle /etc/ssh/moduli being moved from openssh-client to
	    # openssh-server.  If there were no user modifications, then we
	    # don't need to do anything special here; but if there were,
	    # then the dpkg-maintscript-helper calls from openssh-client's
	    # maintainer scripts will have saved the old file as .dpkg-bak,
	    # which we now move back into place.
	    mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
	fi
	if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
	   deb-systemd-helper --quiet was-enabled ssh.socket && \
	   [ -d /run/systemd/system ]
	then
		# migrate to systemd socket activation.
		systemctl unmask ssh.service
		systemctl disable ssh.service
	fi
	# begin-remove-after: released:forky
	if [ -e /usr/sbin/sshd.session-split ]; then
		# We're ready to restart the listener process so that it
		# executes sshd-session rather than sshd for new
		# connections, so we can remove this diversion now.  This
		# starts a brief window where new connections will fail
		# (ending when the service is restarted), but at least it's
		# all contained within this postinst.
		#
		# See openssh-server.preinst for why we use this odd package
		# name.
		echo "Finishing upgrade from pre-9.8 monolithic sshd ..."
		dpkg-divert --package openssh-client --remove --no-rename \
			--divert /usr/sbin/sshd.session-split /usr/sbin/sshd
		mv -f /usr/sbin/sshd.session-split /usr/sbin/sshd
	fi
	# end-remove-after
fi

# Automatically added by dh_installsysusers/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
   systemd-sysusers ${DPKG_ROOT:+--root="$DPKG_ROOT"} openssh-server.conf
fi
# End automatically added section
# Automatically added by dh_installtmpfiles/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -x "$(command -v systemd-tmpfiles)" ]; then
		systemd-tmpfiles ${DPKG_ROOT:+--root="$DPKG_ROOT"} --create openssh-server.conf || true
	fi
fi
# End automatically added section
# Automatically added by dh_runit/2.16.4
# Unlike postrm, I can be sure, that runit-helper is present on
# postinst.
#start: remove after trixie
if  [ ! -e /usr/lib/runit-helper/runit-helper ]; then
    #should not happen
    echo "warning: can't find runit-helper, postinst action skipped!"
    echo "warning: runit-helper: please report this bug"
fi
#end: remove after trixie
if [ -z "${DPKG_ROOT:-}" ] && [ -x /usr/lib/runit-helper/runit-helper ]; then
    NAME='ssh' ENABLE='yes' ONUPGRADE='restart' /usr/lib/runit-helper/runit-helper postinst "$@"
fi
# End automatically added section
# Automatically added by dh_installdeb/13.24.2
dpkg-maintscript-helper rm_conffile /etc/network/if-up.d/openssh-server 1:7.9p1-1\~ -- "$@"
# End automatically added section
# Automatically added by dh_installinit/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -z "$DPKG_ROOT" ] && [ -x "/etc/init.d/ssh" ]; then
		update-rc.d ssh defaults >/dev/null
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		invoke-rc.d --skip-systemd-native ssh $_dh_action || exit 1
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# The following line should be removed in trixie or trixie+1
	deb-systemd-helper unmask 'ssh.service' >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled 'ssh.service'; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable 'ssh.service' >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state 'ssh.service' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action 'ssh.service' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if deb-systemd-helper debian-installed 'ssh.socket'; then
		# The following line should be removed in trixie or trixie+1
		deb-systemd-helper unmask 'ssh.socket' >/dev/null || true

		if deb-systemd-helper --quiet was-enabled 'ssh.socket'; then
			# Create new symlinks, if any.
			deb-systemd-helper enable 'ssh.socket' >/dev/null || true
		fi
	fi

	# Update the statefile to add new symlinks (if any), which need to be cleaned
	# up on purge. Also remove old symlinks.
	deb-systemd-helper update-state 'ssh.socket' >/dev/null || true
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action 'ssh.socket' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# The following line should be removed in trixie or trixie+1
	deb-systemd-helper unmask 'sshd-keygen.service' >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled 'sshd-keygen.service'; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable 'sshd-keygen.service' >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state 'sshd-keygen.service' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action 'sshd-keygen.service' >/dev/null || true
	fi
fi
# End automatically added section


db_stop

exit 0