#!/bin/bash
# lmz-settings-manual
#  Manual changes to the paedML Linux system
#
# Depends: UDM
#
# Copyright (C) 2013-2018 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

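set -u
set -e

# Load the UCR variables used by this script into the shell environment
# (ucr shell maps a/b/c to a_b_c). Keys that are unset in UCR produce no
# assignment, so readers must cope with missing variables.
# The repository credentials end up as plain shell variables: do not run
# this script with set -x, or they appear in the trace output.
ucr_vars=(
	ldap/base
	domainname
	hostname
	ucsschool/ldap/default/groupprefix/admins
	repository/online/component/3.2-8-errata           # workaround for issue 4372
	repository/online/component/3.3-1-errata/username  # issue Support-Netz Redmine 1774
	repository/online/component/3.3-1-errata/password
	repository/online/component/4.1-5-errata/username  # enable UCS 4.1-5 Extended Security Maintenance LMZ issue 1955
	repository/online/component/4.1-5-errata/password
	repository/online/component/4.1-5-errata
	repository/online/component/4.3-5-errata/username
	repository/online/component/4.3-5-errata/password
	repository/online/component/4.3-5-errata
	version/patchlevel
	version/version
	repository/online/component/lmz/username
	repository/online/component/lmz/password
)
eval "$(ucr shell "${ucr_vars[@]}")"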

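# Print a timestamped log line to stdout.
# Arguments: $@ - message words, joined by single spaces
# printf is used instead of echo -e so that backslash sequences in the
# message (e.g. escaped characters inside an LDAP DN) are printed literally.
msg () { # {{{1
	printf '%s: %s\n' "$(date)" "$*"
}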

# Check whether an LDAP object with the given DN exists.
# Arguments: $1 - DN to look up (base scope)
# Returns:   0 if the search prints a "dn:" line, 1 otherwise
# Note: stderr is discarded, so a failed or unreachable search is
# indistinguishable from "object not found".
dn_exists () { # {{{1
	local dn=$1
	univention-ldapsearch -LLL -s base -b "${dn}" dn 2>/dev/null | grep -q '^dn:'
}

# Start execution {{{1

# Scratch file for the network import below; removed on every exit path.
TMPFILE="$(mktemp)"
remove_tmpfile () { rm -f -- "${TMPFILE}"; }
trap remove_tmpfile 0                     # EXIT
trap 'remove_tmpfile; exit 1' 2           # INT
trap 'remove_tmpfile; exit 1' 1 15        # HUP TERM

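# Copy the LMZ repository credentials to an errata component that has none yet.
# Arguments: $1 - component name below repository/online/component/
#            $2 - current username of the component ('' if unset)
#            $3 - current password of the component ('' if unset)
# Globals:   repository_online_component_lmz_username/_password (read)
copy_lmz_credentials () { # {{{1
	local component=$1 current_user=$2 current_pass=$3
	if [ -z "${current_user}" ] && [ -z "${current_pass}" ]; then
		# the LMZ password is duplicated into a second UCR key; a later
		# credential rotation has to cover both keys
		ucr set "repository/online/component/${component}/username=${repository_online_component_lmz_username:-}" \
			"repository/online/component/${component}/password=${repository_online_component_lmz_password:-}"
	fi
}

# Enable an Extended Security Maintenance errata component while the system
# is on the patchlevel it covers and disable it on any other patchlevel.
# Arguments: $1 - component name below repository/online/component/
#            $2 - patchlevel the component covers
#            $3 - current value of repository/online/component/$1 ('' if unset)
# Globals:   version_patchlevel (read)
set_esm_component_state () { # {{{1
	local component=$1 patchlevel=$2 current_state=$3
	if [ "${version_patchlevel:-}" = "${patchlevel}" ]; then
		# enable only if necessary
		[ "${current_state}" = 'enabled' ] || ucr set "repository/online/component/${component}=enabled"
	else
		[ "${current_state}" = 'false' ] || ucr set "repository/online/component/${component}=false"
	fi
}

# enable UCS 4.3-5 Extended Security Maintenance Issue #22847
if [ "${version_version}" = '4.3' ]; then
	copy_lmz_credentials 4.3-5-errata \
		"${repository_online_component_4_3_5_errata_username:-}" \
		"${repository_online_component_4_3_5_errata_password:-}"
	set_esm_component_state 4.3-5-errata 5 "${repository_online_component_4_3_5_errata:-}"
fi

# enable UCS 4.1-5 Extended Security Maintenance LMZ issue 1955
if [ "${version_version}" = '4.1' ]; then
	copy_lmz_credentials 4.1-5-errata \
		"${repository_online_component_4_1_5_errata_username:-}" \
		"${repository_online_component_4_1_5_errata_password:-}"
	set_esm_component_state 4.1-5-errata 5 "${repository_online_component_4_1_5_errata:-}"
fi

# workaround for issue Support-Netz Redmine 1774 {{{1
if [ "${version_version}" = '3.3' ] || [ "${version_version}" = '3.2' ]; then
	# NOTE(review): these two variables must be provided by the ucr shell
	# call at the top of the script; if they are not loaded they are always
	# empty and the credentials are rewritten on every run.
	copy_lmz_credentials 3.3-1-errata \
		"${repository_online_component_3_3_1_errata_username:-}" \
		"${repository_online_component_3_3_1_errata_password:-}"
fi

# workaround for issue 4372 {{{1
if [ "${version_version}" = '3.2' ] && [ "${version_patchlevel}" = '8' ]; then
	# without a configured 3.2-8 errata component stay on patchlevel 7
	if [ -z "${repository_online_component_3_2_8_errata:-}" ]; then
		ucr set version/patchlevel='7'
	fi
fi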

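# Import a school network with the UCS@school network importer unless its
# LDAP object already exists.
# Arguments: $1 - network address used in the object name (cn=schule-$1)
#            $2 - label for the log line
#            $3 - one tab-separated import line; the column meaning is
#                 defined by import_networks (school, network/prefix, ...)
# Globals:   ldap_base (read), TMPFILE (read; its content is overwritten)
ensure_network () { # {{{1
	local network=$1 label=$2 definition=$3
	if ! dn_exists "cn=schule-${network},cn=networks,ou=schule,${ldap_base}"; then
		printf '%s\n' "${definition}" > "${TMPFILE}"
		msg "Creating network ${label}"
		/usr/share/ucs-school-import/scripts/import_networks "${TMPFILE}"
	fi
}

# import PAEDAGOGIK network {{{1
ensure_network 10.1.0.0 "PAEDAGOGIK" \
	$'schule\t10.1.0.0/24\t10.1.0.32-10.1.0.229\t10.1.0.11\t10.1.0.1\t10.1.0.1'

# import sicheres Lehrernetz network {{{1
ensure_network 10.1.1.0 "sicheres Lehrernetz" \
	$'schule\t10.1.1.0/24\t10.1.1.10-10.1.1.229\t10.1.1.1\t10.1.0.1\t10.1.0.1'

# import small Schülernetz network {{{1
ensure_network 10.1.2.0 "small Schülernetz" \
	$'schule\t10.1.2.0/24\t10.1.2.2-10.1.2.229\t10.1.2.1\t10.1.0.1\t10.1.0.1'

# import big Schülernetz network {{{1
ensure_network 10.2.0.0 "big Schülernetz" \
	$'schule\t10.2.0.0/16\t10.2.0.2-10.2.251.255\t10.2.0.1\t10.1.0.1\t10.1.0.1'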

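# Create an IP managed client below cn=computers with DNS entries in the fixed
# paedml-linux.lokal / 0.1.10.in-addr.arpa zones and the nagios option.
# Arguments: $1 - name, $2 - description, $3 - IPv4 address
# Globals:   ldap_base (read)
create_ipmanagedclient () { # {{{1
	local name=$1 description=$2 ip=$3
	udm computers/ipmanagedclient create --ignore_exists --position "cn=computers,${ldap_base}" \
		--set name="${name}" \
		--set description="${description}" \
		--set ip="${ip}" \
		--set dnsEntryZoneForward="zoneName=paedml-linux.lokal,cn=dns,${ldap_base}" \
		--set dnsEntryZoneReverse="zoneName=0.1.10.in-addr.arpa,cn=dns,${ldap_base}" \
		--option nagios
}

# Create firewall computer object {{{1
msg "Creating firewall computer object"
if ! dn_exists "cn=firewall,cn=computers,${ldap_base}"; then
	create_ipmanagedclient firewall "pfSense, FreeBSD" 10.1.0.11
	sleep 3 # wait for listener modules to complete their tasks
fi

# Host certificate for the firewall, issued by the UCS CA; the unqualified
# path is provided as a symlink to the FQDN directory.
firewall_ssl_dir=/etc/univention/ssl/firewall.paedml-linux.lokal
if [ ! -e "${firewall_ssl_dir}" ]; then
	univention-certificate new -name firewall.paedml-linux.lokal
fi
if [ ! -e /etc/univention/ssl/firewall ]; then
	ln -s "${firewall_ssl_dir}" /etc/univention/ssl/firewall
fi

# Create nas-backup computer object {{{1
msg "Creating nas-backup computer object"
if ! dn_exists "cn=nas-backup,cn=computers,${ldap_base}"; then
	create_ipmanagedclient nas-backup "NAS System" 10.1.0.12
fi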

# create programme.bat {{{1
# Logon script connecting drive K: to the Programme share. It is (re)written
# when it is missing or still contains the old "Programme /DELETE" form; the
# content is fixed text plus the UCR hostname only.
msg "Creating programme.bat"
programme_bat="/var/lib/samba/sysvol/${domainname}/scripts/programme.bat"
if [ ! -e "${programme_bat}" ] || grep -q "Programme /DELETE" "${programme_bat}"; then
	cat > "${programme_bat}" << END
@echo off
@net use K: /DELETE
@net use K: \\\\${hostname}\\Programme /PERSISTENT:NO ""
exit /b 0
END
fi
if [ ! -x "${programme_bat}" ]; then
	chmod a+x "${programme_bat}"
fi

# Disable password complexity {{{1
# NOTE(review): this relaxes the domain-wide Samba password policy; the other
# policy settings (e.g. minimum length) are not touched here and should be
# reviewed together with this change.
msg "Disabling Samba password complexity"
samba-tool domain passwordsettings set --complexity=off

# Remove pcpatch from s4-connector ignore list {{{1
# the ignore list is replaced as a whole, not edited: any further names that
# were added locally are dropped
msg "Removing pcpatch from s4-connector ignore list"
ucr set connector/s4/mapping/user/ignorelist=root,ucs-s4sync

# Delete global PDF printer {{{1
dn_pdfdrucker="cn=PDFDrucker,cn=printers,${ldap_base}"
if dn_exists "${dn_pdfdrucker}"; then
	msg "Deleting global PDFDrucker"
	# best effort: a failed removal must not abort the run (set -e)
	udm shares/printer remove --dn "${dn_pdfdrucker}" || true
fi

# connect PDF printer {{{1
# Logon script that connects the PDFDrucker printer share; written only once
# and made up of fixed text plus the UCR hostname.
msg "Creating pdfprinter.vbs"
pdfprinter_vbs="/var/lib/samba/sysvol/${domainname}/scripts/pdfprinter.vbs"
if [ ! -e "${pdfprinter_vbs}" ]; then
	cat > "${pdfprinter_vbs}" << END
Dim objWshNetwork
Set objWshNetwork = CreateObject("WScript.Network")
wscript.echo "Adding printer \\\\${hostname}\\PDFDrucker"
objWshNetwork.AddWindowsPrinterConnection "\\\\${hostname}\\PDFDrucker"
END
fi
if [ ! -x "${pdfprinter_vbs}" ]; then
	chmod a+x "${pdfprinter_vbs}"
fi

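# Set the Samba share name of a share object if that object exists.
# Arguments: $1 - share DN, $2 - new sambaName, $3 - short name for the log line
set_share_samba_name () { # {{{1
	local dn=$1 samba_name=$2 label=$3
	if dn_exists "${dn}"; then
		msg "Rename sambaName of ${label} to ${samba_name}"
		udm shares/share modify --dn "${dn}" \
			--set sambaName="${samba_name}"
	fi
}

# change group of pdfPrinterShare to link it to the user's desktop {{{1
dn_pdfPrinterShare="cn=pdfPrinterShare,cn=shares,${ldap_base}"
if dn_exists "${dn_pdfPrinterShare}"; then
	msg "Changing group of pdfPrinterShare to Domain Users schule"
	# getent prints name:passwd:gid:members; a missing group leaves gid empty
	# and the modify call is expected to fail (and abort the run under set -e)
	gid="$(getent group "Domain Users schule" | cut -d: -f3)"
	udm shares/share modify --dn "${dn_pdfPrinterShare}" \
		--set group="${gid}"
fi

# rename samba share pdfPrinterShare {{{1
set_share_samba_name "${dn_pdfPrinterShare}" "PDF Drucker" pdfPrinterShare

# rename samba share homes_lehrer {{{1
dn_homes_lehrer="cn=homes_lehrer,cn=shares,ou=schule,${ldap_base}"
set_share_samba_name "${dn_homes_lehrer}" "Home-Verzeichnisse Lehrer" homes_lehrer

# rename samba share homes_schueler {{{1
dn_homes_schueler="cn=homes_schueler,cn=shares,ou=schule,${ldap_base}"
set_share_samba_name "${dn_homes_schueler}" "Home-Verzeichnisse Schueler" homes_schueler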

# msg "Allowing access to lmz-bw.de without authentication"
# if ! grep -q "^acl LMZ" /etc/squid3/local.conf; then
# 	echo "acl LMZ dstdomain .lmz-bw.de" >> /etc/squid3/local.conf
# 	echo "http_access allow LMZ" >> /etc/squid3/local.conf
# 	systemctl restart squid.service
# fi

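# Squid: Set DIRECT for local access (issue 5053) {{{1
# Proxy auto-config: the own domain, the 10.1.0.0 network and localhost are
# excluded from the proxy. domainname is already provided by ucr shell above.
msg "Set DIRECT for local access"
ucr set proxy/pac/exclude/expressions/enabled=yes \
	proxy/pac/exclude/expressions/expressionlist="*.${domainname}" \
	proxy/pac/exclude/networks/enabled=yes \
	proxy/pac/exclude/networks/networklist=10.1.0.0 \
	proxy/pac/exclude/localhost=yes

# Hide windows-profiles directory {{{1
msg "Hiding windows-profiles directory"
smb_local_conf=/etc/samba/local.conf
hide_profiles_include="include = /etc/samba/lmz-hide-windows-profiles.conf"
# a missing local.conf is caught by -f; grep -q also fails on an empty file,
# which is exactly the "not yet included" case
if [ ! -f "${smb_local_conf}" ] || ! grep -q "^${hide_profiles_include}" "${smb_local_conf}"; then
	echo "${hide_profiles_include}" >> "${smb_local_conf}"
	ucr commit /etc/samba/smb.conf
	systemctl reload smbd.service
fi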

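# Set MX {{{1
msg "Setting MX for ${domainname}"
udm dns/forward_zone modify --dn "zoneName=${domainname},cn=dns,${ldap_base}" \
	--set mx="\"10\" \"${hostname}.${domainname}\""

# Fix Issue #651 {{{1
# Remove the stale A record 192.168.1.99 from every DNS object below cn=dns
# that still carries it. The search prints one "dn: ..." line per object
# (entries are separated by empty lines), which becomes the first line of the
# LDIF change. read -r keeps backslash escapes in DNs, IFS= keeps whitespace.
univention-ldapsearch -LLL -x -b "cn=dns,${ldap_base}" aRecord=192.168.1.99 dn | ldapsearch-wrapper | ldapsearch-decode64 | while IFS= read -r dn; do
	[ -n "${dn}" ] || continue
	# the bind password is read from a file, not passed on the command line
	ldapmodify -x -D "cn=admin,${ldap_base}" -y /etc/ldap.secret << END
${dn}
changetype: modify
delete: aRecord
aRecord: 192.168.1.99
-
END
done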

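# Set wpad alias {{{1
msg "Setting wpad DNS alias for ${domainname}"
# NOTE(review): --append runs on every invocation; whether UDM ignores an
# already present identical alias is not visible here — confirm.
udm computers/domaincontroller_master modify \
	--dn "cn=${hostname},cn=dc,cn=computers,${ldap_base}" \
	--append dnsEntryZoneAlias="${domainname} zoneName=${domainname},cn=dns,${ldap_base} wpad"

# Remove NFS option from shares {{{1
msg "Removing NFS option from shares"
# shares carrying both the NFS and the Samba object class are limited to the
# samba option; sed strips the "dn: " prefix, read -r keeps DN escapes intact
univention-ldapsearch -LLL "(&(univentionObjectType=shares/share)(objectClass=univentionShareNFS)(objectClass=univentionShareSamba))" dn \
	| ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's/^dn: //p' | while IFS= read -r dn; do
	msg "Removing NFS option from share: ${dn}"
	udm shares/share modify --dn "${dn}" --option=samba
done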

# Set no_mbcache option in kernel {{{1
msg "Check if no_mbcache option in kernel is set"
# the option is set on all three volumes only while none of them has it yet
no_mbcache_devices=(/dev/dm-0 /dev/dm-1 /dev/dm-2)
no_mbcache_missing=1
for dev in "${no_mbcache_devices[@]}"; do
	if tune2fs -l "${dev}" | grep -q "^Mount options:.*no_mbcache.*"; then
		no_mbcache_missing=0
		break
	fi
done
if [ "${no_mbcache_missing}" = 1 ]; then
	msg "Set no_mbcache option in kernel"
	for dev in "${no_mbcache_devices[@]}"; do
		tune2fs -E mount_opts=no_mbcache "${dev}"
	done
	# one-shot cron job: it unsets itself and reboots the system at 22:15.
	# NOTE(review): `test <path>` with a single argument only checks for a
	# non-empty string and does not inspect the lock files — confirm intent.
	ucr set cron/auto_reboot/time="15 22 * * *" cron/auto_reboot/command="jitter 3600 test /var/lib/apt/lists/lock && test /var/lib/dpkg/lock && ucr unset cron/auto_reboot/time cron/auto_reboot/command && reboot"
fi

# Deactivate update modul from Schulkonsole {{{1
# Removes the updater operation set from the policy that applies to all users.
# NOTE(review): the DNs use the fixed base dc=paedml-linux,dc=lokal instead of
# ${ldap_base} as elsewhere in this script — confirm they are identical.
msg "Deactivate update modul (only view) from Schulkonsole"
umc_policy_dn="cn=default-umc-all,cn=UMC,cn=policies,dc=paedml-linux,dc=lokal"
updater_operations_dn="cn=updater-all,cn=operations,cn=UMC,cn=univention,dc=paedml-linux,dc=lokal"
udm policies/umc modify --dn "${umc_policy_dn}" --remove allow="${updater_operations_dn}"

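# Create a Nagios disk check below cn=nagios and assign it to the given hosts.
# Arguments: $1   - service name (cn)
#            $2   - mount point to check
#            $3.. - DNs of the hosts the service is assigned to
# Globals:   ldap_base (read)
create_disk_check () { # {{{1
	local name=$1 mount_point=$2
	shift 2
	local service_dn="cn=${name},cn=nagios,${ldap_base}"
	local host_args=() host
	for host in "$@"; do
		host_args+=(--append "assignedHosts=${host}")
	done
	if dn_exists "${service_dn}"; then
		return 0
	fi
	# create nagios service; checkArgs carries the two thresholds and the
	# mount point for check_disk (presumably -w/-c — confirm in the NRPE
	# command definition)
	udm nagios/service create --ignore_exists \
		--position "cn=nagios,${ldap_base}" \
		--set name="${name}" \
		--set checkCommand="check_disk" \
		--set checkArgs="25%!10%!${mount_point}" \
		--set checkPeriod=24x7 \
		--set normalCheckInterval=10 \
		--set retryCheckInterval=1 \
		--set maxCheckAttempts=10 \
		--set notificationInterval=180 \
		--set notificationPeriod=24x7 \
		--set notificationOptionRecovered=1 \
		--set notificationOptionWarning=1 \
		--set notificationOptionUnreachable=1 \
		--set notificationOptionCritical=1 \
		--set useNRPE=1 \
		--set description="check if ${mount_point} is out of diskspace"
	# add service to host(s)
	udm nagios/service modify \
		--dn "${service_dn}" \
		"${host_args[@]}"
}

# create nagios checks {{{1
msg "Create Nagios check for /home"
create_disk_check LMZ_DISK_HOME /home \
	"cn=server,cn=dc,cn=computers,${ldap_base}"
msg "Create Nagios check for /var"
create_disk_check LMZ_DISK_VAR /var \
	"cn=server,cn=dc,cn=computers,${ldap_base}" \
	"cn=backup,cn=memberserver,cn=computers,${ldap_base}"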

# vi: ft=sh:tw=80:sw=4:ts=4:fdm=marker
