#! /bin/sh

set -e

new_install()
{
	# On a fresh install, add the necessary user and group.
	if ! id freerad >/dev/null 2>&1; then
		addgroup --system freerad || true
		groups freerad 2>/dev/null || adduser --system --no-create-home --home /etc/freeradius --ingroup freerad --disabled-password freerad

		# Put user freerad in group shadow, so the daemon can auth
		# locally. Only do this on fresh install as the admin may not
		# want freerad in shadow group if authenticating by another
		# mechanism.
		adduser freerad shadow
	fi

	# Changed in 1.1.5-1 for new installs (we used to start at S50
	# and stop at K50)  We now start at S50 and stop at K19 so we
	# start after services which may be used and stop before them.
	update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 . >/dev/null

	# Set up initial permissions on all the FreeRADIUS directories.
	if [ ! -d /var/log/freeradius ]; then
		mkdir -p /var/log/freeradius
	fi

	if [ ! -f /var/log/freeradius/radius.log ]; then
		touch /var/log/freeradius/radius.log
	fi

	if [ ! -f /var/log/freeradius/radwtmp ]; then
		touch /var/log/freeradius/radwtmp
	fi

	if [ ! -d /var/run/freeradius ]; then
		mkdir /var/run/freeradius
	fi

	chown -R freerad:freerad /var/log/freeradius
	chown -R freerad:freerad /var/run/freeradius
	chgrp -R freerad /etc/freeradius
	find /etc/freeradius -type d -print0 | xargs -0 chmod 2750
	find /etc/freeradius -type f -print0 | xargs -0 chmod 0640

	# Relax permissions on local dictionary: it should not contain
	# secrets, and this allows to run radclient with a non-privileged
	# user. At any rate, only do it on fresh install.
	chmod 2751 /etc/freeradius
	chmod 0644 /etc/freeradius/dictionary

	# Create default certificates to enable the EAP modules (tls, ttls,
	# and peap) when the server starts for the first time.
	# Comment the last line when building a package without OpenSSL for
	# the Debian archive.
	chmod 0750 /etc/freeradius/certs/bootstrap
	/etc/freeradius/certs/bootstrap
}

case "$1" in
  configure)
	if [ -z "$2" ]; then
		new_install
		action="start"
	else
		action="restart"
	fi

	if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
		invoke-rc.d freeradius $action || true
	else
		/etc/init.d/freeradius $action
	fi
	;;
  abort-upgrade)
	;;
  abort-remove)
	if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
		invoke-rc.d freeradius start || true
	else
		/etc/init.d/freeradius start
	fi
	;;
  abort-deconfigure)
	;;
esac

#DEBHELPER#

exit 0