340 lines
8.9 KiB
Diff
340 lines
8.9 KiB
Diff
diff --git a/gale-install.in b/gale-install.in
|
|
index 50e8ad8..eec0ed2 100644
|
|
--- a/gale-install.in
|
|
+++ b/gale-install.in
|
|
@@ -29,22 +29,78 @@ testkey_stdin() {
|
|
gkinfo -x 2>/dev/null | qgrep "^Public key: <$1>"
|
|
}
|
|
|
|
-if [ -n "$GALE_SYS_DIR" ]; then
|
|
- SYS_DIR="$GALE_SYS_DIR"
|
|
-elif [ -n "$sysconfdir" ]; then
|
|
- SYS_DIR="$sysconfdir/gale"
|
|
+INST_SYS_DIR="$sysconfdir/gale"
|
|
+
|
|
+if [ `id -u` -eq 0 ]; then
|
|
+ is_root=yes
|
|
+ SYS_DIR=/etc/gale
|
|
+else
|
|
+ is_root=no
|
|
+ SYS_DIR="$HOME/.gale"
|
|
+fi
|
|
+
|
|
+if [ -f /etc/NIXOS ]; then
|
|
+ is_nixos=yes
|
|
+else
|
|
+ is_nixos=no
|
|
+fi
|
|
+
|
|
+if [ -u /run/wrappers/bin/gksign ]; then
|
|
+ cat <<EOM
|
|
+
|
|
+Gale appears to have already been set up via the NixOS module system (check
|
|
+/etc/nixos/configuration.nix).
|
|
+
|
|
+EOM
|
|
+
|
|
+ exit 0
|
|
+fi
|
|
+
|
|
+if [ $is_root = yes ]; then
|
|
+ cat <<EOM
|
|
+
|
|
+You are running gale-install as root, so I'm going to assume you want to set up
|
|
+Gale for system-wide use. Unfortunately, Gale expects to be able to run the
|
|
+"gksign" program via setuid, and we can't change gksign's permissions once it's
|
|
+already been installed because the Nix store is immutable by design.
|
|
+
|
|
+EOM
|
|
+
|
|
+ if [ $is_nixos = no ]; then
|
|
+ cat <<EOM
|
|
+
|
|
+This isn't a NixOS system. Gale can only be installed for a single user on
|
|
+non-NixOS systems. If you want a system-wide installation, you'll have to
|
|
+install Gale the old-fashioned way. Sorry.
|
|
+
|
|
+EOM
|
|
+
|
|
+ exit 1
|
|
+ fi
|
|
+ cat <<EOM
|
|
+
|
|
+This script will generate a domain key for you, and after you get it signed, you
|
|
+can finish the setup process by configuring Gale via the NixOS module system
|
|
+(i.e. /etc/nixos/configuration.nix).
|
|
+
|
|
+EOM
|
|
+
|
|
else
|
|
- echo "Error: cannot locate Gale system configuration directory."
|
|
- exit 1
|
|
+ cat <<EOM
|
|
+
|
|
+Hi. You are running gale-install as a normal user, so I'm going to assume you
|
|
+want to set up Gale for your own (i.e. non-system-wide) use.
|
|
+
|
|
+EOM
|
|
+
|
|
fi
|
|
|
|
-CONF="$SYS_DIR/conf"
|
|
umask 022
|
|
-PATH="$bindir:$sbindir:$PATH:/usr/ucb"
|
|
+PATH="$bindir:$sbindir:$PATH"
|
|
export PATH
|
|
|
|
-if [ -f "$CONF" ]; then
|
|
- exec 3<"$CONF"
|
|
+if [ -n "$SYS_DIR" ] && [ -f "$SYS_DIR/conf" ]; then
|
|
+ exec 3<"$SYS_DIR/conf"
|
|
|
|
while read var value <&3 ; do
|
|
case "$var" in
|
|
@@ -58,52 +114,14 @@ if [ -f "$CONF" ]; then
|
|
exec 3<&-
|
|
fi
|
|
|
|
-USER="`whoami`"
|
|
-if [ -z "$USER" ]; then
|
|
- echo "Error: cannot determine your username."
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-# -----------------------------------------------------------------------------
|
|
-# check directory structure
|
|
-
|
|
-if [ ! -d "$SYS_DIR" ]; then
|
|
- echo "Error: Invalid SYS_DIR: \"$SYS_DIR\"."
|
|
- exit 1
|
|
-fi
|
|
-
|
|
# -----------------------------------------------------------------------------
|
|
-# get settings for important variables: user, domain, server
|
|
+# get settings for important variables: domain, server
|
|
|
|
-[ -n "$CONF_GALE_USER" ] && GALE_USER="$CONF_GALE_USER"
|
|
[ -n "$CONF_GALE_DOMAIN" ] && GALE_DOMAIN="$CONF_GALE_DOMAIN"
|
|
[ -n "$CONF_GALE_SERVER" ] && GALE_SERVER="$CONF_GALE_SERVER"
|
|
|
|
-if [ -z "$GALE_USER" ]; then
|
|
-cat << EOM
|
|
-
|
|
-Hi. You need to denote a user to own the Gale domain secret key. You must
|
|
-trust this user with Gale authentication for your domain; the "gksign" program
|
|
-will run as this user. I recommend using a special "gale" user; if you don't
|
|
-have administrative privileges here, you'll probably have to use your own
|
|
-account. I do not recommend the use of "root".
|
|
-
|
|
-No harm done if you stop this script now to set up such a user.
|
|
-
|
|
-EOM
|
|
-
|
|
- printf "Enter the Gale username: "
|
|
- read GALE_USER
|
|
- if [ -z "$GALE_USER" ]; then
|
|
- echo "Error: Invalid username or no home dir: \"$GALE_USER\"."
|
|
- exit 1
|
|
- fi
|
|
-else
|
|
- echo "Using \"$GALE_USER\" as the Gale owner."
|
|
-fi
|
|
-
|
|
if [ -z "$GALE_DOMAIN" ] ; then
|
|
-cat << EOM
|
|
+ cat << EOM
|
|
|
|
You need to identify the name of your Gale domain for two purposes:
|
|
|
|
@@ -140,97 +158,56 @@ else
|
|
fi
|
|
|
|
# -----------------------------------------------------------------------------
|
|
-# create configuration file
|
|
-
|
|
-if [ ! -f "$CONF" ]; then
|
|
-cat > "$CONF" <<EOM
|
|
-# $CONF -- created by Gale installer; edit to suit.
|
|
-EOM
|
|
+# create configuration file (if this is a single-user setup)
|
|
+
|
|
+if [ $is_root = no ]; then
|
|
+ CONF="$SYS_DIR/conf"
|
|
+
|
|
+ if [ ! -d "$SYS_DIR" ]; then
|
|
+ run mkdir -m 0700 -p "$SYS_DIR"
|
|
+ run mkdir -m 0700 -p "$SYS_DIR/auth"
|
|
+ run mkdir -m 0755 -p "$SYS_DIR/auth/trusted"
|
|
+ run cp -f "$INST_SYS_DIR/auth/trusted/ROOT" "$SYS_DIR/auth/trusted"
|
|
+ run mkdir -m 0700 -p "$SYS_DIR/auth/private"
|
|
+ run mkdir -p "$SYS_DIR/auth/local" "$SYS_DIR/auth/cache"
|
|
+ fi
|
|
|
|
-cat <<EOM
|
|
+ if [ ! -f "$CONF" ]; then
|
|
+ cat <<EOM
|
|
|
|
*** Creating "$CONF".
|
|
Examine and edit this file to your taste and local needs.
|
|
If you want to recreate it from scratch, remove it and re-run this.
|
|
-EOM
|
|
-fi
|
|
-
|
|
-[ -n "$CONF_GALE_USER" ] || cat >> "$CONF" <<EOM
|
|
|
|
-# The user who owns the domain secret key. (Used in installation and upgrade)
|
|
-GALE_USER $GALE_USER
|
|
EOM
|
|
|
|
-[ -n "$CONF_GALE_DOMAIN" ] || cat >> "$CONF" << EOM
|
|
+ cat > "$CONF" <<EOF
|
|
+# $CONF -- created by Gale installer; edit to suit.
|
|
|
|
# The authentication domain to use. (Mandatory)
|
|
GALE_DOMAIN $GALE_DOMAIN
|
|
-EOM
|
|
-
|
|
-# -----------------------------------------------------------------------------
|
|
-# make gksign setuid
|
|
+EOF
|
|
|
|
-gksign="$sbindir/gksign"
|
|
-readlink="`which readlink 2>/dev/null`"
|
|
-[ -x "$readlink" ] && gksignlink="`"$readlink" "$gksign" 2>/dev/null`"
|
|
-[ -f "$gksignlink" ] && gksign="$gksignlink"
|
|
-
|
|
-echo ""
|
|
-if copy chown "$GALE_USER" "$gksign" ; then
|
|
- :
|
|
-else
|
|
- echo "*** We need to chown $GALE_USER '$gksign'."
|
|
- echo " Please run this script as a user that can do so,"
|
|
- echo " or do so yourself and re-run this script."
|
|
- exit 1
|
|
+ fi
|
|
fi
|
|
-run chmod 4755 "$gksign"
|
|
|
|
-# -----------------------------------------------------------------------------
|
|
-# create a domain, if necessary
|
|
+if [ $is_root = no ]; then
|
|
+ GALE_SYS_DIR="$SYS_DIR"
|
|
+ export GALE_SYS_DIR
|
|
|
|
-echo ""
|
|
-if test -u "$gksign" || copy chmod u+s "$gksign" ; then
|
|
- :
|
|
+ testkey "$GALE_DOMAIN" && exit 0
|
|
+ echo "*** You lack a signed key for your domain, \"$GALE_DOMAIN\"."
|
|
+ GALE="$SYS_DIR"
|
|
else
|
|
- echo "*** We need to chmod u+s '$gksign'."
|
|
- echo " Please run this script as a user that can do so,"
|
|
- echo " or do so yourself and re-run this script."
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-testkey "$GALE_DOMAIN" && exit 0
|
|
-echo "*** You lack a signed key for your domain, \"$GALE_DOMAIN\"."
|
|
-
|
|
-if [ "x$GALE_USER" != "x$USER" ]; then
|
|
-cat <<EOM
|
|
-Become user "$GALE_USER" (you are now "$USER") and run this script again
|
|
-to create a new domain; contact your domain administrator if you wish to
|
|
-become part of an existing domain.
|
|
-EOM
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-if [ -z "$HOME" ]; then
|
|
- cd
|
|
- HOME="`pwd`"
|
|
- echo "Warning: \$HOME not set, assuming \"$HOME\"."
|
|
-fi
|
|
-
|
|
-GALE="$HOME/.gale"
|
|
-mkdir -p "$GALE"
|
|
-if [ ! -w "$GALE" ]; then
|
|
- echo "Error: Cannot create \"$GALE\"."
|
|
- exit 1
|
|
+ GALE="`pwd`"
|
|
fi
|
|
|
|
unsigned="$GALE/$GALE_DOMAIN.unsigned"
|
|
signer="`echo "$GALE_DOMAIN" | sed 's%^[^.@:/]*[.@:/]%%'`"
|
|
[ -z "$signer" ] && signer="ROOT"
|
|
|
|
-if [ -f "$unsigned" ]; then
|
|
-
|
|
-cat << EOM
|
|
+if [ $is_root = no ] && [ -f "$unsigned" ]; then
|
|
+ cat << EOM
|
|
|
|
Okay, so we've already been here. Last time, I created the file
|
|
"$unsigned" for you to have signed.
|
|
@@ -275,16 +252,12 @@ EOM
|
|
exit 1
|
|
fi
|
|
|
|
-cat << EOM
|
|
-
|
|
-The domain should be properly configured now. Assuming users can access a
|
|
-version of "gksign" setuid to "$GALE_USER" (this user), they should be
|
|
-able to start running clients and generating IDs for themselves.
|
|
+ cat << EOM
|
|
|
|
-The installation process is complete!
|
|
+The domain should be properly configured now. The installation process is
|
|
+complete!
|
|
|
|
EOM
|
|
-
|
|
exit 0
|
|
fi
|
|
|
|
@@ -300,7 +273,10 @@ printf "Enter the description: "
|
|
read descr
|
|
|
|
echo "We will generate the key now. Have patience."
|
|
-gkgen -r "$GALE/auth/private/$GALE_DOMAIN.gpri" \
|
|
+if [ $is_root = no ]; then
|
|
+ install_gpri=auth/private/
|
|
+fi
|
|
+gkgen -r "$GALE/${install_gpri}$GALE_DOMAIN.gpri" \
|
|
-u "$unsigned" "$GALE_DOMAIN" /"$descr" || exit 1
|
|
|
|
cat << EOM
|
|
@@ -311,8 +284,29 @@ the owner of the "$signer" domain through appropriate means.
|
|
Take care to preseve the file's binary data; you may need to uuencode it.
|
|
|
|
Assuming they trust you with your subdomain, they should pass the key through
|
|
-"gksign" as a filter, returning the signed output to you. When you have this
|
|
-signed key file available, re-run this script, and we will move on to the
|
|
-next step.
|
|
+"gksign" as a filter, returning the signed output to you.
|
|
+
|
|
+EOM
|
|
+
|
|
+if [ $is_nixos = yes ]; then
|
|
+ cat <<EOM
|
|
+
|
|
+When you have this signed key file available, you can finish the setup process
|
|
+by placing the private key and signed public key in a directory (they will be
|
|
+copied) and setting "services.gale.keyPath" in /etc/nixos/configuration.nix.
|
|
|
|
EOM
|
|
+else
|
|
+ cat <<EOM
|
|
+
|
|
+When you have this signed key file available, re-run this script, and we will
|
|
+move on to the next step.
|
|
+
|
|
+*** IMPORTANT ***
|
|
+You must set GALE_SYS_DIR="$GALE_SYS_DIR" in your environment before re-running
|
|
+this script and before running any Gale programs once setup is finished! Make
|
|
+sure to set it now, and consider setting it via your shell initialization files
|
|
+so that you don't forget to do it next login.
|
|
+
|
|
+EOM
|
|
+fi
|