#!/bin/sh

set -e

# Source debconf library.
. /usr/share/debconf/confmodule

daemonuser=plinth
daemongroup=plinth

# Due to a change in sudo, now it runs PAM modules even on password-less
# invocations. This leads to plinth not being able to run root privileges. This
# is because of our own restrictions in /etc/security/access.conf. Since Plinth
# is locked out after upgrade, we need to do this in postinst.
sed -i 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL+' /etc/security/access.conf

case "$1" in
    configure)
        addgroup --system --quiet plinth
        adduser --system --quiet --ingroup plinth --no-create-home --home /var/lib/plinth plinth
        chown plinth: /var/lib/plinth
        chown plinth: /var/lib/plinth/sessions

        if [ ! -e '/var/lib/freedombox/is-freedombox-disk-image' ]; then
            umask 377
            cat /dev/urandom | base64 | head -c16 > /var/lib/plinth/firstboot-wizard-secret
            chown plinth:plinth /var/lib/plinth/firstboot-wizard-secret
            db_subst plinth/firstboot_wizard_secret secret $(cat /var/lib/plinth/firstboot-wizard-secret)
            db_input high plinth/firstboot_wizard_secret || true
            db_go
        fi
        ;;
esac

#DEBHELPER#

exit 0