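#!/bin/sh
#
# Establish command-restricted SSH trust between this Amanda backup server
# and every client named in the DailySet1 disklist.
#
# Server side (done once): create the "amdump" key pair under ID_DIR and
# check that amanda.conf refers to it. Per client: install the amdump public
# key as the client's authorized_keys with all forwarding disabled and a
# forced "amandad ... amdump" command; regenerate the client's "amrecover"
# key pair, copy its public half into PUB_DIR and append it to the server's
# authorized_keys with a forced "amandad ... amindexd amidxtaped" command;
# finally write /etc/amanda/amanda-client.conf on the client.
#
# Must be run as root on the server, with root ssh access to every client.
# The forced command= and no-*-forwarding options are what limit each key
# to its Amanda role; keep them when editing the option strings below.
set -e
set -u

ID_DIR=/var/backups/.ssh
ID_RSA_AMDUMP=${ID_DIR}/id_rsa_amdump
ID_RSA_AMRECOVER=${ID_DIR}/id_rsa_amrecover

CONFIG=/etc/amanda/DailySet1/amanda.conf
DISKLIST=/etc/amanda/DailySet1/disklist

AUTHORIZED_KEYS=${ID_DIR}/authorized_keys
# Collected amrecover public keys, one file per client.
PUB_DIR=${ID_DIR}/id_rsa_amrecover.pub.d

# Owner (user:group) of every key file on server and clients.
OWNER=backup:backup

SERVER_FQDN=$(hostname --fqdn)

# Options for the server's key on each client.
# from= relaxed (in fact removed) from the server's own FQDN, because the
# server is visible under the IP of the gateway and not its own.
AMDUMP_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/lib/amanda/amandad -auth=ssh amdump"'
# Options for each client's key on the server.
# from= relaxed to "*.mallorn.de" from the client name, because the clients
# use the private addresses of the VPN.
AMRECOVER_OPTS='from="*.mallorn.de",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/lib/amanda/amandad -auth=ssh amindexd amidxtaped"'

# Print an informational message to stdout.
info() {
	printf 'I: %s\n' "$*"
}

# Print an error to stderr and abort the script.
die() {
	printf 'E: %s\n' "$*" >&2
	exit 1
}

# Print the unique host names (first column) of DISKLIST, one per line,
# skipping comment and blank lines. split(" ") ignores leading whitespace,
# so an indented entry does not yield an empty host name.
list_clients() {
	perl -ne 'next if /^\s*#/ || /^\s*$/; @a = split(" "); print "$a[0]\n"' \
		< "$DISKLIST" | sort -u
}

# Create the server's amdump key pair once, in a 0700 directory owned by
# OWNER. The key is generated as the backup user so it owns the private half.
ensure_server_key() {
	if [ -e "$ID_RSA_AMDUMP" ]; then
		info "$ID_RSA_AMDUMP already present"
		return 0
	fi
	info "creating $ID_RSA_AMDUMP..."
	mkdir -v -p -m 0700 "$ID_DIR"
	chown "$OWNER" "$ID_DIR"
	su backup -c "ssh-keygen -t rsa -C 'SSH key for Amanda Backup Server $SERVER_FQDN' -N '' -f '$ID_RSA_AMDUMP'"
}

# Configure one client; $1 is its host name. Appends the client's amrecover
# public key to the server's AUTHORIZED_KEYS, which must already exist.
configure_client() {
	client=$1
	info "configuring client $client..."
	ssh "$client" "mkdir -v -p -m 0700 '$ID_DIR' && chown '$OWNER' '$ID_DIR'"

	# The server's amdump key becomes the client's only authorized key.
	# Piping the line avoids quoting the key material inside the remote
	# command; umask 077 makes the file 0600 before it is owned by backup.
	printf '%s %s\n' "$AMDUMP_OPTS" "$(cat "${ID_RSA_AMDUMP}.pub")" \
		| ssh "$client" "umask 077 && cat > '$AUTHORIZED_KEYS' && chown '$OWNER' '$AUTHORIZED_KEYS'"

	# Regenerate the client's amrecover key pair as the backup user.
	ssh "$client" "rm -f '$ID_RSA_AMRECOVER' '${ID_RSA_AMRECOVER}.pub'"
	ssh "$client" "su backup -c \"ssh-keygen -t rsa -C 'SSH key for Amanda Backup Client $client' -N '' -f '$ID_RSA_AMRECOVER'\""

	# Collect the public half and grant it restricted access to the server.
	scp "$client:${ID_RSA_AMRECOVER}.pub" "${PUB_DIR}/${client}"
	printf '%s %s\n' "$AMRECOVER_OPTS" "$(cat "${PUB_DIR}/${client}")" >> "$AUTHORIZED_KEYS"

	ssh "$client" "mkdir -v -p -m 0775 /etc/amanda && chown '$OWNER' /etc/amanda"
	ssh "$client" 'cat > /etc/amanda/amanda-client.conf' <<-_END_
		# generated by ${SERVER_FQDN}:$(pwd)/$(basename "$0")
		index_server "$SERVER_FQDN"
		tape_server "$SERVER_FQDN"
		auth "ssh"
		ssh_keys "$ID_RSA_AMRECOVER"
		client_username "backup"
	_END_
}

main() {
	[ "$(id -u)" -eq 0 ] || die "must be run as root"

	ensure_server_key

	# -F: the key path is a literal, not a pattern.
	if grep -q -F -- "$ID_RSA_AMDUMP" "$CONFIG"; then
		info "ssh keys present in $CONFIG"
	else
		die "ssh keys missing from $CONFIG"
	fi

	clients=$(list_clients)
	[ -n "$clients" ] || die "no clients found in $DISKLIST"

	mkdir -p -m 0755 "$PUB_DIR"

	# Rebuild the server's authorized_keys from scratch as a 0600 file so
	# the appends in configure_client inherit that mode.
	rm -f -- "$AUTHORIZED_KEYS"
	( umask 077 && : > "$AUTHORIZED_KEYS" )

	# Word splitting intended: one host name per word, none contain spaces.
	for client in $clients; do
		configure_client "$client"
	done
	chown "$OWNER" "$AUTHORIZED_KEYS"
}

main "$@"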
