#!/bin/bash

# Load the toolkit helper library. Helpers this script calls without defining
# them (putwarning, getconfirm, install_pkgs, remove_pkgs, ...) presumably come
# from this file -- TODO confirm.
# NOTE(review): the path is built from $TOOLKIT and expanded unquoted. Whatever
# file it resolves to is executed in this shell with this script's privileges,
# so $TOOLKIT has to come from a trusted environment.
. ${TOOLKIT}-functions.sh


# apparmor isn't a bad idea ... it is only implemented like
# a drunk pig :) you cannot disable it, you cannot rely
# on needed dirs, you must manually change system files
# to customize settings .. too many bugs
#
# up to 9.10 it was possible to uninstall apparmor, now it is
# no longer possible .. thanks Mark "because we are on the
# side of users"
#
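#######################################
# Bring AppArmor into the state requested by $APPARMOR_MODE and remember
# that mode in $CONFDIR/apparmor_mode, so that a later run only acts when
# the requested mode differs from the saved one.
# Globals:
#   CONFDIR                (read) directory holding the saved-mode file
#   APPARMOR_MODE          (read) enabled, complain, disabled, broken,
#                                 manual, na or not-avail
#   APPARMOR_MODE_CHANGED  (read) only used to word the log message
#   DISTRIB_CODENAME, DISTRIB_FULL_ID (read)
# Outputs:   progress lines on stdout
# Returns:   0; exits the whole script with status 1 on an unknown mode
#######################################
cleanup_apparmor()
{
	# working variables stay local so they cannot leak into (or be clobbered
	# by) the top-level code, which reuses the name "pkgs"
	local changed msg prev_mode status_file pkgs extra_remove

	if [ ! -d /etc/apparmor.d/local ]
	then
		echo " fixing apparmor: creating dir /etc/apparmor.d/local"
		mkdir /etc/apparmor.d/local
	fi

	# repeat test, if some module has changed something
	#
	# without a saved file the mode is treated as changed
	changed=true
	msg="(no previous mode saved)"
	prev_mode=
	status_file="$CONFDIR/apparmor_mode"

	# the path is quoted everywhere: unquoted, a $CONFDIR containing
	# whitespace breaks both the test and the redirection below
	if [ -f "$status_file" ]
	then
		changed=false
		prev_mode=$(cat "$status_file")
		msg=
		if [ "X$APPARMOR_MODE" != "X$prev_mode" ]
		then
			changed=true
			msg="(by config files)"
			[ "X$APPARMOR_MODE_CHANGED" = "X$changed" ] || msg="(by some modules)"
		fi
	fi

	# packages needed by apparmor + utils
	#
	# note that:
	# - on 9.* we can still remove apparmor pkgs
	# - on 10.* there is no aa-disable
	#
	pkgs="apparmor apparmor-utils libapparmor1"
	extra_remove="gdm-guest-session"

	# 2023-08-27
	# - libapparmor-perl gone starting from daedalus
	case "$DISTRIB_CODENAME" in
	  daedalus)
		;;
	  *)
		pkgs="$pkgs libapparmor-perl"
		;;
	esac

	echo "  APPARMOR: prev_mode=$prev_mode, changed=$changed $msg"

	# $pkgs and $extra_remove are whitespace-separated lists and are left
	# unquoted on purpose so that each name becomes one argument
	case "$APPARMOR_MODE" in
	  enabled)
		echo "  APPARMOR: ENABLED"
		if $changed
		then
			install_pkgs $pkgs
			aa-enforce /etc/apparmor.d/*
		fi
		;;
	  complain)
		echo "  APPARMOR: COMPLAIN"
		if $changed
		then
			install_pkgs $pkgs
			aa-complain /etc/apparmor.d/*
		fi
		;;
	  disabled)
		echo "  APPARMOR: DISABLED"
		if $changed
		then
			case "$DISTRIB_FULL_ID" in
			  Ubuntu-9.*)
				remove_pkgs $pkgs $extra_remove
				;;
			  Ubuntu-10.*)
				# here "disabled" leaves the profiles loaded in
				# complain mode (violations logged, not blocked);
				# the saved mode below still reads "disabled"
				echo "  Ubuntu-10.04, aa-disable not available, using aa-complain instead"
				aa-complain /etc/apparmor.d/*
				;;
			  *)
				aa-disable /etc/apparmor.d/*
				;;
			esac
		fi
		;;
	  broken)
		echo "  APPARMOR: BROKEN (DOESN'T WORKS ON THIS KERNEL)"
		;;
	  manual)
		echo "  APPARMOR: MANUAL"
		;;
	  na|not-avail)
		echo "  APPARMOR: N/A (not installed or not available on this system)"
		;;
	  *)
		echo "  APPARMOR: error, bad value '$APPARMOR_MODE'"
		echo "            (should be one of: enabled, disabled, complain, broken, manual, na)"
		exit 1
		;;
	esac

	# save current apparmor mode setting
	#
	# NOTE(review): this records the requested mode, not a verified one. If
	# the shell is not running with errexit, a failed aa-enforce above is
	# still saved as "enabled" and the next run sees changed=false -- confirm
	# how the toolkit sets shell options.
	echo "$APPARMOR_MODE" >"$status_file"

	return 0
}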



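#######################################
# Remove a local account, but only when it no longer owns any file.
# Arguments: $1 - login name
# Outputs:   a progress line on stdout; a warning through putwarning when
#            the account still owns files
# Returns:   0 if the account is absent or was removed, 1 if it still owns
#            files, otherwise the exit status of userdel
#######################################
udel()
{
	local user=$1
	local fls

	grep -q "^${user}:" /etc/passwd || return 0

	# The account is kept while it still owns files: anything left behind
	# keeps the numeric uid and ends up owned by whichever account is given
	# that uid later. find's exit status is ignored on purpose (unreadable
	# or vanishing paths make it non-zero).
	fls=$(find / -user "$user" 2>/dev/null) || :
	if [ -n "$fls" ]
	then
		# every argument line needs its continuation backslash; without
		# it the last line is run as a command instead of being part of
		# the warning
		putwarning "cleanup - remove user $user" \
			" cannot remove user '$user', there are still" \
			" files owned by this user on the system: $fls"
		return 1
	fi

	echo " (cleanup) remove user $user"
	userdel "$user" || return $?
	return 0
}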




# ------------------------------------------------------------
# systemd shit
# ------------------------------------------------------------

# Removal of systemd accounts and packages is opt-in: it only happens when
# the common.remove_systemd setting is confirmed.
remove_systemd=false
if getconfirm common.remove_systemd
then
	remove_systemd=true
fi

# login names of every local account whose name starts with "systemd-"
users=$(grep "^systemd-" /etc/passwd | sed -e 's/:.*//')

if [ -n "$users" ]
then
	if ! $remove_systemd
	then
		echo "NOTICE: common.remove_systemd=no; will not remove user(s): " $users
	else
		# udel refuses accounts that still own files; such a refusal
		# must not stop the run
		for user in $users
		do
			udel $user || :
		done
	fi
fi

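# 2019.10.10 lc
# - no longer remove libsystemd0, openssh-server now relies on this shit
#
# Select packages by column instead of by substring: state must be exactly
# "ii" and the *name* must start with "systemd". A plain match on "  systemd"
# can also hit other columns of the dpkg -l listing, and a line in any other
# state (rc, hi, ...) would have handed the state token itself to remove_pkgs
# as a package name. The libsystemd0 guard is kept so that the rule above
# stays visible even though such a name no longer matches.
pkgs=$(dpkg -l | awk '$1 == "ii" && $2 ~ /^systemd/ && $2 !~ /^libsystemd0/ { print $2 }') || :

if [ -n "$pkgs" ]
then
	if $remove_systemd
	then
		# $pkgs is a newline-separated list, left unquoted on purpose so
		# that each name becomes one argument
		remove_pkgs $pkgs
	else
		echo "NOTICE: common.remove_systemd=no; will not remove pkg(s): " $pkgs
	fi
fi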


# ------------------------------------------------------------
# APPARMOR final stage, check for changes
# ------------------------------------------------------------
#
# cleanup_apparmor only runs when the profile directory is present; without
# it the mode is forced to "na" and nothing else is touched
if [ ! -d /etc/apparmor.d ]
then
	# not installed/available?
	APPARMOR_MODE="na"
else
	cleanup_apparmor
fi


# ------------------------------------------------------------
# motd (from /etc/init* scripts)
# ------------------------------------------------------------
#
# saves file changed flag, motd does not count
#
# Rebuilding the motd must not count as a change: the flag is remembered here
# and put back once /etc/motd has been written.
save_changed=$SOMETHING_CHANGED

# drop an old /etc/motd.tail, but only one carrying the kusa-reconf marker
if [ -f /etc/motd.tail ] && grep -q 'system updated .* kusa-reconf' /etc/motd.tail
then
	rm -f /etc/motd.tail
fi

# temporary definitions used by the motd template
# (ie: fancy formatted subclasses list)
#
# NOTE(review): $MODLOCALDB and the machine.desc value are expanded unquoted,
# so both are word-split and glob-expanded before use.
{
	echo "[temp]"
	echo "  machine_desc " $(jtconf machine.desc 2>/dev/null || :)
	echo "  subclasses	^^BLOCK^^"
	jtconf sub_classes | fold -w 64 -s | sed -e 's/^/	\\s         /'
	echo "^^BLOCK^^"
} >$MODLOCALDB

installfile motd /etc/motd root:root 444

# custom text can be added to /etc/motd.local or /etc/motd.tail (the latter
# on old Ubuntu systems); a failing append is ignored
for motd_extra in /etc/motd.local /etc/motd.tail
do
	if [ -f "$motd_extra" ]
	then
		cat "$motd_extra" >> /etc/motd || :
	fi
done

SOMETHING_CHANGED=$save_changed



# ------------------------------------------------------------
# apt and dpkg cleanup
# ------------------------------------------------------------
#
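# Output of the package tools is captured in a private mktemp file and shown
# only on failure. A fixed name such as ./tmp.log is created in whatever the
# current directory happens to be and is followed if it already exists there
# as a symlink; it was also never removed.
cleanup_log=$(mktemp) || {
	echo "ERROR: cannot create a temporary log file" >&2
	exit 1
}

# NOTE(review): apt-get purge is called without package names, while the
# message talks about the apt cache; "apt-get clean" / "apt-get autoclean" are
# the sub-commands that empty the package cache -- confirm which was meant.
echo -n "  purging apt cache ... "
apt-get purge >"$cleanup_log" 2>&1 || {
	echo -e "\nERROR running apt-get purge:\n"
	cat "$cleanup_log"
	rm -f -- "$cleanup_log"
	exit 1
}
echo "ok"

# packages in state "rc": removed, configuration files still on disk
pkgs=$(dpkg -l | awk '$1 == "rc" { print $2 }')
if [ -n "$pkgs" ]
then
	# counted into a variable; the positional parameters are left alone
	purge_count=$(printf '%s\n' "$pkgs" | wc -l)
	echo -n "  purging $purge_count packages ... "
	# $pkgs is a newline-separated list, left unquoted on purpose so that
	# each name becomes one argument
	dpkg --purge $pkgs >"$cleanup_log" 2>&1 || {
		echo -e "\nERROR running dpkg --purge:\n"
		cat "$cleanup_log"
		rm -f -- "$cleanup_log"
		exit 1
	}
	echo "ok"
fi

rm -f -- "$cleanup_log"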

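# Refresh the server home page only when www.docs is configured and names an
# existing directory. The expansion is quoted: with an empty value an
# unquoted `[ -d $docdir ]` collapses to `[ -d ]`, which is true, and the
# update would run without any docs directory.
if docdir=$(jtconf www.docs 2>/dev/null) && [ -d "$docdir" ]
then
	ku-update-server-homepage
fi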

# ------------------------------------------------------------
# various old stuff cleanups
# ------------------------------------------------------------
#
# leftovers of older releases; the glob is expanded by the shell before
# purgefiles sees it
purgefiles /w/tmp/kubackup-* /etc/xinetd.d/kusacli

# xinetd is restarted only when something was flagged as changed; a failing
# restart does not fail the script
if $SOMETHING_CHANGED
then
	restart_service xinetd xinetd || :
fi

exit 0
