From c5bbcbed83350596cf4fed360286cf767262febe Mon Sep 17 00:00:00 2001 From: Nicolas Arenas Date: Fri, 20 Jun 2025 12:03:21 +0200 Subject: [PATCH] Updates for tls --- debian/ogdhcp.postinst | 146 ++++++++++++++++++++++---------------- etc/nginxServer.conf.tmpl | 9 +++ 2 files changed, 93 insertions(+), 62 deletions(-) diff --git a/debian/ogdhcp.postinst b/debian/ogdhcp.postinst index 10311c9..02d8120 100644 --- a/debian/ogdhcp.postinst +++ b/debian/ogdhcp.postinst @@ -1,11 +1,14 @@ #!/bin/bash set -e - . /usr/share/debconf/confmodule KEA_CTRL_AGENT_CONF="/etc/kea/kea-ctrl-agent.conf" -PUBLIC_DIR=/opt/opengnsys/ogdhcp/api/public +PUBLIC_DIR="/opt/opengnsys/ogdhcp/api/public" +APPARMOR_PROFILE="/etc/apparmor.d/usr.sbin.kea-dhcp4" +APPARMOR_LOCAL_PROFILE="/etc/apparmor.d/local/usr.sbin.kea-dhcp4" +KEA_CONFIG="/etc/kea/kea-dhcp4.conf" + db_get opengnsys/ogdhcp_interfaces OGDHCP_INTERFACES="$RET" db_get opengnsys/ogdhcp_ip 
@@ -16,62 +19,53 @@ OGBOOT_IP="$RET" case "$1" in configure) echo "Configurando ogdhcp..." - - # Configuración de kea-ctrl-agent - echo "Eliminando autenticación de kea-ctrl-agent..." - if [ -e "$KEA_CTRL_AGENT_CONF" ]; then - dpkg-divert --package ogdhcp --divert "$KEA_CTRL_AGENT_CONF.dpkg-dist" --rename "$KEA_CTRL_AGENT_CONF" - cp -a "$KEA_CTRL_AGENT_CONF.dpkg-dist" "$KEA_CTRL_AGENT_CONF" - if grep -q '^[^#]*"authentication": {' "$KEA_CTRL_AGENT_CONF"; then - sed -i '/"authentication": {/,/^[[:space:]]*},/ { - s/^\([[:space:]]*\)\([^#]\)/\1#\2/ - }' "$KEA_CTRL_AGENT_CONF" + + # --- KEA CTRL AGENT --- + if dpkg -s kea-ctrl-agent > /dev/null 2>&1; then + echo "Configurando kea-ctrl-agent..." + + if [ -e "$KEA_CTRL_AGENT_CONF" ]; then + dpkg-divert --package ogdhcp --divert "$KEA_CTRL_AGENT_CONF.dpkg-dist" --rename "$KEA_CTRL_AGENT_CONF" + cp -a "$KEA_CTRL_AGENT_CONF.dpkg-dist" "$KEA_CTRL_AGENT_CONF" + + echo "Eliminando autenticación de kea-ctrl-agent..." + if grep -q '^[^#]*"authentication": {' "$KEA_CTRL_AGENT_CONF"; then + sed -i '/"authentication": {/,/^[[:space:]]*},/ { + s/^\([[:space:]]*\)\([^#]\)/\1#\2/ + }' "$KEA_CTRL_AGENT_CONF" + fi fi + else + echo "kea-ctrl-agent no está instalado. Se omite configuración." fi - # Configuración de AppArmor - APPARMOR_LOCAL_PROFILE="/etc/apparmor.d/local/usr.sbin.kea-dhcp4" - echo "Añadiendo permisos personalizados a AppArmor para kea-dhcp4..." - mkdir -p "$(dirname "$APPARMOR_LOCAL_PROFILE")" - cat > "$APPARMOR_LOCAL_PROFILE" < /dev/null 2>&1; then + echo "Configurando AppArmor y kea-dhcp4..." 
+ + if [ -e "$APPARMOR_PROFILE" ]; then + dpkg-divert --package ogdhcp --divert "${APPARMOR_PROFILE}.dpkg-dist" --rename "$APPARMOR_PROFILE" + cp -a "${APPARMOR_PROFILE}.dpkg-dist" "$APPARMOR_PROFILE" + fi + + mkdir -p "$(dirname "$APPARMOR_LOCAL_PROFILE")" + cat > "$APPARMOR_LOCAL_PROFILE" < "$KEA_CONFIG" < "$KEA_CONFIG" <&2 exit 1 - ;; + ;; esac - +# Permisos chown opengnsys:www-data /opt/opengnsys/ chown -R opengnsys:www-data /opt/opengnsys/ogdhcp -chown -R _kea:_kea /etc/kea -# Reiniciar servicios +# Solo si kea está instalado +if dpkg -s kea-dhcp4-server > /dev/null 2>&1; then + chown -R _kea:_kea /etc/kea +fi + +# Reiniciar servicios (fallar silenciosamente si no existen) systemctl daemon-reload -systemctl restart nginx -systemctl restart kea-dhcp4-server -systemctl restart kea-ctrl-agent -systemctl restart php$PHP_VERSION-fpm +systemctl restart nginx || true +systemctl restart php"$PHP_VERSION"-fpm || true +systemctl restart kea-dhcp4-server || true +systemctl restart kea-ctrl-agent || true exit 0 diff --git a/etc/nginxServer.conf.tmpl b/etc/nginxServer.conf.tmpl index 96d8017..8eacd21 100644 --- a/etc/nginxServer.conf.tmpl +++ b/etc/nginxServer.conf.tmpl @@ -5,6 +5,15 @@ server { # Raíz del documento para el proyecto Symfony root __PUBLICDIR__; + + # Certificados SSL + ssl_certificate /opt/opengnsys/ogdhcp/etc/certificates/ogdhcp.crt; + ssl_certificate_key /opt/opengnsys/ogdhcp/etc/certificates/ogdhcp.key; + + # CA para validar clientes + ssl_client_certificate /opt/opengnsys/ogdhcp/etc/certificates/ca.crt; + ssl_verify_client on; + # Bloque para manejar las solicitudes a /ogdhcp location /ogdhcp { try_files $uri $uri/ /index.php?$query_string;
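Review bot: The new `kea-ctrl-agent` branch still comments out the entire `"authentication": {` block of `$KEA_CTRL_AGENT_CONF`, so once this postinst has run the control agent's REST API accepts commands with no credentials, while the client-certificate check this commit adds lives only in the nginx template. Unless the agent is bound to loopback or fronted by something that authenticates — and nothing in this hunk checks that — the DHCP control plane is open to anyone who can reach its port. Either keep the authentication block and provision its credentials for the ogdhcp API, or make the intent explicit and verified, e.g. above the `sed`: `# NOTE: this disables Kea control-agent authentication; the agent must only be reachable from localhost` together with a check that fails the install rather than `|| true` when that cannot be confirmed. Separately, `chown -R opengnsys:www-data /opt/opengnsys/ogdhcp` below now also covers the certificates directory the new nginx template loads the private key from, so the key becomes group-owned by www-data (presumably the PHP-FPM user); since the nginx master typically loads the key as root, that directory should be excluded from the recursive chown or the key kept at mode 0600 so the application user cannot read it.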
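Review bot: `ssl_verify_client on` makes any certificate chaining to `ca.crt` sufficient to reach the whole server block, but nothing here allows a compromised or retired client certificate to be rejected — there is no `ssl_crl` directive, so a leaked client key stays valid until the CA certificate itself expires. Consider adding `ssl_crl` next to `ssl_client_certificate` once the CA publishes a revocation list, and say in the template what the CA is for: `# ca.crt: CA that issues ogdhcp API client certificates; keep ssl_crl in sync with it`. The three certificate paths are referenced but nothing in this patch creates them, and the accompanying postinst restarts nginx with `|| true`, so a missing or unreadable file would leave the API down without the package install failing — a file-existence check in postinst, or at least a comment here stating who provisions them, would help. The enclosing `server {` block starts outside the hunk, so whether its `listen` directive has `ssl` enabled cannot be checked from here.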