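#!/bin/bash
# Simple helper script which substitutes a token in the sshd configuration
# file with the system-wide crypto policy, if installed. If the policy is
# not installed, the script just copies the configuration file to the
# runtime file that will be used by the SSHD daemon.
#
# Usage: sshd-config-helper [reload PID]
#   reload PID - after regenerating the runtime file, send SIGHUP to the
#                sshd process with the given PID so it re-reads its config.
#
# Globals (read): SSHD_CONFIG, CRYPTO_POLICIES
# Globals (written, as a file): SSHD_CONFIG_RUNTIME

set -eu

readonly SSHD_CONFIG="/etc/ssh/sshd_config"
readonly SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config"
readonly CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config"

# The runtime file is created by a plain redirection; a restrictive umask
# ensures it is never world-readable, not even for the instant between its
# creation and the explicit chmod in main(). The final mode is still 0600.
umask 077

#######################################
# Write the runtime sshd configuration.
# With the crypto policy installed, the marker line
# '#{INCLUDE_CRYPTO_POLICY}#' in SSHD_CONFIG is replaced by the content of
# CRYPTO_POLICIES; otherwise SSHD_CONFIG is copied verbatim (overwriting any
# potentially stale policy left in the runtime file).
# Returns: non-zero if the template cannot be read or the runtime file
#          cannot be written (set -e then aborts the script).
#######################################
generate_runtime_config() {
  if [[ ! -f "$CRYPTO_POLICIES" ]]; then
    # if not installed, copy just the template
    # (to overwrite potential old policy)
    cat -- "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
  else
    # do the substitution: on the marker line, read in the policy file and
    # delete the marker itself.
    sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \
      -- "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
  fi
}

#######################################
# Give the runtime file a reasonable SELinux label if it received the
# default one for /run (var_run_t); a fixed/explicit label is left alone.
# XXX should be taken care of in SELinux policy somehow.
#######################################
fix_selinux_label() {
  if ls -Z -- "$SSHD_CONFIG_RUNTIME" | grep -q var_run_t; then
    chcon -t etc_t -- "$SSHD_CONFIG_RUNTIME"
  fi
}

#######################################
# Entry point.
# Arguments: $1 - optional keyword "reload"
#            $2 - PID of the sshd process to signal when $1 is "reload"
# Returns:   2 on a malformed reload request, otherwise the status of the
#            last command (kill, or chmod when no reload was requested).
#######################################
main() {
  local pid

  generate_runtime_config
  fix_selinux_label

  # makes sure we have sane permissions as the original file has.
  chmod 600 -- "$SSHD_CONFIG_RUNTIME"

  # reload the service if requested
  if [[ "${1-}" == "reload" ]]; then
    pid=${2-}
    # Only accept a plain positive integer: an empty value makes kill fail
    # with a usage error, and a value such as "-1" would signal every
    # process this (typically root) script may reach.
    if [[ ! "$pid" =~ ^[0-9]+$ ]]; then
      printf '%s: reload requires a numeric PID\n' "${0##*/}" >&2
      exit 2
    fi
    /bin/kill -HUP "$pid"
  fi
}

main "$@"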