From 1822704b7cb39eb890b81b270143e7d9eb319f2b Mon Sep 17 00:00:00 2001
From: joe
Date: Sun, 1 May 2016 22:51:52 +0000
Subject: Handle ipsec.secret
---
cokiki.hs | 16 ++++++++++++++--
lib/Kiki.hs | 9 +++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/cokiki.hs b/cokiki.hs
index f8eed0a..2638677 100644
--- a/cokiki.hs
+++ b/cokiki.hs
@@ -132,17 +132,29 @@ sshServer uid root cmn = whenRoot uid root cmn $ do
 Kiki.importAndRefresh root cmn
 strongswan uid root cmn = whenRoot uid root cmn $ do
+ -- (1) /etc/ipsec.conf <-- 'include /var/cache/kiki/config/ipsec.conf'
 -- Parsing as if ssh config, that's not right, but good enough for now.
 ipsecconf <- parseSshConfig . fromMaybe "" <$> maybeReadFile (root "/etc/ipsec.conf")
 let p:gs = groupBy (\_ d -> not $ sshIsDirective "include" d) $ ["#"]:ipsecconf
 got = filter (\(d:ds) -> elem "/var/cache/kiki/config/ipsec.conf" d) gs
 case got of
- _:_ -> do hPutStrLn stderr "ipsec already configured."
+ _:_ -> do hPutStrLn stderr "ipsec.conf already configured."
 [] -> do let ipsecconf' = drop 1 $ ipsecconf ++ [stmt]
 stmt = ["include", " ", "/var/cache/kiki/config/ipsec.conf"]
 hPutStrLn stderr "adding include directive"
 myWriteFile (root "/etc/ipsec.conf") $ unparseSshConfig ipsecconf'
- -- etc/ipsec.conf <-- 'include /var/cache/kiki/ipsec.conf'
+
+ -- (2) /etc/ipsec.secrets/ <- include /var/cache/kiki/config/ipsec.secrets
+ -- Parsing as if ssh config, that's not right, but good enough for now.
+ ipsecconf <- parseSshConfig . fromMaybe "" <$> maybeReadFile (root "/etc/ipsec.secrets")
+ let p:gs = groupBy (\_ d -> not $ sshIsDirective "include" d) $ ["#"]:ipsecconf
+ got = filter (\(d:ds) -> elem "/var/cache/kiki/config/ipsec.secrets" d) gs
+ case got of
+ _:_ -> do hPutStrLn stderr "ipsec.secrets already configured."
+ [] -> do let ipsecconf' = drop 1 $ ipsecconf ++ [stmt]
+ stmt = ["include", " ", "/var/cache/kiki/config/ipsec.secrets"]
+ hPutStrLn stderr "adding include directive"
+ myWriteFile (root "/etc/ipsec.secrets") $ unparseSshConfig ipsecconf'
 Kiki.importAndRefresh root cmn
 configureTor uid root cmn = whenRoot uid root cmn $ do
diff --git a/lib/Kiki.hs b/lib/Kiki.hs
index 121826b..dc228bb 100644
--- a/lib/Kiki.hs
+++ b/lib/Kiki.hs
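Review bot: The new ipsec.secrets block at the end of the hunk is a line-for-line copy of the ipsec.conf block above it with only the two paths changed, so the two should become one local `ensureInclude conf target` helper in a `where` clause (the `p` binding is unused and `\(d:ds) ->` is a partial match in both copies, which the helper can clean up once). The bigger concern is that `/etc/ipsec.secrets` holds credentials, and the `unparseSshConfig . parseSshConfig` round trip that the comment already calls "not right" now rewrites that file: if an existing `: RSA …` or `: PSK …` entry does not survive the round trip byte-for-byte the installer silently corrupts secrets, so either confirm the round trip is lossless on such lines or append the include line to the raw contents instead. I also cannot tell what `drop 1 $ ipsecconf ++ [stmt]` is meant to discard; if `parseSshConfig ""` yields an empty list, a missing `/etc/ipsec.secrets` would be written back empty with no include at all, which is worth a quick check. Whether `myWriteFile` preserves or sets the file mode is not visible here, and a freshly created `/etc/ipsec.secrets` should end up 0600. The `strongswan` definition starts inside the hunk and ends at the second `Kiki.importAndRefresh root cmn`.
```haskell
strongswan uid root cmn = whenRoot uid root cmn $ do
    -- (1) /etc/ipsec.conf <-- 'include /var/cache/kiki/config/ipsec.conf'
    ensureInclude "/etc/ipsec.conf"    "/var/cache/kiki/config/ipsec.conf"
    -- (2) /etc/ipsec.secrets <-- 'include /var/cache/kiki/config/ipsec.secrets'
    ensureInclude "/etc/ipsec.secrets" "/var/cache/kiki/config/ipsec.secrets"
    Kiki.importAndRefresh root cmn
 where
    -- Append 'include target' to conf unless an include directive already names it.
    -- Parsing as if ssh config, that's not right, but good enough for now.
    ensureInclude conf target = do
        cfg <- parseSshConfig . fromMaybe "" <$> maybeReadFile (root conf)
        let gs  = drop 1 $ groupBy (\_ d -> not $ sshIsDirective "include" d) $ ["#"]:cfg
            got = filter (any (elem target) . take 1) gs
        case got of
            _:_ -> hPutStrLn stderr (conf ++ " already configured.")
            []  -> do hPutStrLn stderr "adding include directive"
                      myWriteFile (root conf) $ unparseSshConfig
                          $ drop 1 $ cfg ++ [["include", " ", target]]
```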
@@ -271,6 +271,10 @@ refreshCache rt rootdir = do
 wr f bs
 write = write' writeFile
 writeL = write' L.writeFile
+ writeL077 f bs = do
+ old_umask <- setFileCreationMask 0o077
+ writeL f bs
+ setFileCreationMask old_umask
 let names = do
 wk <- rtWorkingKey rt
 -- XXX unnecessary signature check
@@ -313,6 +317,11 @@ refreshCache rt rootdir = do
 (mkpath "ipsec.d/private/" ++ Char8.unpack oname++".pem")
 "missing ipsec key?"
+ -- TODO: probably we should add multiple entries for the case that there
+ -- are multiple secret master-keys each with distinct tor and ipsec keys.
+ writeL077 (mkpath "ipsec.secrets")
+ $ ": RSA /var/cache/kiki/config/ipsec.d/private/" <> oname <> ".pem"
+
 writeSecret "ssh-client" (mkpath "root/.ssh/id_rsa") "missing ssh-client key?"
-- cgit v1.2.3
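Review bot: `writeL077` in the first hunk restores the creation mask with a plain second `setFileCreationMask old_umask`, so an exception thrown by `writeL f bs` leaves the process umask at 0o077 for every later write in refreshCache; wrap it as `writeL077 f bs = bracket (setFileCreationMask 0o077) setFileCreationMask (\_ -> writeL f bs)` (`bracket` from Control.Exception). The mask also only governs files being created: if `mkpath "ipsec.secrets"` already exists from an earlier run with wider permissions, rewriting it keeps those permissions, so an explicit `setFileMode f 0o600` after the write (same System.Posix.Files module as `setFileCreationMask`) is the reliable way to get the intended mode. What `write'` does beyond the plain write is not visible in this hunk, so whether it truncates in place or replaces the file should be checked before relying on the mask alone. The enclosing `refreshCache` definition starts and ends outside the hunk.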
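Review bot: The new `: RSA` entry in the second hunk hard-codes `/var/cache/kiki/config/ipsec.d/private/` as a string literal while the key file it refers to is produced via `mkpath "ipsec.d/private/" ++ …` two lines above, so the two paths can drift if `mkpath`'s base ever changes; derive the literal from the same constant `mkpath` uses (the base is not visible in this hunk, so I cannot tell whether `rootdir` is part of it, which would matter for a staged install). The written content also ends without a newline (`<> ".pem"`); whether strongSwan's secrets parser accepts a final unterminated line I cannot confirm from here, and `<> ".pem\n"` costs nothing and keeps a later append from fusing onto this entry. The TODO above it is the right place to note that the entry will need one line per key once multiple master keys are supported. `writeL077` and `mkpath` are defined outside this hunk.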