debian/strongswan.config


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

#!/bin/sh -e

. /usr/share/debconf/confmodule

db_input medium strongswan/start_level || true

# disable for now, until we can deal with the don't-edit-conffiles situation
#db_input high strongswan/ikev1 || true
#db_input high strongswan/ikev2 || true

db_input medium strongswan/restart || true

db_input high strongswan/enable-oe || true

db_input high strongswan/create_rsa_key || true
db_go || true

db_get strongswan/create_rsa_key
if [ "$RET" = "true" ]; then
    db_input high strongswan/rsa_key_type || true
    db_go || true

    db_get strongswan/rsa_key_type
    if [ "$RET" = "plain" ]; then
        # create just a plain RSA keypair
        db_input medium strongswan/rsa_key_length || true
        db_go || true
    else
        # extract the RSA keypair from a x509 certificate
        db_input high strongswan/existing_x509_certificate || true
        db_go || true

        # create a new certificate
        db_input medium strongswan/rsa_key_length || true
        db_input high strongswan/x509_self_signed || true
        # we can't allow the country code to be empty - openssl will 
        # refuse to create a certificate this way
        countrycode=""
        while [ -z "$countrycode" ]; do
           db_input medium strongswan/x509_country_code || true
           db_go || true
           db_get strongswan/x509_country_code
           countrycode="$RET"
        done
        db_input medium strongswan/x509_state_name || true
        db_input medium strongswan/x509_locality_name || true
        db_input medium strongswan/x509_organization_name || true
        db_input medium strongswan/x509_organizational_unit || true
        db_input medium strongswan/x509_common_name || true
        db_input medium strongswan/x509_email_address || true
        db_go || true
    fi
else
    db_get strongswan/existing_x509_certificate
    if [ "$RET" = "true" ]; then
        # existing certificate - use it
        db_input critical strongswan/existing_x509_certificate_filename || true
        db_input critical strongswan/existing_x509_key_filename || true
        db_go || true
    fi
fi