summaryrefslogtreecommitdiff
path: root/cfengine
diff options
context:
space:
mode:
Diffstat (limited to 'cfengine')
-rw-r--r--cfengine/cf.generic128
-rw-r--r--cfengine/cf.groups.jones30
-rw-r--r--cfengine/cf.groups.merge34
-rw-r--r--cfengine/cf.groups.xenux30
-rw-r--r--cfengine/cf.isp51
-rw-r--r--cfengine/cf.services11
-rw-r--r--cfengine/cf.services.dns27
-rw-r--r--cfengine/cf.services.file361
-rw-r--r--cfengine/cf.services.ftp35
-rw-r--r--cfengine/cf.services.harden66
-rw-r--r--cfengine/cf.services.web285
-rw-r--r--cfengine/cf.site5
-rw-r--r--cfengine/cf.site.jones62
-rw-r--r--cfengine/cf.site.xenux75
-rwxr-xr-xcfengine/cfengine.conf37
15 files changed, 1237 insertions, 0 deletions
diff --git a/cfengine/cf.generic b/cfengine/cf.generic
new file mode 100644
index 0000000..6315098
--- /dev/null
+++ b/cfengine/cf.generic
@@ -0,0 +1,128 @@
+##############################################################
+#
+# cf.main
+#
+# This file contains generic config stuff
+#
+#################################################################
+
+###
+#
+# BEGIN cf.main
+#
+###
+
+control:
+
+ Access = ( root ) # Only root should run this
+
+ timezone = ( MET CET )
+
+ Repository = ( /var/backups/cfengine )
+
+ OutputPrefix = ( "cf:$(host)" )
+
+ netmask = ( 255.255.255.0 )
+
+# IfElapsed = ( 15 ) # mins
+ IfElapsed = ( 1 ) # mins
+ ExpireAfter = ( 240 ) # 4 timer
+ SplayTime = ( 1 ) # 1 minute
+
+ SensibleSize = ( 1000 )
+ SensibleCount = ( 2 )
+ EditfileSize = ( 40000 )
+
+ MountPattern = ( / )
+ HomePattern = ( home* )
+
+# DeleteNonUserMail = ( true )
+# DeleteNonOwnerMail = ( true )
+ WarnNonOwnerMail = ( true )
+ WarnNonUserMail = ( true )
+
+ #
+ # If we undefine this with cfengine -N longjob
+ # then we switch off all jobs labelled with this class
+ #
+
+ AddClasses = ( longjob )
+
+ CheckAlias = ( "/usr/bin/test" )
+
+ actionsequence = (
+ checktimezone
+ editfiles
+ directories
+ copy
+ tidy
+ shellcommands
+ links
+ processes
+ )
+
+broadcast:
+ ones
+
+tidy:
+ /tmp/ pat=* r=inf A=1
+ /var/tmp pat=* r=inf A=2
+ / pat=core r=1 A=0
+ /etc pat=core r=1 A=0
+
+links:
+ /dev/core -> /proc/kcore
+
+ignore: # Don't check or tidy these directories
+
+ /local/lib/gnu/emacs/lock/
+ /local/tmp
+ ftp
+ projects
+ /local/bin/top
+ /local/lib/tex/fonts
+ /local/iu/etc
+ /local/etc
+ /local/iu/httpd/conf
+ /usr/tmp/locktelelogic
+ /usr/tmp/lockIDE
+ RootMailLog
+ operator
+ lock
+
+ #
+ # Emacs lock files etc
+ #
+
+ !*
+ /local/lib/xemacs
+
+ #
+ # X11 keeps X server data in /tmp/.X11
+ # better not delete this!
+ #
+
+ .X*
+ .ICE*
+ .font*
+ .gnomeicu*
+ .sawfish*
+ darxsock.*
+ mcop*
+ orbit*
+ ssh*
+ .Media*
+
+#####################################################################
+
+disable:
+
+ /etc/hosts.equiv
+# /etc/nologin
+ /usr/lib/sendmail.fc
+
+###
+#
+# END cf.main
+#
+###
diff --git a/cfengine/cf.groups.jones b/cfengine/cf.groups.jones
new file mode 100644
index 0000000..b2f53b5
--- /dev/null
+++ b/cfengine/cf.groups.jones
@@ -0,0 +1,30 @@
+#
+# NB! Avoid adding new groups! We pollute the namespace already...
+#
+groups:
+ jones = ( auryn fuchur bastian argax slamuf pierre cafe3 ror wetware )
+ spiff = ( rornaestved satsbutikken ida )
+ homebase = ( honda jawa nimbus )
+ macvaerk = ( woody )
+ adamatic = ( nat mail2 web rudi ns )
+
+ Standalone_jones = ( auryn fuchur )
+ WWWServer_jones = ( auryn fuchur bastian argax slamuf pierre cafe3 ror wetware rornaestved satsbutikken ida honda jawa woody mail2 web )
+ FTPServer_jones = ( auryn fuchur bastian argax slamuf pierre jawa woody web )
+ NameServer_jones = ( auryn bastian slamuf pierre )
+# FileServer_jones = ( auryn fuchur bastian argax slamuf pierre cafe3 wetware rornaestved satsbutikken ida honda jawa woody )
+# VPNServer_jones = ( )
+ Firewall_jones = ( slamuf pierre cafe3 wetware rornaestved ida woody )
+# CVSServer_jones = ( )
+# GMServer_jones = ( )
+# CDWriter_jones = ( )
+ IMAPServer_jones = ( auryn fuchur bastian slamuf pierre ror rornaestved nimbus woody )
+ MailHub_jones = ( bastian jawa )
+ MailClient_jones = ( auryn fuchur bastian slamuf pierre ror wetware honda jawa woody mail2 )
+
+ wol_jones = ( auryn fuchur slamuf wetware jawa )
+# cc_jones = ( )
+ tdk_jones = ( honda woody )
+# wp_jones = ( )
+ dnai_jones = ( pierre )
+ sunrise_jones = ( cafe3 )
diff --git a/cfengine/cf.groups.merge b/cfengine/cf.groups.merge
new file mode 100644
index 0000000..b38a489
--- /dev/null
+++ b/cfengine/cf.groups.merge
@@ -0,0 +1,34 @@
+#
+# NB! Avoid adding new groups! We pollute the namespace already...
+#
+import:
+ $(cfroot)/cf.groups.jones
+ $(cfroot)/cf.groups.xenux
+
+groups:
+ Standalone = ( Standalone_jones Standalone_xenux )
+ WWWServer = ( WWWServer_jones WWWServer_xenux )
+ FTPServer = ( FTPServer_jones FTPServer_xenux )
+ NameServer = ( NameServer_jones NameServer_xenux )
+ FileServer = ( FileServer_jones FileServer_xenux )
+ VPNServer = ( VPNServer_jones VPNServer_xenux )
+ Firewall = ( Firewall_jones Firewall_xenux )
+ CVSServer = ( CVSServer_jones CVSServer_xenux )
+ GMServer = ( GMServer_jones GMServer_xenux )
+ CDWriter = ( CDWriter_jones CDWriter_xenux )
+ IMAPServer = ( IMAPServer_jones IMAPServer_xenux )
+ MailHub = ( MailHub_jones MailHub_xenux )
+ MailClient = ( MailClient_jones MailClient_xenux )
+
+ # ISP's
+ wol = ( wol_jones wol_xenux )
+ cc = ( cc_jones cc_xenux )
+ tdk = ( tdk_jones tdk_xenux )
+ wp = ( wp_jones wp_xenux )
+ dnai = ( dnai_jones dnai_xenux )
+ sunrise = ( sunrise_jones sunrise_xenux )
+
+ All = ( Hr00 )
+ peaktime = ( Hr10 Hr11 Hr12 Hr13 Hr14 Hr15 )
+ OnTheHour = ( Min00_05 Min5_10 Min10_15 Min15_20 Min20_25 )
+ HalfHour = ( Min30_35 Min35_40 Min40_45 Min45_50 Min50_55 )
diff --git a/cfengine/cf.groups.xenux b/cfengine/cf.groups.xenux
new file mode 100644
index 0000000..baa9ad2
--- /dev/null
+++ b/cfengine/cf.groups.xenux
@@ -0,0 +1,30 @@
+#
+# NB! Avoid adding new groups! We pollute the namespace already...
+#
+groups:
+ xenux = ( ns mail www pc17 pc20 insight )
+ xenux = ( samba pc60 pc61 pc62 pc63 pc64 pc65 pc66 pc67 pc68 pc69 pc70 pc71 pc72 pc73 pc74 pc75 pc76 pc77 pc78 pc79 pc80 )
+ raps = ( aries )
+ grinsted = ( debian-grinsted )
+ mogensen = ( mogl-filer mogl-firewall mogl-mail )
+
+ Standalone_xenux = ( pc17 )
+ WWWServer_xenux = ( pc21 )
+ FTPServer_xenux = ( pc21 )
+ NameServer_xenux = ( ns )
+ FileServer_xenux = ( pc20 freja mogl-filer raps samba )
+ VPNServer_xenux = ( pc20 mogl-firewall raps )
+ Firewall_xenux = ( pc20 mogl-firewall raps )
+ CVSServer_xenux = ( pc17 )
+ GMServer_xenux = ( pc17 )
+ CDWriter_xenux = ( pc17 )
+ IMAPServer_xenux = ( mail )
+ MailHub_xenux = ( mail )
+# MailClient_xenux = ( )
+
+# wol_xenux = ( )
+ cc_xenux = ( freja )
+# tdk_xenux = ( )
+ wp_xenux = ( mail www pc17 pc20 pc21 )
+# dnai_xenux = ( )
+# sunrise_xenux = ( )
diff --git a/cfengine/cf.isp b/cfengine/cf.isp
new file mode 100644
index 0000000..e0d794f
--- /dev/null
+++ b/cfengine/cf.isp
@@ -0,0 +1,51 @@
+##############################################################
+#
+# cf.main.$isp
+#
+# This file contains generic config stuff
+#
+#################################################################
+
+###
+#
+# BEGIN cf.main.$isp
+#
+###
+
+control:
+ wol|cc|wp|tdk|sunrise::
+ timezone = ( MET CET )
+
+ dnai::
+ timezone = ( PST )
+
+resolve:
+ wol:: # Tiscali (World Online) [dk] http://www.worldonline.dk/support/tekinfo/tekinfo.html
+ 212.54.64.170 # ns.worldonline.dk
+ 212.54.64.171 # ns2.worldonline.dk
+
+ cc:: # CyberCity [dk] http://www.cybercity.dk/support/
+ 212.242.40.3 # dns1.cybercity.dk
+ 212.242.40.51 # dns2.cybercity.dk
+
+ wp:: # WebPartner [dk] http://www.webpartner.dk/htdocs/kunde_service/general_info.htm
+ 195.184.96.2 # ns.tjantik.dk
+ 195.184.96.3 # ns2.tjantik.dk
+
+ tdk:: # TeleDanmark [dk] http://internet.opasia.dk/abonnement/netexpres/tech_spec.html
+ 194.239.134.83 # ns3.tele.dk
+ 193.162.153.164 # ns3.inet.tele.dk
+
+ dnai:: # DNAI [us, calif.] http://www.dnai.com/helpdesk/gettingconnected
+ 207.181.192.141 # hopf.dnai.com
+ 207.181.194.14 # ida.bkly.dnai.com
+
+ sunrise:: # Sunrise Freesurf [ch] http://go.sunrise.ch/en/fre_faq/default.asp
+ 194.158.230.53 # dnspn1.spectraweb.ch
+ 194.158.230.54 # dnspn2.spectraweb.ch
+
+###
+#
+# END cf.main.$isp
+#
+###
diff --git a/cfengine/cf.services b/cfengine/cf.services
new file mode 100644
index 0000000..230354a
--- /dev/null
+++ b/cfengine/cf.services
@@ -0,0 +1,11 @@
+import:
+# NameServer::
+# $(cfroot)/cf.services.dns
+ FileServer::
+ $(cfroot)/cf.services.file
+ FTPServer::
+ $(cfroot)/cf.services.ftp
+ WWWServer::
+ $(cfroot)/cf.services.web
+ any::
+ $(cfroot)/cf.services.harden
diff --git a/cfengine/cf.services.dns b/cfengine/cf.services.dns
new file mode 100644
index 0000000..760e30e
--- /dev/null
+++ b/cfengine/cf.services.dns
@@ -0,0 +1,27 @@
+editfiles:
+ { /etc/bind/named.conf
+# BeginGroupIfNoLineContaining "logging "
+ BeginGroupIfNoLineMatching '\<logging[[:space:]]*\{'
+ Append "logging {"
+ Append " category lame-servers { null; };"
+ Append " category cname { null; };"
+ Append " category response-checks { null; };"
+ Append " category statistics { null; };"
+ Append "}"
+ EndGroup
+ WarnIfNoLineMatching '\<logging[[:space:]]*\{'
+ LocateLineMatching '\<logging[[:space:]]*\{'
+ AbortAtLineMatching '\}'
+ -> AppendIfNoLineMatching '\<category[[:blank:]]*lame-servers\>'
+ Append " category lame-servers { null; };"
+ EndGroup
+ BeginGroupIfNoLineMatching '\<category[[:blank:]]*cname\>'
+ Append " category cname { null; };"
+ EndGroup
+ BeginGroupIfNoLineMatching '\<category[[:blank:]]*response-checks\>'
+ Append " category response-checks { null; };"
+ EndGroup
+ BeginGroupIfNoLineMatching '\<category[[:blank:]]*statistics\>'
+ Append " category statistics { null; };"
+ EndGroup
+ }
diff --git a/cfengine/cf.services.file b/cfengine/cf.services.file
new file mode 100644
index 0000000..ee3bdac
--- /dev/null
+++ b/cfengine/cf.services.file
@@ -0,0 +1,361 @@
+control:
+ AddInstallable = ( samba_reload netatalk_reload lprng_reload cups_reload lprng cups )
+
+ #
+ # Variables for shares
+ # You can change the paths here and it will be changed both in
+ # the conf file and in the filesystem - But once it is implemented,
+ # it is not wise to change it - the data in the shares doesn't get
+ # moved!
+ # You can change the rights on the shares in the "directories:"
+ # section.
+ #
+ netlogshare = ( /etc/samba/netlogon )
+ commonsharedir = ( /var/local/filesharing/COMMON )
+ locsharedir = ( /var/local/filesharing/local )
+ datashare = ( /var/local/filesharing/COMMON/data )
+ pgrshare = ( /var/local/filesharing/COMMON/programs )
+ profshare = ( /var/local/filesharing/COMMON/samba/userprofiles )
+ printdir = ( /var/spool/samba )
+
+ #
+ # Variables for lprng
+ #
+
+editfiles:
+ any::
+ #
+ # Samba configuration stuff.
+ #
+ { /etc/samba/smb.conf
+ #
+ # Global stuff
+ #
+ # Remove share declarations from main smb.conf. It is split
+ # up in the following files:
+ # - smb.conf
+ # - smb-shares-COMMON.conf
+ # - smb-shares-$(site).conf
+ # - smb-printers.conf
+ #
+# DeleteLinesAfterThisMatching "^\[homes\]$(n)*.*"
+# ResetSearch "1"
+# CatchAbort
+# ResetSearch "1"
+
+ #
+ # Append the include lines for the files decribed above
+ #
+ AppendIfNoSuchLine "include = smb-shares-COMMON.conf"
+ AppendIfNoSuchLine "include = smb-shares-local.conf"
+ AppendIfNoSuchLine "include = smb-printers.conf"
+ ResetSearch "1"
+
+ #
+ # workgroup = $(site)
+ #
+ LocateLineMatching "^[;[:blank:]]*workgroup[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching '^[[:blank:]]*workgroup[[:blank:]]*=[[:blank:]]*$(site)[[:blank:]]*'
+ ReplaceLineWith ' workgroup = $(site)'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch '^[[:blank:]]*workgroup[[:blank:]]*=[[:blank:]]*$(site)[[:blank:]]*'
+ InsertLine ' workgroup = $(site)'
+ EndGroup
+
+ #
+ # wins support = yes
+ #
+ LocateLineMatching "^[;[:blank:]]*wins support[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*wins support[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ ReplaceLineWith ' wins support = yes'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*wins support[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ InsertLine ' wins support = yes'
+ EndGroup
+
+ #
+ # os level = 65
+ #
+ LocateLineMatching "^[;[:blank:]]*os level[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*os level[[:blank:]]*=[[:blank:]]*65[[:blank:]]*"
+ ReplaceLineWith ' os level = 65'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*os level[[:blank:]]*=[[:blank:]]*65[[:blank:]]*"
+ InsertLine ' os level = 65'
+ EndGroup
+
+ #
+ # domain master = yes
+ #
+ LocateLineMatching "^[;[:blank:]]*domain master[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*domain master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ ReplaceLineWith ' domain master = yes'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*domain master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ InsertLine ' domain master = yes'
+ EndGroup
+
+ #
+ # local master = yes
+ #
+ LocateLineMatching "^[;[:blank:]]*local master[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*local master[[:blank:]]*=[[:blank:]]*yes"
+ ReplaceLineWith ' local master = yes'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*local master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ InsertLine ' local master = yes'
+ EndGroup
+
+ #
+ # logon drive = U:
+ #
+ LocateLineMatching "^[;[:blank:]]*logon drive[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*logon drive[[:blank:]]*=[[:blank:]]*U:[[:blank:]]*"
+ ReplaceLineWith ' logon drive = U:'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*logon drive[[:blank:]]*=[[:blank:]]*U:[[:blank:]]*"
+ InsertLine ' logon drive = U:'
+ EndGroup
+
+ #
+ # logon script = common.bat
+ #
+ LocateLineMatching "^[;[:blank:]]*logon script[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*logon script[[:blank:]]*=[[:blank:]]*common.bat[[:blank:]]*"
+ ReplaceLineWith ' logon script = common.bat'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*logon script[[:blank:]]*=[[:blank:]]*common.bat[[:blank:]]*"
+ InsertLine ' logon script = common.bat'
+ EndGroup
+
+ #
+ # domain logons = yes
+ #
+ LocateLineMatching "^[;[:blank:]]*domain logons[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*domain logons[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ ReplaceLineWith ' domain logons = yes'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*domain logons[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ InsertLine ' domain logons = yes'
+ EndGroup
+
+ #
+ # logon path = \\%N\USERPROFILES\%U
+ #
+ LocateLineMatching "^[;[:blank:]]*logon path[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*logon path[[:blank:]]*=[[:blank:]]*[\\][\\]%N[\\]USERPROFILES[\\]%U[[:blank:]]*"
+ ReplaceLineWith ' logon path = \\%N\USERPROFILES\%U'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*logon path[[:blank:]]*=[[:blank:]]*[\\][\\]%N[\\]USERPROFILES[\\]%U[[:blank:]]*"
+ InsertLine ' logon path = \\%N\USERPROFILES\%U'
+ EndGroup
+
+ #
+ # preferred master = yes
+ #
+ LocateLineMatching "^[;[:blank:]]*preferred master[[:blank:]]*=.*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*preferred master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ ReplaceLineWith ' preferred master = yes'
+ EndGroup
+ CatchAbort
+ BeginGroupIfNoMatch "^[[:blank:]]*preferred master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*"
+ InsertLine ' preferred master = yes'
+ EndGroup
+ DefineClasses "samba_reload"
+ }
+ samba_reload::
+ { /etc/samba/smb.conf
+ LocateLineMatching "^; EDITED BY CFENGINE .*"
+ ReplaceAll '; EDITED BY CFENGINE .*$' With '; EDITED BY CFENGINE $(date)'
+ CatchAbort
+ BeginGroupIfNoMatch "^; EDITED BY CFENGINE .*"
+ Append '; EDITED BY CFENGINE $(date)'
+ EndGroup
+ }
+ any::
+ { /etc/samba/smb-shares-COMMON.conf
+ #
+ # This file contains all the shares common to all installations.
+ # We check if the proper sections are there and add them if they
+ # isn't. We don't check the file line for line.
+ #
+ AutoCreate
+
+ #
+ # [netlogon]
+ #
+ BeginGroupIfNoLineMatching "^\[netlogon\]"
+ Append '[netlogon]'
+ Append ' comment = Network logon'
+ Append ' path = $(netlogshare)'
+ Append ' browsable = no'
+ Append ' writeable = no'
+ Append ' share modes = no'
+ EndGroup
+ #
+ # [userprofiles]
+ #
+ BeginGroupIfNoLineMatching "^\[userprofiles\]"
+ Append '[userprofiles]'
+ Append ' path = $(profshare)'
+ Append ' force user = %u'
+ Append ' writable = yes'
+ Append ' browsable = no'
+ Append ' root preexec = /bin/mkdir $(profshare)/%U \'
+ Append ' /bin/chown %U $(profshare)/%U \'
+ Append ' /bin/chmod 700 $(profshare)/%U'
+ EndGroup
+ #
+ # [homes]
+ #
+ BeginGroupIfNoLineMatching "^\[homes\]"
+ Append '[homes]'
+ Append ' path = /home/%u/shared'
+ Append ' browsable = no'
+ Append ' root preexec = /bin/mkdir /home/%u/shared \'
+ Append ' /bin/chown %U /home/%u/shared \'
+ Append ' /bin/chmod 644 /home/%u/shared'
+ EndGroup
+ #
+ # [programmer]
+ #
+ BeginGroupIfNoLineMatching "^\[programmer\]"
+ Append '[programmer]'
+ Append ' path = $(pgrshare)'
+ Append ' comment = Programmer'
+ Append ' browsable = yes'
+ Append ' guest ok = yes'
+ Append ' writeable = yes'
+ EndGroup
+ #
+ # [dokumenter]
+ #
+ BeginGroupIfNoLineMatching "^\[dokumenter\]"
+ Append '[dokumenter]'
+ Append ' path = $(datashare)'
+ Append ' comment = Fælles dokumenter'
+ Append ' browsable = yes'
+ Append ' guest ok = no'
+ Append ' writeable = yes'
+ EndGroup
+ DefineClasses "samba_reload"
+ }
+ samba_reload::
+ { /etc/samba/smb-shares-COMMON.conf
+ LocateLineMatching "^; EDITED BY CFENGINE .*"
+ ReplaceAll '; EDITED BY CFENGINE .*$' With '; EDITED BY CFENGINE $(date)'
+ CatchAbort
+ BeginGroupIfNoMatch "^; EDITED BY CFENGINE .*"
+ Append '; EDITED BY CFENGINE $(date)'
+ EndGroup
+ }
+ any::
+ #
+ # Local shares special for the site
+ #
+ { /etc/samba/smb-shares-$(site).conf
+ #
+ # We don't make this file dynamically, but instead we copy the contents
+ # of a master file, but only if it's newer than the one installed.
+ #
+ BeginGroupIfFileIsNewer "/etc/local-$(host).$(domain)/samba/smb-shares-$(site).conf"
+ EmptyEntireFilePlease
+ InsertFile "/etc/local-$(host).$(domain)/samba/smb-shares-$(site).conf"
+ Append "# Edited by cfengine $(date)"
+ EndGroup
+ DefineClasses "lprng_reload"
+ }
+ any::
+ #
+ # Printer configuration stuff
+ #
+ { /etc/printcap
+ #
+ # We don't make the printcap dynamically, but instead we copy the contents
+ # of a master file, but only if it's newer than the one installed.
+ #
+ BeginGroupIfFileIsNewer "/etc/local-$(host).$(domain)/printcap"
+ EmptyEntireFilePlease
+ InsertFile "/etc/local-$(host).$(domain)/printcap"
+ Append "# Edited by cfengine $(date)"
+ EndGroup
+ DefineClasses "lprng_reload"
+ }
+ any::
+ { /etc/samba/smb-printers.conf
+ #
+ # This file contains all the printers defined in the Linux printing
+ # system. There shouldn't be any need for setting up additional
+ # printer entries. Manage the printers through the Linux print
+ # system.
+ # We check if the proper sections are there and add them if they
+ # isn't. We don't check the file line for line.
+ #
+ AutoCreate
+
+ #
+ # [printers]
+ #
+ BeginGroupIfNoLineMatching "^\[printers\]"
+ Append '[printers]'
+ Append ' comment = %S printer'
+ Append ' path = $(printdir)'
+ Append ' print command = /usr/bin/lpr -h %s'
+ Append ' lprm command = /usr/bin/lprm -P%S %j'
+ Append ' public = yes'
+ Append ' printable = yes'
+ EndGroup
+ }
+ samba_reload::
+ { /etc/samba/smb-printers.conf
+ LocateLineMatching "^; EDITED BY CFENGINE .*"
+ ReplaceAll '; EDITED BY CFENGINE .*$' With '; EDITED BY CFENGINE $(date)'
+ CatchAbort
+ BeginGroupIfNoMatch "^; EDITED BY CFENGINE .*"
+ Append '; EDITED BY CFENGINE $(date)'
+ EndGroup
+ }
+
+directories:
+ $(netlogshare)
+ mode=755
+ owner=root
+ group=root
+ $(commonsharedir)
+ mode=755
+ owner=root
+ group=root
+ $(pgrshare)
+ mode=775
+ owner=root
+ group=users
+ $(datashare)
+ mode=775
+ owner=root
+ group=users
+ $(profshare)
+ mode=775
+ owner=root
+ group=users
+
+processes:
+ "smb" restart "/etc/init.d/samba restart"
+
+shellcommands:
+ samba_reload::
+ "/etc/init.d/samba force-reload"
+ netatalk_reload::
+ "/etc/init.d/netatalk force-reload"
+ lprng_reload::
+ "/etc/init.d/lprng force-reload"
+ cups_reload::
+ "/etc/init.d/cups force-reload"
diff --git a/cfengine/cf.services.ftp b/cfengine/cf.services.ftp
new file mode 100644
index 0000000..894f566
--- /dev/null
+++ b/cfengine/cf.services.ftp
@@ -0,0 +1,35 @@
+control:
+ AddInstallable = ( proftpd_reload )
+editfiles:
+ { /etc/proftpd.conf
+ DefineClasses "proftpd_reload"
+ AbortAtLineMatching "^[[:blank:]]*VirtualHost[[:blank:]]*.*$"
+ #
+ # LsDefaultOptions "-la"
+ #
+ WarnIfNoLineMatching "^[[:blank:]]*LsDefaultOptions[[:blank:]].*$"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*LsDefaultOptions[[:blank:]].*$"
+ Append 'LsDefaultOptions "-la" # Added by cfengine'
+ EndGroup
+ LocateLineMatching "^[[:blank:]]*LsDefaultOptions[[:blank:]].*$"
+ BeginGroupIfNoLineMatching '^[[:blank:]]*LsDefaultOptions[[:blank:]]"-la"([[:blank:]]+(#.*)?)?$'
+ ReplaceLineWith 'LsDefaultOptions "-la" # Edited by cfengine'
+ EndGroup
+ #
+ # DefaultRoot ~ users,!staff
+ #
+ WarnIfNoLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]].*$"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]].*$"
+ Append 'DefaultRoot ~ users,!staff # Added by cfengine'
+ EndGroup
+ LocateLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]].*$"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]]+~[[:blank:]]+users,!staff([[:blank:]]+(#.*)?)?$"
+ ReplaceLineWith 'DefaultRoot ~ users,!staff # Edited by cfengine'
+ EndGroup
+ UnsetAbort "^[[:blank:]]*VirtualHost[[:blank:]]*.*$"
+ }
+processes:
+ "proftpd" restart "/etc/init.d/proftpd restart"
+shellcommands:
+ proftpd_reload::
+ "/etc/init.d/proftpd force-reload"
diff --git a/cfengine/cf.services.harden b/cfengine/cf.services.harden
new file mode 100644
index 0000000..1953c88
--- /dev/null
+++ b/cfengine/cf.services.harden
@@ -0,0 +1,66 @@
+editfiles:
+ { /etc/aide/aide.conf
+ #
+ # Logs = p+n+u+g
+ #
+ # Debian rotates its logfiles, so ignore inode, number of inodes and growing size
+ #
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
+ Append "Logs = p+n+u+g # Added by cfengine"
+ EndGroup
+ LocateLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=[[:blank:]][\+pug]*([[:blank:]]+(#.*)?)?"
+ ReplaceLineWith "Logs = p+u+g # Edited by cfengine"
+ EndGroup
+ #
+ # Devices = p+i+n+u+g+s+b+md5+sha1
+ #
+ # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
+ #
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
+ Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
+ EndGroup
+ LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbcmd5sha1]*([[:blank:]]+(#.*)?)?"
+ ReplaceLineWith "Devices = p+i+n+u+g+s+b+c+md5+sha1 # Edited by cfengine"
+ EndGroup
+ #
+ # #/var/log/aide/...
+ # #/var/log/setuid...
+ #
+ # Treat these as regular logfiles - they are rotated as well
+ #
+ HashCommentLinesMatching "^/var/log/aide/.*"
+ HashCommentLinesMatching "^/var/log/setuid.*"
+ #
+ # #/var/log$ StaticDir
+ #
+ SetCommentStart "#"
+ SetCommentEnd ""
+# bug! CommentLinesMatching "^/var/log\$[[:blank:]]StaticDir.*"
+# LocateLineMatching "^/var/log\$[[:blank:]]StaticDir.*"
+# bug! CommentNLines "1"
+ LocateLineMatching "^/var/log\$[[:blank:]]StaticDir[[:blank:]]*"
+ ReplaceLineWith "#/var/log$ StaticDir"
+ CatchAbort
+ #
+ # !/dev/log
+ # !/dev/xconsole
+ # !/dev/core
+ #
+ LocateLineMatching "^[[:blank:]]*\!/dev/.*"
+ CatchAbort
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
+ GotoLastLine
+ EndGroup
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/log([[:blank:]]+(#.*)?)?"
+ InsertLine "!/dev/log # Added by cfengine"
+ EndGroup
+ DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
+ InsertLine "!/dev/xconsole # Added by cfengine"
+ EndGroup
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
+ InsertLine "!/dev/core # Added by cfengine"
+ EndGroup
+ }
diff --git a/cfengine/cf.services.web b/cfengine/cf.services.web
new file mode 100644
index 0000000..d27c561
--- /dev/null
+++ b/cfengine/cf.services.web
@@ -0,0 +1,285 @@
+control:
+ AddInstallable = ( apache_reload )
+editfiles:
+ { /etc/apache/httpd.conf
+ DefineClasses "apache_reload"
+ #
+ # ServerAdmin webmaster@$(domain)
+ #
+ # (Try to add it _before_ virtual hosts)
+ #
+ WarnIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
+ BeginGroupIfNoLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
+ Append "ServerAdmin webmaster@$(domain)"
+ EndGroup
+ BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
+ LocateLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
+ InsertLine "ServerAdmin webmaster@$(domain)"
+ EndGroup
+ EndGroup
+ LocateLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]]*webmaster@$(domain)[[:blank:]]*$"
+ ReplaceLineWith "ServerAdmin webmaster@$(domain)"
+ EndGroup
+ #
+ # Make space for cfengine hacks
+ #
+ # (Try to add it _before_ virtual hosts)
+ #
+ ResetSearch "1"
+ BeginGroupIfNoSuchLine "# BEGIN CFENGINE"
+ BeginGroupIfNoLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
+ Append ""
+ Append "# BEGIN CFENGINE"
+ Append "# END CFENGINE"
+ EndGroup
+ BeginGroupIfNoLineMatching "^# BEGIN CFENGINE$"
+ LocateLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
+ IncrementPointer "-1"
+ InsertLine ""
+ InsertLine "# BEGIN CFENGINE"
+ InsertLine "# END CFENGINE"
+ InsertLine ""
+ EndGroup
+ EndGroup
+ #
+ # LoadModule php3_module /usr/lib/apache/1.3/libphp3.so
+ #
+ # <IfModule libphp3.c>
+ # php3_display_errors off
+ # php3_log_errors on
+ # AddType application/x-httpd-php3 .php3
+ # AddType application/x-httpd-php3-source .phps
+ # </IfModule>
+ #
+ BeginGroupIfFileExists "/usr/lib/apache/1.3/libphp3.so"
+ ResetSearch "1"
+# bug! UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php3_module[[:blank:]].*"
+ LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php3_module[[:blank:]]+/usr/lib/apache/1.3/libphp3.so$"
+ ReplaceLineWith "LoadModule php3_module /usr/lib/apache/1.3/libphp3.so"
+ CatchAbort
+ AbortAtLineMatching "^# END CFENGINE$"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ BeginGroupIfNoSuchLine "<IfModule libphp3.c>"
+ InsertLine "<IfModule libphp3.c>"
+ InsertLine "</IfModule>"
+ EndGroup
+ ResetSearch "1"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ LocateLineMatching "^<IfModule libphp3.c>$"
+ BeginGroupIfNoLineMatching "[[:blank:]]*php3_display_errors off"
+ InsertLine " php3_display_errors off"
+ EndGroup
+ BeginGroupIfNoLineMatching "[[:blank:]]*php3_log_errors on"
+ InsertLine " php3_log_errors on"
+ EndGroup
+ BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-php3 .php3"
+ InsertLine " AddType application/x-httpd-php3 .php3"
+ EndGroup
+ BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-source .phps"
+ InsertLine " AddType application/x-httpd-source .phps"
+ EndGroup
+ UnsetAbort "^# END CFENGINE$"
+ EndGroup
+ #
+ # LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
+ #
+ # <IfModule libphp4.c>
+ # php_flag display_errors off
+ # php_flag log_errors on
+ # AddType application/x-httpd-php .php
+ # AddType application/x-httpd-php-source .phps
+ # </IfModule>
+ #
+ BeginGroupIfFileExists "/usr/lib/apache/1.3/libphp4.so"
+ ResetSearch "1"
+# UnCommentLinesMatching "^\#[[:blank:]]*LoadModule[[:blank:]]+php4\_module[[:blank:]].*"
+ LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php4\_module[[:blank:]]+/usr/lib/apache/1.3/libphp4.so$"
+ ReplaceLineWith "LoadModule php4_module /usr/lib/apache/1.3/libphp4.so"
+ CatchAbort
+ AbortAtLineMatching "^# END CFENGINE$"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ BeginGroupIfNoSuchLine "<IfModule libphp4.c>"
+ InsertLine "<IfModule libphp4.c>"
+ InsertLine "</IfModule>"
+ EndGroup
+ ResetSearch "1"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ LocateLineMatching "^<IfModule libphp4.c>$"
+ BeginGroupIfNoLineMatching "^.*php_flag[[:blank:]]*display_errors[[:blank:]]*off$"
+ InsertLine " php_flag display_errors off"
+ EndGroup
+ BeginGroupIfNoLineMatching ".*php_flag log_errors on"
+ InsertLine " php_flag log_errors on"
+ EndGroup
+ BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-php .php"
+ InsertLine " AddType application/x-httpd-php .php"
+ EndGroup
+ BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-source .phps"
+ InsertLine " AddType application/x-httpd-source .phps"
+ EndGroup
+ UnsetAbort "^# END CFENGINE$"
+ EndGroup
+ #
+ # LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
+ #
+ # <IfModule mod_gzip.c>
+ # mod_gzip_dechunk yes
+ # mod_gzip_keep_workfiles No
+ # mod_gzip_temp_dir /tmp
+ # mod_gzip_minimum_file_size 1002
+ # mod_gzip_maximum_file_size 0
+ # mod_gzip_maximum_inmem_size 1000000
+ # mod_gzip_item_include file "\.htm$"
+ # mod_gzip_item_include file "\.html$"
+ # mod_gzip_item_include mime "text/.*"
+ # mod_gzip_item_include file "\.php$"
+ # mod_gzip_item_include mime "jserv-servlet"
+ # mod_gzip_item_include handler "jserv-servlet"
+ # mod_gzip_item_include mime "application/x-httpd-php.*"
+ # mod_gzip_item_include mime "httpd/unix-directory"
+ # mod_gzip_item_exclude file "\.css$"
+ # mod_gzip_item_exclude file "\.js$"
+ # mod_gzip_item_exclude file "\.wml$"
+ # </IfModule>
+ #
+ BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_gzip.so"
+ ResetSearch "1"
+# SetCommentStart "#"
+# SetCommentEnd ""
+# UnCommentLinesMatching "^\#[[:blank:]]*LoadModule[[:blank:]]+gzip_module[[:blank:]].*"
+ LocateLineMatching "#[[:blank:]]*LoadModule[[:blank:]]+gzip_module[[:blank:]]+/usr/lib/apache/1.3/mod_gzip.so"
+# UnCommentNLines "1"
+ ReplaceLineWith "LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so"
+ CatchAbort
+ AbortAtLineMatching "^# END CFENGINE$"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ BeginGroupIfNoSuchLine "<IfModule mod_gzip.c>"
+ InsertLine "<IfModule mod_gzip.c>"
+ InsertLine "</IfModule>"
+ EndGroup
+ ResetSearch "1"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ LocateLineMatching "^<IfModule mod_gzip.c>$"
+ BeginGroupIfNoLineMatching ' mod_gzip_on yes'
+ InsertLine ' mod_gzip_on yes'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_dechunk yes'
+ InsertLine ' mod_gzip_dechunk yes'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_keep_workfiles No'
+ InsertLine ' mod_gzip_keep_workfiles No'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_temp_dir /tmp'
+ InsertLine ' mod_gzip_temp_dir /tmp'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_minimum_file_size 1002'
+ InsertLine ' mod_gzip_minimum_file_size 1002'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_maximum_file_size 0'
+ InsertLine ' mod_gzip_maximum_file_size 0'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_maximum_inmem_size 1000000'
+ InsertLine ' mod_gzip_maximum_inmem_size 1000000'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.htm\$"'
+ InsertLine ' mod_gzip_item_include file "\.htm$"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.html\$"'
+ InsertLine ' mod_gzip_item_include file "\.html$"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "text/\.\*"'
+ InsertLine ' mod_gzip_item_include mime "text/.*"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.php\$"'
+ InsertLine ' mod_gzip_item_include file "\.php$"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "jserv-servlet"'
+ InsertLine ' mod_gzip_item_include mime "jserv-servlet"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include handler "jserv-servlet"'
+ InsertLine ' mod_gzip_item_include handler "jserv-servlet"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "application/x-httpd-php\.\*"'
+ InsertLine ' mod_gzip_item_include mime "application/x-httpd-php.*"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "httpd/unix-directory"'
+ InsertLine ' mod_gzip_item_include mime "httpd/unix-directory"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.css\$"'
+ InsertLine ' mod_gzip_item_exclude file "\.css$"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.js\$"'
+ InsertLine ' mod_gzip_item_exclude file "\.js$"'
+ EndGroup
+ BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.wml\$"'
+ InsertLine ' mod_gzip_item_exclude file "\.wml$"'
+ EndGroup
+ UnsetAbort "^# END CFENGINE$"
+ EndGroup
+ #
+ # LoadModule index_rss_module /usr/lib/apache/1.3/mod_index_rss.so
+ #
+ # <IfModule mod_index_rss.c>
+ # IndexRSSEngine On
+ # </IfModule>
+ #
+ BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_index_rss.so"
+ ResetSearch "1"
+# bug! UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+index_rss_module[[:blank:]].*"
+ LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+index_rss_module[[:blank:]]+/usr/lib/apache/1.3/mod_index_rss.so$"
+ ReplaceLineWith "LoadModule index_rss_module /usr/lib/apache/1.3/mod_index_rss.so"
+ CatchAbort
+ AbortAtLineMatching "^# END CFENGINE$"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ BeginGroupIfNoSuchLine "<IfModule mod_index_rss.c>"
+ InsertLine "<IfModule mod_index_rss.c>"
+ InsertLine "</IfModule>"
+ EndGroup
+ ResetSearch "1"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ LocateLineMatching "^<IfModule mod_index_rss.c>$"
+ BeginGroupIfNoLineMatching "[[:blank:]]+IndexRSSEngine On"
+ InsertLine " IndexRSSEngine On"
+ EndGroup
+ UnsetAbort "^# END CFENGINE$"
+ EndGroup
+ #
+ # LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so
+ #
+ # <IfModule mod_auth_pam.c>
+ # <Location />
+ # AuthPAM_Enabled Off
+ # </Location>
+ # </IfModule>
+ #
+ BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_auth_pam.so"
+ ResetSearch "1"
+# bug! UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+pam_auth_module[[:blank:]].*"
+ LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+pam_auth_module[[:blank:]]+/usr/lib/apache/1.3/mod_auth_pam.so$"
+ ReplaceLineWith "LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so"
+ CatchAbort
+ AbortAtLineMatching "^# END CFENGINE$"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ BeginGroupIfNoSuchLine "<IfModule mod_auth_pam.c>"
+ InsertLine "<IfModule mod_auth_pam.c>"
+ InsertLine " <Location />"
+ InsertLine " </Location>"
+ InsertLine "</IfModule>"
+ EndGroup
+ ResetSearch "1"
+ LocateLineMatching "^# BEGIN CFENGINE$"
+ LocateLineMatching "^<IfModule mod_auth_pam.c>$"
+ LocateLineMatching "[[:blank:]]+<Location />"
+ BeginGroupIfNoLineMatching "[[:blank:]]+AuthPAM_Enabled Off"
+ InsertLine " AuthPAM_Enabled Off"
+ EndGroup
+ UnsetAbort "^# END CFENGINE$"
+ EndGroup
+ }
+processes:
+ "apache" restart "/etc/init.d/apache restart"
+shellcommands:
+ apache_reload::
+ "/etc/init.d/apache force-reload"
diff --git a/cfengine/cf.site b/cfengine/cf.site
new file mode 100644
index 0000000..2c552b5
--- /dev/null
+++ b/cfengine/cf.site
@@ -0,0 +1,5 @@
+import:
+ jones|macvaerk|homebase|adamatic::
+ $(cfroot)/cf.site.jones
+ xenux|raps|grinsted|mogl::
+ $(cfroot)/cf.site.xenux
diff --git a/cfengine/cf.site.jones b/cfengine/cf.site.jones
new file mode 100644
index 0000000..13bb27b
--- /dev/null
+++ b/cfengine/cf.site.jones
@@ -0,0 +1,62 @@
+##############################################################
+#
+# cf.main.$site
+#
+# This file contains generic config stuff
+#
+#################################################################
+
+###
+#
+# BEGIN cf.main
+#
+###
+
+control:
+ jones::
+ site = ( jones )
+ domain = ( jones.dk )
+ sysadm = ( dr@jones.dk )
+ homebase::
+ site = ( homebase )
+ domain = ( homebase.dk )
+ sysadm = ( teknik@homebase.dk )
+ adamatic::
+ site = ( adamatic )
+ domain = ( a-host.dk )
+ sysadm = ( hostmaster@a-host.dk )
+ macvaerk::
+ site = ( macvaerk )
+ domain = ( macvaerk.com )
+ sysadm = ( hostmaster@macvaerk.com )
+
+ timezone = ( MET CET )
+
+# netmask = ( 255.255.255.0 )
+
+######################################################################
+
+defaultroute:
+ jones::
+ 192.168.1.1
+
+######################################################################
+
+resolve:
+
+ "search macvaerk.com" # last one searched
+ "search homebase.dk" # 2nd ..
+ "search jones.dk" # first one searched
+ DNSServer::
+ 127.0.0.1 # localhost
+ any::
+ 212.54.64.170 # ns.worldonline.dk
+ 212.54.64.171 # ns2.worldonline.dk
+
+######################################################################
+
+###
+#
+# END cf.main.$site
+#
+###
diff --git a/cfengine/cf.site.xenux b/cfengine/cf.site.xenux
new file mode 100644
index 0000000..14e70b5
--- /dev/null
+++ b/cfengine/cf.site.xenux
@@ -0,0 +1,75 @@
+##############################################################
+#
+# cf.main.$site
+#
+# This file contains generic config stuff
+#
+#################################################################
+
+###
+#
+# BEGIN cf.main
+#
+###
+
+control:
+ xenux::
+ site = ( xenux )
+ domain = ( xenux.dk )
+ sysadm = ( root@xenux.dk )
+ xenuxlocal::
+ site = ( xenuxlocal )
+ domain = ( xenux.dk )
+ sysadm = ( root@xenux.dk )
+ raps:: # R-ApS
+ site = ( raps )
+ domain = ( r-aps.dk )
+ sysadm = ( root@r-aps.dk )
+ grinsted:: # Grinsted Public
+ site = ( grinsted )
+ domain = ( public.dk )
+ sysadm = ( root@post.public.dk )
+ mogensen:: # Mogensen & Lassen
+ site = ( mogensen )
+ domain = ( mogensen.com )
+ sysadm = ( root@mogensen.com )
+
+ timezone = ( MET CET )
+
+# netmask = ( 255.255.255.0 )
+
+######################################################################
+
+defaultroute:
+ xenux::
+ 192.184.114.1
+ grinsted::
+ 62.242.55.89
+ mogl::
+ 192.168.11.1
+
+######################################################################
+
+resolve:
+
+ xenux::
+ "search xenux.dk"
+ raps::
+ "search xenux.dk"
+ grinsted::
+ "search grinsted.dk"
+ mogl::
+ "search mogensen.com"
+ DNSServer::
+ 127.0.0.1 # localhost
+ any::
+ 212.54.64.170 # ns.worldonline.dk
+ 212.54.64.171 # ns2.worldonline.dk
+
+######################################################################
+
+###
+#
+# END cf.main.$site
+#
+###
diff --git a/cfengine/cfengine.conf b/cfengine/cfengine.conf
new file mode 100755
index 0000000..e32c8ec
--- /dev/null
+++ b/cfengine/cfengine.conf
@@ -0,0 +1,37 @@
+#####################################################################
+#
+# CFENGINE CONFIGURATION FOR site = jones.dk|xenux.dk
+#
+# This file is for root only.
+#
+######################################################################
+
+###
+#
+# BEGIN cfengine.conf (Only hard classes in this file )
+#
+###
+
+control:
+ cfroot = ( /etc/local-COMMON/cfengine )
+
+import:
+
+ #
+ # Split things up to keep things tidy
+ #
+
+ $(cfroot)/cf.groups.jones
+ $(cfroot)/cf.groups.xenux
+ $(cfroot)/cf.groups.merge
+ $(cfroot)/cf.main
+ $(cfroot)/cf.isp
+ $(cfroot)/cf.site
+ $(cfroot)/cf.services
+# $(cfroot)/cf.motd
+
+###
+#
+# END cfengine.conf
+#
+###