From a06f2d5e639d6a3bdeeb3062ebc754cce287eb19 Mon Sep 17 00:00:00 2001 From: Juri Jensen Date: Wed, 12 Sep 2001 12:03:18 +0000 Subject: Initial revision --- cfengine/cf.generic | 128 ++++++++++++++++ cfengine/cf.groups.jones | 30 ++++ cfengine/cf.groups.merge | 34 +++++ cfengine/cf.groups.xenux | 30 ++++ cfengine/cf.isp | 51 +++++++ cfengine/cf.services | 11 ++ cfengine/cf.services.dns | 27 ++++ cfengine/cf.services.file | 361 ++++++++++++++++++++++++++++++++++++++++++++ cfengine/cf.services.ftp | 35 +++++ cfengine/cf.services.harden | 66 ++++++++ cfengine/cf.services.web | 285 ++++++++++++++++++++++++++++++++++ cfengine/cf.site | 5 + cfengine/cf.site.jones | 62 ++++++++ cfengine/cf.site.xenux | 75 +++++++++ cfengine/cfengine.conf | 37 +++++ 15 files changed, 1237 insertions(+) create mode 100644 cfengine/cf.generic create mode 100644 cfengine/cf.groups.jones create mode 100644 cfengine/cf.groups.merge create mode 100644 cfengine/cf.groups.xenux create mode 100644 cfengine/cf.isp create mode 100644 cfengine/cf.services create mode 100644 cfengine/cf.services.dns create mode 100644 cfengine/cf.services.file create mode 100644 cfengine/cf.services.ftp create mode 100644 cfengine/cf.services.harden create mode 100644 cfengine/cf.services.web create mode 100644 cfengine/cf.site create mode 100644 cfengine/cf.site.jones create mode 100644 cfengine/cf.site.xenux create mode 100755 cfengine/cfengine.conf diff --git a/cfengine/cf.generic b/cfengine/cf.generic new file mode 100644 index 0000000..6315098 --- /dev/null +++ b/cfengine/cf.generic @@ -0,0 +1,128 @@ +############################################################## +# +# cf.main +# +# This file contains generic config stuff +# +################################################################# + +### +# +# BEGIN cf.main +# +### + +control: + + Access = ( root ) # Only root should run this + + timezone = ( MET CET ) + + Repository = ( /var/backups/cfengine ) + + OutputPrefix = ( "cf:$(host)" ) + + netmask = ( 255.255.255.0 ) + +# IfElapsed = ( 15 ) # mins + IfElapsed = ( 1 ) # mins + ExpireAfter = ( 240 ) # 4 timer + SplayTime = ( 1 ) # 1 minute + + SensibleSize = ( 1000 ) + SensibleCount = ( 2 ) + EditfileSize = ( 40000 ) + + MountPattern = ( / ) + HomePattern = ( home* ) + +# DeleteNonUserMail = ( true ) +# DeleteNonOwnerMail = ( true ) + WarnNonOwnerMail = ( true ) + WarnNonUserMail = ( true ) + + # + # If we undefine this with cfengine -N longjob + # then we switch off all jobs labelled with this class + # + + AddClasses = ( longjob ) + + CheckAlias = ( "/usr/bin/test" ) + + actionsequence = ( + checktimezone + editfiles + directories + copy + tidy + shellcommands + links + processes + ) + +broadcast: + ones + +tidy: + /tmp/ pat=* r=inf A=1 + /var/tmp pat=* r=inf A=2 + / pat=core r=1 A=0 + /etc pat=core r=1 A=0 + +links: + /dev/core -> /proc/kcore + +ignore: # Don't check or tidy these directories + + /local/lib/gnu/emacs/lock/ + /local/tmp + ftp + projects + /local/bin/top + /local/lib/tex/fonts + /local/iu/etc + /local/etc + /local/iu/httpd/conf + /usr/tmp/locktelelogic + /usr/tmp/lockIDE + RootMailLog + operator + lock + + # + # Emacs lock files etc + # + + !* + /local/lib/xemacs + + # + # X11 keeps X server data in /tmp/.X11 + # better not delete this! + # + + .X* + .ICE* + .font* + .gnomeicu* + .sawfish* + darxsock.* + mcop* + orbit* + ssh* + .Media* + +##################################################################### + +disable: + + /etc/hosts.equiv +# /etc/nologin + /usr/lib/sendmail.fc + +### +# +# END cf.main +# +### diff --git a/cfengine/cf.groups.jones b/cfengine/cf.groups.jones new file mode 100644 index 0000000..b2f53b5 --- /dev/null +++ b/cfengine/cf.groups.jones @@ -0,0 +1,30 @@ +# +# NB! Avoid adding new groups! We pollute the namespace already... +# +groups: + jones = ( auryn fuchur bastian argax slamuf pierre cafe3 ror wetware ) + spiff = ( rornaestved satsbutikken ida ) + homebase = ( honda jawa nimbus ) + macvaerk = ( woody ) + adamatic = ( nat mail2 web rudi ns ) + + Standalone_jones = ( auryn fuchur ) + WWWServer_jones = ( auryn fuchur bastian argax slamuf pierre cafe3 ror wetware rornaestved satsbutikken ida honda jawa woody mail2 web ) + FTPServer_jones = ( auryn fuchur bastian argax slamuf pierre jawa woody web ) + NameServer_jones = ( auryn bastian slamuf pierre ) +# FileServer_jones = ( auryn fuchur bastian argax slamuf pierre cafe3 wetware rornaestved satsbutikken ida honda jawa woody ) +# VPNServer_jones = ( ) + Firewall_jones = ( slamuf pierre cafe3 wetware rornaestved ida woody ) +# CVSServer_jones = ( ) +# GMServer_jones = ( ) +# CDWriter_jones = ( ) + IMAPServer_jones = ( auryn fuchur bastian slamuf pierre ror rornaestved nimbus woody ) + MailHub_jones = ( bastian jawa ) + MailClient_jones = ( auryn fuchur bastian slamuf pierre ror wetware honda jawa woody mail2 ) + + wol_jones = ( auryn fuchur slamuf wetware jawa ) +# cc_jones = ( ) + tdk_jones = ( honda woody ) +# wp_jones = ( ) + dnai_jones = ( pierre ) + sunrise_jones = ( cafe3 ) diff --git a/cfengine/cf.groups.merge b/cfengine/cf.groups.merge new file mode 100644 index 0000000..b38a489 --- /dev/null +++ b/cfengine/cf.groups.merge @@ -0,0 +1,34 @@ +# +# NB! Avoid adding new groups! We pollute the namespace already... +# +import: + $(cfroot)/cf.groups.jones + $(cfroot)/cf.groups.xenux + +groups: + Standalone = ( Standalone_jones Standalone_xenux ) + WWWServer = ( WWWServer_jones WWWServer_xenux ) + FTPServer = ( FTPServer_jones FTPServer_xenux ) + NameServer = ( NameServer_jones NameServer_xenux ) + FileServer = ( FileServer_jones FileServer_xenux ) + VPNServer = ( VPNServer_jones VPNServer_xenux ) + Firewall = ( Firewall_jones Firewall_xenux ) + CVSServer = ( CVSServer_jones CVSServer_xenux ) + GMServer = ( GMServer_jones GMServer_xenux ) + CDWriter = ( CDWriter_jones CDWriter_xenux ) + IMAPServer = ( IMAPServer_jones IMAPServer_xenux ) + MailHub = ( MailHub_jones MailHub_xenux ) + MailClient = ( MailClient_jones MailClient_xenux ) + + # ISP's + wol = ( wol_jones wol_xenux ) + cc = ( cc_jones cc_xenux ) + tdk = ( tdk_jones tdk_xenux ) + wp = ( wp_jones wp_xenux ) + dnai = ( dnai_jones dnai_xenux ) + sunrise = ( sunrise_jones sunrise_xenux ) + + All = ( Hr00 ) + peaktime = ( Hr10 Hr11 Hr12 Hr13 Hr14 Hr15 ) + OnTheHour = ( Min00_05 Min5_10 Min10_15 Min15_20 Min20_25 ) + HalfHour = ( Min30_35 Min35_40 Min40_45 Min45_50 Min50_55 ) diff --git a/cfengine/cf.groups.xenux b/cfengine/cf.groups.xenux new file mode 100644 index 0000000..baa9ad2 --- /dev/null +++ b/cfengine/cf.groups.xenux @@ -0,0 +1,30 @@ +# +# NB! Avoid adding new groups! We pollute the namespace already... +# +groups: + xenux = ( ns mail www pc17 pc20 insight ) + xenux = ( samba pc60 pc61 pc62 pc63 pc64 pc65 pc66 pc67 pc68 pc69 pc70 pc71 pc72 pc73 pc74 pc75 pc76 pc77 pc78 pc79 pc80 ) + raps = ( aries ) + grinsted = ( debian-grinsted ) + mogensen = ( mogl-filer mogl-firewall mogl-mail ) + + Standalone_xenux = ( pc17 ) + WWWServer_xenux = ( pc21 ) + FTPServer_xenux = ( pc21 ) + NameServer_xenux = ( ns ) + FileServer_xenux = ( pc20 freja mogl-filer raps samba ) + VPNServer_xenux = ( pc20 mogl-firewall raps ) + Firewall_xenux = ( pc20 mogl-firewall raps ) + CVSServer_xenux = ( pc17 ) + GMServer_xenux = ( pc17 ) + CDWriter_xenux = ( pc17 ) + IMAPServer_xenux = ( mail ) + MailHub_xenux = ( mail ) +# MailClient_xenux = ( ) + +# wol_xenux = ( ) + cc_xenux = ( freja ) +# tdk_xenux = ( ) + wp_xenux = ( mail www pc17 pc20 pc21 ) +# dnai_xenux = ( ) +# sunrise_xenux = ( ) diff --git a/cfengine/cf.isp b/cfengine/cf.isp new file mode 100644 index 0000000..e0d794f --- /dev/null +++ b/cfengine/cf.isp @@ -0,0 +1,51 @@ +############################################################## +# +# cf.main.$isp +# +# This file contains generic config stuff +# +################################################################# + +### +# +# BEGIN cf.main.$isp +# +### + +control: + wol|cc|wp|tdk|sunrise:: + timezone = ( MET CET ) + + dnai:: + timezone = ( PST ) + +resolve: + wol:: # Tiscali (World Online) [dk] http://www.worldonline.dk/support/tekinfo/tekinfo.html + 212.54.64.170 # ns.worldonline.dk + 212.54.64.171 # ns2.worldonline.dk + + cc:: # CyberCity [dk] http://www.cybercity.dk/support/ + 212.242.40.3 # dns1.cybercity.dk + 212.242.40.51 # dns2.cybercity.dk + + wp:: # WebPartner [dk] http://www.webpartner.dk/htdocs/kunde_service/general_info.htm + 195.184.96.2 # ns.tjantik.dk + 195.184.96.3 # ns2.tjantik.dk + + tdk:: # TeleDanmark [dk] http://internet.opasia.dk/abonnement/netexpres/tech_spec.html + 194.239.134.83 # ns3.tele.dk + 193.162.153.164 # ns3.inet.tele.dk + + dnai:: # DNAI [us, calif.] http://www.dnai.com/helpdesk/gettingconnected + 207.181.192.141 # hopf.dnai.com + 207.181.194.14 # ida.bkly.dnai.com + + sunrise:: # Sunrise Freesurf [ch] http://go.sunrise.ch/en/fre_faq/default.asp + 194.158.230.53 # dnspn1.spectraweb.ch + 194.158.230.54 # dnspn2.spectraweb.ch + +### +# +# END cf.main.$isp +# +### diff --git a/cfengine/cf.services b/cfengine/cf.services new file mode 100644 index 0000000..230354a --- /dev/null +++ b/cfengine/cf.services @@ -0,0 +1,11 @@ +import: +# NameServer:: +# $(cfroot)/cf.services.dns + FileServer:: + $(cfroot)/cf.services.file + FTPServer:: + $(cfroot)/cf.services.ftp + WWWServer:: + $(cfroot)/cf.services.web + any:: + $(cfroot)/cf.services.harden diff --git a/cfengine/cf.services.dns b/cfengine/cf.services.dns new file mode 100644 index 0000000..760e30e --- /dev/null +++ b/cfengine/cf.services.dns @@ -0,0 +1,27 @@ +editfiles: + { /etc/bind/named.conf +# BeginGroupIfNoLineContaining "logging " + BeginGroupIfNoLineMatching '\ AppendIfNoLineMatching '\' + Append " category lame-servers { null; };" + EndGroup + BeginGroupIfNoLineMatching '\' + Append " category cname { null; };" + EndGroup + BeginGroupIfNoLineMatching '\' + Append " category response-checks { null; };" + EndGroup + BeginGroupIfNoLineMatching '\' + Append " category statistics { null; };" + EndGroup + } diff --git a/cfengine/cf.services.file b/cfengine/cf.services.file new file mode 100644 index 0000000..ee3bdac --- /dev/null +++ b/cfengine/cf.services.file @@ -0,0 +1,361 @@ +control: + AddInstallable = ( samba_reload netatalk_reload lprng_reload cups_reload lprng cups ) + + # + # Variables for shares + # You can change the paths here and it will be changed both in + # the conf file and in the filesystem - But once it is implemented, + # it is not wise to change it - the data in the shares doesn't get + # moved! + # You can change the rights on the shares in the "directories:" + # section. + # + netlogshare = ( /etc/samba/netlogon ) + commonsharedir = ( /var/local/filesharing/COMMON ) + locsharedir = ( /var/local/filesharing/local ) + datashare = ( /var/local/filesharing/COMMON/data ) + pgrshare = ( /var/local/filesharing/COMMON/programs ) + profshare = ( /var/local/filesharing/COMMON/samba/userprofiles ) + printdir = ( /var/spool/samba ) + + # + # Variables for lprng + # + +editfiles: + any:: + # + # Samba configuration stuff. + # + { /etc/samba/smb.conf + # + # Global stuff + # + # Remove share declarations from main smb.conf. It is split + # up in the following files: + # - smb.conf + # - smb-shares-COMMON.conf + # - smb-shares-$(site).conf + # - smb-printers.conf + # +# DeleteLinesAfterThisMatching "^\[homes\]$(n)*.*" +# ResetSearch "1" +# CatchAbort +# ResetSearch "1" + + # + # Append the include lines for the files decribed above + # + AppendIfNoSuchLine "include = smb-shares-COMMON.conf" + AppendIfNoSuchLine "include = smb-shares-local.conf" + AppendIfNoSuchLine "include = smb-printers.conf" + ResetSearch "1" + + # + # workgroup = $(site) + # + LocateLineMatching "^[;[:blank:]]*workgroup[[:blank:]]*=.*" + BeginGroupIfNoLineMatching '^[[:blank:]]*workgroup[[:blank:]]*=[[:blank:]]*$(site)[[:blank:]]*' + ReplaceLineWith ' workgroup = $(site)' + EndGroup + CatchAbort + BeginGroupIfNoMatch '^[[:blank:]]*workgroup[[:blank:]]*=[[:blank:]]*$(site)[[:blank:]]*' + InsertLine ' workgroup = $(site)' + EndGroup + + # + # wins support = yes + # + LocateLineMatching "^[;[:blank:]]*wins support[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*wins support[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + ReplaceLineWith ' wins support = yes' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*wins support[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + InsertLine ' wins support = yes' + EndGroup + + # + # os level = 65 + # + LocateLineMatching "^[;[:blank:]]*os level[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*os level[[:blank:]]*=[[:blank:]]*65[[:blank:]]*" + ReplaceLineWith ' os level = 65' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*os level[[:blank:]]*=[[:blank:]]*65[[:blank:]]*" + InsertLine ' os level = 65' + EndGroup + + # + # domain master = yes + # + LocateLineMatching "^[;[:blank:]]*domain master[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*domain master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + ReplaceLineWith ' domain master = yes' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*domain master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + InsertLine ' domain master = yes' + EndGroup + + # + # local master = yes + # + LocateLineMatching "^[;[:blank:]]*local master[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*local master[[:blank:]]*=[[:blank:]]*yes" + ReplaceLineWith ' local master = yes' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*local master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + InsertLine ' local master = yes' + EndGroup + + # + # logon drive = U: + # + LocateLineMatching "^[;[:blank:]]*logon drive[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*logon drive[[:blank:]]*=[[:blank:]]*U:[[:blank:]]*" + ReplaceLineWith ' logon drive = U:' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*logon drive[[:blank:]]*=[[:blank:]]*U:[[:blank:]]*" + InsertLine ' logon drive = U:' + EndGroup + + # + # logon script = common.bat + # + LocateLineMatching "^[;[:blank:]]*logon script[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*logon script[[:blank:]]*=[[:blank:]]*common.bat[[:blank:]]*" + ReplaceLineWith ' logon script = common.bat' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*logon script[[:blank:]]*=[[:blank:]]*common.bat[[:blank:]]*" + InsertLine ' logon script = common.bat' + EndGroup + + # + # domain logons = yes + # + LocateLineMatching "^[;[:blank:]]*domain logons[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*domain logons[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + ReplaceLineWith ' domain logons = yes' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*domain logons[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + InsertLine ' domain logons = yes' + EndGroup + + # + # logon path = \\%N\USERPROFILES\%U + # + LocateLineMatching "^[;[:blank:]]*logon path[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*logon path[[:blank:]]*=[[:blank:]]*[\\][\\]%N[\\]USERPROFILES[\\]%U[[:blank:]]*" + ReplaceLineWith ' logon path = \\%N\USERPROFILES\%U' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*logon path[[:blank:]]*=[[:blank:]]*[\\][\\]%N[\\]USERPROFILES[\\]%U[[:blank:]]*" + InsertLine ' logon path = \\%N\USERPROFILES\%U' + EndGroup + + # + # preferred master = yes + # + LocateLineMatching "^[;[:blank:]]*preferred master[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*preferred master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + ReplaceLineWith ' preferred master = yes' + EndGroup + CatchAbort + BeginGroupIfNoMatch "^[[:blank:]]*preferred master[[:blank:]]*=[[:blank:]]*yes[[:blank:]]*" + InsertLine ' preferred master = yes' + EndGroup + DefineClasses "samba_reload" + } + samba_reload:: + { /etc/samba/smb.conf + LocateLineMatching "^; EDITED BY CFENGINE .*" + ReplaceAll '; EDITED BY CFENGINE .*$' With '; EDITED BY CFENGINE $(date)' + CatchAbort + BeginGroupIfNoMatch "^; EDITED BY CFENGINE .*" + Append '; EDITED BY CFENGINE $(date)' + EndGroup + } + any:: + { /etc/samba/smb-shares-COMMON.conf + # + # This file contains all the shares common to all installations. + # We check if the proper sections are there and add them if they + # isn't. We don't check the file line for line. + # + AutoCreate + + # + # [netlogon] + # + BeginGroupIfNoLineMatching "^\[netlogon\]" + Append '[netlogon]' + Append ' comment = Network logon' + Append ' path = $(netlogshare)' + Append ' browsable = no' + Append ' writeable = no' + Append ' share modes = no' + EndGroup + # + # [userprofiles] + # + BeginGroupIfNoLineMatching "^\[userprofiles\]" + Append '[userprofiles]' + Append ' path = $(profshare)' + Append ' force user = %u' + Append ' writable = yes' + Append ' browsable = no' + Append ' root preexec = /bin/mkdir $(profshare)/%U \' + Append ' /bin/chown %U $(profshare)/%U \' + Append ' /bin/chmod 700 $(profshare)/%U' + EndGroup + # + # [homes] + # + BeginGroupIfNoLineMatching "^\[homes\]" + Append '[homes]' + Append ' path = /home/%u/shared' + Append ' browsable = no' + Append ' root preexec = /bin/mkdir /home/%u/shared \' + Append ' /bin/chown %U /home/%u/shared \' + Append ' /bin/chmod 644 /home/%u/shared' + EndGroup + # + # [programmer] + # + BeginGroupIfNoLineMatching "^\[programmer\]" + Append '[programmer]' + Append ' path = $(pgrshare)' + Append ' comment = Programmer' + Append ' browsable = yes' + Append ' guest ok = yes' + Append ' writeable = yes' + EndGroup + # + # [dokumenter] + # + BeginGroupIfNoLineMatching "^\[dokumenter\]" + Append '[dokumenter]' + Append ' path = $(datashare)' + Append ' comment = Fælles dokumenter' + Append ' browsable = yes' + Append ' guest ok = no' + Append ' writeable = yes' + EndGroup + DefineClasses "samba_reload" + } + samba_reload:: + { /etc/samba/smb-shares-COMMON.conf + LocateLineMatching "^; EDITED BY CFENGINE .*" + ReplaceAll '; EDITED BY CFENGINE .*$' With '; EDITED BY CFENGINE $(date)' + CatchAbort + BeginGroupIfNoMatch "^; EDITED BY CFENGINE .*" + Append '; EDITED BY CFENGINE $(date)' + EndGroup + } + any:: + # + # Local shares special for the site + # + { /etc/samba/smb-shares-$(site).conf + # + # We don't make this file dynamically, but instead we copy the contents + # of a master file, but only if it's newer than the one installed. + # + BeginGroupIfFileIsNewer "/etc/local-$(host).$(domain)/samba/smb-shares-$(site).conf" + EmptyEntireFilePlease + InsertFile "/etc/local-$(host).$(domain)/samba/smb-shares-$(site).conf" + Append "# Edited by cfengine $(date)" + EndGroup + DefineClasses "lprng_reload" + } + any:: + # + # Printer configuration stuff + # + { /etc/printcap + # + # We don't make the printcap dynamically, but instead we copy the contents + # of a master file, but only if it's newer than the one installed. + # + BeginGroupIfFileIsNewer "/etc/local-$(host).$(domain)/printcap" + EmptyEntireFilePlease + InsertFile "/etc/local-$(host).$(domain)/printcap" + Append "# Edited by cfengine $(date)" + EndGroup + DefineClasses "lprng_reload" + } + any:: + { /etc/samba/smb-printers.conf + # + # This file contains all the printers defined in the Linux printing + # system. There shouldn't be any need for setting up additional + # printer entries. Manage the printers through the Linux print + # system. + # We check if the proper sections are there and add them if they + # isn't. We don't check the file line for line. + # + AutoCreate + + # + # [printers] + # + BeginGroupIfNoLineMatching "^\[printers\]" + Append '[printers]' + Append ' comment = %S printer' + Append ' path = $(printdir)' + Append ' print command = /usr/bin/lpr -h %s' + Append ' lprm command = /usr/bin/lprm -P%S %j' + Append ' public = yes' + Append ' printable = yes' + EndGroup + } + samba_reload:: + { /etc/samba/smb-printers.conf + LocateLineMatching "^; EDITED BY CFENGINE .*" + ReplaceAll '; EDITED BY CFENGINE .*$' With '; EDITED BY CFENGINE $(date)' + CatchAbort + BeginGroupIfNoMatch "^; EDITED BY CFENGINE .*" + Append '; EDITED BY CFENGINE $(date)' + EndGroup + } + +directories: + $(netlogshare) + mode=755 + owner=root + group=root + $(commonsharedir) + mode=755 + owner=root + group=root + $(pgrshare) + mode=775 + owner=root + group=users + $(datashare) + mode=775 + owner=root + group=users + $(profshare) + mode=775 + owner=root + group=users + +processes: + "smb" restart "/etc/init.d/samba restart" + +shellcommands: + samba_reload:: + "/etc/init.d/samba force-reload" + netatalk_reload:: + "/etc/init.d/netatalk force-reload" + lprng_reload:: + "/etc/init.d/lprng force-reload" + cups_reload:: + "/etc/init.d/cups force-reload" diff --git a/cfengine/cf.services.ftp b/cfengine/cf.services.ftp new file mode 100644 index 0000000..894f566 --- /dev/null +++ b/cfengine/cf.services.ftp @@ -0,0 +1,35 @@ +control: + AddInstallable = ( proftpd_reload ) +editfiles: + { /etc/proftpd.conf + DefineClasses "proftpd_reload" + AbortAtLineMatching "^[[:blank:]]*VirtualHost[[:blank:]]*.*$" + # + # LsDefaultOptions "-la" + # + WarnIfNoLineMatching "^[[:blank:]]*LsDefaultOptions[[:blank:]].*$" + BeginGroupIfNoLineMatching "^[[:blank:]]*LsDefaultOptions[[:blank:]].*$" + Append 'LsDefaultOptions "-la" # Added by cfengine' + EndGroup + LocateLineMatching "^[[:blank:]]*LsDefaultOptions[[:blank:]].*$" + BeginGroupIfNoLineMatching '^[[:blank:]]*LsDefaultOptions[[:blank:]]"-la"([[:blank:]]+(#.*)?)?$' + ReplaceLineWith 'LsDefaultOptions "-la" # Edited by cfengine' + EndGroup + # + # DefaultRoot ~ users,!staff + # + WarnIfNoLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]].*$" + BeginGroupIfNoLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]].*$" + Append 'DefaultRoot ~ users,!staff # Added by cfengine' + EndGroup + LocateLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]].*$" + BeginGroupIfNoLineMatching "^[[:blank:]]*DefaultRoot[[:blank:]]+~[[:blank:]]+users,!staff([[:blank:]]+(#.*)?)?$" + ReplaceLineWith 'DefaultRoot ~ users,!staff # Edited by cfengine' + EndGroup + UnsetAbort "^[[:blank:]]*VirtualHost[[:blank:]]*.*$" + } +processes: + "proftpd" restart "/etc/init.d/proftpd restart" +shellcommands: + proftpd_reload:: + "/etc/init.d/proftpd force-reload" diff --git a/cfengine/cf.services.harden b/cfengine/cf.services.harden new file mode 100644 index 0000000..1953c88 --- /dev/null +++ b/cfengine/cf.services.harden @@ -0,0 +1,66 @@ +editfiles: + { /etc/aide/aide.conf + # + # Logs = p+n+u+g + # + # Debian rotates its logfiles, so ignore inode, number of inodes and growing size + # + BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$" + Append "Logs = p+n+u+g # Added by cfengine" + EndGroup + LocateLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$" + BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=[[:blank:]][\+pug]*([[:blank:]]+(#.*)?)?" + ReplaceLineWith "Logs = p+u+g # Edited by cfengine" + EndGroup + # + # Devices = p+i+n+u+g+s+b+md5+sha1 + # + # Ignore ctime - some devices change ctime when used (ttySx with hylafax) + # + BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$" + Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine" + EndGroup + LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$" + BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbcmd5sha1]*([[:blank:]]+(#.*)?)?" + ReplaceLineWith "Devices = p+i+n+u+g+s+b+c+md5+sha1 # Edited by cfengine" + EndGroup + # + # #/var/log/aide/... + # #/var/log/setuid... + # + # Treat these as regular logfiles - they are rotated as well + # + HashCommentLinesMatching "^/var/log/aide/.*" + HashCommentLinesMatching "^/var/log/setuid.*" + # + # #/var/log$ StaticDir + # + SetCommentStart "#" + SetCommentEnd "" +# bug! CommentLinesMatching "^/var/log\$[[:blank:]]StaticDir.*" +# LocateLineMatching "^/var/log\$[[:blank:]]StaticDir.*" +# bug! CommentNLines "1" + LocateLineMatching "^/var/log\$[[:blank:]]StaticDir[[:blank:]]*" + ReplaceLineWith "#/var/log$ StaticDir" + CatchAbort + # + # !/dev/log + # !/dev/xconsole + # !/dev/core + # + LocateLineMatching "^[[:blank:]]*\!/dev/.*" + CatchAbort + BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*" + GotoLastLine + EndGroup + BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/log([[:blank:]]+(#.*)?)?" + InsertLine "!/dev/log # Added by cfengine" + EndGroup + DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine" + BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?" + InsertLine "!/dev/xconsole # Added by cfengine" + EndGroup + BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?" + InsertLine "!/dev/core # Added by cfengine" + EndGroup + } diff --git a/cfengine/cf.services.web b/cfengine/cf.services.web new file mode 100644 index 0000000..d27c561 --- /dev/null +++ b/cfengine/cf.services.web @@ -0,0 +1,285 @@ +control: + AddInstallable = ( apache_reload ) +editfiles: + { /etc/apache/httpd.conf + DefineClasses "apache_reload" + # + # ServerAdmin webmaster@$(domain) + # + # (Try to add it _before_ virtual hosts) + # + WarnIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*" + BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*" + BeginGroupIfNoLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$" + Append "ServerAdmin webmaster@$(domain)" + EndGroup + BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*" + LocateLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$" + InsertLine "ServerAdmin webmaster@$(domain)" + EndGroup + EndGroup + LocateLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*" + BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]]*webmaster@$(domain)[[:blank:]]*$" + ReplaceLineWith "ServerAdmin webmaster@$(domain)" + EndGroup + # + # Make space for cfengine hacks + # + # (Try to add it _before_ virtual hosts) + # + ResetSearch "1" + BeginGroupIfNoSuchLine "# BEGIN CFENGINE" + BeginGroupIfNoLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$" + Append "" + Append "# BEGIN CFENGINE" + Append "# END CFENGINE" + EndGroup + BeginGroupIfNoLineMatching "^# BEGIN CFENGINE$" + LocateLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$" + IncrementPointer "-1" + InsertLine "" + InsertLine "# BEGIN CFENGINE" + InsertLine "# END CFENGINE" + InsertLine "" + EndGroup + EndGroup + # + # LoadModule php3_module /usr/lib/apache/1.3/libphp3.so + # + # + # php3_display_errors off + # php3_log_errors on + # AddType application/x-httpd-php3 .php3 + # AddType application/x-httpd-php3-source .phps + # + # + BeginGroupIfFileExists "/usr/lib/apache/1.3/libphp3.so" + ResetSearch "1" +# bug! UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php3_module[[:blank:]].*" + LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php3_module[[:blank:]]+/usr/lib/apache/1.3/libphp3.so$" + ReplaceLineWith "LoadModule php3_module /usr/lib/apache/1.3/libphp3.so" + CatchAbort + AbortAtLineMatching "^# END CFENGINE$" + LocateLineMatching "^# BEGIN CFENGINE$" + BeginGroupIfNoSuchLine "" + InsertLine "" + InsertLine "" + EndGroup + ResetSearch "1" + LocateLineMatching "^# BEGIN CFENGINE$" + LocateLineMatching "^$" + BeginGroupIfNoLineMatching "[[:blank:]]*php3_display_errors off" + InsertLine " php3_display_errors off" + EndGroup + BeginGroupIfNoLineMatching "[[:blank:]]*php3_log_errors on" + InsertLine " php3_log_errors on" + EndGroup + BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-php3 .php3" + InsertLine " AddType application/x-httpd-php3 .php3" + EndGroup + BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-source .phps" + InsertLine " AddType application/x-httpd-source .phps" + EndGroup + UnsetAbort "^# END CFENGINE$" + EndGroup + # + # LoadModule php4_module /usr/lib/apache/1.3/libphp4.so + # + # + # php_flag display_errors off + # php_flag log_errors on + # AddType application/x-httpd-php .php + # AddType application/x-httpd-php-source .phps + # + # + BeginGroupIfFileExists "/usr/lib/apache/1.3/libphp4.so" + ResetSearch "1" +# UnCommentLinesMatching "^\#[[:blank:]]*LoadModule[[:blank:]]+php4\_module[[:blank:]].*" + LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php4\_module[[:blank:]]+/usr/lib/apache/1.3/libphp4.so$" + ReplaceLineWith "LoadModule php4_module /usr/lib/apache/1.3/libphp4.so" + CatchAbort + AbortAtLineMatching "^# END CFENGINE$" + LocateLineMatching "^# BEGIN CFENGINE$" + BeginGroupIfNoSuchLine "" + InsertLine "" + InsertLine "" + EndGroup + ResetSearch "1" + LocateLineMatching "^# BEGIN CFENGINE$" + LocateLineMatching "^$" + BeginGroupIfNoLineMatching "^.*php_flag[[:blank:]]*display_errors[[:blank:]]*off$" + InsertLine " php_flag display_errors off" + EndGroup + BeginGroupIfNoLineMatching ".*php_flag log_errors on" + InsertLine " php_flag log_errors on" + EndGroup + BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-php .php" + InsertLine " AddType application/x-httpd-php .php" + EndGroup + BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-source .phps" + InsertLine " AddType application/x-httpd-source .phps" + EndGroup + UnsetAbort "^# END CFENGINE$" + EndGroup + # + # LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so + # + # + # mod_gzip_dechunk yes + # mod_gzip_keep_workfiles No + # mod_gzip_temp_dir /tmp + # mod_gzip_minimum_file_size 1002 + # mod_gzip_maximum_file_size 0 + # mod_gzip_maximum_inmem_size 1000000 + # mod_gzip_item_include file "\.htm$" + # mod_gzip_item_include file "\.html$" + # mod_gzip_item_include mime "text/.*" + # mod_gzip_item_include file "\.php$" + # mod_gzip_item_include mime "jserv-servlet" + # mod_gzip_item_include handler "jserv-servlet" + # mod_gzip_item_include mime "application/x-httpd-php.*" + # mod_gzip_item_include mime "httpd/unix-directory" + # mod_gzip_item_exclude file "\.css$" + # mod_gzip_item_exclude file "\.js$" + # mod_gzip_item_exclude file "\.wml$" + # + # + BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_gzip.so" + ResetSearch "1" +# SetCommentStart "#" +# SetCommentEnd "" +# UnCommentLinesMatching "^\#[[:blank:]]*LoadModule[[:blank:]]+gzip_module[[:blank:]].*" + LocateLineMatching "#[[:blank:]]*LoadModule[[:blank:]]+gzip_module[[:blank:]]+/usr/lib/apache/1.3/mod_gzip.so" +# UnCommentNLines "1" + ReplaceLineWith "LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so" + CatchAbort + AbortAtLineMatching "^# END CFENGINE$" + LocateLineMatching "^# BEGIN CFENGINE$" + BeginGroupIfNoSuchLine "" + InsertLine "" + InsertLine "" + EndGroup + ResetSearch "1" + LocateLineMatching "^# BEGIN CFENGINE$" + LocateLineMatching "^$" + BeginGroupIfNoLineMatching ' mod_gzip_on yes' + InsertLine ' mod_gzip_on yes' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_dechunk yes' + InsertLine ' mod_gzip_dechunk yes' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_keep_workfiles No' + InsertLine ' mod_gzip_keep_workfiles No' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_temp_dir /tmp' + InsertLine ' mod_gzip_temp_dir /tmp' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_minimum_file_size 1002' + InsertLine ' mod_gzip_minimum_file_size 1002' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_maximum_file_size 0' + InsertLine ' mod_gzip_maximum_file_size 0' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_maximum_inmem_size 1000000' + InsertLine ' mod_gzip_maximum_inmem_size 1000000' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.htm\$"' + InsertLine ' mod_gzip_item_include file "\.htm$"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.html\$"' + InsertLine ' mod_gzip_item_include file "\.html$"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "text/\.\*"' + InsertLine ' mod_gzip_item_include mime "text/.*"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.php\$"' + InsertLine ' mod_gzip_item_include file "\.php$"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "jserv-servlet"' + InsertLine ' mod_gzip_item_include mime "jserv-servlet"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include handler "jserv-servlet"' + InsertLine ' mod_gzip_item_include handler "jserv-servlet"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "application/x-httpd-php\.\*"' + InsertLine ' mod_gzip_item_include mime "application/x-httpd-php.*"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "httpd/unix-directory"' + InsertLine ' mod_gzip_item_include mime "httpd/unix-directory"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.css\$"' + InsertLine ' mod_gzip_item_exclude file "\.css$"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.js\$"' + InsertLine ' mod_gzip_item_exclude file "\.js$"' + EndGroup + BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.wml\$"' + InsertLine ' mod_gzip_item_exclude file "\.wml$"' + EndGroup + UnsetAbort "^# END CFENGINE$" + EndGroup + # + # LoadModule index_rss_module /usr/lib/apache/1.3/mod_index_rss.so + # + # + # IndexRSSEngine On + # + # + BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_index_rss.so" + ResetSearch "1" +# bug! UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+index_rss_module[[:blank:]].*" + LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+index_rss_module[[:blank:]]+/usr/lib/apache/1.3/mod_index_rss.so$" + ReplaceLineWith "LoadModule index_rss_module /usr/lib/apache/1.3/mod_index_rss.so" + CatchAbort + AbortAtLineMatching "^# END CFENGINE$" + LocateLineMatching "^# BEGIN CFENGINE$" + BeginGroupIfNoSuchLine "" + InsertLine "" + InsertLine "" + EndGroup + ResetSearch "1" + LocateLineMatching "^# BEGIN CFENGINE$" + LocateLineMatching "^$" + BeginGroupIfNoLineMatching "[[:blank:]]+IndexRSSEngine On" + InsertLine " IndexRSSEngine On" + EndGroup + UnsetAbort "^# END CFENGINE$" + EndGroup + # + # LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so + # + # + # + # AuthPAM_Enabled Off + # + # + # + BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_auth_pam.so" + ResetSearch "1" +# bug! UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+pam_auth_module[[:blank:]].*" + LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+pam_auth_module[[:blank:]]+/usr/lib/apache/1.3/mod_auth_pam.so$" + ReplaceLineWith "LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so" + CatchAbort + AbortAtLineMatching "^# END CFENGINE$" + LocateLineMatching "^# BEGIN CFENGINE$" + BeginGroupIfNoSuchLine "" + InsertLine "" + InsertLine " " + InsertLine " " + InsertLine "" + EndGroup + ResetSearch "1" + LocateLineMatching "^# BEGIN CFENGINE$" + LocateLineMatching "^$" + LocateLineMatching "[[:blank:]]+" + BeginGroupIfNoLineMatching "[[:blank:]]+AuthPAM_Enabled Off" + InsertLine " AuthPAM_Enabled Off" + EndGroup + UnsetAbort "^# END CFENGINE$" + EndGroup + } +processes: + "apache" restart "/etc/init.d/apache restart" +shellcommands: + apache_reload:: + "/etc/init.d/apache force-reload" diff --git a/cfengine/cf.site b/cfengine/cf.site new file mode 100644 index 0000000..2c552b5 --- /dev/null +++ b/cfengine/cf.site @@ -0,0 +1,5 @@ +import: + jones|macvaerk|homebase|adamatic:: + $(cfroot)/cf.site.jones + xenux|raps|grinsted|mogl:: + $(cfroot)/cf.site.xenux diff --git a/cfengine/cf.site.jones b/cfengine/cf.site.jones new file mode 100644 index 0000000..13bb27b --- /dev/null +++ b/cfengine/cf.site.jones @@ -0,0 +1,62 @@ +############################################################## +# +# cf.main.$site +# +# This file contains generic config stuff +# +################################################################# + +### +# +# BEGIN cf.main +# +### + +control: + jones:: + site = ( jones ) + domain = ( jones.dk ) + sysadm = ( dr@jones.dk ) + homebase:: + site = ( homebase ) + domain = ( homebase.dk ) + sysadm = ( teknik@homebase.dk ) + adamatic:: + site = ( adamatic ) + domain = ( a-host.dk ) + sysadm = ( hostmaster@a-host.dk ) + macvaerk:: + site = ( macvaerk ) + domain = ( macvaerk.com ) + sysadm = ( hostmaster@macvaerk.com ) + + timezone = ( MET CET ) + +# netmask = ( 255.255.255.0 ) + +###################################################################### + +defaultroute: + jones:: + 192.168.1.1 + +###################################################################### + +resolve: + + "search macvaerk.com" # last one searched + "search homebase.dk" # 2nd .. + "search jones.dk" # first one searched + DNSServer:: + 127.0.0.1 # localhost + any:: + 212.54.64.170 # ns.worldonline.dk + 212.54.64.171 # ns2.worldonline.dk + +###################################################################### + +### +# +# END cf.main.$site +# +### diff --git a/cfengine/cf.site.xenux b/cfengine/cf.site.xenux new file mode 100644 index 0000000..14e70b5 --- /dev/null +++ b/cfengine/cf.site.xenux @@ -0,0 +1,75 @@ +############################################################## +# +# cf.main.$site +# +# This file contains generic config stuff +# +################################################################# + +### +# +# BEGIN cf.main +# +### + +control: + xenux:: + site = ( xenux ) + domain = ( xenux.dk ) + sysadm = ( root@xenux.dk ) + xenuxlocal:: + site = ( xenuxlocal ) + domain = ( xenux.dk ) + sysadm = ( root@xenux.dk ) + raps:: # R-ApS + site = ( raps ) + domain = ( r-aps.dk ) + sysadm = ( root@r-aps.dk ) + grinsted:: # Grinsted Public + site = ( grinsted ) + domain = ( public.dk ) + sysadm = ( root@post.public.dk ) + mogensen:: # Mogensen & Lassen + site = ( mogensen ) + domain = ( mogensen.com ) + sysadm = ( root@mogensen.com ) + + timezone = ( MET CET ) + +# netmask = ( 255.255.255.0 ) + +###################################################################### + +defaultroute: + xenux:: + 192.184.114.1 + grinsted:: + 62.242.55.89 + mogl:: + 192.168.11.1 + +###################################################################### + +resolve: + + xenux:: + "search xenux.dk" + raps:: + "search xenux.dk" + grinsted:: + "search grinsted.dk" + mogl:: + "search mogensen.com" + DNSServer:: + 127.0.0.1 # localhost + any:: + 212.54.64.170 # ns.worldonline.dk + 212.54.64.171 # ns2.worldonline.dk + +###################################################################### + +### +# +# END cf.main.$site +# +### diff --git a/cfengine/cfengine.conf b/cfengine/cfengine.conf new file mode 100755 index 0000000..e32c8ec --- /dev/null +++ b/cfengine/cfengine.conf @@ -0,0 +1,37 @@ +##################################################################### +# +# CFENGINE CONFIGURATION FOR site = jones.dk|xenux.dk +# +# This file is for root only. +# +###################################################################### + +### +# +# BEGIN cfengine.conf (Only hard classes in this file ) +# +### + +control: + cfroot = ( /etc/local-COMMON/cfengine ) + +import: + + # + # Split things up to keep things tidy + # + + $(cfroot)/cf.groups.jones + $(cfroot)/cf.groups.xenux + $(cfroot)/cf.groups.merge + $(cfroot)/cf.main + $(cfroot)/cf.isp + $(cfroot)/cf.site + $(cfroot)/cf.services +# $(cfroot)/cf.motd + +### +# +# END cfengine.conf +# +### -- cgit v1.2.3