RubyGems - cloud-mu - Versions diffs - 1.9.0.pre.beta - Mend

cloud-mu 1.9.0.pre.beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (618) hide show

checksums.yaml +7 -0
data/Berksfile +56 -0
data/Berksfile.lock +250 -0
data/Jenkinsfile +184 -0
data/LICENSE.md +37 -0
data/README.md +26 -0
data/bin/mu-aws-setup +376 -0
data/bin/mu-cleanup +68 -0
data/bin/mu-configure +1133 -0
data/bin/mu-deploy +166 -0
data/bin/mu-firewall-allow-clients +30 -0
data/bin/mu-gcp-setup +200 -0
data/bin/mu-gen-docs +34 -0
data/bin/mu-gen-env +42 -0
data/bin/mu-load-config.rb +158 -0
data/bin/mu-node-manage +683 -0
data/bin/mu-self-update +228 -0
data/bin/mu-ssh +23 -0
data/bin/mu-tunnel-nagios +144 -0
data/bin/mu-upload-chef-artifacts +757 -0
data/bin/mu-user-manage +275 -0
data/cookbooks/awscli/LICENSE +37 -0
data/cookbooks/awscli/README.md +58 -0
data/cookbooks/awscli/attributes/default.rb +1 -0
data/cookbooks/awscli/libraries/instance_metadata.rb +21 -0
data/cookbooks/awscli/metadata.rb +20 -0
data/cookbooks/awscli/recipes/default.rb +56 -0
data/cookbooks/awscli/templates/default/config.erb +18 -0
data/cookbooks/mu-activedirectory/CHANGELOG.md +13 -0
data/cookbooks/mu-activedirectory/LICENSE +37 -0
data/cookbooks/mu-activedirectory/README.md +6 -0
data/cookbooks/mu-activedirectory/attributes/default.rb +98 -0
data/cookbooks/mu-activedirectory/files/default/password-auth +32 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-activedirectory/files/default/system-auth +34 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.te +37 -0
data/cookbooks/mu-activedirectory/libraries/config.rb +106 -0
data/cookbooks/mu-activedirectory/libraries/helper.rb +86 -0
data/cookbooks/mu-activedirectory/metadata.rb +17 -0
data/cookbooks/mu-activedirectory/providers/domain.rb +152 -0
data/cookbooks/mu-activedirectory/providers/domain_controller.rb +89 -0
data/cookbooks/mu-activedirectory/providers/domain_node.rb +275 -0
data/cookbooks/mu-activedirectory/recipes/default.rb +8 -0
data/cookbooks/mu-activedirectory/recipes/domain-controller.rb +44 -0
data/cookbooks/mu-activedirectory/recipes/domain-node.rb +50 -0
data/cookbooks/mu-activedirectory/recipes/domain.rb +43 -0
data/cookbooks/mu-activedirectory/recipes/sssd.rb +185 -0
data/cookbooks/mu-activedirectory/resources/domain.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_node.rb +20 -0
data/cookbooks/mu-activedirectory/templates/default/dhclient-eth0.conf.erb +4 -0
data/cookbooks/mu-activedirectory/templates/default/interface +0 -0
data/cookbooks/mu-activedirectory/templates/default/krb5.conf.erb +23 -0
data/cookbooks/mu-activedirectory/templates/default/ntp.conf.erb +56 -0
data/cookbooks/mu-activedirectory/templates/default/smb.conf.erb +33 -0
data/cookbooks/mu-activedirectory/templates/default/sssd.conf.erb +60 -0
data/cookbooks/mu-activedirectory/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-activedirectory/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-activedirectory/templates/windows/gpreprt.xml.erb +198 -0
data/cookbooks/mu-activedirectory/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-activedirectory/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-firewall/CHANGELOG.md +11 -0
data/cookbooks/mu-firewall/LICENSE +37 -0
data/cookbooks/mu-firewall/README.md +5 -0
data/cookbooks/mu-firewall/attributes/default.rb +3 -0
data/cookbooks/mu-firewall/metadata.rb +16 -0
data/cookbooks/mu-firewall/recipes/default.rb +10 -0
data/cookbooks/mu-glusterfs/CHANGELOG.md +13 -0
data/cookbooks/mu-glusterfs/LICENSE +37 -0
data/cookbooks/mu-glusterfs/README.md +5 -0
data/cookbooks/mu-glusterfs/attributes/default.rb +34 -0
data/cookbooks/mu-glusterfs/metadata.rb +17 -0
data/cookbooks/mu-glusterfs/recipes/client.rb +62 -0
data/cookbooks/mu-glusterfs/recipes/default.rb +16 -0
data/cookbooks/mu-glusterfs/recipes/samba.rb +57 -0
data/cookbooks/mu-glusterfs/recipes/server.rb +200 -0
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +71 -0
data/cookbooks/mu-glusterfs/templates/default/smb.conf.erb +14 -0
data/cookbooks/mu-jenkins/CHANGELOG.md +13 -0
data/cookbooks/mu-jenkins/LICENSE +37 -0
data/cookbooks/mu-jenkins/README.md +105 -0
data/cookbooks/mu-jenkins/attributes/default.rb +42 -0
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +73 -0
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +44 -0
data/cookbooks/mu-jenkins/metadata.rb +21 -0
data/cookbooks/mu-jenkins/recipes/default.rb +195 -0
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +54 -0
data/cookbooks/mu-jenkins/recipes/public_key.rb +24 -0
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +24 -0
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +14 -0
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +6 -0
data/cookbooks/mu-master/CHANGELOG.md +13 -0
data/cookbooks/mu-master/LICENSE +37 -0
data/cookbooks/mu-master/README.md +6 -0
data/cookbooks/mu-master/attributes/default.rb +95 -0
data/cookbooks/mu-master/files/default/0-mu-log-server.conf +19 -0
data/cookbooks/mu-master/files/default/addRSA.ldif +8 -0
data/cookbooks/mu-master/files/default/check_mem.pl +197 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.pp +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.te +13 -0
data/cookbooks/mu-master/files/default/nagios_selinux.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux.te +51 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.te +17 -0
data/cookbooks/mu-master/files/default/pam_sshd +18 -0
data/cookbooks/mu-master/files/default/ssl_enable.ldif +18 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-master/files/default/vimrc +19 -0
data/cookbooks/mu-master/libraries/mu.rb +29 -0
data/cookbooks/mu-master/metadata.rb +30 -0
data/cookbooks/mu-master/providers/user.rb +41 -0
data/cookbooks/mu-master/recipes/389ds.rb +164 -0
data/cookbooks/mu-master/recipes/basepackages.rb +58 -0
data/cookbooks/mu-master/recipes/caching_nameserver.rb +37 -0
data/cookbooks/mu-master/recipes/default.rb +451 -0
data/cookbooks/mu-master/recipes/eks-kubectl.rb +41 -0
data/cookbooks/mu-master/recipes/firewall-holes.rb +70 -0
data/cookbooks/mu-master/recipes/init.rb +542 -0
data/cookbooks/mu-master/recipes/ssl-certs.rb +109 -0
data/cookbooks/mu-master/recipes/sssd.rb +89 -0
data/cookbooks/mu-master/recipes/update_nagios_only.rb +242 -0
data/cookbooks/mu-master/recipes/vault.rb +111 -0
data/cookbooks/mu-master/resources/user.rb +19 -0
data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +28 -0
data/cookbooks/mu-master/templates/default/chef-server.rb.erb +18 -0
data/cookbooks/mu-master/templates/default/dhclient-eth0.conf.erb +9 -0
data/cookbooks/mu-master/templates/default/mu-momma-cat.erb +149 -0
data/cookbooks/mu-master/templates/default/mu.rc.erb +9 -0
data/cookbooks/mu-master/templates/default/openssl.cnf.erb +354 -0
data/cookbooks/mu-master/templates/default/sssd.conf.erb +44 -0
data/cookbooks/mu-master/templates/default/web_app.conf.erb +90 -0
data/cookbooks/mu-mongo/CHANGELOG.md +13 -0
data/cookbooks/mu-mongo/LICENSE +37 -0
data/cookbooks/mu-mongo/README.md +5 -0
data/cookbooks/mu-mongo/attributes/default.rb +22 -0
data/cookbooks/mu-mongo/files/default/keyfile +16 -0
data/cookbooks/mu-mongo/files/default/remove_nodes.js +5 -0
data/cookbooks/mu-mongo/metadata.rb +17 -0
data/cookbooks/mu-mongo/recipes/default.rb +149 -0
data/cookbooks/mu-mongo/recipes/yum-update-rule.rb +18 -0
data/cookbooks/mu-mongo/templates/default/mongo_create_openfema_db.js.erb +2 -0
data/cookbooks/mu-mongo/templates/default/mongo_init.js.erb +1 -0
data/cookbooks/mu-mongo/templates/default/mongo_logrotate.erb +14 -0
data/cookbooks/mu-mongo/templates/default/mongo_replset_addnodes.js.erb +6 -0
data/cookbooks/mu-mongo/templates/default/replset_init.js.erb +2 -0
data/cookbooks/mu-openvpn/CHANGELOG.md +13 -0
data/cookbooks/mu-openvpn/LICENSE +37 -0
data/cookbooks/mu-openvpn/README.md +6 -0
data/cookbooks/mu-openvpn/attributes/default.rb +119 -0
data/cookbooks/mu-openvpn/metadata.rb +18 -0
data/cookbooks/mu-openvpn/recipes/default.rb +108 -0
data/cookbooks/mu-openvpn/templates/default/users.json.erb +42 -0
data/cookbooks/mu-php54/CHANGELOG.md +12 -0
data/cookbooks/mu-php54/LICENSE +37 -0
data/cookbooks/mu-php54/README.md +0 -0
data/cookbooks/mu-php54/files/centos/php.ini +1802 -0
data/cookbooks/mu-php54/files/ubuntu/php.ini +1870 -0
data/cookbooks/mu-php54/metadata.rb +21 -0
data/cookbooks/mu-php54/recipes/default.rb +97 -0
data/cookbooks/mu-splunk/CHANGELOG.md +37 -0
data/cookbooks/mu-splunk/LICENSE +37 -0
data/cookbooks/mu-splunk/README.md +451 -0
data/cookbooks/mu-splunk/attributes/default.rb +95 -0
data/cookbooks/mu-splunk/attributes/upgrade.rb +49 -0
data/cookbooks/mu-splunk/definitions/splunk_installer.rb +103 -0
data/cookbooks/mu-splunk/files/default/splunk-nocheck +10 -0
data/cookbooks/mu-splunk/libraries/helpers.rb +72 -0
data/cookbooks/mu-splunk/libraries/splunk_app_provider.rb +156 -0
data/cookbooks/mu-splunk/libraries/splunk_app_resource.rb +43 -0
data/cookbooks/mu-splunk/metadata.json +30 -0
data/cookbooks/mu-splunk/metadata.rb +17 -0
data/cookbooks/mu-splunk/recipes/client.rb +143 -0
data/cookbooks/mu-splunk/recipes/default.rb +31 -0
data/cookbooks/mu-splunk/recipes/disabled.rb +41 -0
data/cookbooks/mu-splunk/recipes/install_forwarder.rb +23 -0
data/cookbooks/mu-splunk/recipes/install_server.rb +23 -0
data/cookbooks/mu-splunk/recipes/server.rb +53 -0
data/cookbooks/mu-splunk/recipes/service.rb +95 -0
data/cookbooks/mu-splunk/recipes/setup_auth.rb +49 -0
data/cookbooks/mu-splunk/recipes/setup_ssl.rb +63 -0
data/cookbooks/mu-splunk/recipes/upgrade.rb +94 -0
data/cookbooks/mu-splunk/recipes/user.rb +34 -0
data/cookbooks/mu-splunk/templates/default/base_logs_unix_inputs.conf.erb +26 -0
data/cookbooks/mu-splunk/templates/default/inputs.conf.erb +13 -0
data/cookbooks/mu-splunk/templates/default/outputs.conf.erb +9 -0
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +74 -0
data/cookbooks/mu-splunk/templates/default/system-web.conf.erb +7 -0
data/cookbooks/mu-tools/CHANGELOG.md +12 -0
data/cookbooks/mu-tools/LICENSE +37 -0
data/cookbooks/mu-tools/README.md +188 -0
data/cookbooks/mu-tools/attributes/default.rb +142 -0
data/cookbooks/mu-tools/attributes/ebs_rolling_snapshots.rb +3 -0
data/cookbooks/mu-tools/files/amazon/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/CentOS-Base.repo +52 -0
data/cookbooks/mu-tools/files/centos/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/centos/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/centos/etc/profile +77 -0
data/cookbooks/mu-tools/files/centos/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/centos/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/centos/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/centos-6/README_MU +0 -0
data/cookbooks/mu-tools/files/centos-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/centos-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/centos-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/centos-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/centos-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/default/Mu_CA.pem +34 -0
data/cookbooks/mu-tools/files/default/PSWindowsUpdate.zip +0 -0
data/cookbooks/mu-tools/files/default/ebs_snapshots.py +123 -0
data/cookbooks/mu-tools/files/default/etc/BANNER +0 -0
data/cookbooks/mu-tools/files/default/etc/BANNER-FEDERAL +19 -0
data/cookbooks/mu-tools/files/default/gpo_no_uac.zip +0 -0
data/cookbooks/mu-tools/files/default/mypol.pp +0 -0
data/cookbooks/mu-tools/files/default/mypol.te +37 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.te +31 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.te +11 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.te +10 -0
data/cookbooks/mu-tools/files/default/nrpe_file.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_file.te +31 -0
data/cookbooks/mu-tools/files/default/ntrights +0 -0
data/cookbooks/mu-tools/files/default/serverclass.conf +18 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/inputs.conf +13 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/inputs.conf +8 -0
data/cookbooks/mu-tools/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-tools/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-tools/files/redhat/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/redhat/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/redhat/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/redhat/etc/profile +77 -0
data/cookbooks/mu-tools/files/redhat/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/redhat/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/redhat/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/redhat-6/README_MU +0 -0
data/cookbooks/mu-tools/files/redhat-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/redhat-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/redhat-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/redhat-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/redhat-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/redhat-7.1/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/bash.bashrc +64 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/common-session +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/login.defs +338 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/profile +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/security/limits.conf +56 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/sysctl.conf +60 -0
data/cookbooks/mu-tools/libraries/helper.rb +292 -0
data/cookbooks/mu-tools/metadata.rb +28 -0
data/cookbooks/mu-tools/recipes/add_admin_ssh_keys.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +440 -0
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -0
data/cookbooks/mu-tools/recipes/base_repositories.rb +31 -0
data/cookbooks/mu-tools/recipes/cisbenchmark.rb +59 -0
data/cookbooks/mu-tools/recipes/clamav.rb +53 -0
data/cookbooks/mu-tools/recipes/cloudinit.rb +58 -0
data/cookbooks/mu-tools/recipes/configure_oracle_tools.rb +81 -0
data/cookbooks/mu-tools/recipes/disable-requiretty.rb +22 -0
data/cookbooks/mu-tools/recipes/ebs_rolling_snapshots.rb +75 -0
data/cookbooks/mu-tools/recipes/efs.rb +70 -0
data/cookbooks/mu-tools/recipes/eks.rb +160 -0
data/cookbooks/mu-tools/recipes/gcloud.rb +98 -0
data/cookbooks/mu-tools/recipes/google_api.rb +25 -0
data/cookbooks/mu-tools/recipes/maldet.rb +67 -0
data/cookbooks/mu-tools/recipes/nagios.rb +19 -0
data/cookbooks/mu-tools/recipes/newclient.rb +23 -0
data/cookbooks/mu-tools/recipes/nrpe.rb +115 -0
data/cookbooks/mu-tools/recipes/python_pip.rb +35 -0
data/cookbooks/mu-tools/recipes/retrieve_application.rb +51 -0
data/cookbooks/mu-tools/recipes/rsyslog.rb +65 -0
data/cookbooks/mu-tools/recipes/set_local_fw.rb +57 -0
data/cookbooks/mu-tools/recipes/set_mu_hostname.rb +81 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +86 -0
data/cookbooks/mu-tools/recipes/splunk-client.rb +69 -0
data/cookbooks/mu-tools/recipes/splunk-server.rb +104 -0
data/cookbooks/mu-tools/recipes/store_inspec_attr.rb +8 -0
data/cookbooks/mu-tools/recipes/updates.rb +96 -0
data/cookbooks/mu-tools/recipes/windows-client.rb +202 -0
data/cookbooks/mu-tools/resources/aws_windows.rb +33 -0
data/cookbooks/mu-tools/resources/disk.rb +88 -0
data/cookbooks/mu-tools/resources/mommacat_request.rb +11 -0
data/cookbooks/mu-tools/resources/scheduled_tasks.rb +29 -0
data/cookbooks/mu-tools/resources/sshd_service.rb +45 -0
data/cookbooks/mu-tools/resources/windows_users.rb +242 -0
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +168 -0
data/cookbooks/mu-tools/templates/centos-6/sshd_config.erb +212 -0
data/cookbooks/mu-tools/templates/centos-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/default/0-mu-log-client.conf.erb +13 -0
data/cookbooks/mu-tools/templates/default/conf.maldet.erb +137 -0
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +30 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_password-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_system-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_sysconfig_network.erb +12 -0
data/cookbooks/mu-tools/templates/default/kubeconfig.erb +29 -0
data/cookbooks/mu-tools/templates/default/kubelet.service.erb +35 -0
data/cookbooks/mu-tools/templates/default/maldet_scanall.sh.erb +15 -0
data/cookbooks/mu-tools/templates/default/nrpe.cfg.erb +233 -0
data/cookbooks/mu-tools/templates/redhat-6/sshd_config.erb +213 -0
data/cookbooks/mu-tools/templates/redhat-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/ubuntu-12.04/sshd_config.erb +146 -0
data/cookbooks/mu-tools/templates/ubuntu-14.04/sshd_config.erb +145 -0
data/cookbooks/mu-tools/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-tools/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/gpreprt.xml.erb +214 -0
data/cookbooks/mu-tools/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-tools/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/set_ad_dns_scheduled_task.ps1.erb +6 -0
data/cookbooks/mu-tools/templates/windows/sshd_config.erb +136 -0
data/cookbooks/mu-utility/CHANGELOG.md +12 -0
data/cookbooks/mu-utility/LICENSE +37 -0
data/cookbooks/mu-utility/README.md +6 -0
data/cookbooks/mu-utility/attributes/default.rb +1 -0
data/cookbooks/mu-utility/libraries/matchers.rb +21 -0
data/cookbooks/mu-utility/metadata.rb +16 -0
data/cookbooks/mu-utility/recipes/apt.rb +23 -0
data/cookbooks/mu-utility/recipes/cleanup_image_helper.rb +118 -0
data/cookbooks/mu-utility/recipes/iptables.rb +26 -0
data/cookbooks/mu-utility/recipes/luks.rb +18 -0
data/cookbooks/mu-utility/recipes/nat.rb +104 -0
data/cookbooks/mu-utility/recipes/php.rb +33 -0
data/cookbooks/mu-utility/recipes/rdp_gateway.rb +83 -0
data/cookbooks/mu-utility/recipes/remi.rb +44 -0
data/cookbooks/mu-utility/recipes/vim.rb +26 -0
data/cookbooks/mu-utility/recipes/windows_basics.rb +37 -0
data/cookbooks/mu-utility/recipes/zip.rb +26 -0
data/cookbooks/mu-utility/templates/default/BundleConfig.xml.erb +34 -0
data/cookbooks/mu-utility/templates/default/config.xml.erb +60 -0
data/cookbooks/nagios/Berksfile +8 -0
data/cookbooks/nagios/CHANGELOG.md +589 -0
data/cookbooks/nagios/CONTRIBUTING.md +11 -0
data/cookbooks/nagios/LICENSE +37 -0
data/cookbooks/nagios/README.md +328 -0
data/cookbooks/nagios/TESTING.md +2 -0
data/cookbooks/nagios/attributes/config.rb +171 -0
data/cookbooks/nagios/attributes/default.rb +228 -0
data/cookbooks/nagios/chefignore +102 -0
data/cookbooks/nagios/definitions/command.rb +33 -0
data/cookbooks/nagios/definitions/contact.rb +33 -0
data/cookbooks/nagios/definitions/contactgroup.rb +33 -0
data/cookbooks/nagios/definitions/host.rb +33 -0
data/cookbooks/nagios/definitions/hostdependency.rb +33 -0
data/cookbooks/nagios/definitions/hostescalation.rb +34 -0
data/cookbooks/nagios/definitions/hostgroup.rb +33 -0
data/cookbooks/nagios/definitions/nagios_conf.rb +38 -0
data/cookbooks/nagios/definitions/resource.rb +33 -0
data/cookbooks/nagios/definitions/service.rb +33 -0
data/cookbooks/nagios/definitions/servicedependency.rb +33 -0
data/cookbooks/nagios/definitions/serviceescalation.rb +34 -0
data/cookbooks/nagios/definitions/servicegroup.rb +33 -0
data/cookbooks/nagios/definitions/timeperiod.rb +33 -0
data/cookbooks/nagios/libraries/base.rb +314 -0
data/cookbooks/nagios/libraries/command.rb +91 -0
data/cookbooks/nagios/libraries/contact.rb +230 -0
data/cookbooks/nagios/libraries/contactgroup.rb +112 -0
data/cookbooks/nagios/libraries/custom_option.rb +36 -0
data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
data/cookbooks/nagios/libraries/default.rb +90 -0
data/cookbooks/nagios/libraries/host.rb +412 -0
data/cookbooks/nagios/libraries/hostdependency.rb +181 -0
data/cookbooks/nagios/libraries/hostescalation.rb +173 -0
data/cookbooks/nagios/libraries/hostgroup.rb +119 -0
data/cookbooks/nagios/libraries/nagios.rb +282 -0
data/cookbooks/nagios/libraries/resource.rb +59 -0
data/cookbooks/nagios/libraries/service.rb +455 -0
data/cookbooks/nagios/libraries/servicedependency.rb +215 -0
data/cookbooks/nagios/libraries/serviceescalation.rb +195 -0
data/cookbooks/nagios/libraries/servicegroup.rb +144 -0
data/cookbooks/nagios/libraries/timeperiod.rb +160 -0
data/cookbooks/nagios/libraries/users_helper.rb +54 -0
data/cookbooks/nagios/metadata.rb +25 -0
data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
data/cookbooks/nagios/recipes/apache.rb +48 -0
data/cookbooks/nagios/recipes/default.rb +204 -0
data/cookbooks/nagios/recipes/nginx.rb +82 -0
data/cookbooks/nagios/recipes/pagerduty.rb +143 -0
data/cookbooks/nagios/recipes/server_package.rb +40 -0
data/cookbooks/nagios/recipes/server_source.rb +164 -0
data/cookbooks/nagios/templates/default/apache2.conf.erb +96 -0
data/cookbooks/nagios/templates/default/cgi.cfg.erb +266 -0
data/cookbooks/nagios/templates/default/commands.cfg.erb +13 -0
data/cookbooks/nagios/templates/default/contacts.cfg.erb +37 -0
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +25 -0
data/cookbooks/nagios/templates/default/hosts.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/htpasswd.users.erb +6 -0
data/cookbooks/nagios/templates/default/nagios.cfg.erb +22 -0
data/cookbooks/nagios/templates/default/nginx.conf.erb +62 -0
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +185 -0
data/cookbooks/nagios/templates/default/resource.cfg.erb +27 -0
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/services.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/templates.cfg.erb +31 -0
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +13 -0
data/cookbooks/s3fs/CHANGELOG.md +13 -0
data/cookbooks/s3fs/LICENSE +37 -0
data/cookbooks/s3fs/README.md +6 -0
data/cookbooks/s3fs/attributes/default.rb +15 -0
data/cookbooks/s3fs/files/default/fuse-2.9.3.zip +0 -0
data/cookbooks/s3fs/metadata.rb +16 -0
data/cookbooks/s3fs/recipes/default.rb +91 -0
data/data_bags/demo/app.json +7 -0
data/data_bags/nagios_services/chef.json +6 -0
data/data_bags/nagios_services/linux_diskspace.json +5 -0
data/data_bags/nagios_services/momma_cat.json +6 -0
data/data_bags/nagios_services/mu-master-memory.json +5 -0
data/data_bags/nagios_services/nagios_ui.json +6 -0
data/data_bags/nagios_services/node_ssh.json +6 -0
data/data_bags/nagios_services/ssh.json +6 -0
data/demo/lambda_test.yaml +29 -0
data/environments/DEV.json +8 -0
data/environments/PROD.json +8 -0
data/environments/dev.json +8 -0
data/environments/development.json +8 -0
data/environments/prod.json +8 -0
data/extras/README.md +1 -0
data/extras/admin-role-binding.yaml +16 -0
data/extras/admin-user.yaml +6 -0
data/extras/aws-auth-cm.yaml.erb +12 -0
data/extras/clean-stock-amis +48 -0
data/extras/git-fix-permissions-hook +12 -0
data/extras/gitlab-eks-helper.sh.erb +20 -0
data/extras/image-generators/README.md +2 -0
data/extras/image-generators/aws/centos6.yaml +18 -0
data/extras/image-generators/aws/centos7-govcloud.yaml +24 -0
data/extras/image-generators/aws/centos7.yaml +17 -0
data/extras/image-generators/aws/rhel7.yaml +17 -0
data/extras/image-generators/aws/win2k12.yaml +16 -0
data/extras/image-generators/aws/win2k16.yaml +16 -0
data/extras/image-generators/aws/windows.yaml +18 -0
data/extras/image-generators/gcp/centos6.yaml +17 -0
data/extras/lambda_waf_domain_blacklist.py +103 -0
data/extras/platform_berksfile_base +50 -0
data/extras/ruby_rpm/build.sh +17 -0
data/extras/ruby_rpm/muby.spec +44 -0
data/extras/vault_tools/README.md +6 -0
data/extras/vault_tools/export_vaults.sh +3 -0
data/extras/vault_tools/recreate_vaults.sh +5 -0
data/extras/vault_tools/test_vaults.sh +5 -0
data/install/README.md +8 -0
data/install/cfn_create_mu_master.json +1034 -0
data/install/chef-server.rb.erb +19 -0
data/install/deprecated-bash-library.sh +1891 -0
data/install/images/Usage.png +0 -0
data/install/installer +71 -0
data/install/jenkinskeys.rb +8 -0
data/install/user-dot-murc.erb +14 -0
data/modules/html.erb +19 -0
data/modules/mommacat.ru +426 -0
data/modules/mu/cleanup.rb +339 -0
data/modules/mu/cloud.rb +1446 -0
data/modules/mu/clouds/README.md +201 -0
data/modules/mu/clouds/aws/alarm.rb +319 -0
data/modules/mu/clouds/aws/cache_cluster.rb +1010 -0
data/modules/mu/clouds/aws/collection.rb +373 -0
data/modules/mu/clouds/aws/container_cluster.rb +667 -0
data/modules/mu/clouds/aws/database.rb +1836 -0
data/modules/mu/clouds/aws/dnszone.rb +911 -0
data/modules/mu/clouds/aws/firewall_rule.rb +641 -0
data/modules/mu/clouds/aws/folder.rb +92 -0
data/modules/mu/clouds/aws/function.rb +349 -0
data/modules/mu/clouds/aws/group.rb +251 -0
data/modules/mu/clouds/aws/loadbalancer.rb +888 -0
data/modules/mu/clouds/aws/log.rb +363 -0
data/modules/mu/clouds/aws/msg_queue.rb +480 -0
data/modules/mu/clouds/aws/notification.rb +139 -0
data/modules/mu/clouds/aws/role.rb +656 -0
data/modules/mu/clouds/aws/search_domain.rb +646 -0
data/modules/mu/clouds/aws/server.rb +2294 -0
data/modules/mu/clouds/aws/server_pool.rb +1388 -0
data/modules/mu/clouds/aws/storage_pool.rb +495 -0
data/modules/mu/clouds/aws/user.rb +382 -0
data/modules/mu/clouds/aws/userdata/README.md +4 -0
data/modules/mu/clouds/aws/userdata/linux.erb +179 -0
data/modules/mu/clouds/aws/userdata/windows.erb +278 -0
data/modules/mu/clouds/aws/vpc.rb +1943 -0
data/modules/mu/clouds/aws.rb +1009 -0
data/modules/mu/clouds/cloudformation/alarm.rb +146 -0
data/modules/mu/clouds/cloudformation/cache_cluster.rb +167 -0
data/modules/mu/clouds/cloudformation/collection.rb +117 -0
data/modules/mu/clouds/cloudformation/database.rb +278 -0
data/modules/mu/clouds/cloudformation/dnszone.rb +274 -0
data/modules/mu/clouds/cloudformation/firewall_rule.rb +308 -0
data/modules/mu/clouds/cloudformation/loadbalancer.rb +193 -0
data/modules/mu/clouds/cloudformation/log.rb +170 -0
data/modules/mu/clouds/cloudformation/server.rb +370 -0
data/modules/mu/clouds/cloudformation/server_pool.rb +279 -0
data/modules/mu/clouds/cloudformation/vpc.rb +322 -0
data/modules/mu/clouds/cloudformation.rb +733 -0
data/modules/mu/clouds/docker.rb +30 -0
data/modules/mu/clouds/google/container_cluster.rb +290 -0
data/modules/mu/clouds/google/database.rb +152 -0
data/modules/mu/clouds/google/firewall_rule.rb +267 -0
data/modules/mu/clouds/google/group.rb +164 -0
data/modules/mu/clouds/google/loadbalancer.rb +479 -0
data/modules/mu/clouds/google/server.rb +1510 -0
data/modules/mu/clouds/google/server_pool.rb +274 -0
data/modules/mu/clouds/google/user.rb +266 -0
data/modules/mu/clouds/google/userdata/README.md +4 -0
data/modules/mu/clouds/google/userdata/linux.erb +137 -0
data/modules/mu/clouds/google/userdata/windows.erb +275 -0
data/modules/mu/clouds/google/vpc.rb +890 -0
data/modules/mu/clouds/google.rb +811 -0
data/modules/mu/config/README.md +11 -0
data/modules/mu/config/alarm.rb +271 -0
data/modules/mu/config/cache_cluster.rb +172 -0
data/modules/mu/config/collection.rb +87 -0
data/modules/mu/config/container_cluster.rb +103 -0
data/modules/mu/config/container_cluster.yml +36 -0
data/modules/mu/config/database.rb +458 -0
data/modules/mu/config/database.yml +26 -0
data/modules/mu/config/dnszone.rb +327 -0
data/modules/mu/config/firewall_rule.rb +118 -0
data/modules/mu/config/folder.rb +70 -0
data/modules/mu/config/function.rb +140 -0
data/modules/mu/config/group.rb +64 -0
data/modules/mu/config/loadbalancer.rb +482 -0
data/modules/mu/config/log.rb +47 -0
data/modules/mu/config/log.yml +6 -0
data/modules/mu/config/msg_queue.rb +47 -0
data/modules/mu/config/msg_queue.yml +9 -0
data/modules/mu/config/notification.rb +44 -0
data/modules/mu/config/project.rb +71 -0
data/modules/mu/config/role.rb +102 -0
data/modules/mu/config/search_domain.rb +61 -0
data/modules/mu/config/search_domain.yml +25 -0
data/modules/mu/config/server.rb +587 -0
data/modules/mu/config/server.yml +8 -0
data/modules/mu/config/server_pool.rb +216 -0
data/modules/mu/config/server_pool.yml +71 -0
data/modules/mu/config/storage_pool.rb +145 -0
data/modules/mu/config/user.rb +78 -0
data/modules/mu/config/vpc.rb +743 -0
data/modules/mu/config/vpc.yml +6 -0
data/modules/mu/config.rb +2000 -0
data/modules/mu/defaults/README.md +2 -0
data/modules/mu/defaults/amazon_images.yaml +121 -0
data/modules/mu/defaults/google_images.yaml +16 -0
data/modules/mu/deploy.rb +686 -0
data/modules/mu/groomer.rb +123 -0
data/modules/mu/groomers/README.md +58 -0
data/modules/mu/groomers/chef.rb +1024 -0
data/modules/mu/kittens.rb +11319 -0
data/modules/mu/logger.rb +208 -0
data/modules/mu/master/README.md +27 -0
data/modules/mu/master/chef.rb +471 -0
data/modules/mu/master/ldap.rb +1005 -0
data/modules/mu/master.rb +415 -0
data/modules/mu/mommacat.rb +2703 -0
data/modules/mu-load-config.rb +1 -0
data/modules/mu.rb +724 -0
data/modules/scratchpad.erb +1 -0
data/modules/tests/super_complex_bok.yml +41 -0
data/modules/tests/super_simple_bok.yml +40 -0
data/mu.gemspec +62 -0
data/roles/demo-dbservice-configure.json +19 -0
data/roles/demo-portal-configure.json +19 -0
data/roles/mu-master-jenkins.json +24 -0
data/roles/mu-master-nagios-only.json +13 -0
data/roles/mu-master.json +12 -0
data/roles/mu-node.json +19 -0
data/roles/mu-splunk-server.json +13 -0
data/roles/mu-splunk.json +13 -0
data/test/clean_up.py +25 -0
data/test/demo-test-profile/README.md +3 -0
data/test/demo-test-profile/controls/flask.rb +84 -0
data/test/demo-test-profile/inspec.lock +7 -0
data/test/demo-test-profile/inspec.yml +11 -0
data/test/etco-test-profile/README.md +3 -0
data/test/etco-test-profile/controls/all-in-one.rb +182 -0
data/test/etco-test-profile/inspec.lock +7 -0
data/test/etco-test-profile/inspec.yml +11 -0
data/test/exec_inspec.py +246 -0
data/test/exec_mu_install.py +241 -0
data/test/exec_retry.py +44 -0
data/test/mu-master-test/README.md +3 -0
data/test/mu-master-test/controls/all_in_one.rb +557 -0
data/test/mu-master-test/inspec.lock +3 -0
data/test/mu-master-test/inspec.yml +11 -0
data/test/mu-tools-test/README.md +3 -0
data/test/mu-tools-test/controls/base.rb +265 -0
data/test/mu-tools-test/inspec.lock +3 -0
data/test/mu-tools-test/inspec.yml +8 -0
data/test/simple-server-php-test/README.md +3 -0
data/test/simple-server-php-test/controls/apachephp.rb +25 -0
data/test/simple-server-php-test/controls/example.rb +19 -0
data/test/simple-server-php-test/inspec.lock +7 -0
data/test/simple-server-php-test/inspec.yml +12 -0
data/test/simple-server-rails-test/README.md +3 -0
data/test/simple-server-rails-test/controls/rails.rb +188 -0
data/test/simple-server-rails-test/inspec.lock +7 -0
data/test/simple-server-rails-test/inspec.yml +11 -0
data/test/simple-windows-test/README.md +3 -0
data/test/simple-windows-test/controls/windows.rb +20 -0
data/test/simple-windows-test/inspec.lock +7 -0
data/test/simple-windows-test/inspec.yml +11 -0
data/test/smoke_test.rb +75 -0
data/test/wordpress-test/README.md +3 -0
data/test/wordpress-test/controls/wordpress.rb +97 -0
data/test/wordpress-test/inspec.lock +7 -0
data/test/wordpress-test/inspec.yml +11 -0
metadata +979 -0

data/bin/mu-configure ADDED Viewed

@@ -0,0 +1,1133 @@
+#!/usr/local/ruby-current/bin/ruby
+# Copyright:: Copyright (c) 2017 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require 'optimist'
+require 'simple-password-gen'
+require 'socket'
+require 'open-uri'
+require 'colorize'
+require 'timeout'
+require 'etc'
+require 'aws-sdk-core'
+require 'json'
+require 'pp'
+require 'readline'
+require 'fileutils'
+require 'erb'
+require 'tmpdir'
+GIT_PATTERN = /(((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?))?([\w\.@\:\/\-~]+)(\.git)?(\/)?/
+# Top-level keys in $MU_CFG for which we'll provide interactive, menu-driven
+# configuration.
+$CONFIGURABLES = {
+  "public_address" => {
+    "title" => "Public Address",
+    "desc" => "IP address or hostname",
+    "required" => true,
+    "rootonly" => true,
+    "pattern" => /^(localhost|127\.0\.0\.1|#{Socket.gethostname})$/,
+    "negate_pattern" => true,
+    "changes" => ["389ds", "chef-server", "chefrun", "chefcerts"]
+  },
+  "mu_admin_email" => {
+    "title" => "Admin Email",
+    "desc" => "Administative contact email",
+    "pattern" => /\A([\w+\-].?)+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z/i,
+    "required" => true,
+    "rootonly" => true,
+    "changes" => ["mu-user", "chefrun"]
+  },
+  "mu_admin_name" => {
+    "title" => "Admin Name",
+    "desc" => "Administative contact's full name",
+    "default" => "Mu Administrator",
+    "rootonly" => true,
+    "changes" => ["mu-user", "chefrun"]
+  },
+  "hostname" => {
+    "title" => "Local Hostname",
+    "pattern" => /^[a-z0-9\-_]+$/i,
+    "required" => true,
+    "rootonly" => true,
+    "desc" => "The local system's value for HOSTNAME",
+    "changes" => ["chefrun", "hostname"]
+  },
+  "banner" => {
+    "title" => "Banner",
+    "desc" => "Login banner, displayed in various locations",
+    "rootonly" => true,
+    "changes" => ["chefrun"]
+  },
+  "mu_repository" => {
+    "title" => "Mu Tools Repository",
+    "desc" => "Source repository for Mu tools",
+    "pattern" => GIT_PATTERN,
+    "callback" => :cloneGitRepo,
+    "changes" => ["chefartifacts", "chefrun"],
+    "default" => "git://github.com/cloudamatic/mu.git"
+  },
+  "repos" => {
+    "title" => "Additional Repositories",
+    "desc" => "Optional platform repositories, as a Git URL or Github repo name (ex: eGT-Labs/fema_platform.git)",
+    "pattern" => GIT_PATTERN,
+    "callback" => :cloneGitRepo,
+    "changes" => ["chefartifacts", "chefrun"],
+    "array" => true,
+    "default" => ['https://github.com/cloudamatic/mu_demo_platform']
+  },
+  "master_runlist_extras" => {
+    "title" => "Mu Master Runlist Extras",
+    "desc" => "Optional extra Chef roles or recipes to invoke when running chef-client on this Master (ex: recipe[mycookbook::mumaster])",
+    "array" => true,
+    "rootonly" => true,
+    "changes" => ["chefrun"]
+  },
+  "allow_invade_foreign_vpcs" => {
+    "title" => "Invade Foreign VPCs?",
+    "desc" => "If set to true, Mu will be allowed to modify routing and peering behavior of VPCs which it did not create, but for which it has permissions.",
+    "boolean" => true
+  },
+  "jenkins" => {
+    "title" => "Jenkins Continuous Integration",
+    "rootonly" => true,
+    "subtree" => {
+      "enable" => {
+        "title" => "Enable Jenkins",
+        "desc" => "Enable Jenkins, with UI web-accessible at /jenkins.",
+        "default" => false,
+        "boolean" => true,
+        "changes" => ["chefrun"]
+      },
+      "admin_email" => {
+        "title" => "Jenkins Admin Email",
+        "desc" => "Administative contact email for Jenkins",
+        "pattern" => /\A([\w+\-].?)+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z/i,
+        "changes" => ["chefrun"]
+      },
+      "admin_user" => {
+        "title" => "Jenkins admin username",
+        "desc" => "The name of a Mu user who will serve as the Jenkins admin.",
+        "default" => "jenkins",
+        "changes" => ["chefrun"]
+      }
+    }
+  },
+  "aws" => {
+    "title" => "Amazon Web Services",
+    "subtree" => {
+      "account_number" => {
+        "title" => "Account Number",
+        "desc" => "Account number for the Amazon Web Services account which we administer",
+        "pattern" => /^\d+$/
+      },
+      "region" => {
+        "title" => "Default Region",
+        "desc" => "Default Amazon Web Services region in which we operate"
+      },
+      "access_key" => {
+        "title" => "Access Key",
+        "desc" => "Credentials used for accessing the AWS API (looks like: AKIAINWLOOAA24PBRBZA)",
+        "pattern" => /^[a-z0-9]+$/i
+      },
+      "access_secret" => {
+        "title" => "Access Secret",
+        "desc" => "Credentials used for accessing the AWS API (looks like: +Z16iRP9QAq7EcjHINyEMs3oR7A76QpfaSgCBogp)"
+      },
+      "log_bucket_name" => {
+        "title" => "Log and Secret Bucket Name",
+        "desc" => "S3 bucket into which we'll synchronize deploy secrets, and if we're hosted in AWS, collected system logs",
+        "changes" => ["chefrun"]
+      }
+    }
+  },
+  "google" => {
+    "title" => "Google Cloud Platform",
+    "subtree" => {
+      "project" => {
+        "title" => "Default Project",
+        "desc" => "Default Google Cloud Platform project in which we operate and deploy. Generate a service account at: https://console.cloud.google.com/iam-admin/serviceaccounts/project, making sure the account has sufficient privileges to manage cloud resources. Download the private key as JSON, and import that key to the vault specified here. Import example: knife vault create secrets google -J my-google-service-account.json"
+      },
+      "credentials" => {
+        "title" => "Credentials Vault:Item",
+        "desc" => "A vault and item from which to retrieve the JSON-formatted Service Account credentials for our GCP account, in the format vault:itemname (e.g. 'secrets:google'). Generate a service account at: https://console.cloud.google.com/iam-admin/serviceaccounts/project, making sure the account has sufficient privileges to manage cloud resources. Download the private key as JSON, and import that key to the vault specified here. Import example: knife vault create secrets google -J my-google-service-account.json "
+      },
+      "region" => {
+        "title" => "Default Region",
+        "desc" => "Default Google Cloud Platform region in which we operate and deploy",
+        "default" => "us-east4"
+      },
+      "log_bucket_name" => {
+        "title" => "Log and Secret Bucket Name",
+        "desc" => "Cloud Storage bucket into which we'll synchronize deploy secrets, and if we're hosted in GCP, collected system logs",
+        "changes" => ["chefrun"]
+      }
+    }
+  }
+}
+AMROOT = Process.uid == 0
+HOMEDIR = Etc.getpwuid(Process.uid).dir
+$opts = Optimist::options do
+  banner <<-EOS
+  EOS
+  required = []
+  opt :noninteractive, "Skip menu-based configuration prompts. If there is no existing configuration, the following flags are required: #{required.map{|x|"--"+x}.join(", ")}", :require => false, :default => false, :type => :boolean
+  $CONFIGURABLES.each_pair { |key, data|
+    next if !AMROOT and data['rootonly']
+    if data.has_key?("subtree")
+      data["subtree"].each_pair { |subkey, subdata|
+        next if !AMROOT and subdata['rootonly']
+        subdata['cli-opt'] = (key+"-"+subkey).gsub(/_/, "-")
+        opt (key+"-"+subkey).to_sym, subdata["desc"], :require => false, :type => (subdata["boolean"] ? :boolean : :string)
+        required << subdata['cli-opt'] if subdata['required']
+      }
+    elsif data["array"]
+      data['cli-opt'] = key.gsub(/_/, "-")
+      opt key.to_sym, data["desc"], :require => false, :type => (data["boolean"] ? :booleans : :strings)
+      required << data['cli-opt'] if data['required']
+    else
+      data['cli-opt'] = key.gsub(/_/, "-")
+      opt key.to_sym, data["desc"], :require => false, :type => (data["boolean"] ? :boolean : :string)
+      required << data['cli-opt'] if data['required']
+    end
+  }
+  opt :force, "Run all rebuild actions, whether or not our configuration is changed.", :require => false, :default => false, :type => :boolean if AMROOT
+  opt :ssh_keys, "One or more paths to SSH private keys, which we can try to use for SSH-based Git clone operations", :require => false, :type => :strings
+end
+if ENV.has_key?("MU_INSTALLDIR")
+  MU_BASE = ENV["MU_INSTALLDIR"]
+else
+  MU_BASE = "/opt/mu"
+end
+$INITIALIZE = (!File.size?("#{MU_BASE}/etc/mu.yaml") or $opts[:force])
+$HAVE_GLOBAL_CONFIG = File.size?("#{MU_BASE}/etc/mu.yaml")
+if !AMROOT and ($INITIALIZE or !$HAVE_GLOBAL_CONFIG)
+  puts "Global configuration has not been initialized or is missing. Must run as root to correct."
+  exit 1
+end
+if !$HAVE_GLOBAL_CONFIG and $opts[:noninteractive] and (!$opts[:public_address] or !$opts[:mu_admin_email])
+  puts "Specify --public-address and --mu-admin-email on new non-interactive configs"
+  exit 1
+end
+$IN_AWS = false
+begin
+  Timeout.timeout(2) do
+    instance_id = open("http://169.254.169.254/latest/meta-data/instance-id").read
+    $IN_AWS = true if !instance_id.nil? and instance_id.size > 0
+  end
+rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH
+end
+$IN_GOOGLE = false
+begin
+  Timeout.timeout(2) do
+    instance_id = open(
+      "http://metadata.google.internal/computeMetadata/v1/instance/name",
+      "Metadata-Flavor" => "Google"
+    ).read
+    $IN_GOOGLE = true if !instance_id.nil? and instance_id.size > 0
+  end
+rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH
+end
+KNIFE_TEMPLATE = "log_level                :info
+log_location             STDOUT
+node_name                '<%= chefuser %>'
+client_key               '<%= MU_BASE %>/var/users/<%= user %>/<%= chefuser %>.user.key'
+validation_client_name   'mu-validator'
+validation_key           '<%= MU_BASE %>/var/orgs/<%= user %>/<%= chefuser %>.org.key'
+chef_server_url 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>'
+chef_server_root 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>'
+syntax_check_cache_path  '<%= HOMEDIR %>/.chef/syntax_check_cache'
+cookbook_path [ '<%= HOMEDIR %>/.chef/cookbooks', '<%= HOMEDIR %>/.chef/site_cookbooks' ]
+<% if $MU_CFG.has_key?('ssl') and $MU_CFG['ssl'].has_key?('chain') %>
+ssl_ca_path '<%= File.dirname($MU_CFG['ssl']['chain']) %>'
+ssl_ca_file '<%= File.basename($MU_CFG['ssl']['chain']) %>'
+<% end %>
+knife[:vault_mode] = 'client'
+knife[:vault_admins] = ['<%= chefuser %>']"
+CLIENT_TEMPLATE = "chef_server_url  'https://<%= MU.mu_public_addr %>:7443/organizations/<%= user %>'
+validation_client_name 'mu-validator'
+log_location   STDOUT
+node_name 'MU-MASTER'
+verify_api_cert false
+ssl_verify_mode :verify_none
+"
+PIVOTAL_TEMPLATE = "node_name 'pivotal'
+chef_server_url 'https://<%= MU.mu_public_addr %>:7443'
+chef_server_root 'https://<%= MU.mu_public_addr %>:7443'
+no_proxy '<%= MU.mu_public_addr %>'
+client_key '/etc/opscode/pivotal.pem'
+ssl_verify_mode :verify_none
+"
+$CHANGES = []
+$MENU_MAP = {}
+def assignMenuEntries
+  count = 1
+  $CONFIGURABLES.each_pair { |key, data|
+    next if !AMROOT and data['rootonly']
+    if data.has_key?("subtree")
+      letters = ("a".."z").to_a
+      lettercount = 0
+      data["subtree"].each_pair { |subkey, subdata|
+        next if !AMROOT and subdata['rootonly']
+        $CONFIGURABLES[key]["subtree"][subkey]["menu"] = count.to_s+letters[lettercount]
+        $MENU_MAP[count.to_s+letters[lettercount]] = $CONFIGURABLES[key]["subtree"][subkey]
+        lettercount = lettercount + 1
+      }
+    end
+    $MENU_MAP[count.to_s] = $CONFIGURABLES[key]
+    $CONFIGURABLES[key]["menu"] = count.to_s
+    count = count + 1
+  }
+  $MENU_MAP.freeze
+end
+def trySSHKeyWithGit(repo, keypath = nil)
+  cfgbackup = nil
+  deletekey = false
+  repo.match(/^([^@]+?)@([^:]+?):/)
+  ssh_user = Regexp.last_match(1)
+  ssh_host = Regexp.last_match(2)
+  if keypath.nil?
+    response = nil
+    puts "Would you like to provide a private ssh key for #{repo} and try again?"
+    begin
+      response = Readline.readline("Y/N> ".bold, false)
+    end while !response and !response.match(/^(y|n)$/i)
+    if response == "y" or response == "Y"
+      Dir.mkdir("#{HOMEDIR}/.ssh", 0700) if !Dir.exists?("#{HOMEDIR}/.ssh")
+      keynamestr = repo.gsub(/[^a-z0-9\-]/i, "-") + Process.pid.to_s
+      keypath = "#{HOMEDIR}/.ssh/#{keynamestr}"
+      puts "Paste a complete SSH private key for #{ssh_user.bold}@#{ssh_host.bold} below, then ^D"
+      system("cat > #{keypath}")
+      File.chmod(0600, keypath)
+      puts "Key saved to "+keypath.bold
+      deletekey = true
+    else
+      return false
+    end
+  end
+  if File.exists?("#{HOMEDIR}/.ssh/config")
+    FileUtils.cp("#{HOMEDIR}/.ssh/config", "#{HOMEDIR}/.ssh/config.bak.#{Process.pid.to_s}")
+    cfgbackup = "#{HOMEDIR}/.ssh/config.bak.#{Process.pid.to_s}"
+  end
+  File.open("#{HOMEDIR}/.ssh/config", "a", 0600){ |f|
+    f.puts "Host "+ssh_host
+    f.puts "  User "+ssh_user
+    f.puts "  IdentityFile "+keypath
+    f.puts "  StrictHostKeyChecking no"
+  }
+  puts "/usr/bin/git clone #{repo}"
+  output = %x{/usr/bin/git clone #{repo} 2>&1}
+  if $?.exitstatus == 0
+    puts "Successfully cloned #{repo}".green.on_black
+    return true
+  else
+    puts output.red.on_black
+    if cfgbackup
+      puts "Restoring #{HOMEDIR}/.ssh/config"
+      File.rename(cfgbackup, "#{HOMEDIR}/.ssh/config")
+    end
+    if deletekey
+      puts "Removing #{keypath}"
+      File.unlink(keypath)
+    end
+  end
+  return false
+end
+def cloneGitRepo(repo)
+  puts "Testing ability to check out Git repository #{repo.bold}"
+  fullrepo = repo
+  if !repo.match(/@|:\/\//) # we try ssh first
+    fullrepo = "git@github.com:"+repo
+    puts "Doesn't look like a full URL, trying SSH to #{fullrepo}"
+  end
+  cwd = Dir.pwd
+  Dir.mktmpdir("mu-git-test-") { |dir|
+    Dir.chdir(dir)
+    puts "/usr/bin/git clone #{fullrepo}"
+    output = %x{/usr/bin/git clone #{fullrepo} 2>&1}
+    if $?.exitstatus == 0
+      puts "Successfully cloned #{fullrepo}".green.on_black
+      Dir.chdir(cwd)
+      return fullrepo
+    elsif $?.exitstatus != 0 and output.match(/permission denied/i)
+      puts ""
+      puts output.red.on_black
+      if $opts[:ssh_keys_given]
+        $opts[:ssh_keys].each { |keypath|
+          if trySSHKeyWithGit(fullrepo, keypath)
+            Dir.chdir(cwd)
+            return fullrepo
+          end
+        }
+      end
+      if !$opts[:noninteractive]
+        if trySSHKeyWithGit(fullrepo)
+          Dir.chdir(cwd)
+          return fullrepo
+        end
+      end
+    end
+    if !repo.match(/@|:\/\//)
+      fullrepo = "git://github.com/"+repo
+      puts ""
+      puts "No luck there, trying #{fullrepo}".bold
+      puts "/usr/bin/git clone #{fullrepo}"
+      output = %x{/usr/bin/git clone #{fullrepo} 2>&1}
+      if $?.exitstatus == 0
+        puts "Successfully cloned #{fullrepo}".green.on_black
+        Dir.chdir(cwd)
+        return fullrepo
+      else
+        puts output.red.on_black
+        fullrepo = "https://github.com/"+repo
+        puts "Final attempt, trying #{fullrepo}"
+        puts "/usr/bin/git clone #{fullrepo}"
+        output = %x{/usr/bin/git clone #{fullrepo} 2>&1}
+        if $?.exitstatus == 0
+          puts "Successfully cloned #{fullrepo}".green.on_black
+          Dir.chdir(cwd)
+          return fullrepo
+        else
+          puts output.red.on_black
+        end
+      end
+    else
+      puts "No other methods I can think to try, giving up on #{repo.bold}".red.on_black
+    end
+  }
+  Dir.chdir(cwd)
+  nil
+end
+# Rustle up some sensible default values, if this is our first time
+def setDefaults
+  ips = []
+  if $IN_AWS
+    ["public-ipv4", "local-ipv4"].each { |addr|
+      begin
+      Timeout.timeout(2) do
+        ip = open("http://169.254.169.254/latest/meta-data/#{addr}").read
+        ips << ip if !ip.nil? and ip.size > 0
+      end
+      rescue OpenURI::HTTPError, Timeout::Error, SocketError
+        # these are ok to ignore
+      end
+    }
+  elsif $IN_GOOGLE
+    base_url = "http://metadata.google.internal/computeMetadata/v1"
+    begin
+      Timeout.timeout(2) do
+# TODO iterate across multiple interfaces/access-configs
+        ip = open("#{base_url}/instance/network-interfaces/0/ip", "Metadata-Flavor" => "Google").read
+        ips << ip if !ip.nil? and ip.size > 0
+        ip = open("#{base_url}/instance/network-interfaces/0/access-configs/0/external-ip", "Metadata-Flavor" => "Google").read
+        ips << ip if !ip.nil? and ip.size > 0
+      end
+    rescue OpenURI::HTTPError, Timeout::Error, SocketError => e
+      # This is fairly normal, just handle it gracefully
+    end
+  end
+  ips.concat(Socket.ip_address_list.delete_if { |i| !i.ipv4? or i.ip_address.match(/^(0\.0\.0\.0$|169\.254\.|127\.0\.)/) }.map { |a| a.ip_address })
+  $CONFIGURABLES["allow_invade_foreign_vpcs"]["default"] = false
+  $CONFIGURABLES["public_address"]["default"] = ips.first
+  $CONFIGURABLES["hostname"]["default"] = Socket.gethostname
+  $CONFIGURABLES["banner"]["default"] = "Mu Master at #{$CONFIGURABLES["public_address"]["default"]}"
+  if $CONFIGURABLES["mu_admin_email"]["value"]
+    $CONFIGURABLES["jenkins"]["subtree"]["admin_email"]["default"] = $CONFIGURABLES["mu_admin_email"]["value"]
+  end
+  if $IN_AWS
+    aws = JSON.parse(open("http://169.254.169.254/latest/dynamic/instance-identity/document").read)
+    iam = nil
+    begin
+      iam = open("http://169.254.169.254/latest/meta-data/iam/security-credentials").read
+    rescue OpenURI::HTTPError, SocketError
+    end
+    $CONFIGURABLES["aws"]["subtree"]["account_number"]["default"] = aws["accountId"]
+    $CONFIGURABLES["aws"]["subtree"]["region"]["default"] = aws["region"]
+    if iam and iam.size > 0
+      # XXX can we think of a good way to test our permission set?
+      $CONFIGURABLES["aws"]["subtree"]["access_key"]["desc"] = $CONFIGURABLES["aws"]["subtree"]["access_key"]["desc"] + ". Not necessary if IAM Profile #{iam.bold} has sufficient API access."
+      $CONFIGURABLES["aws"]["subtree"]["access_secret"]["desc"] = $CONFIGURABLES["aws"]["subtree"]["access_key"]["desc"] + ". Not necessary if IAM Profile #{iam.bold} has sufficient API access."
+    end
+  end
+  $CONFIGURABLES["aws"]["subtree"]["log_bucket_name"]["default"] = $CONFIGURABLES["hostname"]["default"]
+  $CONFIGURABLES["google"]["subtree"]["log_bucket_name"]["default"] = $CONFIGURABLES["hostname"]["default"]
+end
+def runValueCallback(desc, val)
+  if desc['array']
+    if desc["callback"]
+      newval = []
+      val.each { |v|
+        v = send(desc["callback"].to_sym, v)
+        newval << v if !v.nil?
+      }
+      val = newval
+    end
+  elsif desc["callback"]
+    val = send(desc["callback"].to_sym, val)
+  end
+  val
+end
+def importCLIValues
+  $CONFIGURABLES.each_pair { |key, data|
+    next if !AMROOT and data['rootonly']
+    if data.has_key?("subtree")
+      data["subtree"].each_pair { |subkey, subdata|
+        next if !AMROOT and subdata['rootonly']
+        if $opts[(subdata['cli-opt'].gsub(/-/, "_")+"_given").to_sym]
+          newval = runValueCallback(subdata, $opts[subdata['cli-opt'].gsub(/-/, "_").to_sym])
+          subdata["value"] = newval if !newval.nil?
+          $CHANGES.concat(subdata['changes']) if subdata['changes']
+        end
+      }
+    else
+      if $opts[(data['cli-opt'].gsub(/-/, "_")+"_given").to_sym]
+        newval = runValueCallback(data, $opts[data['cli-opt'].gsub(/-/, "_").to_sym])
+        data["value"] = newval if !newval.nil?
+        $CHANGES.concat(data['changes']) if data['changes']
+      end
+    end
+  }
+end
+# Load values from our existing configuration into the $CONFIGURABLES hash
+def importCurrentValues
+  require File.realpath(File.expand_path(File.dirname(__FILE__)+"/mu-load-config.rb"))
+  $CONFIGURABLES.each_key { |key|
+    next if !$MU_CFG.has_key?(key)
+    if $CONFIGURABLES[key].has_key?("subtree")
+      # It's a sub-tree. I'm too lazy to write a recursive thing for this, just
+      # cover the simple case that we actually care about for now.
+      $CONFIGURABLES[key]["subtree"].keys.each { |subkey|
+        next if !$MU_CFG[key].has_key?(subkey)
+        $CONFIGURABLES[key]["subtree"][subkey]["value"] = $MU_CFG[key][subkey]
+      }
+    else
+      $CONFIGURABLES[key]["value"] = $MU_CFG[key]
+    end
+  }
+end
+def printVal(data)
+  valid = true
+  valid = validate(data["value"], data, false) if data["value"]
+  if !valid
+    print " "+data["value"].to_s.red.on_black
+    print " (consider default of #{data["default"].to_s.bold})" if data["default"]
+  elsif !data["value"].nil?
+    print " - "+data["value"].to_s.green.on_black
+  elsif data["required"]
+    print " - "+"REQUIRED".red.on_black
+  elsif !data["default"].nil?
+    print " - "+data["default"].to_s.yellow.on_black+" (DEFAULT)"
+  end
+end
+# Converts the current $CONFIGURABLES object to a Hash suitable for merging
+# with $MU_CFG.
+def setConfigTree
+  cfg = {}
+  $CONFIGURABLES.each_pair { |key, data|
+    next if !AMROOT and data['rootonly']
+    if data.has_key?("subtree")
+      data["subtree"].each_pair { |subkey, subdata|
+        next if !AMROOT and subdata['rootonly']
+        if !subdata["value"].nil?
+          cfg[key] ||= {}
+          cfg[key][subkey] = subdata["value"]
+        elsif !subdata["default"].nil? and !$HAVE_GLOBAL_CONFIG or ($MU_CFG and (!$MU_CFG[key] or !$MU_CFG[key][subkey]))
+          cfg[key] ||= {}
+          cfg[key][subkey] = subdata["default"]
+        end
+      }
+    elsif !data["value"].nil?
+      cfg[key] = data["value"]
+    elsif !data["default"].nil? and !$HAVE_GLOBAL_CONFIG or ($MU_CFG and !$MU_CFG[key])
+      cfg[key] = data["default"]
+    end
+  }
+  cfg
+end
+def displayCurrentOpts
+  count = 1
+  optlist = []
+  $CONFIGURABLES.each_pair { |key, data|
+    next if !AMROOT and data['rootonly']
+    print data["menu"].bold+") "+data["title"]
+    if data.has_key?("subtree")
+      puts ""
+      data["subtree"].each_pair { |subkey, subdata|
+        next if !AMROOT and subdata['rootonly']
+        print "  "+subdata["menu"].bold+". "+subdata["title"]
+        printVal(subdata)
+        puts ""
+      }
+    else
+      printVal(data)
+      puts ""
+    end
+    count = count + 1
+  }
+  optlist
+end
+###############################################################################
+trap("INT"){ puts "" ; exit }
+importCurrentValues if !$INITIALIZE or $HAVE_GLOBAL_CONFIG
+importCLIValues
+setDefaults
+assignMenuEntries # populates and freezes $MENU_MAP
+def ask(desc)
+  puts ""
+  puts (desc['required'] ? "REQUIRED".red.on_black : "OPTIONAL".yellow.on_black)+" - "+desc["desc"]
+  puts "Enter one or more values, separated by commas".yellow.on_black if desc['array']
+  puts "Enter 0 or false, 1 or true".yellow.on_black if desc['boolean']
+  prompt = desc["title"].bold + "> "
+  current = desc['value'] || desc['default']
+  if current
+    current = current.join(", ") if desc['array'] and current.is_a?(Array)
+    Readline.pre_input_hook = -> do
+      Readline.insert_text current.to_s
+      Readline.redisplay
+      Readline.pre_input_hook = nil
+    end
+  end
+  val = Readline.readline(prompt, false)
+  if desc['array'] and !val.nil?
+    val = val.strip.split(/\s*,\s*/)
+  end
+  if desc['boolean']
+    val = false if ["0", "false", "FALSE"].include?(val)
+    val = true if ["1", "true", "TRUE"].include?(val)
+  end
+  val = runValueCallback(desc, val)
+  val = current if val.nil? and desc['value']
+  val
+end
+def validate(newval, reqs, addnewline = true)
+  ok = true
+  def validate_individual_value(newval, reqs, addnewline)
+    ok = true
+    if reqs['boolean'] and newval != true and newval != false and newval != nil
+      puts "\nInvalid value '#{newval.bold}' for #{reqs['title'].bold} (must be true or false)".light_red.on_black
+      puts "\n\n" if addnewline
+      ok = false
+    elsif reqs['pattern']
+      if newval.nil?
+        puts "\nSupplied value for #{reqs['title'].bold} did not pass validation".light_red.on_black
+        puts "\n\n" if addnewline
+        ok = false
+      elsif reqs['negate_pattern']
+        if newval.to_s.match(reqs['pattern'])
+          puts "\nInvalid value '#{newval.bold}' for #{reqs['title'].bold} (must NOT match #{reqs['pattern']})".light_red.on_black
+          puts "\n\n" if addnewline
+          ok = false
+        end
+      elsif !newval.to_s.match(reqs['pattern'])
+        puts "\nInvalid value '#{newval.bold}' #{reqs['title'].bold} (must match #{reqs['pattern']})".light_red.on_black
+        puts "\n\n" if addnewline
+        ok = false
+      end
+    end
+    ok
+  end
+  if reqs['array']
+    if !newval.is_a?(Array)
+      puts "\nInvalid value '#{newval.bold}' for #{reqs['title'].bold} (should be an array)".light_red.on_black
+      puts "\n\n" if addnewline
+      ok = false
+    else
+      newval.each { |v|
+        ok = false if !validate_individual_value(v, reqs, addnewline)
+      }
+    end
+  else
+    ok = false if !validate_individual_value(newval, reqs, addnewline)
+  end
+  ok
+end
+answer = nil
+changed = false
+def entireConfigValid?
+  ok = true
+  $CONFIGURABLES.each_pair { |key, data|
+    next if !AMROOT and data['rootonly']
+    if data.has_key?("subtree")
+      data["subtree"].each_pair { |subkey, subdata|
+        next if !AMROOT and subdata['rootonly']
+        next if !data["value"]
+        ok = false if !validate(data["value"], data, false)
+      }
+    else
+      next if !data["value"]
+      ok = false if !validate(data["value"], data, false)
+    end
+  }
+  ok
+end
+def menu
+  begin
+    optlist = displayCurrentOpts
+    begin
+      print "Enter an option to change, "+"O".bold+" to save this config, or "+"^D".bold+" to quit.\n> "
+      answer = gets
+      if answer.nil?
+        puts ""
+        exit 0
+      end
+      answer.strip!
+    rescue EOFError
+      puts ""
+      exit 0
+    end
+    if $MENU_MAP.has_key?(answer) and !$MENU_MAP[answer].has_key?("subtree")
+      newval = ask($MENU_MAP[answer])
+      if !validate(newval, $MENU_MAP[answer])
+        sleep 1
+        next
+      end
+      $MENU_MAP[answer]['value'] = newval == "" ? nil : newval
+      $CHANGES.concat($MENU_MAP[answer]['changes']) if $MENU_MAP[answer].include?("changes")
+      if $MENU_MAP[answer]['title'] == "Local Hostname"
+        $CONFIGURABLES["aws"]["subtree"]["log_bucket_name"]["default"] = newval
+      elsif $MENU_MAP[answer]['title'] == "Public Address"
+        $CONFIGURABLES["banner"]["default"] = "Mu Master at #{newval}"
+      elsif $MENU_MAP[answer]['title'] == "Mu Admin Email"
+        $CONFIGURABLES["jenkins"]["subtree"]["admin_email"]["default"] = newval
+      end
+      changed = true
+      puts ""
+    elsif !["", "0", "O", "o"].include?(answer)
+      puts "\nInvalid option '#{answer.bold}'".light_red.on_black+"\n\n"
+      sleep 1
+    else
+      answer = nil if !entireConfigValid?
+    end
+  end while answer != "0" and answer != "O" and answer != "o"
+end
+if !$opts[:noninteractive]
+  menu
+else
+  if !entireConfigValid?
+    puts "Configuration had validation errors, exiting.\nRe-invoke #{$0} to correct."
+    exit 1
+  end
+end
+if AMROOT
+  $MU_CFG['multiuser'] = true
+  saveMuConfig($MU_CFG)
+end
+def set389DSCreds
+  require 'mu'
+  credlist = {
+    "bind_creds" => {
+      "user" => "CN=mu_bind_creds,#{$MU_CFG["ldap"]['user_ou']}"
+    },
+    "join_creds" => {
+      "user" => "CN=mu_join_creds,#{$MU_CFG["ldap"]['user_ou']}"
+    },
+    "cfg_directory_adm" => {
+      "user" => "admin"
+    },
+    "root_dn_user" => {
+      "user" => "CN=root_dn_user"
+    }
+  }
+  credlist.each_pair { |creds, cfg|
+    begin
+      data = nil
+      if $MU_CFG["ldap"].has_key?(creds)
+        data = MU::Groomer::Chef.getSecret(
+          vault: $MU_CFG["ldap"][creds]["vault"],
+          item: $MU_CFG["ldap"][creds]["item"]
+        )
+        MU::Groomer::Chef.grantSecretAccess("MU-MASTER", $MU_CFG["ldap"][creds]["vault"], $MU_CFG["ldap"][creds]["item"])
+      else
+        data = MU::Groomer::Chef.getSecret(vault: "mu_ldap", item: creds)
+        MU::Groomer::Chef.grantSecretAccess("MU-MASTER", "mu_ldap", creds)
+      end
+    rescue MU::Groomer::Chef::MuNoSuchSecret
+      user = cfg["user"]
+      pw = Password.pronounceable(14..16)
+      if $MU_CFG["ldap"].has_key?(creds)
+        data = {
+          $MU_CFG["ldap"][creds]["username_field"] => user,
+          $MU_CFG["ldap"][creds]["password_field"] => pw
+        }
+        MU::Groomer::Chef.saveSecret(
+          vault: $MU_CFG["ldap"][creds]["vault"],
+          item: $MU_CFG["ldap"][creds]["item"],
+          data: data,
+          permissions: "name:MU-MASTER"
+        )
+      else
+        MU::Groomer::Chef.saveSecret(
+          vault: "mu_ldap",
+          item: creds,
+          data: { "username" => user, "password" => pw },
+          permissions: "name:MU-MASTER"
+        )
+      end
+    end
+  }
+end
+if AMROOT
+  cur_chef_version = `/bin/rpm -q chef`.sub(/^chef-(\d+\.\d+\.\d+-\d+)\..*/, '\1').chomp
+  pref_chef_version = File.read("#{MU_BASE}/var/mu-chef-client-version").chomp
+  if cur_chef_version != pref_chef_version
+    puts "Updating MU-MASTER's Chef Client to '#{pref_chef_version}'"
+    chef_installer = open("https://omnitruck.chef.io/install.sh").read
+    File.open("#{HOMEDIR}/chef-install.sh", File::CREAT|File::TRUNC|File::RDWR, 0644){ |f|
+      f.puts chef_installer
+    }
+    system("/bin/rm -rf /opt/chef ; sh #{HOMEDIR}/chef-install.sh -v #{pref_chef_version}");
+    # This will go fix gems, permissions, etc
+    system("/opt/chef/bin/chef-apply #{MU_BASE}/lib/cookbooks/mu-master/recipes/init.rb");
+  end
+end
+if $INITIALIZE
+  %x{/sbin/service iptables stop} # Chef run will set up correct rules later
+  $MU_SET_DEFAULTS = setConfigTree
+  require File.realpath(File.expand_path(File.dirname(__FILE__)+"/mu-load-config.rb"))
+else
+  if AMROOT
+    $NEW_CFG = $MU_CFG.merge(setConfigTree)
+  else
+    $NEW_CFG = setConfigTree
+  end
+  saveMuConfig($NEW_CFG)
+  $MU_CFG = $MU_CFG.merge(setConfigTree)
+  require File.realpath(File.expand_path(File.dirname(__FILE__)+"/mu-load-config.rb"))
+end
+begin
+  require 'mu'
+rescue MU::MuError => e
+  puts "Correct the above error before proceeding. To retry, run:\n\n#{$0.bold} #{ARGV.join(" ").bold}"
+  exit 1
+rescue LoadError
+  system("cd #{MU_BASE}/lib/modules && umask 0022 && /usr/local/ruby-current/bin/bundle install")
+  require 'mu'
+end
+if AMROOT and ($INITIALIZE or $CHANGES.include?("hostname"))
+  system("/bin/hostname #{$MU_CFG['hostname']}")
+end
+# Do some more basic-but-Chef-dependent configuration *before* we meddle with
+# the Chef Server configuration, which depends on some of this (SSL certs and
+# local firewall ports).
+if AMROOT and ($INITIALIZE or $CHANGES.include?("chefartifacts"))
+  MU.log "Purging and re-uploading all Chef artifacts", MU::NOTICE
+  %x{/sbin/service iptables stop} if $INITIALIZE
+  output = %x{MU_INSTALLDIR=#{MU_BASE} MU_LIBDIR=#{MU_BASE}/lib MU_DATADIR=#{MU_BASE}/var #{MU_BASE}/lib/bin/mu-upload-chef-artifacts}
+  if $?.exitstatus != 0
+    puts output
+    MU.log "mu-upload-chef-artifacts failed, can't proceed", MU::ERR
+    %x{/sbin/service iptables start} if $INITIALIZE
+    exit 1
+  end
+  %x{/sbin/service iptables start} if $INITIALIZE
+end
+if $INITIALIZE and AMROOT
+  MU.log "Force open key firewall holes", MU::NOTICE
+  system("chef-client -o 'recipe[mu-master::firewall-holes]'")
+end
+if AMROOT
+  MU.log "Checking internal SSL signing authority and certificates", MU::NOTICE
+  if !system("chef-client -o 'recipe[mu-master::ssl-certs]'") and $INITIALIZE
+    MU.log "Got bad exit code trying to run recipe[mu-master::ssl-certs]', aborting", MU::ERR
+    exit 1
+  end
+end
+def updateChefRbs
+  user = AMROOT ? "mu" : Etc.getpwuid(Process.uid).name
+  chefuser = user.gsub(/\./, "")
+  templates = { HOMEDIR+"/.chef/knife.rb" => KNIFE_TEMPLATE }
+  if AMROOT
+    templates["/etc/chef/client.rb"] = CLIENT_TEMPLATE
+    templates["/etc/opscode/pivotal.rb"] = PIVOTAL_TEMPLATE
+  end
+  templates.each_pair { |file, template|
+    erb = ERB.new(template)
+    processed = erb.result(binding)
+    tmpfile = file+".tmp."+Process.pid.to_s
+    File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f|
+      f.puts processed
+    }
+    if !File.size?(file) or File.read(tmpfile) != File.read(file)
+      File.rename(tmpfile, file)
+      MU.log "Updated #{file}", MU::NOTICE
+      $CHANGES << "chefcerts"
+    else
+      File.unlink(tmpfile)
+    end
+  }
+end
+if AMROOT
+  erb = ERB.new(File.read("#{MU_BASE}/lib/cookbooks/mu-master/templates/default/chef-server.rb.erb"))
+  updated_server_cfg = erb.result(binding)
+  cfgpath = "/etc/opscode/chef-server.rb"
+  tmpfile = "/etc/opscode/chef-server.rb.#{Process.pid}"
+  File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f|
+    f.puts updated_server_cfg
+  }
+  if !File.size?(cfgpath) or File.read(tmpfile) != File.read(cfgpath)
+    File.rename(tmpfile, cfgpath)
+    # Opscode can't seem to get things right with their postgres socket
+    Dir.mkdir("/var/run/postgresql", 0755) if !Dir.exists?("/var/run/postgresql")
+    if File.exists?("/tmp/.s.PGSQL.5432") and !File.exists?("/var/run/postgresql/.s.PGSQL.5432")
+      File.symlink("/tmp/.s.PGSQL.5432", "/var/run/postgresql/.s.PGSQL.5432")
+    elsif !File.exists?("/tmp/.s.PGSQL.5432") and File.exists?("/var/run/postgresql/.s.PGSQL.5432")
+      File.symlink("/var/run/postgresql/.s.PGSQL.5432", "/tmp/.s.PGSQL.5432")
+    end
+    MU.log "Chef Server config was modified, reconfiguring...", MU::NOTICE
+    # XXX Some undocumented port Chef needs only on startup is being blocked by
+    # iptables. Something rabbitmq-related. Dopey workaround.
+    %x{/sbin/service iptables stop}
+    system("/opt/opscode/bin/chef-server-ctl reconfigure")
+    system("/opt/opscode/bin/chef-server-ctl restart")
+    %x{/sbin/service iptables start}
+    updateChefRbs
+    $CHANGES << "chefcerts"
+  else
+    File.unlink(tmpfile)
+    updateChefRbs
+  end
+else
+  updateChefRbs
+end
+if $IN_AWS and AMROOT
+  system("#{MU_BASE}/lib/bin/mu-aws-setup --dns --sg --logs --ephemeral")
+# XXX --ip? Do we really care?
+end
+if $IN_GOOGLE and AMROOT
+  system("#{MU_BASE}/lib/bin/mu-gcp-setup --sg --logs")
+end
+if $INITIALIZE or $CHANGES.include?("chefcerts")
+  system("rm -f #{HOMEDIR}/.chef/trusted_certs/* ; knife ssl fetch -c #{HOMEDIR}/.chef/knife.rb")
+  if AMROOT
+    system("rm -f /etc/chef/trusted_certs/* ; knife ssl fetch -c /etc/chef/client.rb")
+  end
+end
+# knife ssl fetch isn't bright enough to nab our intermediate certs, which
+# ironically becomes a problem when we use one from the real world. Jam it
+# into knife and chef-client's faces thusly:
+if $MU_CFG['ssl'] and $MU_CFG['ssl']['chain'] and File.size?($MU_CFG['ssl']['chain'])
+  cert = File.basename($MU_CFG['ssl']['chain'])
+  FileUtils.cp($MU_CFG['ssl']['chain'], HOMEDIR+"/.chef/trusted_certs/#{cert}")
+  File.chmod(0600, HOMEDIR+"/.chef/trusted_certs/#{cert}")
+  if AMROOT
+    File.chmod(0644, $MU_CFG['ssl']['chain'])
+    FileUtils.cp($MU_CFG['ssl']['chain'], "/etc/chef/trusted_certs/#{cert}")
+  end
+end
+if $MU_CFG['repos'] and $MU_CFG['repos'].size > 0
+  $MU_CFG['repos'].each { |repo|
+    repo.match(/\/([^\/]+?)(\.git)?$/)
+    shortname = Regexp.last_match(1)
+    repodir = MU.dataDir + "/" + shortname
+    if !Dir.exists?(repodir)
+      MU.log "Cloning #{repo} into #{repodir}", MU::NOTICE
+      Dir.chdir(MU.dataDir)
+      system("/usr/bin/git clone #{repo}")
+      $CHANGES << "chefartifacts"
+    end
+  }
+end
+if !AMROOT
+  exit
+end
+begin
+  MU::Groomer::Chef.getSecret(vault: "secrets", item: "consul")
+rescue MU::Groomer::Chef::MuNoSuchSecret
+  data = {
+    "private_key" => File.read("#{MU_BASE}/var/ssl/consul.key"),
+    "certificate" => File.read("#{MU_BASE}/var/ssl/consul.crt"),
+    "ca_certificate" => File.read("#{MU_BASE}/var/ssl/Mu_CA.pem")
+  }
+  MU::Groomer::Chef.saveSecret(
+    vault: "secrets",
+    item: "consul",
+    data: data,
+    permissions: "name:MU-MASTER"
+  )
+end
+if $INITIALIZE or $CHANGES.include?("vault")
+  MU.log "Setting up Hashicorp Vault", MU::NOTICE
+  system("chef-client -o 'recipe[mu-master::vault]'")
+end
+if $MU_CFG['ldap']['type'] == "389 Directory Services"
+  begin
+    MU::Master::LDAP.listUsers
+  rescue Exception => e # XXX lazy exception handling is lazy
+    $CHANGES << "389ds"
+  end
+  if $INITIALIZE or $CHANGES.include?("389ds")
+    File.unlink("/root/389ds.tmp/389-directory-setup.inf") if File.exists?("/root/389ds.tmp/389-directory-setup.inf")
+    MU.log "Configuring 389 Directory Services", MU::NOTICE
+    set389DSCreds
+    system("chef-client -o 'recipe[mu-master::389ds]'")
+    exit 1 if $? != 0
+    MU::Master::LDAP.initLocalLDAP
+    system("chef-client -o 'recipe[mu-master::sssd]'")
+    exit 1 if $? != 0
+  end
+end
+if $MU_CFG['jenkins'] and $MU_CFG['jenkins']['enable']
+  MU::Groomer::Chef.loadChefLib
+  chef_node = ::Chef::Node.load("MU-MASTER")
+  begin
+    data = MU::Groomer::Chef.getSecret(vault: "jenkins", item: "admin")
+    MU::Groomer::Chef.grantSecretAccess("MU-MASTER", "jenkins", "admin")
+  rescue MU::Groomer::Chef::MuNoSuchSecret
+    MU.log "Saving keys for Jenkins admin user '#{$MU_CFG['jenkins']['admin_user']}' into Vault jenkins:admin", MU::NOTICE
+    if !File.exists?("#{HOMEDIR}/.ssh/mu-jenkins-admin.pub") and !File.exists?("#{HOMEDIR}/.ssh/mu-jenkins-admin.pub")
+      system("/usr/bin/ssh-keygen -N '' -f #{HOMEDIR}/.ssh/mu-jenkins-admin")
+    end
+    public_key = File.read("#{HOMEDIR}/.ssh/mu-jenkins-admin.pub").chomp
+    private_key = File.read("#{HOMEDIR}/.ssh/mu-jenkins-admin").chomp
+    MU::Groomer::Chef.saveSecret(
+      vault: "jenkins",
+      item: "admin",
+      data: {
+        "username": $MU_CFG['jenkins']['admin_user'],
+        "private_key": private_key,
+        "public_key": public_key
+      }
+    )
+  end
+end
+# Figure out if our run list is dumb
+MU.log "Verifying MU-MASTER's Chef run list", MU::NOTICE
+MU::Groomer::Chef.loadChefLib
+chef_node = ::Chef::Node.load("MU-MASTER")
+run_list = ["role[mu-master]"]
+run_list << "role[mu-master-jenkins]" if $MU_CFG['jenkins']['enable']
+run_list.concat($MU_CFG['master_runlist_extras']) if $MU_CFG['master_runlist_extras'].is_a?(Array)
+set_runlist = false
+run_list.each { |rl|
+  set_runlist = true if !chef_node.run_list?(rl)
+}
+if set_runlist
+  MU.log "Updating MU-MASTER run_list", MU::NOTICE, details: run_list
+  chef_node.run_list(run_list)
+  chef_node.save
+  $CHANGES << "chefrun"
+else
+  MU.log "Chef run list looks correct", MU::NOTICE, details: run_list
+end
+# TODO here are some things we don't do yet but should
+# accommodate running as a non-root user
+if $INITIALIZE
+  MU::Config.emitSchemaAsRuby
+  MU.log "Generating YARD documentation in /var/www/html/docs (see http://#{$MU_CFG['public_address']}/docs/frames.html)"
+  File.umask(0022)
+  system("cd #{MU.myRoot} && umask 0022 && env -i PATH=#{ENV['PATH']} HOME=#{HOMEDIR} /usr/local/ruby-current/bin/yard doc modules -m markdown -o /var/www/html/docs && chcon -R -h -t httpd_sys_script_exec_t /var/www/html/")
+end
+MU.log "Running chef-client on MU-MASTER", MU::NOTICE
+system("chef-client -o '#{run_list.join(",")}'")
+if !File.exists?("#{MU_BASE}/var/users/mu/email") or !File.exists?("#{MU_BASE}/var/users/mu/realname")
+  MU.log "Finalizing the 'mu' Chef/LDAP account", MU::NOTICE
+  MU.setLogging(MU::Logger::SILENT)
+  MU::Master.manageUser(
+    "mu",
+    name: $MU_CFG['mu_admin_name'],
+    email: $MU_CFG['mu_admin_email'],
+    admin: true,
+    password: MU.generateWindowsPassword # we'll just overwrite this and do it with mu-user-manage below, which can do smart things with Scratchpad
+  )
+  MU.setLogging(MU::Logger::NORMAL)
+  sleep 3 # avoid LDAP lag for mu-user-manage
+end
+output = %x{/opt/chef/bin/knife vault show scratchpad 2>&1}
+if $?.exitstatus != 0 or output.match(/is not a chef-vault/)
+  MU::Groomer::Chef.saveSecret(
+    vault: "scratchpad",
+    item: "placeholder",
+    data: { "secret" => "DO NOT DELETE", "timestamp" => "9999999999" },
+    permissions: "name:MU-MASTER"
+  )
+end
+MU.log "Regenerating documentation in /var/www/html/docs"
+%x{#{MU_BASE}/lib/bin/mu-gen-docs}
+if $INITIALIZE
+  MU.log "Setting initial password for admin user 'mu', for logging into Nagios and other built-in services.", MU::NOTICE
+  puts %x{#{MU_BASE}/lib/bin/mu-user-manage -g mu}
+  MU.log "If Scratchpad web interface is not accessible, try the following:", MU::NOTICE
+  puts "#{MU_BASE}/lib/bin/mu-user-manage -g --no-scratchpad mu".bold
+end
+if !ENV['PATH'].match(/(^|:)#{Regexp.quote(MU_BASE)}\/bin(:|$)/)
+  MU.log "I added some entries to your $PATH, run this to import them:", MU::NOTICE
+  puts "source #{HOMEDIR}/.bashrc".bold
+end