RubyGems - cloud-mu - Versions diffs - 1.9.0.pre.beta - Mend

cloud-mu 1.9.0.pre.beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (618) hide show

checksums.yaml +7 -0
data/Berksfile +56 -0
data/Berksfile.lock +250 -0
data/Jenkinsfile +184 -0
data/LICENSE.md +37 -0
data/README.md +26 -0
data/bin/mu-aws-setup +376 -0
data/bin/mu-cleanup +68 -0
data/bin/mu-configure +1133 -0
data/bin/mu-deploy +166 -0
data/bin/mu-firewall-allow-clients +30 -0
data/bin/mu-gcp-setup +200 -0
data/bin/mu-gen-docs +34 -0
data/bin/mu-gen-env +42 -0
data/bin/mu-load-config.rb +158 -0
data/bin/mu-node-manage +683 -0
data/bin/mu-self-update +228 -0
data/bin/mu-ssh +23 -0
data/bin/mu-tunnel-nagios +144 -0
data/bin/mu-upload-chef-artifacts +757 -0
data/bin/mu-user-manage +275 -0
data/cookbooks/awscli/LICENSE +37 -0
data/cookbooks/awscli/README.md +58 -0
data/cookbooks/awscli/attributes/default.rb +1 -0
data/cookbooks/awscli/libraries/instance_metadata.rb +21 -0
data/cookbooks/awscli/metadata.rb +20 -0
data/cookbooks/awscli/recipes/default.rb +56 -0
data/cookbooks/awscli/templates/default/config.erb +18 -0
data/cookbooks/mu-activedirectory/CHANGELOG.md +13 -0
data/cookbooks/mu-activedirectory/LICENSE +37 -0
data/cookbooks/mu-activedirectory/README.md +6 -0
data/cookbooks/mu-activedirectory/attributes/default.rb +98 -0
data/cookbooks/mu-activedirectory/files/default/password-auth +32 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-activedirectory/files/default/system-auth +34 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.te +37 -0
data/cookbooks/mu-activedirectory/libraries/config.rb +106 -0
data/cookbooks/mu-activedirectory/libraries/helper.rb +86 -0
data/cookbooks/mu-activedirectory/metadata.rb +17 -0
data/cookbooks/mu-activedirectory/providers/domain.rb +152 -0
data/cookbooks/mu-activedirectory/providers/domain_controller.rb +89 -0
data/cookbooks/mu-activedirectory/providers/domain_node.rb +275 -0
data/cookbooks/mu-activedirectory/recipes/default.rb +8 -0
data/cookbooks/mu-activedirectory/recipes/domain-controller.rb +44 -0
data/cookbooks/mu-activedirectory/recipes/domain-node.rb +50 -0
data/cookbooks/mu-activedirectory/recipes/domain.rb +43 -0
data/cookbooks/mu-activedirectory/recipes/sssd.rb +185 -0
data/cookbooks/mu-activedirectory/resources/domain.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_node.rb +20 -0
data/cookbooks/mu-activedirectory/templates/default/dhclient-eth0.conf.erb +4 -0
data/cookbooks/mu-activedirectory/templates/default/interface +0 -0
data/cookbooks/mu-activedirectory/templates/default/krb5.conf.erb +23 -0
data/cookbooks/mu-activedirectory/templates/default/ntp.conf.erb +56 -0
data/cookbooks/mu-activedirectory/templates/default/smb.conf.erb +33 -0
data/cookbooks/mu-activedirectory/templates/default/sssd.conf.erb +60 -0
data/cookbooks/mu-activedirectory/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-activedirectory/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-activedirectory/templates/windows/gpreprt.xml.erb +198 -0
data/cookbooks/mu-activedirectory/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-activedirectory/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-firewall/CHANGELOG.md +11 -0
data/cookbooks/mu-firewall/LICENSE +37 -0
data/cookbooks/mu-firewall/README.md +5 -0
data/cookbooks/mu-firewall/attributes/default.rb +3 -0
data/cookbooks/mu-firewall/metadata.rb +16 -0
data/cookbooks/mu-firewall/recipes/default.rb +10 -0
data/cookbooks/mu-glusterfs/CHANGELOG.md +13 -0
data/cookbooks/mu-glusterfs/LICENSE +37 -0
data/cookbooks/mu-glusterfs/README.md +5 -0
data/cookbooks/mu-glusterfs/attributes/default.rb +34 -0
data/cookbooks/mu-glusterfs/metadata.rb +17 -0
data/cookbooks/mu-glusterfs/recipes/client.rb +62 -0
data/cookbooks/mu-glusterfs/recipes/default.rb +16 -0
data/cookbooks/mu-glusterfs/recipes/samba.rb +57 -0
data/cookbooks/mu-glusterfs/recipes/server.rb +200 -0
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +71 -0
data/cookbooks/mu-glusterfs/templates/default/smb.conf.erb +14 -0
data/cookbooks/mu-jenkins/CHANGELOG.md +13 -0
data/cookbooks/mu-jenkins/LICENSE +37 -0
data/cookbooks/mu-jenkins/README.md +105 -0
data/cookbooks/mu-jenkins/attributes/default.rb +42 -0
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +73 -0
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +44 -0
data/cookbooks/mu-jenkins/metadata.rb +21 -0
data/cookbooks/mu-jenkins/recipes/default.rb +195 -0
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +54 -0
data/cookbooks/mu-jenkins/recipes/public_key.rb +24 -0
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +24 -0
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +14 -0
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +6 -0
data/cookbooks/mu-master/CHANGELOG.md +13 -0
data/cookbooks/mu-master/LICENSE +37 -0
data/cookbooks/mu-master/README.md +6 -0
data/cookbooks/mu-master/attributes/default.rb +95 -0
data/cookbooks/mu-master/files/default/0-mu-log-server.conf +19 -0
data/cookbooks/mu-master/files/default/addRSA.ldif +8 -0
data/cookbooks/mu-master/files/default/check_mem.pl +197 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.pp +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.te +13 -0
data/cookbooks/mu-master/files/default/nagios_selinux.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux.te +51 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.te +17 -0
data/cookbooks/mu-master/files/default/pam_sshd +18 -0
data/cookbooks/mu-master/files/default/ssl_enable.ldif +18 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-master/files/default/vimrc +19 -0
data/cookbooks/mu-master/libraries/mu.rb +29 -0
data/cookbooks/mu-master/metadata.rb +30 -0
data/cookbooks/mu-master/providers/user.rb +41 -0
data/cookbooks/mu-master/recipes/389ds.rb +164 -0
data/cookbooks/mu-master/recipes/basepackages.rb +58 -0
data/cookbooks/mu-master/recipes/caching_nameserver.rb +37 -0
data/cookbooks/mu-master/recipes/default.rb +451 -0
data/cookbooks/mu-master/recipes/eks-kubectl.rb +41 -0
data/cookbooks/mu-master/recipes/firewall-holes.rb +70 -0
data/cookbooks/mu-master/recipes/init.rb +542 -0
data/cookbooks/mu-master/recipes/ssl-certs.rb +109 -0
data/cookbooks/mu-master/recipes/sssd.rb +89 -0
data/cookbooks/mu-master/recipes/update_nagios_only.rb +242 -0
data/cookbooks/mu-master/recipes/vault.rb +111 -0
data/cookbooks/mu-master/resources/user.rb +19 -0
data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +28 -0
data/cookbooks/mu-master/templates/default/chef-server.rb.erb +18 -0
data/cookbooks/mu-master/templates/default/dhclient-eth0.conf.erb +9 -0
data/cookbooks/mu-master/templates/default/mu-momma-cat.erb +149 -0
data/cookbooks/mu-master/templates/default/mu.rc.erb +9 -0
data/cookbooks/mu-master/templates/default/openssl.cnf.erb +354 -0
data/cookbooks/mu-master/templates/default/sssd.conf.erb +44 -0
data/cookbooks/mu-master/templates/default/web_app.conf.erb +90 -0
data/cookbooks/mu-mongo/CHANGELOG.md +13 -0
data/cookbooks/mu-mongo/LICENSE +37 -0
data/cookbooks/mu-mongo/README.md +5 -0
data/cookbooks/mu-mongo/attributes/default.rb +22 -0
data/cookbooks/mu-mongo/files/default/keyfile +16 -0
data/cookbooks/mu-mongo/files/default/remove_nodes.js +5 -0
data/cookbooks/mu-mongo/metadata.rb +17 -0
data/cookbooks/mu-mongo/recipes/default.rb +149 -0
data/cookbooks/mu-mongo/recipes/yum-update-rule.rb +18 -0
data/cookbooks/mu-mongo/templates/default/mongo_create_openfema_db.js.erb +2 -0
data/cookbooks/mu-mongo/templates/default/mongo_init.js.erb +1 -0
data/cookbooks/mu-mongo/templates/default/mongo_logrotate.erb +14 -0
data/cookbooks/mu-mongo/templates/default/mongo_replset_addnodes.js.erb +6 -0
data/cookbooks/mu-mongo/templates/default/replset_init.js.erb +2 -0
data/cookbooks/mu-openvpn/CHANGELOG.md +13 -0
data/cookbooks/mu-openvpn/LICENSE +37 -0
data/cookbooks/mu-openvpn/README.md +6 -0
data/cookbooks/mu-openvpn/attributes/default.rb +119 -0
data/cookbooks/mu-openvpn/metadata.rb +18 -0
data/cookbooks/mu-openvpn/recipes/default.rb +108 -0
data/cookbooks/mu-openvpn/templates/default/users.json.erb +42 -0
data/cookbooks/mu-php54/CHANGELOG.md +12 -0
data/cookbooks/mu-php54/LICENSE +37 -0
data/cookbooks/mu-php54/README.md +0 -0
data/cookbooks/mu-php54/files/centos/php.ini +1802 -0
data/cookbooks/mu-php54/files/ubuntu/php.ini +1870 -0
data/cookbooks/mu-php54/metadata.rb +21 -0
data/cookbooks/mu-php54/recipes/default.rb +97 -0
data/cookbooks/mu-splunk/CHANGELOG.md +37 -0
data/cookbooks/mu-splunk/LICENSE +37 -0
data/cookbooks/mu-splunk/README.md +451 -0
data/cookbooks/mu-splunk/attributes/default.rb +95 -0
data/cookbooks/mu-splunk/attributes/upgrade.rb +49 -0
data/cookbooks/mu-splunk/definitions/splunk_installer.rb +103 -0
data/cookbooks/mu-splunk/files/default/splunk-nocheck +10 -0
data/cookbooks/mu-splunk/libraries/helpers.rb +72 -0
data/cookbooks/mu-splunk/libraries/splunk_app_provider.rb +156 -0
data/cookbooks/mu-splunk/libraries/splunk_app_resource.rb +43 -0
data/cookbooks/mu-splunk/metadata.json +30 -0
data/cookbooks/mu-splunk/metadata.rb +17 -0
data/cookbooks/mu-splunk/recipes/client.rb +143 -0
data/cookbooks/mu-splunk/recipes/default.rb +31 -0
data/cookbooks/mu-splunk/recipes/disabled.rb +41 -0
data/cookbooks/mu-splunk/recipes/install_forwarder.rb +23 -0
data/cookbooks/mu-splunk/recipes/install_server.rb +23 -0
data/cookbooks/mu-splunk/recipes/server.rb +53 -0
data/cookbooks/mu-splunk/recipes/service.rb +95 -0
data/cookbooks/mu-splunk/recipes/setup_auth.rb +49 -0
data/cookbooks/mu-splunk/recipes/setup_ssl.rb +63 -0
data/cookbooks/mu-splunk/recipes/upgrade.rb +94 -0
data/cookbooks/mu-splunk/recipes/user.rb +34 -0
data/cookbooks/mu-splunk/templates/default/base_logs_unix_inputs.conf.erb +26 -0
data/cookbooks/mu-splunk/templates/default/inputs.conf.erb +13 -0
data/cookbooks/mu-splunk/templates/default/outputs.conf.erb +9 -0
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +74 -0
data/cookbooks/mu-splunk/templates/default/system-web.conf.erb +7 -0
data/cookbooks/mu-tools/CHANGELOG.md +12 -0
data/cookbooks/mu-tools/LICENSE +37 -0
data/cookbooks/mu-tools/README.md +188 -0
data/cookbooks/mu-tools/attributes/default.rb +142 -0
data/cookbooks/mu-tools/attributes/ebs_rolling_snapshots.rb +3 -0
data/cookbooks/mu-tools/files/amazon/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/CentOS-Base.repo +52 -0
data/cookbooks/mu-tools/files/centos/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/centos/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/centos/etc/profile +77 -0
data/cookbooks/mu-tools/files/centos/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/centos/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/centos/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/centos-6/README_MU +0 -0
data/cookbooks/mu-tools/files/centos-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/centos-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/centos-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/centos-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/centos-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/default/Mu_CA.pem +34 -0
data/cookbooks/mu-tools/files/default/PSWindowsUpdate.zip +0 -0
data/cookbooks/mu-tools/files/default/ebs_snapshots.py +123 -0
data/cookbooks/mu-tools/files/default/etc/BANNER +0 -0
data/cookbooks/mu-tools/files/default/etc/BANNER-FEDERAL +19 -0
data/cookbooks/mu-tools/files/default/gpo_no_uac.zip +0 -0
data/cookbooks/mu-tools/files/default/mypol.pp +0 -0
data/cookbooks/mu-tools/files/default/mypol.te +37 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.te +31 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.te +11 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.te +10 -0
data/cookbooks/mu-tools/files/default/nrpe_file.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_file.te +31 -0
data/cookbooks/mu-tools/files/default/ntrights +0 -0
data/cookbooks/mu-tools/files/default/serverclass.conf +18 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/inputs.conf +13 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/inputs.conf +8 -0
data/cookbooks/mu-tools/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-tools/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-tools/files/redhat/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/redhat/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/redhat/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/redhat/etc/profile +77 -0
data/cookbooks/mu-tools/files/redhat/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/redhat/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/redhat/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/redhat-6/README_MU +0 -0
data/cookbooks/mu-tools/files/redhat-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/redhat-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/redhat-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/redhat-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/redhat-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/redhat-7.1/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/bash.bashrc +64 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/common-session +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/login.defs +338 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/profile +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/security/limits.conf +56 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/sysctl.conf +60 -0
data/cookbooks/mu-tools/libraries/helper.rb +292 -0
data/cookbooks/mu-tools/metadata.rb +28 -0
data/cookbooks/mu-tools/recipes/add_admin_ssh_keys.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +440 -0
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -0
data/cookbooks/mu-tools/recipes/base_repositories.rb +31 -0
data/cookbooks/mu-tools/recipes/cisbenchmark.rb +59 -0
data/cookbooks/mu-tools/recipes/clamav.rb +53 -0
data/cookbooks/mu-tools/recipes/cloudinit.rb +58 -0
data/cookbooks/mu-tools/recipes/configure_oracle_tools.rb +81 -0
data/cookbooks/mu-tools/recipes/disable-requiretty.rb +22 -0
data/cookbooks/mu-tools/recipes/ebs_rolling_snapshots.rb +75 -0
data/cookbooks/mu-tools/recipes/efs.rb +70 -0
data/cookbooks/mu-tools/recipes/eks.rb +160 -0
data/cookbooks/mu-tools/recipes/gcloud.rb +98 -0
data/cookbooks/mu-tools/recipes/google_api.rb +25 -0
data/cookbooks/mu-tools/recipes/maldet.rb +67 -0
data/cookbooks/mu-tools/recipes/nagios.rb +19 -0
data/cookbooks/mu-tools/recipes/newclient.rb +23 -0
data/cookbooks/mu-tools/recipes/nrpe.rb +115 -0
data/cookbooks/mu-tools/recipes/python_pip.rb +35 -0
data/cookbooks/mu-tools/recipes/retrieve_application.rb +51 -0
data/cookbooks/mu-tools/recipes/rsyslog.rb +65 -0
data/cookbooks/mu-tools/recipes/set_local_fw.rb +57 -0
data/cookbooks/mu-tools/recipes/set_mu_hostname.rb +81 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +86 -0
data/cookbooks/mu-tools/recipes/splunk-client.rb +69 -0
data/cookbooks/mu-tools/recipes/splunk-server.rb +104 -0
data/cookbooks/mu-tools/recipes/store_inspec_attr.rb +8 -0
data/cookbooks/mu-tools/recipes/updates.rb +96 -0
data/cookbooks/mu-tools/recipes/windows-client.rb +202 -0
data/cookbooks/mu-tools/resources/aws_windows.rb +33 -0
data/cookbooks/mu-tools/resources/disk.rb +88 -0
data/cookbooks/mu-tools/resources/mommacat_request.rb +11 -0
data/cookbooks/mu-tools/resources/scheduled_tasks.rb +29 -0
data/cookbooks/mu-tools/resources/sshd_service.rb +45 -0
data/cookbooks/mu-tools/resources/windows_users.rb +242 -0
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +168 -0
data/cookbooks/mu-tools/templates/centos-6/sshd_config.erb +212 -0
data/cookbooks/mu-tools/templates/centos-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/default/0-mu-log-client.conf.erb +13 -0
data/cookbooks/mu-tools/templates/default/conf.maldet.erb +137 -0
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +30 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_password-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_system-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_sysconfig_network.erb +12 -0
data/cookbooks/mu-tools/templates/default/kubeconfig.erb +29 -0
data/cookbooks/mu-tools/templates/default/kubelet.service.erb +35 -0
data/cookbooks/mu-tools/templates/default/maldet_scanall.sh.erb +15 -0
data/cookbooks/mu-tools/templates/default/nrpe.cfg.erb +233 -0
data/cookbooks/mu-tools/templates/redhat-6/sshd_config.erb +213 -0
data/cookbooks/mu-tools/templates/redhat-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/ubuntu-12.04/sshd_config.erb +146 -0
data/cookbooks/mu-tools/templates/ubuntu-14.04/sshd_config.erb +145 -0
data/cookbooks/mu-tools/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-tools/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/gpreprt.xml.erb +214 -0
data/cookbooks/mu-tools/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-tools/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/set_ad_dns_scheduled_task.ps1.erb +6 -0
data/cookbooks/mu-tools/templates/windows/sshd_config.erb +136 -0
data/cookbooks/mu-utility/CHANGELOG.md +12 -0
data/cookbooks/mu-utility/LICENSE +37 -0
data/cookbooks/mu-utility/README.md +6 -0
data/cookbooks/mu-utility/attributes/default.rb +1 -0
data/cookbooks/mu-utility/libraries/matchers.rb +21 -0
data/cookbooks/mu-utility/metadata.rb +16 -0
data/cookbooks/mu-utility/recipes/apt.rb +23 -0
data/cookbooks/mu-utility/recipes/cleanup_image_helper.rb +118 -0
data/cookbooks/mu-utility/recipes/iptables.rb +26 -0
data/cookbooks/mu-utility/recipes/luks.rb +18 -0
data/cookbooks/mu-utility/recipes/nat.rb +104 -0
data/cookbooks/mu-utility/recipes/php.rb +33 -0
data/cookbooks/mu-utility/recipes/rdp_gateway.rb +83 -0
data/cookbooks/mu-utility/recipes/remi.rb +44 -0
data/cookbooks/mu-utility/recipes/vim.rb +26 -0
data/cookbooks/mu-utility/recipes/windows_basics.rb +37 -0
data/cookbooks/mu-utility/recipes/zip.rb +26 -0
data/cookbooks/mu-utility/templates/default/BundleConfig.xml.erb +34 -0
data/cookbooks/mu-utility/templates/default/config.xml.erb +60 -0
data/cookbooks/nagios/Berksfile +8 -0
data/cookbooks/nagios/CHANGELOG.md +589 -0
data/cookbooks/nagios/CONTRIBUTING.md +11 -0
data/cookbooks/nagios/LICENSE +37 -0
data/cookbooks/nagios/README.md +328 -0
data/cookbooks/nagios/TESTING.md +2 -0
data/cookbooks/nagios/attributes/config.rb +171 -0
data/cookbooks/nagios/attributes/default.rb +228 -0
data/cookbooks/nagios/chefignore +102 -0
data/cookbooks/nagios/definitions/command.rb +33 -0
data/cookbooks/nagios/definitions/contact.rb +33 -0
data/cookbooks/nagios/definitions/contactgroup.rb +33 -0
data/cookbooks/nagios/definitions/host.rb +33 -0
data/cookbooks/nagios/definitions/hostdependency.rb +33 -0
data/cookbooks/nagios/definitions/hostescalation.rb +34 -0
data/cookbooks/nagios/definitions/hostgroup.rb +33 -0
data/cookbooks/nagios/definitions/nagios_conf.rb +38 -0
data/cookbooks/nagios/definitions/resource.rb +33 -0
data/cookbooks/nagios/definitions/service.rb +33 -0
data/cookbooks/nagios/definitions/servicedependency.rb +33 -0
data/cookbooks/nagios/definitions/serviceescalation.rb +34 -0
data/cookbooks/nagios/definitions/servicegroup.rb +33 -0
data/cookbooks/nagios/definitions/timeperiod.rb +33 -0
data/cookbooks/nagios/libraries/base.rb +314 -0
data/cookbooks/nagios/libraries/command.rb +91 -0
data/cookbooks/nagios/libraries/contact.rb +230 -0
data/cookbooks/nagios/libraries/contactgroup.rb +112 -0
data/cookbooks/nagios/libraries/custom_option.rb +36 -0
data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
data/cookbooks/nagios/libraries/default.rb +90 -0
data/cookbooks/nagios/libraries/host.rb +412 -0
data/cookbooks/nagios/libraries/hostdependency.rb +181 -0
data/cookbooks/nagios/libraries/hostescalation.rb +173 -0
data/cookbooks/nagios/libraries/hostgroup.rb +119 -0
data/cookbooks/nagios/libraries/nagios.rb +282 -0
data/cookbooks/nagios/libraries/resource.rb +59 -0
data/cookbooks/nagios/libraries/service.rb +455 -0
data/cookbooks/nagios/libraries/servicedependency.rb +215 -0
data/cookbooks/nagios/libraries/serviceescalation.rb +195 -0
data/cookbooks/nagios/libraries/servicegroup.rb +144 -0
data/cookbooks/nagios/libraries/timeperiod.rb +160 -0
data/cookbooks/nagios/libraries/users_helper.rb +54 -0
data/cookbooks/nagios/metadata.rb +25 -0
data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
data/cookbooks/nagios/recipes/apache.rb +48 -0
data/cookbooks/nagios/recipes/default.rb +204 -0
data/cookbooks/nagios/recipes/nginx.rb +82 -0
data/cookbooks/nagios/recipes/pagerduty.rb +143 -0
data/cookbooks/nagios/recipes/server_package.rb +40 -0
data/cookbooks/nagios/recipes/server_source.rb +164 -0
data/cookbooks/nagios/templates/default/apache2.conf.erb +96 -0
data/cookbooks/nagios/templates/default/cgi.cfg.erb +266 -0
data/cookbooks/nagios/templates/default/commands.cfg.erb +13 -0
data/cookbooks/nagios/templates/default/contacts.cfg.erb +37 -0
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +25 -0
data/cookbooks/nagios/templates/default/hosts.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/htpasswd.users.erb +6 -0
data/cookbooks/nagios/templates/default/nagios.cfg.erb +22 -0
data/cookbooks/nagios/templates/default/nginx.conf.erb +62 -0
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +185 -0
data/cookbooks/nagios/templates/default/resource.cfg.erb +27 -0
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/services.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/templates.cfg.erb +31 -0
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +13 -0
data/cookbooks/s3fs/CHANGELOG.md +13 -0
data/cookbooks/s3fs/LICENSE +37 -0
data/cookbooks/s3fs/README.md +6 -0
data/cookbooks/s3fs/attributes/default.rb +15 -0
data/cookbooks/s3fs/files/default/fuse-2.9.3.zip +0 -0
data/cookbooks/s3fs/metadata.rb +16 -0
data/cookbooks/s3fs/recipes/default.rb +91 -0
data/data_bags/demo/app.json +7 -0
data/data_bags/nagios_services/chef.json +6 -0
data/data_bags/nagios_services/linux_diskspace.json +5 -0
data/data_bags/nagios_services/momma_cat.json +6 -0
data/data_bags/nagios_services/mu-master-memory.json +5 -0
data/data_bags/nagios_services/nagios_ui.json +6 -0
data/data_bags/nagios_services/node_ssh.json +6 -0
data/data_bags/nagios_services/ssh.json +6 -0
data/demo/lambda_test.yaml +29 -0
data/environments/DEV.json +8 -0
data/environments/PROD.json +8 -0
data/environments/dev.json +8 -0
data/environments/development.json +8 -0
data/environments/prod.json +8 -0
data/extras/README.md +1 -0
data/extras/admin-role-binding.yaml +16 -0
data/extras/admin-user.yaml +6 -0
data/extras/aws-auth-cm.yaml.erb +12 -0
data/extras/clean-stock-amis +48 -0
data/extras/git-fix-permissions-hook +12 -0
data/extras/gitlab-eks-helper.sh.erb +20 -0
data/extras/image-generators/README.md +2 -0
data/extras/image-generators/aws/centos6.yaml +18 -0
data/extras/image-generators/aws/centos7-govcloud.yaml +24 -0
data/extras/image-generators/aws/centos7.yaml +17 -0
data/extras/image-generators/aws/rhel7.yaml +17 -0
data/extras/image-generators/aws/win2k12.yaml +16 -0
data/extras/image-generators/aws/win2k16.yaml +16 -0
data/extras/image-generators/aws/windows.yaml +18 -0
data/extras/image-generators/gcp/centos6.yaml +17 -0
data/extras/lambda_waf_domain_blacklist.py +103 -0
data/extras/platform_berksfile_base +50 -0
data/extras/ruby_rpm/build.sh +17 -0
data/extras/ruby_rpm/muby.spec +44 -0
data/extras/vault_tools/README.md +6 -0
data/extras/vault_tools/export_vaults.sh +3 -0
data/extras/vault_tools/recreate_vaults.sh +5 -0
data/extras/vault_tools/test_vaults.sh +5 -0
data/install/README.md +8 -0
data/install/cfn_create_mu_master.json +1034 -0
data/install/chef-server.rb.erb +19 -0
data/install/deprecated-bash-library.sh +1891 -0
data/install/images/Usage.png +0 -0
data/install/installer +71 -0
data/install/jenkinskeys.rb +8 -0
data/install/user-dot-murc.erb +14 -0
data/modules/html.erb +19 -0
data/modules/mommacat.ru +426 -0
data/modules/mu/cleanup.rb +339 -0
data/modules/mu/cloud.rb +1446 -0
data/modules/mu/clouds/README.md +201 -0
data/modules/mu/clouds/aws/alarm.rb +319 -0
data/modules/mu/clouds/aws/cache_cluster.rb +1010 -0
data/modules/mu/clouds/aws/collection.rb +373 -0
data/modules/mu/clouds/aws/container_cluster.rb +667 -0
data/modules/mu/clouds/aws/database.rb +1836 -0
data/modules/mu/clouds/aws/dnszone.rb +911 -0
data/modules/mu/clouds/aws/firewall_rule.rb +641 -0
data/modules/mu/clouds/aws/folder.rb +92 -0
data/modules/mu/clouds/aws/function.rb +349 -0
data/modules/mu/clouds/aws/group.rb +251 -0
data/modules/mu/clouds/aws/loadbalancer.rb +888 -0
data/modules/mu/clouds/aws/log.rb +363 -0
data/modules/mu/clouds/aws/msg_queue.rb +480 -0
data/modules/mu/clouds/aws/notification.rb +139 -0
data/modules/mu/clouds/aws/role.rb +656 -0
data/modules/mu/clouds/aws/search_domain.rb +646 -0
data/modules/mu/clouds/aws/server.rb +2294 -0
data/modules/mu/clouds/aws/server_pool.rb +1388 -0
data/modules/mu/clouds/aws/storage_pool.rb +495 -0
data/modules/mu/clouds/aws/user.rb +382 -0
data/modules/mu/clouds/aws/userdata/README.md +4 -0
data/modules/mu/clouds/aws/userdata/linux.erb +179 -0
data/modules/mu/clouds/aws/userdata/windows.erb +278 -0
data/modules/mu/clouds/aws/vpc.rb +1943 -0
data/modules/mu/clouds/aws.rb +1009 -0
data/modules/mu/clouds/cloudformation/alarm.rb +146 -0
data/modules/mu/clouds/cloudformation/cache_cluster.rb +167 -0
data/modules/mu/clouds/cloudformation/collection.rb +117 -0
data/modules/mu/clouds/cloudformation/database.rb +278 -0
data/modules/mu/clouds/cloudformation/dnszone.rb +274 -0
data/modules/mu/clouds/cloudformation/firewall_rule.rb +308 -0
data/modules/mu/clouds/cloudformation/loadbalancer.rb +193 -0
data/modules/mu/clouds/cloudformation/log.rb +170 -0
data/modules/mu/clouds/cloudformation/server.rb +370 -0
data/modules/mu/clouds/cloudformation/server_pool.rb +279 -0
data/modules/mu/clouds/cloudformation/vpc.rb +322 -0
data/modules/mu/clouds/cloudformation.rb +733 -0
data/modules/mu/clouds/docker.rb +30 -0
data/modules/mu/clouds/google/container_cluster.rb +290 -0
data/modules/mu/clouds/google/database.rb +152 -0
data/modules/mu/clouds/google/firewall_rule.rb +267 -0
data/modules/mu/clouds/google/group.rb +164 -0
data/modules/mu/clouds/google/loadbalancer.rb +479 -0
data/modules/mu/clouds/google/server.rb +1510 -0
data/modules/mu/clouds/google/server_pool.rb +274 -0
data/modules/mu/clouds/google/user.rb +266 -0
data/modules/mu/clouds/google/userdata/README.md +4 -0
data/modules/mu/clouds/google/userdata/linux.erb +137 -0
data/modules/mu/clouds/google/userdata/windows.erb +275 -0
data/modules/mu/clouds/google/vpc.rb +890 -0
data/modules/mu/clouds/google.rb +811 -0
data/modules/mu/config/README.md +11 -0
data/modules/mu/config/alarm.rb +271 -0
data/modules/mu/config/cache_cluster.rb +172 -0
data/modules/mu/config/collection.rb +87 -0
data/modules/mu/config/container_cluster.rb +103 -0
data/modules/mu/config/container_cluster.yml +36 -0
data/modules/mu/config/database.rb +458 -0
data/modules/mu/config/database.yml +26 -0
data/modules/mu/config/dnszone.rb +327 -0
data/modules/mu/config/firewall_rule.rb +118 -0
data/modules/mu/config/folder.rb +70 -0
data/modules/mu/config/function.rb +140 -0
data/modules/mu/config/group.rb +64 -0
data/modules/mu/config/loadbalancer.rb +482 -0
data/modules/mu/config/log.rb +47 -0
data/modules/mu/config/log.yml +6 -0
data/modules/mu/config/msg_queue.rb +47 -0
data/modules/mu/config/msg_queue.yml +9 -0
data/modules/mu/config/notification.rb +44 -0
data/modules/mu/config/project.rb +71 -0
data/modules/mu/config/role.rb +102 -0
data/modules/mu/config/search_domain.rb +61 -0
data/modules/mu/config/search_domain.yml +25 -0
data/modules/mu/config/server.rb +587 -0
data/modules/mu/config/server.yml +8 -0
data/modules/mu/config/server_pool.rb +216 -0
data/modules/mu/config/server_pool.yml +71 -0
data/modules/mu/config/storage_pool.rb +145 -0
data/modules/mu/config/user.rb +78 -0
data/modules/mu/config/vpc.rb +743 -0
data/modules/mu/config/vpc.yml +6 -0
data/modules/mu/config.rb +2000 -0
data/modules/mu/defaults/README.md +2 -0
data/modules/mu/defaults/amazon_images.yaml +121 -0
data/modules/mu/defaults/google_images.yaml +16 -0
data/modules/mu/deploy.rb +686 -0
data/modules/mu/groomer.rb +123 -0
data/modules/mu/groomers/README.md +58 -0
data/modules/mu/groomers/chef.rb +1024 -0
data/modules/mu/kittens.rb +11319 -0
data/modules/mu/logger.rb +208 -0
data/modules/mu/master/README.md +27 -0
data/modules/mu/master/chef.rb +471 -0
data/modules/mu/master/ldap.rb +1005 -0
data/modules/mu/master.rb +415 -0
data/modules/mu/mommacat.rb +2703 -0
data/modules/mu-load-config.rb +1 -0
data/modules/mu.rb +724 -0
data/modules/scratchpad.erb +1 -0
data/modules/tests/super_complex_bok.yml +41 -0
data/modules/tests/super_simple_bok.yml +40 -0
data/mu.gemspec +62 -0
data/roles/demo-dbservice-configure.json +19 -0
data/roles/demo-portal-configure.json +19 -0
data/roles/mu-master-jenkins.json +24 -0
data/roles/mu-master-nagios-only.json +13 -0
data/roles/mu-master.json +12 -0
data/roles/mu-node.json +19 -0
data/roles/mu-splunk-server.json +13 -0
data/roles/mu-splunk.json +13 -0
data/test/clean_up.py +25 -0
data/test/demo-test-profile/README.md +3 -0
data/test/demo-test-profile/controls/flask.rb +84 -0
data/test/demo-test-profile/inspec.lock +7 -0
data/test/demo-test-profile/inspec.yml +11 -0
data/test/etco-test-profile/README.md +3 -0
data/test/etco-test-profile/controls/all-in-one.rb +182 -0
data/test/etco-test-profile/inspec.lock +7 -0
data/test/etco-test-profile/inspec.yml +11 -0
data/test/exec_inspec.py +246 -0
data/test/exec_mu_install.py +241 -0
data/test/exec_retry.py +44 -0
data/test/mu-master-test/README.md +3 -0
data/test/mu-master-test/controls/all_in_one.rb +557 -0
data/test/mu-master-test/inspec.lock +3 -0
data/test/mu-master-test/inspec.yml +11 -0
data/test/mu-tools-test/README.md +3 -0
data/test/mu-tools-test/controls/base.rb +265 -0
data/test/mu-tools-test/inspec.lock +3 -0
data/test/mu-tools-test/inspec.yml +8 -0
data/test/simple-server-php-test/README.md +3 -0
data/test/simple-server-php-test/controls/apachephp.rb +25 -0
data/test/simple-server-php-test/controls/example.rb +19 -0
data/test/simple-server-php-test/inspec.lock +7 -0
data/test/simple-server-php-test/inspec.yml +12 -0
data/test/simple-server-rails-test/README.md +3 -0
data/test/simple-server-rails-test/controls/rails.rb +188 -0
data/test/simple-server-rails-test/inspec.lock +7 -0
data/test/simple-server-rails-test/inspec.yml +11 -0
data/test/simple-windows-test/README.md +3 -0
data/test/simple-windows-test/controls/windows.rb +20 -0
data/test/simple-windows-test/inspec.lock +7 -0
data/test/simple-windows-test/inspec.yml +11 -0
data/test/smoke_test.rb +75 -0
data/test/wordpress-test/README.md +3 -0
data/test/wordpress-test/controls/wordpress.rb +97 -0
data/test/wordpress-test/inspec.lock +7 -0
data/test/wordpress-test/inspec.yml +11 -0
metadata +979 -0

data/install/deprecated-bash-library.sh ADDED Viewed

@@ -0,0 +1,1891 @@
+#!/bin/sh
+#
+# This script installs and configures (or reconfigures) an Mu Master,
+# setting up the Mu tools, Chef, and assorted support libraries and utilities.
+#
+# clean containing environment of nonsense
+unset GEM_HOME
+unset GEM_PATH
+DIST_VERSION=`rpm -qa \*-release\* | grep -Ei "redhat|centos" | cut -d"-" -f3`
+IS_AMAZON=0
+if [ "$DIST_VERSION" == "" ];then # funny package name in Amazon Linux
+#  DIST_VERSION=`rpm -qa \*-release\* | cut -d"-" -f3` # XXX always 6 for now
+  DIST_VERSION=6
+  IS_AMAZON=1
+elif [ "$DIST_VERSION" == "server" ];then # funny package name in RHEL6
+  DIST_VERSION="6"
+fi
+EPEL_RPM="http://mirror.metrocast.net/fedora/epel/epel-release-latest-$DIST_VERSION.noarch.rpm"
+CHEF_CLIENT_VERSION="12.17.44-1"
+CHEF_SERVER_VERSION="12.11.1-1"
+if [ "$DIST_VERSION" == "7" ];then
+  # mariadb replaces mysql, qt and qt-x11 are required by gecode which is required by the dep_selector gem.
+  PACKAGES="git curl vim-enhanced zip unzip java-1.8.0-openjdk gcc gcc-c++ make libxml2-devel libxslt-devel cryptsetup-luks python-pip lsof mlocate strace nmap openssl-devel readline-devel python-devel ImageMagick-devel diffutils patch bind-utils httpd-tools gecode-devel mailx postgresql-devel openssl libyaml graphviz graphviz-devel mariadb mariadb-devel qt qt-x11 iptables-services jq"
+  DEL_PACKAGES="nagios firewalld"
+  OPSCODE_CHEF_PKG="chef-server-core-$CHEF_SERVER_VERSION.el7.x86_64"
+  OPSCODE_CHEF_DL="https://packages.chef.io/stable/el/7/${OPSCODE_CHEF_PKG}.rpm"
+  CHEF_CLIENT_PKG="chef-$CHEF_CLIENT_VERSION.el7.x86_64"
+  RUBY_RPM="https://s3.amazonaws.com/cloudamatic/ruby23-2.3.1-1.el7.centos.x86_64.rpm"
+  RUBY_INSTALL_DIR="/opt/rubies/ruby-2.3.1"
+  RUBY_VERSION="ruby23-2.3.1"
+  GECODE_RPMS="https://s3.amazonaws.com/cap-public/gecode-3.7.3-2.el7.centos.x86_64.rpm https://s3.amazonaws.com/cap-public/gecode-devel-3.7.3-2.el7.centos.x86_64.rpm"
+else
+  PACKAGES="git curl vim-enhanced zip unzip java-1.5.0-gcj java-1.8.0-openjdk mysql-server gcc gcc-c++ make libxml2-devel libxslt-devel cryptsetup-luks python-pip lsof mlocate strace nmap openssl-devel readline-devel python-devel diffutils patch bind-utils httpd-tools mailx mysql-devel postgresql-devel openssl libyaml graphviz autoconf ImageMagick-devel graphviz-devel jq"
+  if [ "$IS_AMAZON" != "1" ];then
+    PACKAGES="${PACKAGES} gecode-devel"
+#  else
+#    PACKAGES="${PACKAGES} "
+  fi
+  OPSCODE_CHEF_PKG="chef-server-core-$CHEF_SERVER_VERSION.el6.x86_64"
+  OPSCODE_CHEF_DL="https://packages.chef.io/stable/el/6/${OPSCODE_CHEF_PKG}.rpm"
+  CHEF_CLIENT_PKG="chef-$CHEF_CLIENT_VERSION.el6.x86_64"
+  RUBY_RPM="https://s3.amazonaws.com/cloudamatic/ruby23-2.3.1-1.el6.x86_64.rpm"
+  RUBY_INSTALL_DIR="/opt/rubies/ruby-2.3.1"
+  RUBY_VERSION="ruby23-2.3.1"
+  DEL_PACKAGES="nagios"
+fi
+if ! curl --fail http://169.254.169.254/latest/meta-data/instance-id > /dev/null 2>&1;then
+  IN_AWS=0
+else
+  GET_METADATA="curl --fail -s -S http://169.254.169.254/latest"
+  IN_AWS=1
+fi
+if ! curl --fail http://metadata.google.internal/computeMetadata/v1/instance/name -H "Metadata-Flavor: Google" > /dev/null 2>&1;then
+  IN_GOOGLE=0
+else
+  GET_METADATA="curl --fail -s -S http://metadata.google.internal/computeMetadata/v1"
+  IN_GOOGLE=1
+fi
+RCFILE=".murc"
+#tput will cause a noninteractive session to silently fail, else color things
+if [ -t 0 ]; then
+  BOLD=`tput bold`
+  NORM=`tput sgr0`
+  BLACK=`tput setaf 0`
+  RED=`tput setaf 1`
+  GREEN=`tput setaf 2`
+  YELLOW=`tput setaf 3`
+  BLUE=`tput setaf 4`
+  PINK=`tput setaf 5`
+  CYAN=`tput setaf 6`
+  WHITE=`tput setaf 7`
+fi
+export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+# Non-root users can only customize certain configuration parameters
+if [ "root" == "`whoami`" ];then
+  CONFIG_VARS="AWS_ACCESS AWS_SECRET MU_ADMIN_EMAIL MU_ADMIN_PW JENKINS_ADMIN_PW MU_INSTALLDIR MU_DATADIR ADDTL_CHEF_REPOS MU_REPO CHEF_PUBLIC_IP HOST_NAME EC2SECGROUP LOG_BUCKET_NAME ALLOW_INVADE_FOREIGN_VPCS MU_SSL_CERT MU_SSL_KEY MU_SSL_CHAIN"
+  RO_CONFIG_VARS="AWS_ACCOUNT_NUMBER EC2_REGION"
+else
+  CONFIG_VARS="AWS_ACCESS AWS_SECRET MU_DATADIR ADDTL_CHEF_REPOS MU_REPO LOG_BUCKET_NAME"
+  RO_CONFIG_VARS="AWS_ACCOUNT_NUMBER EC2_REGION CHEF_PUBLIC_IP HOST_NAME EC2SECGROUP MU_INSTALLDIR"
+fi
+usage()
+{
+  echo "Create or reconfigure your Chef master."
+  echo "Usage: $0 [-d] [-c /path/to/murc] [-b branch]"
+  echo "    -d: Use default values and run non-interactively."
+  echo "    -b: Choose a branch (default: master)."
+  echo "    -c: Use an alternate .murc file."
+  echo "    -k: Run curl with -k to skip SSL certificate checks."
+  exit 1
+}
+_me="`basename $0`"
+#if  [ "$_me" == "mu-configure" ];then
+#  chef_artifacts_uploaded=1
+#  if [ -d "$MU_LIBDIR/.git" ]; then
+#    cd $MU_LIBDIR
+#    MUBRANCH="`git branch 2>/dev/null | egrep '^\*' |cut -d' ' -f2`"
+#  fi
+#fi
+if [ "$_me" == "mu-self-update" ];then
+  library=1
+fi
+if [ "$_me" == "mu-upload-chef-artifacts" ];then
+  library=1
+fi
+if [ "$_me" == "mu-user-manage" ];then
+  library=1
+fi
+curl_dash_k=1
+chef_self_test=0
+if [ "$library" != "1" ];then
+  while getopts "c:tdhkb:" opt; do
+    case $opt in
+      c)
+        MURC=$OPTARG
+        ;;
+      d)
+        use_defaults=1
+        ;;
+      b)
+        MUBRANCH=$OPTARG
+        ;;
+      k)
+        curl_dash_k=1
+        ;;
+      h)
+        usage
+        ;;
+      \?)
+        usage
+        ;;
+    esac
+  done
+else
+  set +e
+  set +x
+fi
+umask 0077
+# Populate key environment variables. Default them to whatever's set in the
+# environment we've inherited, and failing that, see if we can extract some of
+# them from this instance's EC2 metadata.
+USER=`whoami`
+if [ "$MU_INSTALLDIR" == "" ];then
+  MU_INSTALLDIR="/opt/mu"
+fi
+if [ "$MU_SSL_CERT" == "" ];then
+  MU_SSL_CERT="/opt/mu/var/ssl/mommacat.crt"
+fi
+if [ "$MU_SSL_KEY" == "" ];then
+  MU_SSL_KEY="/opt/mu/var/ssl/mommacat.key"
+fi
+if [ "$MU_SSL_CHAIN" == "" ];then
+  MU_SSL_CHAIN="/opt/mu/var/ssl/Mu_CA.pem"
+fi
+HOMEDIR="`getent passwd \"$USER\" |cut -d: -f6`"
+MU_CHEF_CACHE="$HOMEDIR/.chef"
+if [ -z $MU_DATADIR ];then
+  if [ "$USER" != "root" ];then
+    MU_DATADIR="$HOMEDIR/.mu"
+  else
+    MU_DATADIR="$MU_INSTALLDIR/var"
+  fi
+fi
+if [ "$MU_LIBDIR" == "" ];then
+  MU_LIBDIR="$MU_INSTALLDIR/lib"
+fi
+if [ "$MURC" == "" ];then
+  if [ "$USER" != "root" ];then
+    MURC="$HOMEDIR/$RCFILE"
+  else
+    MURC="$MU_INSTALLDIR/etc/mu.rc"
+    test -f "$MU_INSTALLDIR/etc/mu.rc" || ( mkdir -p $MU_INSTALLDIR/etc && touch "$MU_INSTALLDIR/etc/mu.rc" )
+    chmod 755 $MU_INSTALLDIR/etc
+  fi
+fi
+# Source the global .murc file, then overlay the local one if it exists
+test -f "$MU_INSTALLDIR/etc/mu.rc" && source "$MU_INSTALLDIR/etc/mu.rc"
+if [ -f "$MURC" -a "$MURC" != "$MU_INSTALLDIR/etc/mu.rc" ] ;then
+  source $MURC
+fi
+MU_REPO='cloudamatic/mu.git'
+if [ "$MUBRANCH" == "" ];then
+  if [ -d "$MU_LIBDIR/.git" ]; then
+    cd $MU_LIBDIR
+    MUBRANCH="`git branch 2>/dev/null | grep '^\*' | awk '{print $2}'`"
+  fi
+  if [ "$MUBRANCH" == "" ];then
+    MUBRANCH="master"
+  fi
+fi
+MU_REPO_NAME="`echo $MU_REPO | cut -d/ -f2 | sed -e 's/\.git$//'`"
+MY_PRIVATE_IP=""
+if [ "$IN_AWS" == "1" ];then
+  if [ "$EC2_AVAILABILITY_ZONE" == "" ];then
+    EC2_AVAILABILITY_ZONE=`$GET_METADATA/meta-data/placement/availability-zone`
+  fi
+  if [ "$EC2_REGION" == "" ];then
+    EC2_REGION=`$GET_METADATA/dynamic/instance-identity/document|grep region|awk -F\" '{print $4}'`
+  fi
+  if [ "$AWS_ACCOUNT_NUMBER" == "" ];then
+    AWS_ACCOUNT_NUMBER=`$GET_METADATA/dynamic/instance-identity/document|grep accountId|awk -F\" '{print $4}'`
+  fi
+  ip_pattern='^[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+$'
+  MY_INSTANCE_ID="`$GET_METADATA/meta-data/instance-id`"
+  MY_PRIVATE_IP="`$GET_METADATA/meta-data/local-ipv4 | egrep \"$ip_pattern\"`"
+  MY_PUBLIC_IP="`$GET_METADATA/meta-data/public-ipv4 2>&1 | egrep \"$ip_pattern\"`"
+  if [ "$MY_PRIVATE_IP" == "" ];then
+    echo "Couldn't determine my private IP with '$GET_METADATA/meta-data/local-ipv4'"
+    exit 1
+  fi
+elif [ "$IN_GOOGLE" == "1" ];then
+  MY_INSTANCE_ID="`$GET_METADATA/instance/name -H 'Metadata-Flavor: Google'`"
+  MY_PRIVATE_IP="`$GET_METADATA/instance/network-interfaces/0/ip -H 'Metadata-Flavor: Google'`"
+  if [ "$MY_PRIVATE_IP" == "" ];then
+    echo "Couldn't determine my private IP with '$GET_METADATA/instance/network-interfaces/0/ip'"
+    exit 1
+  fi
+#  MY_PUBLIC_IP="`$GET_METADATA/meta-data/public-ipv4 | egrep \"$ip_pattern\"`"
+fi
+if [ "$CHEF_PUBLIC_IP" == "" -a "$MY_PUBLIC_IP" != "" ];then
+  CHEF_PUBLIC_IP=$MY_PUBLIC_IP
+fi
+if [ "$MY_PUBLIC_IP" == "" ];then
+  MY_PUBLIC_IP=$MY_PRIVATE_IP
+fi
+if [ "$HOST_NAME" == "" ];then
+  HOST_NAME="`hostname -s`"
+fi
+MY_VPC_ID=""
+# Figure out if we have at least one interface in a VPC
+if [ "$IN_AWS" == "1" ];then
+  if [ "$LOG_BUCKET_NAME" == "" ];then
+    LOG_BUCKET_NAME="mu-logs-${HOST_NAME}-${MY_INSTANCE_ID}"
+  fi
+  for mac in `$GET_METADATA/meta-data/network/interfaces/macs/`;do
+    vpc_id="`$GET_METADATA/meta-data/network/interfaces/macs/$mac/vpc-id | egrep '^vpc\-'`"
+    if [ "$vpc_id" != "" ];then
+      MY_VPC_ID=$vpc_id
+      break
+    fi
+  done
+  IAM_ROLE="`$GET_METADATA/meta-data/iam/security-credentials/ 2> /dev/null`"
+fi
+###############################################################################
+fail_with_message()
+{
+  if [ "$1" != "" ];then
+    echo ""
+    echo "${RED}*******************************************************************************${NORM}"
+    echo "${RED}*******************************************************************************${NORM}"
+    echo $1
+    test "$2" != "" && echo $2
+    echo "${RED}*******************************************************************************${NORM}"
+    echo "${RED}*******************************************************************************${NORM}"
+    echo ""
+  fi
+  exit 1
+}
+###############################################################################
+warning_message()
+{
+  if [ "$1" != "" ];then
+    echo ""
+    echo "${YELLOW}*******************************************************************************${NORM}"
+    echo $1
+    test "$2" != "" && echo $2
+    echo "${YELLOW}*******************************************************************************${NORM}"
+    echo ""
+  fi
+}
+###############################################################################
+status_message()
+{
+  if [ "$1" != "" ];then
+    echo ""
+    echo "${GREEN}*******************************************************************************${NORM}"
+    echo $1
+    test "$2" != "" && echo $2
+    echo "${GREEN}*******************************************************************************${NORM}"
+    echo ""
+  fi
+}
+###############################################################################
+# Useful for accessing our parallel key/value structure.
+# Accepts named key as argument
+# Returns value of target env variable from array structures
+# Uses stdout so do **not** echo or printf in this function
+###############################################################################
+return_targetvar_value()
+{
+    for i in "${!var_name[@]}"; do
+      if [ ${var_name[$i]}  = "$1" ]; then
+         printf '%s' ${var_val[$i]}
+        break
+      fi
+    done
+}
+###############################################################################
+update_murc()
+{
+  name="$1"
+  value="$2"
+  murc_path="$3"
+  if [ "$murc_path" == "" ];then
+    murc_path="$MURC"
+  fi
+  if [ "$name" == "" ];then
+    fail_with_message "update_murc called with missing variable name"
+  fi
+  test -f $murc_path && sed -i "/^export $name=.*/d" $murc_path
+  echo "export $name=\"$value\"" >> $murc_path
+  chmod 644 $murc_path
+}
+###############################################################################
+set_path_env_vars()
+{
+  MU_REPO_NAME="`echo $MU_REPO | cut -d/ -f2 | sed -e 's/\.git$//'`"
+  HOMEDIR="`getent passwd \"$USER\" |cut -d: -f6`"
+  MU_CHEF_CACHE="$HOMEDIR/.chef"
+  SSHDIR="$HOMEDIR/.ssh"
+  ENVFILE="$HOMEDIR/.bash_profile"
+  mkdir -p $MU_INSTALLDIR/etc $MU_INSTALLDIR/bin $MU_DATADIR/deployments
+  chmod 755 $MU_INSTALLDIR $MU_DATADIR
+  DEVOPS_TMP_DIR='/tmp/.mu.$$'
+  update_murc MU_INSTALLDIR $MU_INSTALLDIR
+  update_murc MU_DATADIR $MU_DATADIR
+  AWS_ACCESS_KEY_ID=$AWS_ACCESS
+  AWS_SECRET_ACCESS_KEY=$AWS_SECRET
+}
+pivotal_cfg_setup(){
+  port=$2
+  if [ "$port" == "" ];then
+    port=7443
+  fi
+  cat >> /etc/opscode/pivotal.rb.tmp.$$ << EOF
+node_name "pivotal"
+chef_server_url "https://${CHEF_PUBLIC_IP}:$port"
+chef_server_root "https://${CHEF_PUBLIC_IP}:$port"
+client_key "/etc/opscode/pivotal.pem"
+ssl_verify_mode :verify_none
+EOF
+  if [ ! -f /etc/opscode/pivotal.rb -o "`diff /etc/opscode/pivotal.rb /etc/opscode/pivotal.rb.tmp.$$`" != "" ];then
+    /bin/mv -f /etc/opscode/pivotal.rb.tmp.$$ /etc/opscode/pivotal.rb
+  fi
+  pivotal_pem="/opt/opscode/embedded/service/omnibus-ctl/spec/fixtures/pivotal.pem"
+  if [ -f /etc/opscode/pivotal.pem ];then
+    pivotal_pem="/etc/opscode/pivotal.pem"
+  fi
+  pivotal_cfg="-u pivotal -k $pivotal_pem"
+  knife ssl fetch $pivotal_cfg > /dev/null 2>&1
+  eval "$1=\"$pivotal_cfg\""
+}
+remove_chef_org()
+{
+  org="$1"
+  pivotal_cfg_setup pivotal_cfg
+  # chef-server-ctl generates a spectcular amount of stupid noise
+  filter="(ffi-yajl|falling back to ffi)"
+  if ! /opt/opscode/bin/chef-server-ctl org-list $pivotal_cfg 2>&1 | egrep -v "$filter" | grep "^$org$" >/dev/null;then
+    warning_message "Chef org ${BOLD}$org${NORM} already removed"
+  else
+    status_message "Deleting Chef org ${BOLD}$org${NORM}"
+    /opt/opscode/bin/chef-server-ctl org-delete -y "$org" $pivotal_cfg 2>&1 | egrep -v "$filter"
+  fi
+}
+manage_chef_org()
+{
+  org=$1
+  orgname=$2
+  add_user=$3
+  association_user=$4
+  if curl -k -so /dev/null https://${CHEF_PUBLIC_IP}:7443;then
+    pivotal_cfg_setup pivotal_cfg
+  else
+    pivotal_cfg_setup pivotal_cfg 443
+  fi
+  # chef-server-ctl generates a spectcular amount of stupid noise
+  filter="(ffi-yajl|falling back to ffi)"
+  if [ "$orgname" == "" ];then
+    orgname="$org"
+  fi
+  mkdir -p $MU_DATADIR/orgs/$org
+  assoc=""
+  if [ "$association_user" != "" ];then
+    assoc="-a $association_user"
+  fi
+  keypath="$MU_DATADIR/orgs/$org/$org.org.key"
+  if ! /opt/opscode/bin/chef-server-ctl org-list $pivotal_cfg 2>&1 | egrep -v "$filter" | grep "^$org$" >/dev/null;then
+    if [ "$association_user" != "" ];then
+      status_message "Creating Chef organization ${BOLD}$org${NORM} with admin user ${BOLD}$association_user${NORM}"
+    else
+      status_message "Creating Chef organization ${BOLD}$org${NORM}"
+    fi
+    attempts=0
+    while : ;do
+      /bin/rm -f $keypath
+      cmd="/opt/opscode/bin/chef-server-ctl org-create $org $orgname $assoc -f $keypath $pivotal_cfg"
+      $cmd 2>&1 | egrep -v "$filter"
+      test -f $keypath && grep 'BEGIN RSA PRIVATE KEY' $keypath > /dev/null && break
+      attempts=`expr $attempts + 1`
+      if [ $attempts -gt 5 ];then
+        output="`$cmd 2>&1 | egrep -v \"$filter\"`"
+        warning_message "Unable to set up Chef org ${BOLD}$org${NORM}" "$cmd: $output"
+        break
+      fi
+    done
+    if [ "$association_user" != "" ];then
+      if [ "$association_user" != "mu" ];then
+        user_home="`getent passwd \"$association_user\" |cut -d: -f6`"
+      else
+        user_home="`getent passwd \"root\" |cut -d: -f6`"
+      fi
+      mkdir -p "$user_home/.chef"
+      /bin/cp -f "$keypath" "$user_home/.chef/"
+    fi
+  fi
+  if [ "$add_user" != "" -a "$add_user" != "$association_user" ];then
+    status_message "Adding ${BOLD}$add_user${NORM} to Chef organization ${BOLD}$org${NORM}"
+    cmd="/opt/opscode/bin/chef-server-ctl org-user-add $org $add_user $pivotal_cfg"
+    $cmd 2>&1 | egrep -v "$filter"
+    if [ "$org" != "mu" ];then
+      if [ "$add_user" != "mu" ];then
+        user_home="`getent passwd \"$add_user\" |cut -d: -f6`"
+      else
+        user_home="`getent passwd \"root\" |cut -d: -f6`"
+      fi
+      mkdir -p "$user_home/.chef"
+      /bin/cp -f "$keypath" "$user_home/.chef/"
+    fi
+  fi
+#   warning_message "Failed to add ${BOLD}$user${NORM} to Chef org ${BOLD}$org${NORM}" "$cmd"
+}
+remove_chef_user_from_org()
+{
+  user="$1"
+  org="$2"
+  pivotal_cfg_setup pivotal_cfg
+  # chef-server-ctl generates a spectcular amount of stupid noise
+  filter="(ffi-yajl|falling back to ffi)"
+  status_message "Removing ${BOLD}$user${NORM} from Chef org ${BOLD}$org${NORM}"
+  /opt/opscode/bin/chef-server-ctl org-user-remove "$org" "$user" -y $pivotal_cfg 2>&1 | egrep -v "$filter"
+}
+remove_chef_user()
+{
+  user="$1"
+  pivotal_cfg_setup pivotal_cfg
+  # chef-server-ctl generates a spectcular amount of stupid noise
+  filter="(ffi-yajl|falling back to ffi)"
+  if ! /opt/opscode/bin/chef-server-ctl user-list $pivotal_cfg 2>&1 | egrep -v "$filter" | grep "^$user$" >/dev/null;then
+    warning_message "Chef user ${BOLD}$user${NORM} already removed"
+  else
+    remove_chef_org "$user"
+    for org in `/opt/opscode/bin/chef-server-ctl user-show $user --with-orgs $pivotal_cfg 2>&1 | egrep -v "$filter" | grep ^organizations: |cut -d: -f2`;do
+      remove_chef_user_from_org "$user" "$org"
+    done
+    status_message "Deleting Chef user ${BOLD}$user${NORM}"
+    /opt/opscode/bin/chef-server-ctl user-delete "$user" -y $pivotal_cfg 2>&1 | egrep -v "$filter"
+  fi
+}
+list_chef_users(){
+  # chef-server-ctl generates a spectcular amount of stupid noise
+  filter="(ffi-yajl|falling back to ffi)"
+  list="`/opt/opscode/bin/chef-server-ctl user-list 2>&1 | egrep -v \"$filter\" | egrep -v '^(pivotal)$' | tr -s '\n' ' '`"
+  eval "$1=\"$list\""
+}
+manage_chef_user()
+{
+  user="$1"
+  pass="$2"
+  name="$3"
+  email="$4"
+  org="$5"
+  is_admin="$6"
+  is_normal="$7"
+  replace="$8"
+  if [ "$is_admin" == "1" -a "$is_normal" == "1" ];then
+    fail_with_message "Can't force-set a Chef user to both administrator and regular user"
+  fi
+  mkdir -p "$MU_DATADIR/users/$user"
+  /bin/chmod g+rsx "$MU_DATADIR/users"
+  /bin/chgrp mu-users "$MU_DATADIR/users"
+  if curl -k -so /dev/null https://${CHEF_PUBLIC_IP}:7443;then
+    pivotal_cfg_setup pivotal_cfg
+  else
+    pivotal_cfg_setup pivotal_cfg 443
+  fi
+  # chef-server-ctl generates a spectcular amount of stupid noise
+  filter="(ffi-yajl|falling back to ffi)"
+  if ! ( [ -f "$MU_DATADIR/users/$user/$user.user.key" ] && /opt/opscode/bin/chef-server-ctl user-list 2>&1 | egrep -v "$filter" | grep "^$user$" >/dev/null );then
+    ok=1
+    if [ "$name" == "" ];then
+      warning_message "Must supply a real name to create new Chef user ${BOLD}$user${NORM}"
+      ok=0
+    fi
+    if [ "$email" == "" ];then
+      warning_message "Must supply an email address to create new Chef user ${BOLD}$user${NORM}"
+      ok=0
+    fi
+    if [ "$pass" == "" ];then
+      warning_message "Must supply a password to create new Chef user ${BOLD}$user${NORM}"
+      ok=0
+    fi
+    if [ "$ok" != "1" ];then
+      return
+    fi
+    status_message "Creating Chef user ${BOLD}$user${NORM} - $name ($email)"
+    attempts=0
+    keypath="$MU_DATADIR/users/$user/$user.user.key"
+    if [ ! -f "$MU_DATADIR/users/$user/$user.user.key" -a "$replace" != "" ];then
+      /opt/opscode/bin/chef-server-ctl user-delete "$user" -y $pivotal_cfg 2>&1 | egrep -v "$filter"
+    fi
+    create_cmd="/opt/opscode/bin/chef-server-ctl user-create $user $name $email $pass $pivotal_cfg -f $keypath"
+    while : ;do
+      /bin/rm -f "$keypath"
+      # XXX Flinging passwords around CLI calls is terrible, need a better way
+      # to do this. Maybe we need local-brew directory services.
+      $create_cmd 2>&1 | egrep -v "$filter"
+      test -f "$keypath" && grep 'BEGIN RSA PRIVATE KEY' "$keypath" > /dev/null && break
+      attempts=`expr $attempts + 1`
+      if [ $attempts -gt 5 ];then
+        output="`$create_cmd 2>&1 | egrep -v \"$filter\"`"
+        warning_message "Unable to set up Chef ${BOLD}$user${NORM} user" "$create_cmd: $output"
+        break
+      fi
+    done
+    if [ "$user" != "mu" ];then
+      user_home="`getent passwd \"$user\" |cut -d: -f6`"
+    else
+      user_home="`getent passwd \"root\" |cut -d: -f6`"
+    fi
+    mkdir -p "$user_home/.chef"
+    /bin/cp -f "$keypath" "$user_home/.chef/"
+    manage_chef_org "$user" "$user" "" "$user"
+    set_knife_rb "organizations/$user" "$user" "https://${CHEF_PUBLIC_IP}:7443"
+    status_message "Configuring ${BOLD}$user_home/.chef/client.rb${NORM}"
+    cat /dev/null > "$user_home/.chef/client.rb"
+    cat >> "$user_home/.chef/client.rb" << EOF
+#
+# Client settings
+#
+log_level        :info
+log_location     STDOUT
+chef_server_url  "https://${CHEF_PUBLIC_IP}:7443/organizations/$user"
+validation_client_name '$user-validator'
+EOF
+    if [ "$user" != "mu" ];then
+      chown -R "$user" "$user_home/.chef/"
+      runuser -l "$user" -c "cd $user_home && /opt/chef/bin/knife ssl fetch" > /root/knifesslfetch.out 2>&1
+    else
+      /opt/chef/bin/knife ssl fetch > /dev/null 2>&1
+    fi
+    if [ "$add_org" != "" ];then
+      manage_chef_org "$add_org" "$add_org" "$user" "mu"
+    fi
+    if [ "$is_admin" == "1" ];then
+      manage_chef_org "mu" "" "$user"
+    elif [ "$is_normal" == "1" ];then
+      remove_chef_user_from_org "$user" "mu"
+    fi
+  else
+    status_message "Updating Chef user ${BOLD}$user${NORM}"
+    if [ "$add_org" != "" ];then
+      manage_chef_org "$add_org" "$add_org" "$user" "mu"
+    fi
+    if [ "$is_admin" == "1" ];then
+      manage_chef_org "mu" "" "$user"
+    elif [ "$is_normal" == "1" ];then
+      remove_chef_user_from_org "$user" "mu"
+    fi
+    if [ "$password" != "" ];then
+      warning_message "You'll have to enter the new password again for Chef" "Also it will display it back to you in plain text. Yeah."
+      /opt/opscode/bin/chef-server-ctl password $user
+    fi
+  fi
+}
+###############################################################################
+validate_setup_env_vars(){
+  n=1
+  validate_errs=0
+  while [ "${var_name[$n]}" != "" ];do
+    if [ "${var_name[$n]}" == "AWS_ACCESS" -o "${var_name[$n]}" == "AWS_SECRET" ]; then
+      if [ "$IAM_ROLE" == "" -a "${var_val[$n]}" == "" ];then
+        warning_message "No IAM instance profile assigned to this server. You must specify AWS credentials."
+        validate_errs=1
+      fi
+    elif [ "${var_name[$n]}" == "CHEF_PUBLIC_IP" ]; then
+      if [ "${var_val[$n]}" == "" ];then
+        warning_message "An IP accessible to client nodes must be specified"
+        validate_errs=1
+      fi
+    elif [ "${var_name[$n]}" == "MU_ADMIN_EMAIL" ]; then
+      if [ "${var_val[$n]}" == "" ];then
+        warning_message "You must specify an email contact for the 'mu' admin user."
+        validate_errs=1
+      elif ! ( echo ${var_val[$n]} | egrep -q '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}$' ) ; then
+        warning_message "The 'mu' admin user email contact is badly formed!"
+        validate_errs=1
+      fi
+    elif [ "${var_name[$n]}" == "MU_ADMIN_PW" -a ! -f "$MU_CHEF_CACHE/mu.user.key" ]; then
+      if [ "${var_val[$n]}" == "" ];then
+        warning_message "You must specify a password for the 'mu' admin user."
+        validate_errs=1
+      fi
+    elif [ "${var_name[$n]}" == "LOG_BUCKET_NAME" ]; then
+      if [ "${var_val[$n]}" == "" ];then
+        warning_message "You must specify a dns-legal log bucket name ."
+        validate_errs=1
+      elif ! ( echo ${var_val[$n]} | egrep -q '^[a-z0-9.-]*$' ) ; then
+        warning_message "The log bucket name is badly formed!"
+        validate_errs=1
+      fi
+    elif [ "${var_name[$n]}" == "JENKINS_ADMIN_PW" ]; then
+      if [ "${var_val[$n]}" == "" ];then
+        warning_message "You must specify a password for the 'jenkins' admin user to enable the Jenkins front-end. Jenkins will not be enabled at this time. Rerun mu-configure and supply a password if you wish to enable it."
+        sleep 5
+      fi
+    fi
+    n=$[$n +1]
+  done
+  MU_ADMIN_EMAIL_VAL=$(return_targetvar_value "MU_ADMIN_EMAIL")
+  JENKINS_ADMIN_EMAIL_VAL=$(return_targetvar_value "MU_ADMIN_EMAIL")
+}
+###############################################################################
+print_setup_env_vars(){
+  echo "${CYAN}System-wide settings${NORM}:"
+  for ro in $RO_CONFIG_VARS;do
+      echo "  ${BOLD}$ro${NORM}: ${CYAN}${!ro}${NORM}"
+  done
+  echo "${GREEN}Configurable settings to write to ${BOLD}$MURC${NORM}:"
+  n=1
+  while [ "${var_name[$n]}" != "" ];do
+    if [ "${var_name[$n]}" == "CHEF_PUBLIC_IP" ]; then
+      if [ "$MY_VPC_ID" != "" ];then
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (if in private subnet, set to bastion public IP): ${GREEN}${var_val[$n]}${NORM}"
+      else
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (OPTIONAL; will try to guess): ${GREEN}${var_val[$n]}${NORM}"
+      fi
+    elif [ "${var_name[$n]}" == "AWS_ACCESS" -o "${var_name[$n]}" == "AWS_SECRET" ]; then
+      if [ "$IAM_ROLE" != "" ];then
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (N/A if IAM role ${BOLD}$IAM_ROLE${NORM} has admin privs): ${GREEN}${var_val[$n]}${NORM}"
+      else
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (required): ${GREEN}${var_val[$n]}${NORM}"
+      fi
+    elif [ "${var_name[$n]}" == "MU_ADMIN_EMAIL" ]; then
+      echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (required): ${GREEN}${var_val[$n]}${NORM}"
+    elif [ "${var_name[$n]}" == "MU_ADMIN_PW" ]; then
+      if [ "${var_val[$n]}" != "" -o -f "$MU_CHEF_CACHE/mu.user.key" ];then
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (required): ********"
+      else
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (required):"
+      fi
+    elif [ "${var_name[$n]}" == "JENKINS_ADMIN_PW" ]; then
+      if [ "${var_val[$n]}" != "" ];then
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (OPTIONAL): ********"
+      else
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (OPTIONAL):"
+      fi
+    elif [ "${var_name[$n]}" == "EC2SECGROUP" ]; then
+      if [ "$MY_VPC_ID" == "" ];then
+        echo "  ${BOLD}$n${NORM}) ${var_name[$n]} (OPTIONAL; will try to guess): ${GREEN}${var_val[$n]}${NORM}"
+      fi
+    else
+      echo "  ${BOLD}$n${NORM}) ${var_name[$n]}: ${GREEN}${var_val[$n]}${NORM}"
+    fi
+    n=$[$n +1]
+  done
+}
+chef_client()
+{
+  punch_tcp_hole 7443 # sometimes this isn't ready
+  upload_chef_artifacts -n -r $MU_REPO_NAME
+  status_message "chef-client $@"
+  chef_cert_name="`echo $CHEF_PUBLIC_IP | sed 's/\./_/g'`"
+  /bin/cp -f /opt/mu/var/ssl/Mu_CA.pem /etc/chef/trusted_certs/
+  if (knife ssl check -c /etc/chef/client.rb | egrep "^ERROR.*certificate");then
+    /bin/rm -f /etc/chef/trusted_certs/${chef_cert_name}.crt
+    /bin/rm -f /etc/chef/trusted_certs/${HOST_NAME}_platform-mu.crt
+    /opt/chef/bin/knife ssl fetch -c /etc/chef/client.rb
+  fi
+  # Same, but for /root/.chef/trusted_certs
+  /bin/cp -f /opt/mu/var/ssl/Mu_CA.pem /root/.chef/trusted_certs/
+  if (knife ssl check | egrep "^ERROR.*certificate");then
+    /bin/rm -f /root/.chef/trusted_certs/${chef_cert_name}.crt
+    /bin/rm -f /root/.chef/trusted_certs/${HOST_NAME}_platform-mu.crt
+    /opt/chef/bin/knife ssl fetch
+  fi
+  chef-client $@
+}
+###############################################################################
+chef_server_ctl()
+{
+  cmd=$1
+  pivotal_cfg_setup pivotal_cfg
+  status_message "/opt/opscode/bin/chef-server-ctl $cmd"
+  if ! /opt/opscode/bin/chef-server-ctl $cmd > /dev/null;then
+    status_message "Bad exit code from chef-server-ctl $cmd! Logs:"
+    (/opt/opscode/bin/chef-server-ctl tail) & pid=$!
+    pgid="`ps x -o  \"%p %r %y %x %c \" | egrep \"^[[:space:]]*$pid[[:space:]]+\" | awk '{print $2}'`"
+    sleep 10 && kill -TERM -$pgid
+    fail_with_message "Bad exit code from chef-server-ctl $cmd! See above logs. $pid $pgid"
+  fi
+}
+###############################################################################
+## Patch knife-windows to deal with Cygwin
+patch_knife_windows()
+{
+  kw_version="1.8.0"
+  for rubydir in $RUBY_INSTALL_DIR /opt/chef/embedded;do
+    if [ -d "$rubydir/lib/ruby/gems" ];then
+      # Remove gem versions other than the one we're mangling
+      for gem in `find $rubydir/lib/ruby/gems -type d -name 'knife-windows-*' | grep -v "knife-windows-$kw_version" | sed 's/.*\///'`;do
+        kw_badversion="`echo $gem | cut -d\- -f3`"
+        status_message "Removing knife-windows $kw_badversion from $rubydir"
+        $rubydir/bin/gem uninstall --force knife-windows --version $kw_badversion
+      done
+      knife_win_dir=`find $rubydir/lib/ruby/gems -type d -name knife-windows-$kw_version | grep -v /doc/knife-windows`
+      if [ "$knife_win_dir" == "" ];then
+        status_message "Installing knife-windows-$kw_version in $rubydir"
+        $rubydir/bin/gem install --force knife-windows --version $kw_version
+        knife_win_dir=`find $rubydir/lib/ruby/gems -type d -name knife-windows-$kw_version | grep -v /doc/knife-windows`
+      fi
+      if [ "`grep -i 'locate_config_value(:cygwin)' $knife_win_dir/lib/chef/knife/bootstrap_windows_base.rb`" == "" ];then
+        status_message "Patching Cygwin support into knife-windows-$kw_version in $rubydir"
+        cd $knife_win_dir && patch -p1 < $MU_LIBDIR/install/knife-windows-cygwin-$kw_version.patch || warning_message "Failed to patch knife-windows gem! Cygwin-based deploys of Windows hosts may not work!"
+      fi
+#    if [ "`grep -i '@config\[:node_ssl_verify_mode\]' $knife_win_dir/lib/chef/knife/core/windows_bootstrap_context.rb`" == "" ];then
+#      status_message "Patching Chef 12 support into knife-windows-$kw_version in $rubydir"
+#      cd $knife_win_dir && patch -p1 < $MU_LIBDIR/install/knife-windows-chef12-$kw_version.patch || warning_message "Failed to patch knife-windows gem! Cygwin-based deploys of Windows hosts may not work!"
+#    fi
+      if [ -e $rubydir ];then
+        find $rubydir/lib/ruby/gems -type f -exec chmod o+r {} \;
+        find $rubydir/lib/ruby/gems -type d -exec chmod o+rx {} \;
+      fi
+    fi
+  done
+  cd
+}
+###############################################################################
+adjust_config_vars()
+{
+  n=1
+  for v in $CONFIG_VARS;do
+    var_name[$n]=$v
+    var_val[$n]=${!v}
+    n=$[$n +1]
+  done
+  last_var=$n
+  print_setup_env_vars
+  bypass_aws_creds=0
+  while
+    read -p "Enter ${BOLD}O${NORM} to proceed with this config, or select a number to change. `echo $'\n> '`" config
+  do
+    echo ""
+    if [ "$config" == "O" -o "$config" == "o" ];then
+      validate_setup_env_vars
+      if [ $validate_errs == 0 ];then
+        break
+      fi
+    elif ! echo $config | egrep '^[0-9]{1,2}$' ; then
+      warning_message "Invalid option $config"
+      print_setup_env_vars
+      continue
+    else [ "${var_name[$config]}" != "" ] 2>/dev/null
+      # Process vars with password-style reads
+      if [ "${var_name[$config]}" == "MU_ADMIN_PW" ];then
+        read -s -p "Enter password for the ${BOLD}mu${NORM} admin user. `echo $'\n> '`" newval
+      elif [ "${var_name[$config]}" == "JENKINS_ADMIN_PW" ];then
+        read -s -p "Enter password for the ${BOLD}jenkins${NORM} admin user. `echo $'\n> '`" newval
+      else
+        # Process vars with normal style reads and special prompts
+        case ${var_name[$config]} in
+          "ADDTL_CHEF_REPOS")
+            echo "Enter the Github repos from which we'll pull Chef artifacts additional to those "
+            echo "from $MU_REPO. Delineate multiple repositories with spaces. Example:"
+            echo "${BOLD}eGT-Labs/mu-internal.git HHS/healthdata_platform.git${NORM}"
+            echo ""
+            ;;&
+          "MU_ADMIN_EMAIL")
+            echo "Enter an email address for the internal 'mu' user."
+            echo "Note that you won't be able to reuse this address for a regular user. See also:"
+            echo "https://github.com/chef/chef-server/issues/59"
+            ;;&
+          *)
+          # Everybody gets a read
+            read -p "Enter new value for ${BOLD}${var_name[$config]}${NORM}. `echo $'\n> '`" newval
+            ;;
+        esac
+      fi
+      var_val[$config]=$newval
+      print_setup_env_vars
+    fi
+  done
+  n=1
+  homedir="`getent passwd \"$USER\" |cut -d: -f6`"
+  while [ "${var_name[$n]}" != "" ];do
+    if [ "${var_name[$n]}" != "PATH" ];then
+      eval "export ${var_name[$n]}=\"${var_val[$n]}\""
+    fi
+    # Set these in .murc too
+    if [ "${var_name[$n]}" == "AWS_ACCESS" -a "${var_val[$n]}" == "" ];then
+      echo "AWS_ACCESS is empty, leaving it unset" > /dev/null
+    elif [ "${var_name[$n]}" == "AWS_SECRET" -a "${var_val[$n]}" == "" ];then
+      echo "AWS_SECRET is empty, leaving it unset" > /dev/null
+    elif [ "${var_name[$n]}" != "MU_ADMIN_PW" -a "${var_name[$n]}" != "JENKINS_ADMIN_PW" ];then
+      update_murc ${var_name[$n]} "${var_val[$n]}"
+    fi
+    n=$[$n +1]
+  done
+  # Special cases- alternate env variable names for AWS credentials
+  if [ "$AWS_ACCESS" != "" ];then
+    update_murc AWS_ACCESS_KEY_ID $AWS_ACCESS
+  fi
+  if [ "$AWS_SECRET" != "" ];then
+    update_murc AWS_SECRET_ACCESS_KEY $AWS_SECRET
+  fi
+  for v in $RO_CONFIG_VARS;do
+    update_murc $v "${!v}"
+  done
+}
+###############################################################################
+create_ssh_config()
+{
+  mkdir -p $SSHDIR
+  touch $SSHDIR/config
+  chmod 600 $SSHDIR/config
+#  grep "^StrictHostKeyChecking " $SSHDIR/config || echo "StrictHostKeyChecking no" >> $SSHDIR/config
+}
+###############################################################################
+set_up_github_ssh_key()
+{
+  set -e
+  keyname="github-key-from-mu-install.$$"
+  echo "Paste a ${BOLD}private${NORM} SSH key for $1 here (^D to commit):"
+  cat > $SSHDIR/$keyname
+  chmod 400 $SSHDIR/$keyname
+  echo "Host github.com" >> $SSHDIR/config
+  echo "  User git" >> $SSHDIR/config
+  echo "  IdentityFile $SSHDIR/$keyname" >> $SSHDIR/config
+  echo "  StrictHostKeyChecking no" >> $SSHDIR/config
+  set +e
+  export keyname
+}
+###############################################################################
+# Only use this if called right after set_up_github_ssh_key. It's not smart.
+expunge_github_ssh_key(){
+  keyname=$1
+  head -n -3 $SSHDIR/config > $SSHDIR/config.tmp.$$
+  /bin/mv -f $SSHDIR/config.tmp.$$ $SSHDIR/config
+  /bin/rm -f $keyname
+  unset keyname
+}
+fix_platform_repo_permissions()
+{
+  chefdir="$1"
+  if [ "$chefdir" != "" ];then
+    chmod go+rx $chefdir
+    for subdir in applications cookbooks site_cookbooks roles environments data_bags modules Berks* README.md LICENSE.md demo;do
+      if [ -e "$chefdir/$subdir" ];then
+        find "$chefdir/$subdir" -type d -exec chmod go+rx {} \;
+        find "$chefdir/$subdir" -type f -exec chmod go+r {} \;
+      fi
+    done
+    for subdir in bin utils;do
+      if [ -e "$chefdir/$subdir" ];then
+        find "$chefdir/$subdir" -type d -exec chmod go+rx {} \;
+        find "$chefdir/$subdir" -type f -exec chmod go+rx {} \;
+      fi
+    done
+  fi
+}
+###############################################################################
+clone_repository()
+{
+  set +e
+  repo=$1
+  clone_path=$2
+  clone_ssh="git clone git@github.com:$repo $clone_path"
+  # This is ugly. Adding a 30 second timeout for HTTPS clone so we don't hang if prompted for a username and/or password.
+  clone_https="timeout 30 git clone https://github.com/$repo $clone_path"
+  mkdir -p $clone_path
+  if [ "$(ls -A $clone_path)" ];then
+    echo "$clone_path exists and is non-empty. I'm going to assume the repo has already been cloned..."
+    sleep 3
+  else
+    mkdir -p $SSHDIR
+    echo "Attempting to clone $repo without private key."
+    echo $clone_https
+    $clone_https 2>&1 > /dev/null
+    if [ "$(ls -A $clone_path)" ];then
+      echo "$clone_path exists and is not empty. I'm going to assume $repo was cloned successfully without a private key"
+    else
+      if [ "`grep ^github.com $SSHDIR/known_hosts 2>/dev/null`" != "" ];then
+        echo "Attempting to clone $repo with existing keys..."
+        echo $clone_ssh
+        $clone_ssh 2>&1 > /dev/null
+      fi
+      if [ $? != 0 -o "`grep ^github.com $SSHDIR/known_hosts 2>/dev/null`" == "" ];then
+        echo ""
+        authtype=""
+        echo "We'll need a key for access to ${BOLD}$repo${NORM}."
+        if [ "$use_defaults" != "" ];then
+          fail_with_message "In non-interactive mode, but I need Git credentials! Run without -n."
+        fi
+        while /bin/true ;do
+          rm -rf $clone_path
+          expunge_github_ssh_key $keyname
+          echo ""
+          set_up_github_ssh_key $repo
+          echo $clone_ssh
+          $clone_ssh && break
+        done
+      fi
+    fi
+  fi
+  fix_platform_repo_permissions "$clone_path"
+}
+###############################################################################
+set_hostname()
+{
+  if [ "$HOST_NAME" != "`hostname -s`" ];then
+    hostname $HOST_NAME
+    sed -i "s/^HOST_NAME=.*/HOST_NAME=$HOST_NAME/" /etc/sysconfig/network
+    if [ $DIST_VERSION == 7 ];then
+      hostnamectl set-hostname $HOST_NAME && systemctl restart systemd-hostnamed
+    fi
+  fi
+  if ! grep "^$MY_PRIVATE_IP $HOST_NAME.platform-mu $HOST_NAME MU-MASTER" /etc/hosts > /dev/null;then
+    sed -i "/ $HOST_NAME/d" /etc/hosts
+    sed -i "/^$MY_PRIVATE_IP/d" /etc/hosts
+    echo "$MY_PRIVATE_IP $HOST_NAME.platform-mu $HOST_NAME MU-MASTER" >> /etc/hosts
+  fi
+  if [ "$MY_PRIVATE_IP" != "$MY_PUBLIC_IP" -a "$MY_PUBLIC_IP" != "" ];then
+    if ! grep "^$MY_PUBLIC_IP $HOST_NAME.platform-mu $HOST_NAME MU-MASTER" /etc/hosts > /dev/null;then
+      sed -i "/ $HOST_NAME/d" /etc/hosts
+      sed -i "/^$MY_PUBLIC_IP/d" /etc/hosts
+      echo "$MY_PRIVATE_IP $HOST_NAME.platform-mu $HOST_NAME MU-MASTER" >> /etc/hosts
+      echo "$MY_PUBLIC_IP $HOST_NAME.platform-mu $HOST_NAME MU-MASTER" >> /etc/hosts
+    fi
+  fi
+  export HOST_NAME
+}
+###############################################################################
+set_logbucket()
+{
+if [ "$LOG_BUCKET_NAME" == "" ];then
+  LOG_BUCKET_NAME="mu-logs-${HOST_NAME}-${MY_INSTANCE_ID}"
+fi
+export LOG_BUCKET_NAME
+update_murc LOG_BUCKET_NAME $LOG_BUCKET_NAME
+}
+###############################################################################
+install_system_packages()
+{
+  if [ ! -f /etc/yum.repos.d/epel.repo ];then
+    status_message "Installing ${BOLD}EPEL${NORM}"
+    rpm -ivh ${EPEL_RPM}
+  fi
+  uninstall_me=""
+  for pkg in $DEL_PACKAGES;do
+    rpm -q $pkg 2>&1 > /dev/null && uninstall_me="${install_me} $pkg"
+  done
+  if [ "$uninstall_me" != "" ];then
+    yum -y erase ${uninstall_me} || exit 1
+  fi
+  install_me=""
+  for pkg in $PACKAGES;do
+    rpm -q $pkg 2>&1 > /dev/null || install_me="${install_me} $pkg"
+  done
+  enables=""
+  for r in rhui-REGION-rhel-server-releases-optional epel extras;do
+    if grep $r /etc/yum.repos.d/* > /dev/null;then
+      enables="${enables} --enablerepo=$r"
+    fi
+  done
+  if [ "$install_me" != "" ];then
+    status_message "Installing ${BOLD}base packages${NORM}"
+    yum -y install ${enables} ${install_me} || exit 1
+  fi
+  # if [ $DIST_VERSION == 7 ];then
+    # for pkg in $GECODE_RPMS;do
+      # rpm -ivh $pkg
+    # done
+  # fi
+}
+###############################################################################
+set_bash_defaults()
+{
+  status_message "Initializing ${BOLD}shell environment${NORM}"
+  # Stange-isms, maybe these don't belong here.
+  grep "alias vi=" $HOMEDIR/.bashrc > /dev/null || echo "alias vi=vim" >> $HOMEDIR/.bashrc
+  grep "export EDITOR=vim" $HOMEDIR/.bashrc > /dev/null || echo "export EDITOR=vim" >> $HOMEDIR/.bashrc
+  update_murc PATH "$MU_INSTALLDIR/bin:/usr/local/ruby-current/bin:\${PATH}:/opt/opscode/embedded/bin"
+  grep "^source $MURC" $HOMEDIR/.bashrc > /dev/null || echo "source $MURC" >> $HOMEDIR/.bashrc
+}
+###############################################################################
+clone_mu_repository()
+{
+  rpm -q git > /dev/null || yum -y install git || exit 1
+  status_message "Cloning ${BOLD}$MU_REPO${NORM} to $MU_LIBDIR"
+  clone_repository $MU_REPO "$MU_LIBDIR"
+  status_message "Checking out $MUBRANCH"
+  cd "$MU_LIBDIR" && git checkout "$MUBRANCH"
+}
+###############################################################################
+## Go fetch a current version of Ruby.  Some of our tools will need this,
+## and this isn't the same as the Ruby that is bundled with Chef, which
+## will reside in its own /opt/chef sandbox and should be left unmolested.
+install_ruby()
+{
+  if [ "$1" == "purgeold" ];then
+    status_message "Purging existing ${BOLD}$RUBY_VERSION${NORM} package"
+    rpm -e $RUBY_VERSION
+    rm -rf $RUBY_INSTALL_DIR
+  fi
+  status_message "Installing ${BOLD}$RUBY_VERSION${NORM}"
+  if rpm -q ruby > /dev/null ;then
+    yum -y erase ruby
+  fi
+  if ! rpm -q $RUBY_VERSION > /dev/null ;then
+    if [ "$IS_AMAZON" != "1" ];then
+      yum -y install $RUBY_RPM
+    else
+      rpm -ivh --nodeps $RUBY_RPM # XXX hack workaround for spurious dependency
+    fi
+  fi
+  rm -f /usr/local/ruby-current
+  ln -s $RUBY_INSTALL_DIR /usr/local/ruby-current
+  # Init Mu's gem library now that it has a Ruby to use.
+  export USE_SYSTEM_GECODE=1
+  if [ ! -f $RUBY_INSTALL_DIR/bin/bundle ];then
+    set -e
+    $RUBY_INSTALL_DIR/bin/gem install bundler
+    cd $MU_LIBDIR/modules && $RUBY_INSTALL_DIR/bin/bundle install
+    set +e
+  fi
+  add_chef_support_gems $RUBY_INSTALL_DIR
+}
+###############################################################################
+## Fetch cookbooks managed by berkshelf
+install_cookbooks()
+{
+  status_message "Installing Berkshelf cookbooks specified in $MU_LIBDIR/Berksfile"
+  rm -rf $HOMEDIR/.berkshelf/cookbooks/*
+  cd $MU_LIBDIR && ( /usr/local/ruby-current/bin/berks install || /usr/local/ruby-current/bin/berks update )
+}
+###############################################################################
+## Let's use the AWS CLI tools in lieu of... well, all the other crufty
+## tools we might try.
+install_awscli()
+{
+  status_message "Installing ${BOLD}awscli${NORM}"
+  test -x /usr/bin/aws || pip install awscli
+  if [ ! -f $HOMEDIR/.aws/config ];then
+    mkdir -p $HOMEDIR/.aws
+    cat > $HOMEDIR/.aws/config <<EOF
+[default]
+region = $EC2_REGION
+EOF
+    if [ "$AWS_SECRET" != "" -a "$AWS_ACCESS" != "" ];then
+      echo "aws_access_key_id = $AWS_ACCESS" >> $HOMEDIR/.aws/config
+      echo "aws_secret_access_key = $AWS_SECRET" >> $HOMEDIR/.aws/config
+    else
+      echo "${BOLD}AWS_SECRET${NORM} or ${BOLD}AWS_ACCESS${NORM} aren't set!"
+      echo "Note that ${BOLD}awscli${NORM} will not work without credentials, unless you have configured"
+      echo "${BOLD}IAM Roles${NORM} to allow us to manage resources."
+      echo ""
+    fi
+  else
+    echo "Looks like /usr/bin/aws is already present."
+  fi
+  test -f $HOMEDIR/.aws/config && chmod 400 $HOMEDIR/.aws/config
+  if ! aws ec2 describe-instances --instance-ids $MY_INSTANCE_ID >/dev/null;then
+    warning_message "I can't run basic AWS commands with awscli!" "Tried: aws ec2 describe-instances --instance-ids $MY_INSTANCE_ID"
+  fi
+}
+###############################################################################
+## Create our internal-use ".platform-mu" private DNS zone
+create_private_dns_zone()
+{
+  status_message "Creating private ${BOLD}.platform-mu${NORM} DNS zone"
+  $MU_LIBDIR/bin/mu-aws-setup -d
+}
+###############################################################################
+## Associate our preferred public IP address, if applicable.
+associate_public_ip()
+{
+  status_message "Setting IP to ${BOLD}$CHEF_PUBLIC_IP${NORM}"
+  $MU_LIBDIR/bin/mu-aws-setup -i
+}
+###############################################################################
+configure_ec2_security_group()
+{
+  status_message "Detecting ${BOLD}EC2 Security Group${NORM} configuration"
+  set -e
+  EC2SECGROUP="`$MU_LIBDIR/bin/mu-aws-setup -s | grep 'Setting' | cut -d'(' -f2 | cut -d')' -f1`"
+  set +e
+  update_murc EC2SECGROUP $EC2SECGROUP
+}
+###############################################################################
+punch_tcp_hole()
+{
+  port=$1
+# status_message "Opening firewall for port ${BOLD}$port${NORM}"
+  /sbin/iptables -nL | egrep "^ACCEPT.*dpt:$port($| )" > /dev/null || ( /sbin/iptables -I INPUT -p tcp --dport $port -j ACCEPT && service iptables save )
+}
+###############################################################################
+## Install gems for Rubies that use Chef
+add_chef_support_gems()
+{
+  rubydir=$1
+  set -e
+  $rubydir/bin/gem list | grep '^bundler' > /dev/null || $rubydir/bin/gem install bundler --no-rdoc --no-ri
+  status_message "Installing support gems in $rubydir"
+  cd $MU_LIBDIR/modules && $rubydir/bin/bundle install
+  $rubydir/bin/gem update --system
+  set +e
+  find $rubydir/ -type f -exec chmod go+r {} \;
+  find $rubydir/bin -type f -exec chmod go+rx {} \;
+  find $rubydir/ -type d -exec chmod go+rx {} \;
+}
+###############################################################################
+## Set up knife.rb for root
+set_knife_rb()
+{
+  basepath="$1"
+  knife_user="$2"
+  url="$3"
+  chef_cache="$MU_CHEF_CACHE"
+  if [ "$knife_user" == "" ];then
+    knife_user="mu"
+  elif [ "$knife_user" != "mu" ];then
+    chef_cache="`getent passwd \"$association_user\" |cut -d: -f6`/.chef"
+  fi
+  mkdir -p $chef_cache
+  cat /dev/null > $chef_cache/knife.rb
+# XXX verify_api_cert ssl_verify_mode shouldn't have to be set like this.
+# don't release with this grotesquely insecure configuration.
+  cat > $chef_cache/knife.rb.tmp.$$ << EOF
+log_level                :info
+log_location             STDOUT
+node_name                '$knife_user'
+client_key               '$chef_cache/$knife_user.user.key'
+validation_client_name   '$knife_user-validator'
+validation_key           '$chef_cache/$knife_user.org.key'
+chef_server_url "https://${CHEF_PUBLIC_IP}:7443/$basepath"
+chef_server_root "https://${CHEF_PUBLIC_IP}:7443/$basepath"
+syntax_check_cache_path  '$chef_cache/syntax_check_cache'
+cookbook_path [ '$chef_cache/cookbooks', '$chef_cache/site_cookbooks' ]
+knife[:vault_mode] = 'client'
+knife[:vault_admins] = ['$knife_user']
+# verify_api_cert    false
+# ssl_verify_mode    :verify_none
+EOF
+  mv -f $chef_cache/knife.rb.tmp.$$ $chef_cache/knife.rb
+}
+###############################################################################
+## Install the Chef Omnibus package.
+install_chef()
+{
+  punch_tcp_hole 80
+  punch_tcp_hole 443
+  punch_tcp_hole 7443
+  # Sometimes we get a half-deleted Chef package in our way
+  if [ ! -d /opt/chef ];then
+    rpm -e chef
+  fi
+  # Chef Server 12 inexplicably ships with old, broken versions of the
+  # client. Install something sane.
+  if ! rpm -q $CHEF_CLIENT_PKG > /dev/null ;then
+    status_message "Installing current Chef client"
+    yum -y erase chef || rpm -e chef # one of these will get it
+    rm -rf /opt/chef # and stay out
+    curl https://www.chef.io/chef/install.sh > /root/chef-install.sh
+    sh /root/chef-install.sh -v $CHEF_CLIENT_VERSION
+  fi
+  if [ -f /opt/chef/embedded/bin/gem ];then
+    add_chef_support_gems /opt/chef/embedded
+  fi
+  port="`grep \"'ssl_port'\" /etc/opscode/chef-server.rb | awk '{print $3}'`"
+  if [ "$port" == "" ];then
+    port="443"
+    service httpd stop # sits on 443, and Chef is stupid; disable temporarily
+  fi
+  set_knife_rb organizations/mu mu "https://${CHEF_PUBLIC_IP}:$port"
+  # Now Chef server
+  if ! rpm -q chef-server-core > /dev/null ;then
+    if rpm -q chef-server > /dev/null ;then
+      /opt/chef-server/bin/chef-server-ctl stop
+    fi
+    status_message "Installing ${BOLD}Chef Server${NORM} (listen port: ${port})"
+    rpm -ivh $OPSCODE_CHEF_DL
+    find /opt/opscode/embedded/lib/ruby -type f -exec chmod o+r {} \;
+    find /opt/opscode/embedded/lib/ruby -type d -exec chmod o+rx {} \;
+    pivotal_cfg_setup pivotal_cfg $port
+    /opt/opscode/bin/chef-server-ctl reconfigure
+    chef_self_test=1
+  elif [ ! -f "/var/opt/opscode/nginx/ca/${CHEF_PUBLIC_IP}.crt" ];then
+    status_message "Hostname or IP may have changed, reconfiguring Chef (listen port: ${port})"
+    pivotal_cfg_setup pivotal_cfg $port
+    /opt/opscode/bin/chef-server-ctl restart
+    /opt/opscode/bin/chef-server-ctl reconfigure
+    knife ssl fetch -u pivotal -k /etc/opscode/pivotal.pem -s https://${CHEF_PUBLIC_IP}:$port > /dev/null 2>&1
+    rm -f /etc/chef/client.*
+    knife node delete -y MU-MASTER
+    knife client delete -y MU-MASTER
+    chef_self_test=1
+  fi
+# add_chef_support_gems /opt/opscode/embedded
+  pivotal_cfg_setup pivotal_cfg $port
+  knife ssl fetch $pivotal_cfg > /dev/null 2>&1
+  list_chef_users ext_chef_users
+  umask 0077
+# if ! ( echo "$ext_chef_users" | egrep "(^| )mu( |$)" > /dev/null );then
+  if  [ ! -f "$MU_DATADIR/users/mu/mu.user.key" -o ! -f "$MU_CHEF_CACHE/mu.org.key" ];then
+    manage_chef_user "mu" "$MU_ADMIN_PW" "Mu Master" "$MU_ADMIN_EMAIL" "" "1" "" "1"
+  fi
+  mkdir -p "$MU_DATADIR/users/mu"
+  echo "$MU_ADMIN_EMAIL" > "$MU_DATADIR/users/mu/email"
+  echo "Mu Master" > "$MU_DATADIR/users/mu/realname"
+  if [ ! -f "$MU_DATADIR/users/mu/htpasswd" -a "$MU_ADMIN_PW" != "" ];then
+    # XXX this is sloppy as hell, from a security standpoint
+    /usr/bin/htpasswd -c -b -m "$MU_DATADIR/users/mu/htpasswd" "mu" "$MU_ADMIN_PW"
+  fi
+  set_knife_rb organizations/mu mu "https://${CHEF_PUBLIC_IP}:$port"
+  /opt/chef/bin/knife ssl fetch -s https://$CHEF_PUBLIC_IP:$port > /dev/null 2>&1
+  umask 0022
+  cur_chef="`rpm -q chef-server-core`"
+  if [ "$cur_chef" != "$OPSCODE_CHEF_PKG" ];then
+    status_message "Upgrading ${BOLD}Chef Server${NORM}"
+    if rpm -Uvh $OPSCODE_CHEF_DL;then
+      chef_self_test=1
+      /opt/opscode/bin/chef-server-ctl upgrade
+      find /opt/opscode/embedded/lib/ruby -type f -exec chmod o+r {} \;
+      find /opt/opscode/embedded/lib/ruby -type d -exec chmod o+rx {} \;
+      /opt/opscode/bin/chef-server-ctl reconfigure
+#     add_chef_support_gems /opt/opscode/embedded
+      $RUBY_INSTALLDIR/bin/bundle update chef
+      /opt/opscode/bin/chef-server-ctl start
+    else
+      warning_message "Failed to upgrade to package $OPSCODE_CHEF_DL"
+    fi
+  fi
+  export CHEF_PUBLIC_IP
+  if ! ( echo $PATH | egrep ":/opt/opscode/embedded/bin(:|$)" > /dev/null );then
+    export PATH="$MU_INSTALLDIR/bin:${PATH}:/opt/opscode/embedded/bin"
+  fi
+  mkdir -p /etc/opscode
+  cat >> /etc/opscode/chef-server.rb.tmp.$$ << EOF
+#
+# Mu Chef Server Settings
+#
+server_name="$CHEF_PUBLIC_IP"
+api_fqdn server_name
+nginx['server_name'] = server_name
+nginx['enable_non_ssl'] = false
+nginx['non_ssl_port'] = 81
+nginx['ssl_port'] = 7443
+nginx['ssl_ciphers'] = "HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
+nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
+nginx['ssl_certificate'] = "$MU_SSL_CERT"
+nginx['ssl_certificate_key'] = "$MU_SSL_KEY"
+bookshelf['external_url'] = "https://"+server_name+":7443"
+bookshelf['vip_port'] = 7443
+EOF
+  if [ ! -f /etc/opscode/chef-server.rb -o "`diff /etc/opscode/chef-server.rb /etc/opscode/chef-server.rb.tmp.$$`" != "" ];then
+    /bin/mv -f /etc/opscode/chef-server.rb.tmp.$$ /etc/opscode/chef-server.rb
+    chef_server_ctl reconfigure
+  else
+    /bin/rm -f /etc/opscode/chef-server.rb.tmp.$$
+  fi
+  # XXX workaround for vile chef bug, see:
+  # https://github.com/chef/chef-server/issues/50
+#  if ! grep "s3_url, \"https:\/\/${HOST_NAME}.platform-mu:7443\"" /var/opt/opscode/opscode-erchef/sys.config > /dev/null;then
+#    status_message "Switching ${BOLD}Chef Server${NORM} to port ${BOLD}7443${NORM}"
+#    /bin/sed -i "s/s3_url, \"https:\/\/${HOST_NAME}.platform-mu\"/s3_url, \"https:\/\/${HOST_NAME}.platform-mu:7443\"/" /var/opt/opscode/opscode-erchef/sys.config
+#    chef_server_ctl restart
+#  fi
+  set_knife_rb organizations/mu mu "https://${CHEF_PUBLIC_IP}:7443"
+  /opt/chef/bin/knife ssl fetch -s https://$CHEF_PUBLIC_IP:7443 > /dev/null 2>&1
+  /opt/chef/bin/knife ssl fetch -s https://localhost:7443 > /dev/null 2>&1
+  /opt/chef/bin/knife ssl fetch -s https://127.0.0.1:7443 > /dev/null 2>&1
+  pivotal_cfg_setup pivotal_cfg 7443
+  cat >> /etc/chef/client.rb.tmp.$$ << EOF
+log_location     STDOUT
+chef_server_url  "https://${CHEF_PUBLIC_IP}:7443/organizations/mu"
+validation_client_name "mu-validator"
+node_name "MU-MASTER"
+trusted_certs_dir "/etc/chef/trusted_certs"
+EOF
+  if [ -f /etc/chef/client.rb -a "`diff /etc/chef/client.rb /etc/chef/client.rb.tmp.$$`" != "" ];then
+    /bin/cp -f /etc/chef/client.rb.tmp.$$ /etc/chef/client.rb
+  fi
+  if [ -f /root/.chef/client.rb -a "`diff /root/.chef/client.rb /etc/chef/client.rb.tmp.$$`" != "" ];then
+    /bin/cp -f /etc/chef/client.rb.tmp.$$ /root/.chef/client.rb
+  fi
+  /bin/rm -f /etc/chef/client.rb.tmp.$$ /etc/chef/validation.pem
+  /sbin/service httpd start 2>&1 > /dev/null
+  punch_tcp_hole 7443 # sometimes this isn't ready
+  knife vault create scratchpad dummy '{ "merp":"meep" }'
+  knife vault delete -y scratchpad dummy
+}
+upload_chef_artifacts()
+{
+  punch_tcp_hole 7443 # sometimes this isn't ready
+  if [ "$chef_artifacts_uploaded" != "1" ];then
+    if ! echo "$@" | egrep -- "-n" ;then
+      rm -rf $HOMEDIR/.berkshelf
+      rm -rf $HOMEDIR/.chef/cookbooks
+      rm -rf $HOMEDIR/.chef/site_cookbooks
+      rm -rf $MU_LIBDIR/cookbooks/cap-*
+      for a in cookbooks site_bookbooks data_bags roles environments;do
+        /bin/rm -rf $MU_CHEF_CACHE/$a
+      done
+    fi
+    /opt/chef/bin/knife ssl fetch -s https://$CHEF_PUBLIC_IP > /dev/null 2>&1
+    status_message "Syncing Chef artifacts to running server..."
+    $MU_LIBDIR/bin/mu-upload-chef-artifacts $@
+    chef_artifacts_uploaded_by_installer=1
+  fi
+  chef_artifacts_uploaded=1
+}
+###############################################################################
+## Set us up to use ~/.chef, and knife accordingly.
+setup_chef_cache()
+{
+  upload_chef_artifacts=$1
+  status_message "Setting up local Chef cache in ${BOLD}$MU_CHEF_CACHE${NORM}"
+  mkdir -p $MU_CHEF_CACHE
+}
+###############################################################################
+## Get ~/.devops arranged
+install_mu_executables()
+{
+  status_message "Installing/updating Mu executables"
+#  if [ "$_me" == "mu-self-update" ];then
+# XXX need to test this a different way
+#    if [ "`diff $MU_LIBDIR/bin/$_me $MU_INSTALLDIR/bin/$_me`" != "" -o "`diff $MU_LIBDIR/install/mu_setup $MU_INSTALLDIR/bin/mu-configure`" != "" ];then
+#      status_message "We're updating $_me, and $_me has changed." "Re-invoking as ${BOLD}$MU_LIBDIR/bin/$_me $@${NORM}"
+#      /bin/cp -f $MU_LIBDIR/bin/$_me $MU_INSTALLDIR/bin/$_me
+#      /bin/cp -f $MU_LIBDIR/install/mu_setup $MU_INSTALLDIR/bin/mu-configure
+#      chmod 0755 $MU_INSTALLDIR/bin/$_me $MU_INSTALLDIR/bin/mu-configure
+#      exec $MU_LIBDIR/bin/$_me $1 $2 $3 $4 $5 $6 $7 $8 $9
+#      exit
+#    fi
+#  fi
+  rm -rf $MU_INSTALLDIR/bin/*
+  # most executables should just be symlinks
+  _files=$MU_LIBDIR/bin/*
+  for file in $_files;do
+    f="`basename $file`"
+    if [ "$f" != "mu-self-update" ];then
+      ln -s $MU_LIBDIR/bin/$f $MU_INSTALLDIR/bin/$f
+    fi
+  done
+  /bin/cp -f $MU_LIBDIR/bin/mu-self-update $MU_INSTALLDIR/bin/mu-self-update
+#  /bin/cp -f $MU_LIBDIR/install/mu_setup $MU_INSTALLDIR/bin/mu-configure
+  chmod 0755 $MU_INSTALLDIR/bin/mu-self-update $MU_INSTALLDIR/bin/mu-configure
+  # ...and make sure the flippin' link to mu-cli-lib.rb is right.
+  /bin/rm -f $MU_INSTALLDIR/bin/mu-load-config.rb
+  /bin/ln -s $MU_LIBDIR/modules/mu-load-config.rb $MU_INSTALLDIR/bin/mu-load-config.rb
+  chef_bin=/opt/chef/embedded/bin
+  # We can get invoked before Chef is installed, so handle that gracefully
+  if [ -d $chef_bin ];then
+    for f in `ls -1 $chef_bin/*knife* $chef_bin/*chef* $chef_bin/*ohai*`;do
+      name="`basename $f`"
+      ln -s $f $MU_INSTALLDIR/bin/$name
+    done
+  fi
+  # Same thing, but for server-only executables
+  chef_bin=/opt/opscode/embedded/bin
+  if [ -d $chef_bin ];then
+    for f in `ls -1 $chef_bin/*knife* $chef_bin/*chef* $chef_bin/*ohai*`;do
+      name="`basename $f`"
+      if [ ! -h $MU_INSTALLDIR/bin/$name ];then
+        ln -s $f $MU_INSTALLDIR/bin/$name
+      fi
+    done
+  fi
+  chmod 755 $MU_INSTALLDIR/bin
+}
+start_momma_cat()
+{
+  status_message "Setting up ${BOLD}mu-momma-cat${NORM}"
+  punch_tcp_hole 2260
+  /bin/cp -f $MU_LIBDIR/bin/mu-momma-cat /etc/init.d/
+  chkconfig mu-momma-cat on
+  service mu-momma-cat restart
+}
+###############################################################################
+setup_localhost_chef_client()
+{
+  punch_tcp_hole 7443 # sometimes this isn't ready
+  allowuser="`grep ^AllowUsers /etc/ssh/sshd_config | awk '{print $2}'`"
+  if [ "$allowuser" == "" ];then
+    allowuser="root"
+  fi
+  if [ ! -f $HOMEDIR/.ssh/id_rsa.pub ];then
+    ssh-keygen -N '' -f $HOMEDIR/.ssh/id_rsa
+    chmod 600 $HOMEDIR/.ssh/id_rsa
+  fi
+  # On CentOS 7 and the like, this is some non-root user
+  ssh_homedir="`getent passwd \"$allowuser\" |cut -d: -f6`"
+  mkdir -p "$ssh_homedir/.ssh/"
+  pubkey="`cat $HOMEDIR/.ssh/id_rsa.pub`"
+  if [ "`grep \"$pubkey\" $ssh_homedir/.ssh/authorized_keys`" == "" ];then
+    echo "$pubkey" >> $ssh_homedir/.ssh/authorized_keys
+  fi
+  chown -R "$allowuser" "$ssh_homedir/.ssh/"
+  if [ "`grep '^Host localhost' $HOMEDIR/.ssh/config`" == "" ];then
+    echo "Host localhost" >> $HOMEDIR/.ssh/config
+    echo "  IdentityFile $HOMEDIR/.ssh/id_rsa"  >> $HOMEDIR/.ssh/config
+  fi
+  if [ "`/opt/chef/bin/knife node list | grep '^CAP-MASTER$'`" == "CAP-MASTER" ];then
+    warning_message "Removing old Chef node profile 'CAP-MASTER'"
+    rm -f /etc/chef/client.*
+    /opt/chef/bin/knife node delete -y CAP-MASTER
+    /opt/chef/bin/knife client delete -y CAP-MASTER
+  fi
+  if [ "`/opt/chef/bin/knife node list | grep '^MU-MASTER$'`" != "MU-MASTER" ];then
+    status_message "Bootstrapping localhost as Chef node 'MU-MASTER'"
+    chef_artifacts_uploaded=0
+    if [ "$chef_artifacts_uploaded_by_installer" != "1" ];then
+      upload_chef_artifacts -n -r $MU_REPO_NAME
+    fi
+    mkdir -p /etc/chef
+    if [ "$allowuser" == "root" -o "$allowuser" == "" ];then
+      /opt/chef/bin/knife bootstrap -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none ${CHEF_PUBLIC_IP}
+    else
+      /opt/chef/bin/knife bootstrap -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -x ${allowuser} --sudo ${CHEF_PUBLIC_IP}
+    fi
+    run_chef_client=0
+  fi
+  status_message "Configuring local LDAP directory"
+  punch_tcp_hole 389
+  punch_tcp_hole 636
+  $MU_LIBDIR/install/ldap_setup.rb
+  /opt/chef/bin/knife node run_list remove MU-MASTER "role[mu-master-jenkins]" > /dev/null 2>&1 # buggy prior invocations get fouled up on subsequent runs
+  /opt/chef/bin/knife node run_list add MU-MASTER "role[mu-master]"
+  chef_client
+}
+###############################################################################
+configure_nagios_server()
+{
+  status_message "Configuring the ${BOLD}Nagios${NORM} server"
+  punch_tcp_hole 8443
+  if [ "`/bin/ls $MU_DATADIR/users/`" == "" ];then
+    echo "${RED}Cannot enable Nagios until at least one admin user is specified.${NORM}"
+    echo "${RED}Use ${BOLD}mu-user-manage${NORM}${RED} to create and manage users.${NORM}"
+    return
+  fi
+  if [ "`grep ^nagios: /etc/passwd`" == "" -o "`pgrep -u nagios -f /usr/sbin/nagios`" == "" ];then
+    # skip this if we're being called from mu-self-update and have already
+    # done it
+    if [ "$chef_artifacts_uploaded" != 1 ];then
+	    upload_chef_artifacts -r mu
+    	upload_chef_artifacts -n
+    fi
+    chef_client -o "recipe[mu-master::update_nagios_only]"
+    run_chef_client=0
+  fi
+  mkdir -p /opt/mu/var/nagios_user_home
+  chown nagios:nagios /opt/mu/var/nagios_user_home
+  if [ "`grep ^nagios: /etc/passwd | grep /opt/mu/var/nagios_user_home`" = "" ];then
+    /sbin/service nagios stop
+    sleep 5
+    /usr/bin/pkill -u nagios
+    /usr/sbin/usermod -d /opt/mu/var/nagios_user_home nagios
+    /sbin/service nagios start
+  fi
+  if [ -d /home/nagios ];then
+    /bin/mv -f /home/nagios /home/nagios.old
+    /bin/ln -s /opt/mu/var/nagios_user_home /home/nagios
+  fi
+}
+###############################################################################
+preconfigure_jenkins_artifacts()
+{
+  punch_tcp_hole 7443 # sometimes this isn't ready
+  if [ "$JENKINS_ADMIN_PW" != "" ];then
+        status_message "Configuring the ${BOLD}Jenkins${NORM} artifacts"
+        punch_tcp_hole 9443
+        if [ "`/bin/ls $MU_DATADIR/users/`" == "" ];then
+                echo "${RED}Cannot enable Jenkins until at least one admin user is specified.${NORM}"
+                echo "${RED}Use ${BOLD}mu-user-manage${NORM}${RED} to create and manage users.${NORM}"
+                return
+        fi
+        # skip user and vault creation if we're being called from mu-self-update and have already
+        # done it
+        #
+        if ! (knife vault show jenkins > /dev/null 2>&1) ;then
+          # Create Jenkins Vault with admin and user items
+          $MU_LIBDIR/install/jenkinskeys.rb
+          knife vault create jenkins users "{\"mu_user_password\":\"$JENKINS_ADMIN_PW\"}" --mode client -F json -u mu --search name:MU-MASTER
+          # Create the Jenkins user
+        fi
+        if [ ! -d /home/jenkins ];then
+          $MU_LIBDIR/bin/mu-user-manage jenkins -e $JENKINS_ADMIN_EMAIL -p "$JENKINS_ADMIN_PW" -n "Jenkins Service" -s --no-scratchpad
+          su - jenkins -c "ls"
+        fi
+  fi
+  mkdir -p /home/jenkins
+  chown jenkins /home/jenkins
+}
+generate_docs()
+{
+  status_message "Generating documentation"
+  cd $MU_LIBDIR/modules && /usr/local/ruby-current/bin/bundle install
+  /usr/local/ruby-current/bin/ruby $MU_INSTALLDIR/bin/mu-gen-docs
+}
+generate_ssl_certs()
+{
+  status_message "Managing internal SSL certificates"
+  skip_chef="$1"
+  mkdir -p $MU_DATADIR/ssl
+  cd $MU_DATADIR/ssl
+  if [ -f Mu_CA.pem ];then
+    # Force us to clean up crusty old certs that we generated badly
+    if ! ( /usr/bin/openssl x509 -in $MU_DATADIR/ssl/Mu_CA.pem -text -noout | grep "Subject: CN=$CHEF_PUBLIC_IP, OU=Mu Server $CHEF_PUBLIC_IP," > /dev/null );then
+      /usr/bin/openssl x509 -in $MU_DATADIR/ssl/Mu_CA.pem -text -noout | grep "Subject: "
+      status_message "Forcing regeneration of Mu's self-signed SSL certificate authority (didn't see ${BOLD}Subject: CN=$CHEF_PUBLIC_IP, OU=Mu Server $CHEF_PUBLIC_IP,${NORM})"
+      /usr/bin/openssl x509 -in $MU_DATADIR/ssl/Mu_CA.pem -text -noout | grep "Subject: "
+      /bin/rm -f Mu_CA.*
+    fi
+  fi
+  regen_all=0
+  if [ ! -f Mu_CA.pem ];then
+    regen_all=1
+    status_message "Creating internal-use SSL certificate authority"
+    openssl genrsa -out Mu_CA.key 4096
+    chmod 400 Mu_CA.key
+    openssl req -subj "/CN=$CHEF_PUBLIC_IP/OU=Mu Server $CHEF_PUBLIC_IP/O=eGlobalTech/C=US" -x509 -new -nodes -key Mu_CA.key -days 1024 -out Mu_CA.pem -sha512
+    /bin/cp -f Mu_CA.pem $MU_LIBDIR/cookbooks/mu-tools/files/default/Mu_CA.pem
+    if [ "$skip_chef" == "" ];then
+      chef_artifacts_uploaded=0
+      upload_chef_artifacts -r $MU_REPO_NAME -n -s
+    fi
+  elif [ ! -f $MU_LIBDIR/cookbooks/mu-tools/files/default/Mu_CA.pem ];then
+    /bin/cp -f Mu_CA.pem $MU_LIBDIR/cookbooks/mu-tools/files/default/Mu_CA.pem
+    if [ "$skip_chef" == "" ];then
+      chef_artifacts_uploaded=0
+      upload_chef_artifacts -r $MU_REPO_NAME -n -s
+    fi
+  fi
+  # XXX should use set_serial option and maniuplate "serial"
+  for cert in rsyslog mommacat ldap;do
+    if [ -f $cert.crt ];then
+      # Force us to clean up crusty old certs that we generated badly,
+      # making sure the CA cert is bundled while we're at it.
+      if ! ( grep "BEGIN CERTIFICATE" $MU_DATADIR/ssl/$cert.crt | wc -l | grep '^2$' > /dev/null );then
+        status_message "Forcing regeneration of $MU_DATADIR/ssl/$cert.crt"
+        /bin/rm -f $cert.crt
+      elif openssl x509 -text -noout -in $MU_DATADIR/ssl/$cert.crt | grep "Signature Algorithm: sha1WithRSAEncryption" > /dev/null ;then
+        status_message "Forcing regeneration of $MU_DATADIR/ssl/$cert.crt (SHA-1 signature detected)"
+        /bin/rm -f $cert.crt
+      fi
+    fi
+    if [ ! -f $cert.crt -o $regen_all == 1 ];then
+      status_message "Creating self-signed $cert SSL certificate"
+      openssl genrsa -out $cert.key 4096
+      chmod 400 $cert.key
+      openssl req -subj "/CN=$CHEF_PUBLIC_IP/OU=Mu $cert/O=eGlobalTech/C=US" -new -key $cert.key -out $cert.csr -sha512
+      openssl x509 -req -in $cert.csr -CA Mu_CA.pem -CAkey Mu_CA.key -CAcreateserial -out $cert.crt -days 500 -sha512
+      cat Mu_CA.pem >> $cert.crt
+      if [ "$cert" == "mommacat" -a "$skip_chef" == "" ];then
+        chef_server_ctl restart
+        /bin/rm -f /etc/chef/trusted_certs/*.crt /root/.chef/trusted_certs/*.crt
+        /opt/chef/bin/knife ssl fetch -s https://$CHEF_PUBLIC_IP > /dev/null 2>&1
+        /bin/cp -f /root/.chef/trusted_certs/*.crt /etc/chef/trusted_certs/
+        if (knife ssl check -c /etc/chef/client.rb | egrep "^ERROR.*certificate");then
+          /opt/chef/bin/knife ssl fetch -c /etc/chef/client.rb
+        fi
+        if (knife ssl check | egrep "^ERROR.*certificate");then
+          /opt/chef/bin/knife ssl fetch
+        fi
+      fi
+    fi
+    if [ ! -f $cert.p12 -o $regen_all == 1 ];then
+      openssl pkcs12 -export -inkey $cert.key -in $cert.crt -out $cert.p12 -nodes -name "$cert" -passout pass:""
+    fi
+  done
+  /bin/cp -f /opt/mu/var/ssl/Mu_CA.pem /etc/pki/ca-trust/source/anchors/
+  /usr/bin/update-ca-trust force-enable
+  /usr/bin/update-ca-trust extract
+}
+enable_audit_logs()
+{
+  status_message "Enabling Mu audit logs"
+  punch_tcp_hole 10514
+  set -e
+  $MU_LIBDIR/bin/mu-aws-setup -l
+  set +e
+}
+set_permissions()
+{
+  /bin/chmod g+rsx "$MU_DATADIR/users"
+  /bin/chgrp mu-users "$MU_DATADIR/users"
+  cp -a $MU_LIBDIR/extras/git-fix-permissions-hook $MU_LIBDIR/.git/hooks/post-merge
+  cp -a $MU_LIBDIR/extras/git-fix-permissions-hook $MU_LIBDIR/.git/hooks/post-checkout
+  cp -a $MU_LIBDIR/extras/git-fix-permissions-hook $MU_LIBDIR/.git/hooks/post-rewrite
+  status_message "Setting permissions in Ruby installations and platform repos"
+  test -f $MU_INSTALLDIR/etc/amazon_images.yaml && chmod 644 $MU_INSTALLDIR/etc/amazon_images.yaml
+  chmod 644 $MU_INSTALLDIR/etc/mu.rc
+  for extra in $ADDTL_CHEF_REPOS;do
+    extra_repo_name="`echo $extra | sed 's/^.*\///' | cut -d. -f1`"
+    fix_platform_repo_permissions "$MU_DATADIR/$extra_repo_name"
+  done
+  fix_platform_repo_permissions "$MU_LIBDIR"
+  if [ "$1" != "skip_rubies" ] ;then
+    /sbin/restorecon -r /home
+    for rubydir in /opt/opscode/embedded /opt/chef/embedded `find /opt/rubies -maxdepth 1 -mindepth 1 -type d`;do
+      find $rubydir/lib/ruby/gems -type f -exec chmod o+r {} \;
+      find $rubydir/lib/ruby/gems -type d -exec chmod o+rx {} \;
+    done
+  fi
+}
+generate_repo_berksfile()
+{
+  repodir=$1
+  cd $repodir || return
+  if [ ! -f "Berksfile" ];then
+    warning_message "Generating a Berksfile in ${BOLD}$repodir${NORM}"
+    cat > "$repodir/Berksfile" << EOF
+if !ENV.include? 'MU_DATADIR'
+  if !ENV.include? 'MU_INSTALLDIR'
+    raise "Can't find MU_DATADIR or MU_INSTALLDIR in my environment!"
+  end
+  ENV['MU_DATADIR'] = "#{ENV['MU_INSTALLDIR']}/var"
+end
+instance_eval(File.read(File.expand_path("#{ENV['MU_INSTALLDIR']}/lib/Berksfile", __FILE__)))
+source "https://supermarket.getchef.com"
+EOF
+    for d in cookbooks site_cookbooks;do
+      if [ -d "$repodir/$d" ];then
+        cd "$repodir/$d"
+        for c in `ls -1`;do
+          echo "cookbook '$c', path: '$repodir/$d/$c'" >> "$repodir/Berksfile"
+        done
+      fi
+    done
+    cd "$repodir" && berks install
+  fi
+}
+###############################################################################
+###############################################################################
+###############################################################################
+# Main execution path begins here
+###############################################################################
+###############################################################################
+###############################################################################
+if [ "$library" != "1" ];then
+  if [ "$use_defaults" == "" ];then
+    adjust_config_vars
+  fi
+  set_path_env_vars
+  set_bash_defaults
+  set_hostname
+  set_logbucket
+  create_ssh_config
+  umask 0022
+  clone_mu_repository
+  for extra in $ADDTL_CHEF_REPOS;do
+    extra_repo_name="`echo $extra | sed 's/^.*\///' | cut -d. -f1`"
+    clone_repository "$extra" "$MU_DATADIR/$extra_repo_name"
+    generate_repo_berksfile "$MU_DATADIR/$extra_repo_name"
+  done
+  if [ "$USER" == "root" ];then
+    install_system_packages
+    install_ruby
+    install_awscli
+  fi
+  install_mu_executables
+  # We might disconnect right here! That's normal.
+  associate_public_ip
+  create_private_dns_zone
+  configure_ec2_security_group
+  generate_ssl_certs skip_chef
+  install_chef
+  patch_knife_windows
+  if [ "$USER" == "root" ];then
+    # set up executables again to enable Chef aliases
+    install_mu_executables
+    enable_audit_logs
+    umask 0077
+    start_momma_cat
+    setup_localhost_chef_client
+    generate_ssl_certs
+    configure_nagios_server
+    set_permissions
+    preconfigure_jenkins_artifacts
+  fi
+  if [ "$JENKINS_ADMIN_PW" != "" ];then
+    punch_tcp_hole 7443 # sometimes this isn't ready
+    knife node run_list add MU-MASTER "role[mu-master-jenkins]"
+    chef_client -l info
+  fi
+  cd
+  source $MURC
+  generate_docs
+  # Chef's reloads of sshd don't seem to cause it to re-read its config for
+  # some reason. This means regular user logins don't work on new installs
+  # until it's been kicked.
+  /sbin/service sshd restart
+  echo ""
+  echo "You MUST source all of the changes I made to your environment:"
+  echo ""
+  echo "${BOLD}source $MURC${NORM}"
+  echo ""
+  $MU_LIBDIR/bin/mu-user-manage
+  echo ""
+  echo "To add more users, use ${BOLD}mu-user-manage${NORM}."
+  echo ""
+fi