comfy 0.2.0

data/lib/templates/centos/files/krb5.conf

@@ -0,0 +1,181 @@
+[libdefaults]
+        default_realm = META 
+        forwardable = yes
+        forward = yes
+        encrypt = yes
+        srv_lookup = no
+        srv_try_txt = no
+        no-addresses = yes
+	allow_weak_crypto = true
+
+[realms]
+    ICS.MUNI.CZ = {
+	    kdc = kdccesnet.ics.muni.cz
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.meta.zcu.cz
+            admin_server = kdc1.cesnet.cz
+            kpasswd_server = kdc1.cesnet.cz
+    }
+    META = {
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.meta.zcu.cz
+            kdc = sal.ruk.cuni.cz:89
+	    kdc = jerry.ruk.cuni.cz
+            admin_server = kdc1.cesnet.cz
+            kpasswd_server = kdc1.cesnet.cz
+	    krb525_server = kdccesnet.ics.muni.cz
+	    krb525_server = kdc1.cesnet.cz 
+	    krb525_server = kdccesnet.meta.zcu.cz 
+    }
+    ZCU.CZ = {
+            kdc = kerberos1.zcu.cz
+            kdc = kerberos2.zcu.cz
+            kdc = kerberos3.zcu.cz
+            admin_server = kerberos-adm.zcu.cz
+            kpasswd_server = kerberos-adm.zcu.cz
+    }
+    RUK.CUNI.CZ = {
+            kdc = sal.ruk.cuni.cz
+            kdc = jerry.ruk.cuni.cz:89
+            admin_server = sal.ruk.cuni.cz
+            kpasswd_server = sal.ruk.cuni.cz
+	    krb524_server = sal.ruk.cuni.cz
+	    krb524_server = jerry.ruk.cuni.cz:89
+    }
+    IS.MUNI.CZ = {
+            kdc = ariadna.fi.muni.cz
+    }
+    SITOLA.FI.MUNI.CZ = {
+            kdc = hendrak.fi.muni.cz
+            kdc = oberon.fi.muni.cz
+            admin_server = oberon.fi.muni.cz
+            kpasswd_server = oberon.fi.muni.cz
+    }
+    ADMIN.META = {
+            kdc = kdccesnet.ics.muni.cz
+            admin_server = kdccesnet.ics.muni.cz
+            kpasswd_server = kdccesnet.ics.muni.cz
+    }
+    ASR.ICS.MUNI.CZ = {
+            kdc = bombur.ics.muni.cz
+            admin_server = bombur.ics.muni.cz
+            kpasswd_server = bombur.ics.muni.cz
+    }
+    EINFRA = {
+            kdc = kdc1.cesnet.cz
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+	    admin_server = kdc1.cesnet.cz
+    }
+    EINFRA-SERVICES = {
+            kdc = kdc1.cesnet.cz
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+   	    admin_server = kdc1.cesnet.cz
+    }
+    EGI = {
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+	    admin_server = kdc1.cesnet.cz
+    }
+    SAGRID = {
+            kdc = kdc1.cesnet.cz
+            admin_server = kdc1.cesnet.cz
+    }
+    ELIXIR-EUROPE.ORG = {
+            kdc = kdc1.cesnet.cz
+            admin_server = kdc1.cesnet.cz
+    }
+
+[capaths]
+        RUK.CUNI.CZ = {
+                EINFRA-SERVICES = META
+                ZCU.CZ = META
+        }
+        ZCU.CZ = {
+                EINFRA-SERVICES = META
+                RUK.CUNI.CZ = META
+        }
+        ICS.MUNI.CZ = {
+                  EINFRA-SERVICES = META
+        }
+        EINFRA = {
+                ICS.MUNI.CZ = META
+        }
+        EINFRA-SERVICES = {
+                ICS.MUNI.CZ = META
+                RUK.CUNI.CZ = META
+                ZCU.CZ = META
+        }
+
+[domain_realm]
+        sirion.ics.muni.cz = META
+        erebor.ics.muni.cz = META
+        acharon.ruk.cuni.cz = META
+	androth.zcu.cz = ICS.MUNI.CZ
+        .fi.muni.cz = SITOLA.FI.MUNI.CZ
+        .ics.muni.cz = ICS.MUNI.CZ
+        .cesnet.cz = ICS.MUNI.CZ
+        .zcu.cz = ZCU.CZ
+        .ruk.cuni.cz = RUK.CUNI.CZ
+	.medigrid.cz = ICS.MUNI.CZ
+	.video.muni.cz = ICS.MUNI.CZ
+	.ncbr.muni.cz = ICS.MUNI.CZ
+	.prf.jcu.cz = ICS.MUNI.CZ
+	.feec.vutbr.cz = ICS.MUNI.CZ
+	atlases.muni.cz = ICS.MUNI.CZ
+	.egi.eu = META
+	.fzu.cz = META
+	.cerit-sc.cz = ICS.MUNI.CZ
+	kdc1.cesnet.cz = EINFRA-SERVICES
+	.du1.cesnet.cz = EINFRA-SERVICES
+	.du2.cesnet.cz = EINFRA-SERVICES
+	.du3.cesnet.cz = EINFRA-SERVICES
+	ui2.grid.cesnet.cz = EINFRA-SERVICES
+	ui1.egee.cesnet.cz = EINFRA-SERVICES
+	ui1.grid.cesnet.cz = EINFRA-SERVICES
+	.metacentrum.cz = ICS.MUNI.CZ
+	.ueb.cas.cz = ICS.MUNI.CZ
+	.meta.zcu.cz = META
+	.ukb.muni.cz = ICS.MUNI.CZ
+	.ceitec.muni.cz = EINFRA-SERVICES
+
+[appdefaults]
+    krb4_get_tickets = no
+    krb4_convert = no
+    krb4_convert_524 = no
+    pam = {
+        debug = false
+        forwardable = true
+        afs_cells = ics.muni.cz
+        minimum_uid=100
+        addressless = true
+#Debian
+        realm = META
+        validate = true
+#SuSE
+        ticket_lifetime = 36000
+        renew_lifetime = 36000
+        proxiable = false
+        retain_after_close = false
+        try_first_pass = true
+        external=true
+        force_creds = true
+    }
+    libkafs = {
+    	ZCU.CZ = {
+		afs-use-524 = 2b
+	}
+    	ICS.MUNI.CZ = {
+		afs-use-524 = 2b
+	}
+	RUK.CUNI.CZ = {
+		afs-use-524 = 2b
+	}
+   }
+
+[kadmin]
+	default_keys = v5 v4
+

data/lib/templates/centos/files/ntp.conf

@@ -0,0 +1,61 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# Enable this if you want statistics to be logged.
+statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+server tik.cesnet.cz
+server tak.cesnet.cz
+server ntp.muni.cz
+server time.fi.muni.cz
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+#server 0.debian.pool.ntp.org iburst
+#server 1.debian.pool.ntp.org iburst
+#server 2.debian.pool.ntp.org iburst
+#server 3.debian.pool.ntp.org iburst
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+# Try to avoid NTP amplification attacks
+disable monitor

data/lib/templates/centos/files/sshd_config

@@ -0,0 +1,152 @@
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+#UsePAM no
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox		# Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 30
+ClientAliveCountMax 5
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Uncomment this if you want to use .local domain
+#Host *.local
+#	CheckHostIP no
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	ForceCommand cvs server

data/lib/templates/centos/files/xen-domU.conf

@@ -0,0 +1 @@
+add_drivers+="xen-blkfront xen-netfront xen-kbdfront"

data/lib/templates/centos/scripts/init.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# add EPEL repository
+yum -y install http://ftp.astral.ro/mirrors/fedora/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
+# update already installed packages
+yum -y update
+# install new packages
+yum -y install cloud-init
+yum -y install fail2ban ntp
+yum -y install qemu-guest-agent
+yum -y install krb5-libs krb5-workstation pam_krb5
+yum -y install vim git
+
+# set cloud-init to start after boot
+systemctl enable cloud-init-local
+systemctl enable cloud-init
+systemctl enable cloud-config
+systemctl enable cloud-final
+
+# NTPd start after boot
+systemctl enable ntpd.service
+
+# move configuration file to their right place
+mv /root/cloud.cfg /etc/cloud/cloud.cfg
+mv /root/krb5.conf /etc/krb5.conf
+mv /root/sshd_config /etc/ssh/sshd_config
+mv /root/10-ipv6.conf /etc/sysctl.d/10-ipv6.conf
+mv /root/grub /etc/default/grub
+mv /root/getty\@ttyS0.service /etc/systemd/system/getty\@ttyS0.service
+grub2-mkconfig -o /boot/grub2/grub.cfg
+ln -s /etc/systemd/system/getty\@ttyS0.service /etc/systemd/system/getty.target.wants/getty@ttyS0.service
+mv /root/ntp.conf /etc/ntp.conf
+mv /root/xen-domU.conf /etc/dracut.conf.d/xen-domU.conf
+
+# fail2ban
+mv /root/iptables-multiport.local /etc/fail2ban/action.d/iptables-multiport.local
+mv /root/jail.local /etc/fail2ban/jail.local
+mv /root/fail2ban.local /etc/fail2ban/fail2ban.local
+
+# pakiti-2-client
+rpm -i pakiti-2.1.5-1.noarch.rpm
+rm -f pakiti-2.1.5-1.noarch.rpm
+
+# check-mk-agent
+yum -y install check-mk-agent
+rpm -i check-mk-agent-meta-key-1.0-1.noarch.rpm
+rpm -i check-mk-agent-meta-checks-2.0-1.noarch.rpm
+rm -f check-mk-agent-meta-key-1.0-1.noarch.rpm
+rm -f check-mk-agent-meta-checks-2.0-1.noarch.rpm
+sed -i s/"disable\s*= no"/'disable       = yes'/g /etc/xinetd.d/check-mk-agent
+
+# remove hardware address (MAC) and UUID from NIC configuration files
+sed -i '/^HWADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth*
+sed -i '/^UUID/d' /etc/sysconfig/network-scripts/ifcfg-eth*
+
+# make sure nothing is messing with NICs' MAC adresses
+unlink /etc/udev/rules.d/70-persistent-net.rules
+ln -s /dev/null /etc/udev/rules.d/70-persistent-net.rules
+unlink /etc/udev/rules.d/70-persistent-cd.rules
+ln -s /dev/null /etc/udev/rules.d/70-persistent-cd.rules
+
+# create configuration for second NIC if it's missing
+if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ]; then
+  sed 's/eth0/eth1/g' /etc/sysconfig/network-scripts/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth1
+fi
+
+# enable built-in networking
+# using both commands because of unfinished systemd support in system
+systemctl enable network
+chkconfig network on
+
+# disable NetworkManager
+systemctl disable NetworkManager
+
+#regenerate initrd files
+dracut -f
+
+# disable root login with password
+passwd -d root
+
+# clean bash history and cloud init logs
+rm -f ~/.bash_history
+rm -f /var/log/cloud-init*

data/lib/templates/debian/debian.cfg.erb

@@ -0,0 +1,80 @@
+#Contents of the preconfiguration file (for wheezy)
+
+# Localization and language
+d-i debian-installer/locale string en_US
+
+# Keyboard
+d-i console-keymaps-at/keymap select us
+d-i keyboard-configuration/xkb-keymap select us
+
+# Network
+d-i netcfg/choose_interface select auto
+d-i netcfg/get_hostname string debian
+d-i netcfg/get_domain string cesnet.cz
+d-i netcfg/wireless_wep string
+d-i hw-detect/load_firmware boolean true
+
+#Mirror
+d-i mirror/country string manual
+d-i mirror/http/hostname string ftp.debian.org
+d-i mirror/http/directory string /debian
+d-i mirror/http/proxy string
+
+# Clock and time zone
+d-i clock-setup/utc boolean true
+d-i time/zone string Europe/Prague
+d-i clock-setup/ntp boolean true
+
+# Account
+d-i passwd/make-user boolean false
+
+# Root password
+d-i passwd/root-password password <%= @data[:password] %>
+d-i passwd/root-password-again password <%= @data[:password] %>
+
+# Partition
+d-i partman-md/device_remove_md boolean true
+d-i partman-lvm/device_remove_lvm boolean true
+    
+d-i partman-auto/choose_recipe select boot-root
+d-i partman-auto/init_automatically_partition select biggest_free
+d-i partman-auto/method string regular
+
+d-i partman-auto/expert_recipe string                         \
+      boot-root ::                                            \
+              500 10000 1000000000 ext4                       \
+		      method{ format } format{ }	      \
+                      use_filesystem{ } filesystem{ ext4 }    \
+                      mountpoint{ / }                         \
+              .                                               
+
+d-i partman/confirm_write_new_label boolean true
+d-i partman/choose_partition select  finish
+d-i partman/confirm_nooverwrite boolean true
+d-i partman/confirm boolean true
+d-i partman-basicfilesystems/no_swap boolean false
+d-i partman-basicfilesystems/no_swap seen true 
+d-i partman/mount_style select uuid
+
+# Grub
+d-i grub-installer/only_debian boolean true
+d-i grub-installer/with_other_os boolean true
+d-i grub-installer/bootdev string /dev/vda
+
+# Apt setup
+d-i apt-setup/non-free boolean true
+d-i apt-setup/contrib boolean true
+
+# Package selection
+tasksel tasksel/first multiselect none
+d-i pkgsel/include string openssh-server build-essential
+#d-i pkgsel/include string openssh-server git-buildpackage
+
+# SSH hack to allow root login
+d-i preseed/late_command string in-target sed -i "s/PermitRootLogin without-password/PermitRootLogin yes/" /etc/ssh/sshd_config; \
+in-target echo "blacklist ipv6" >> /etc/modprobe.d/blacklist.conf
+
+popularity-contest popularity-contest/participate boolean false
+# Finishing up the installation
+d-i finish-install/reboot_in_progress note<span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 13px; line-height: 19px; white-space: normal;" class="Apple-style-span"> </span>
+

data/lib/templates/debian/debian.description

@@ -0,0 +1,28 @@
+{
+  "name": "Debian",
+  "versions": [{
+      "major_version": "7",
+      "minor_version": "9",
+      "patch_version": "0",
+      "codename": "wheezy",
+      "iso_url": "http://cdimage.debian.org/cdimage/archive/7.9.0/amd64/iso-cd/debian-7.9.0-amd64-netinst.iso",
+      "iso_checksum": "b6a19b4cf1d046e5eba1ae235a94824bca5a7c8f092a28216396c9d585ef709d"
+    },{
+      "major_version": "8",
+      "minor_version": "2",
+      "patch_version": "0",
+      "codename": "jessie",
+      "iso_url": "http://cdimage.debian.org/debian-cd/8.2.0/amd64/iso-cd/debian-8.2.0-amd64-netinst.iso",
+      "iso_checksum": "d393d17ac6b3113c81186e545c416a00f28ed6e05774284bb5e8f0df39fcbcb9"
+    }],
+  "boot_command": "install auto=true priority=critical preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}",
+  "qemu": {
+    "accelerator": "kvm",
+    "qemuargs": [ [ "-m", "1024M" ] ]
+  },
+  "virtualbox": {
+    "guest_os_type": "Debian_64",
+    "vboxmanage": [ ["modifyvm", "{{.Name}}", "--memory", "1024"] ],
+    "guest_additions_mode": "disable"
+  }
+}