debian-lan-config-0.13/fai/config/debconf/KERBEROS_CLIENT
krb5-config krb5-config/default_realm string INTERN
krb5-config krb5-config/dns_for_default boolean true
krb5-config krb5-config/add_servers boolean false
krb5-config krb5-config/kerberos_servers string kerberos
krb5-config krb5-config/admin_server string kerberos

debian-lan-config-0.13/fai/config/debconf/DEBIAN
exim4-config exim4/dc_eximconfig_configtype select local delivery only; not on a network
locales locales/default_environment_locale select en_US.UTF-8
locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8
keyboard-configuration keyboard-configuration/modelcode string pc105
keyboard-configuration keyboard-configuration/xkb-keymap select us
keyboard-configuration keyboard-configuration/variant select USA
keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC
keyboard-configuration keyboard-configuration/layoutcode string us
keyboard-configuration keyboard-configuration/optionscode string ctrl:nocaps,terminate:ctrl_alt_bksp

debian-lan-config-0.13/fai/config/debconf/SERVER_A
## Network interfaces on which the DHCP server should listen:
isc-dhcp-server isc-dhcp-server/interfaces string eth0
## Do you want system-wide readable home directories?
adduser adduser/homedir-permission boolean false
## Automatically download and install stable updates?
unattended-upgrades unattended-upgrades/enable_auto_updates boolean true

debian-lan-config-0.13/fai/config/debconf/CLIENT_A
nullmailer nullmailer/adminaddr string postmaster@mail.intern
## --starttls upgrades the connection to the relay; --insecure keeps delivering
## when the relay's TLS certificate cannot be verified (the internal relay has no
## publicly trusted certificate). The client therefore does not fail closed on a
## substituted certificate; STARTTLS here only protects against passive eavesdropping.
nullmailer nullmailer/relayhost string mail.intern smtp --starttls --insecure
unattended-upgrades unattended-upgrades/enable_auto_updates boolean true

debian-lan-config-0.13/fai/config/debconf/DNS_SERVER
# Should resolv.conf settings be overridden?
bind9 bind9/run-resolvconf boolean true

debian-lan-config-0.13/fai/config/debconf/MAIL_SERVER
exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; received via SMTP or fetchmail
exim4-config exim4/mailname string mail.intern
exim4-config exim4/dc_localdelivery select Maildir format in home directory
exim4-config exim4/use_split_config boolean true
exim4-config exim4/dc_local_interfaces string

debian-lan-config-0.13/fai/config/debconf/GERMAN
locales locales/default_environment_locale select de_DE.UTF-8
locales locales/locales_to_be_generated multiselect de_DE.UTF-8 UTF-8
keyboard-configuration keyboard-configuration/modelcode string pc105
keyboard-configuration keyboard-configuration/xkb-keymap select de
keyboard-configuration keyboard-configuration/variant select Germany
keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC
keyboard-configuration keyboard-configuration/layoutcode string de
keyboard-configuration keyboard-configuration/optionscode string ctrl:nocaps,terminate:ctrl_alt_bksp

debian-lan-config-0.13/fai/config/debconf/GATEWAY_A
unattended-upgrades unattended-upgrades/enable_auto_updates boolean true

debian-lan-config-0.13/fai/config/debconf/DISKLESS_CLIENT
passwd passwd/shadow boolean true
locales locales/default_environment_locale select en_US.UTF-8
locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8
xserver-xorg xserver-xorg/config/inputdevice/keyboard/model string pc105
xserver-xorg xserver-xorg/autodetect_monitor boolean false
xserver-xorg xserver-xorg/autodetect_keyboard boolean true
xserver-xorg xserver-xorg/autodetect_mouse boolean true
xserver-xorg xserver-xorg/autodetect_video_card boolean true
nbd-client nbd-client/killall boolean false
nbd-client nbd-client/device string /dev/nbd0
nbd-client nbd-client/host string swapserver
nbd-client nbd-client/port string 10809
nbd-client nbd-client/type select swap
## FIXME: workaround #685610
nbd-client nbd-client/extra string -Nswap
nbd-client nbd-client/number string 1

debian-lan-config-0.13/fai/config/debconf/LDAP_SERVER
slapd slapd/no_configuration boolean true
slapd shared/organization string Debian-LAN
slapd slapd/custom_suffix string dc=intern
slapd slapd/domain string intern
slapd slapd/internal/dn string dc=intern
slapd slapd/internal/admin string ^cn=admin,dc=intern$

debian-lan-config-0.13/fai/config/debconf/FR_BELGIAN
locales locales/default_environment_locale select fr_BE.UTF-8
locales locales/locales_to_be_generated multiselect fr_BE.UTF-8 UTF-8
keyboard-configuration keyboard-configuration/modelcode string pc105
keyboard-configuration keyboard-configuration/xkb-keymap select be
keyboard-configuration keyboard-configuration/variant select Belgium
keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC
keyboard-configuration keyboard-configuration/layoutcode string be
keyboard-configuration keyboard-configuration/optionscode string terminate:ctrl_alt_bksp

debian-lan-config-0.13/fai/config/debconf/LDAP_CLIENT
libnss-ldapd libnss-ldapd/nsswitch multiselect group, netgroup, networks, passwd, shadow
nslcd nslcd/ldap-base string dc=intern
nslcd nslcd/ldap-uris string ldap://ldap
nslcd nslcd/ldap-starttls boolean true
nslcd nslcd/ldap-reqcert select demand

debian-lan-config-0.13/fai/config/debconf/KERBEROS_KDC
krb5-admin-server krb5-admin-server/kadmind boolean true

debian-lan-config-0.13/fai/config/files/var/www/index.html/GOSA

Debian-LAN

This is the starting web page for the Debian-LAN mainserver.

Consider changing your password after the first login.

Available services:

More information is available in the Debian-LAN Wiki.

debian-lan-config-0.13/fai/config/files/usr/local/sbin/debian-lan/SERVER_A
#!/bin/bash
#
# Manage users, principals and keytabs. Add machines to dhcpd.conf.
#
set -e

DATADIR="/root/installation/"
#KADMINOPTION="-force"
HOSTNAME=`hostname -s`
HOME="/lan/$HOSTNAME/home0"
DHCPCONF="/etc/dhcp/dhcpd.conf"
DATE=`date +%Y%m%d`

## Password restrictions (compliant with kerberos policy):
MINLEN=4    # minimal password length (max 8 with slappasswd as password generator)
MINCLS=2    # minimal number of character classes

usage(){
    echo "Usage: debian-lan adduser|deluser|purgehomes|key2machine argument"
    echo "       debian-lan add2dhcp"
    echo
    echo "The corresponding argument can be one of the following:"
    echo
    echo "  adduser (list|file)"
    echo "      \"list\" is a list of user (login) names. If instead a file"
    echo "      is provided, it must contain lines of the form 'name [password]'."
    echo "      If the password is omitted, a random password will be generated and"
    echo "      appended to the corresponding login name in the file given."
    echo
    echo "  deluser (list|file)"
    echo "      \"list\" is a list of user (login) names. If instead a file"
    echo "      is provided, the first word in each line is taken as a login name."
    echo
    echo "  purgehomes age"
    echo "      \"age\" is the number of days since the (former) user has been deleted."
    echo
    echo "  key2machine list"
    echo "      \"list\" is a list of host names."
    echo
    echo "  add2dhcp"
    echo "      All non-local hardware MAC addresses found in the syslog may be added"
    echo "      to '$DHCPCONF', either as workstation or diskless machine."
    echo
    exit 1
}

sync_nscd(){
    if pidof nscd > /dev/null 2>&1 ; then
        ## Clear tables to have database up to date:
        nscd -i passwd
        nscd -i group
    fi
}

adduserLDAP(){
    echo "Creating LDAP account for \"$1\": "
    if ! getent group $1 > /dev/null ; then
        ldapaddgroup $1
    else
        echo "Group \"$1\" already exists!"
    fi
    if ! getent passwd $1 > /dev/null ; then
        ldapadduser $1 $1
    else
        echo "User \"$1\" already exists!"
    fi
}

deluserLDAP(){
    if getent passwd $1 ; then
        ## First, fetch user's home directory and tag it for removal:
        HOMEDIR=`getent passwd $1 | cut -d : -f 6`
        RM_HOMEDIR=`dirname $HOMEDIR`"/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
        echo "Tagging $1's home directory $HOMEDIR for removal:"
        if mv -v $HOMEDIR $RM_HOMEDIR; then
            chown root:root $RM_HOMEDIR
            chmod go-rwx $RM_HOMEDIR
        else
            echo "ERROR: Tagging $1's home directory failed!"
        fi
        ## Then, remove user from LDAP:
        echo "Deleting LDAP account for \"$1\": "
        ldapdeleteuser $1 || true
        ldapdeletegroup $1 || true
    else
        echo "User \"$1\" not found in LDAP database!"
    fi
}

add2log () {
    MACHINE=$1
    ## munin:
    CONFDIR='/etc/munin/munin-conf.d/'
    if [ -d $CONFDIR ] && ! grep -sq ${MACHINE} $CONFDIR/nodes.conf ; then
        cat >> $CONFDIR/nodes.conf <> $CONF < MAC address already present in ${DHCPCONF}."
        else
            echo "Add ${HWaddr} to ${DHCPCONF}?"
            read -e -n 1 -p "Choose d (diskless), w (workstation) or press RETURN to ignore [d|w|N]: " inp
            inp=${inp:-N}
            case $inp in
                d) NAME="diskless" ;;
                w) NAME="workstation" ;;
                *) echo "MAC address $HWaddr ignored."
                   echo
                   continue ;;
            esac
            ## Replace the placeholder MAC of the first free host of that type (GNU sed 0,/re/):
            sed -i "0,/\(host ${NAME}.*\) A1:B2:C3:D4:E5:\w\{2\};/s//\1 ${HWaddr};/" ${DHCPCONF}
            MACHINE=$(grep $HWaddr ${DHCPCONF} | awk -F " " '{print $2}')
            echo -n "MAC address $HWaddr added as: ${MACHINE}"
            add2log ${MACHINE}
        fi
        echo
    done
    /etc/init.d/isc-dhcp-server restart
    /etc/init.d/icinga reload
    ;;
    *)
    usage
    ;;
esac

debian-lan-config-0.13/fai/config/files/usr/local/sbin/gosa-create/GOSA
#!/bin/sh
set -e
## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script creates the home directories and principals for users
## added with gosa. There are some tests that make sure only
## non-existent home directories are created. Malicious execution
## cannot hurt, because either the user is missing in ldap or his home
## directory already exists. In both cases nothing should happen.

PREFIX=/lan
HOSTNAME=$(hostname -s)
USERID=$1

## Fetch home dir permissions from 'adduser.conf':
eval $(grep "^DIR_MODE" /etc/adduser.conf)

#FIXME Change this ldap search to only find new users, to not slow down as more users are added.
#      One idea might be to look for objects without the krbPasswordExpiration attributes.
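Added example, not part of the debian-lan-config archive, for the add2dhcp case of the debian-lan script above. That case takes a MAC address read from syslog and lets sed overwrite the first placeholder address (A1:B2:C3:D4:E5:xx) in a host stanza of the chosen type. The heredoc that generates those stanzas did not survive extraction here, so the dhcpd.conf fragment below is a constructed assumption of that template (one host per line, placeholder MAC in the hardware ethernet field). The functions mk_sample_conf, valid_mac and assign_mac are ours; what they add over the original is a syntax check on the MAC before it reaches the editing step, a refusal to assign an address that is already present, and a distinct failure when no free slot of the requested type is left:

```sh
#!/bin/sh
# Added example (not debian-lan-config code): fill the first free placeholder
# host of a given type in a dhcpd.conf, as add2dhcp does, but validate the MAC
# first so a malformed syslog token can never reach the editing step.
set -e

# Constructed sample config; the placeholder MACs A1:B2:C3:D4:E5:NN are what the
# sed pattern in add2dhcp looks for.  The real template may differ.
mk_sample_conf() {
    cat > "$1" <<'EOF'
host workstation00 { hardware ethernet A1:B2:C3:D4:E5:00; fixed-address workstation00; }
host workstation01 { hardware ethernet A1:B2:C3:D4:E5:01; fixed-address workstation01; }
host diskless00 { hardware ethernet A1:B2:C3:D4:E5:10; fixed-address diskless00; }
EOF
}

# Return 0 if $1 is a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# assign_mac TYPE MAC CONF: give MAC to the first free TYPE host in CONF and
# print the host name chosen.  Exit status: 1 MAC already present, 2 bad
# input, 3 no free slot.  Only the first matching line is rewritten, like the
# "0,/re/" address in the original sed call, but done with awk for portability.
assign_mac() {
    kind=$1 mac=$2 conf=$3
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 2; }
    case "$kind" in workstation|diskless) ;; *) echo "bad type: $kind" >&2; return 2 ;; esac
    if grep -qi "$mac" "$conf" ; then
        echo "$mac already present in $conf" >&2
        return 1
    fi
    tmp="$conf.tmp"
    awk -v t="$kind" -v m="$mac" '
        !done && $1 == "host" && index($2, t) == 1 && /A1:B2:C3:D4:E5:[0-9A-Fa-f][0-9A-Fa-f];/ {
            sub(/A1:B2:C3:D4:E5:[0-9A-Fa-f][0-9A-Fa-f];/, m ";")
            done = 1
        }
        { print }
        END { exit done ? 0 : 3 }' "$conf" > "$tmp" || { rm -f "$tmp"; return 3; }
    mv "$tmp" "$conf"
    grep "$mac" "$conf" | awk '{print $2}'
}
```

Unlike the original, a failure to find a free slot is reported as an exit status instead of silently leaving the config untouched while still restarting dhcpd.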
## lookup user and create home directory and principal:
ldapsearch -b "ou=gosa,dc=intern" -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \
    cn homeDirectory gidNumber 2>/dev/null | perl -p0e 's/\n //g' | \
    while read KEY VALUE ; do
        case "$KEY" in
            dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
            cn:) USERNAME="$VALUE" ;;
            homeDirectory:) HOMEDIR="$VALUE" ;;
            gidNumber:) GROUPID="$VALUE" ;;
            "")
                test "$HOMEDIR" || continue
                ## Only this server's tree (trailing slash, so "/lan/${HOSTNAME}2" does not match):
                echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME/" || continue
                test -e "$HOMEDIR" && continue
                cp -r /etc/skel "$HOMEDIR"
                if type nscd > /dev/null 2>&1 ; then
                    nscd -i passwd
                    nscd -i group
                fi
                chown -R $USERID:$GROUPID "$HOMEDIR"
                chmod $DIR_MODE "$HOMEDIR"
                kadmin.local -q "add_principal -randkey -x $USERDN $USERID"
                logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
                ## send a welcome-email:
                cat << EOF | /usr/lib/sendmail $USERID
Subject: Welcome to the mail-system

Hello $USERNAME,

welcome to the mail-system. Your userID is $USERID, and your email address is:

    $USERID@mail.intern

Regards,
    Debian-LAN SysAdmin
EOF
                ;;
        esac
    done
exit 0

debian-lan-config-0.13/fai/config/files/usr/local/sbin/add2gosa/GOSA
#!/bin/bash
#
# Import a list of users to GOsa. Based on the ldapscripts package.
#
set -e
umask 0022

sync_nscd(){
    if pidof nscd > /dev/null 2>&1 ; then
        ## Clear tables to have database up to date:
        nscd -i passwd
        nscd -i group
    fi
}

mk_uname() {
    GNAME=${1,,}
    FNAME=${2,,}
    echo ${GNAME::4}${FNAME::4}
    #echo ${GNAME}_${FNAME}
}

ou2LDAP() {
    OU=$1
    # Add ou to LDAP
    _extractldif 3 | sed -e "s||$OU|g" | _filterldif | _utf8encode | _ldapadd
    [ $? -eq 0 ] || end_die "Error adding '$OU' to '$SUFFIX'."
    echo_log "Successfully added '$OU' to '$SUFFIX'."
}

user2LDAP() {
    set +e
    GNAME=$1
    FNAME=$2
    _USER="$3"
    _GROUP="$_USER"

    # Group GID
    _GID=$(_findnextgid)
    [ -z "$_GID" ] && end_die "Cannot guess next free group ID."

    # Add group to LDAP
    _extractldif 4 | _filterldif | _utf8encode | _ldapadd
    [ $? -eq 0 ] || end_die "Error adding group '$_GROUP' to LDAP."
    echo_log "Successfully added group '$_GROUP' to LDAP."

    ###################
    # User UID
    _UID=$(_findnextuid)
    [ -z "$_UID" ] && end_die "Cannot guess next free user ID."

    # Compute homedir
    _HOMEDIR=$(echo "$UHOMES" | sed "s|%u|$_USER|g")

    # Add user to LDAP
    _extractldif 5 | \
        sed -e "s||$GNAME|g" \
            -e "s||$FNAME|g" \
            -e "s||$PWHASH|g" \
        | _filterldif | _utf8encode | _ldapadd
    [ $? -eq 0 ] || end_die "Error adding user '$_USER' to LDAP."
    echo_log "Successfully added user '$_USER' to LDAP."

    # Create Home dir
    if [ -e "$_HOMEDIR" ] ; then
        warn_log "Skipped home directory creation for user '$_USER' (already exists)."
    else
        if [ -d "$HOMESKEL" ] ; then
            mkdir -p $(dirname "$_HOMEDIR") 2>>"$LOGFILE" 1>/dev/null
            cp -pR "$HOMESKEL/" "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
        else
            mkdir -p "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
        fi
        chmod "$HOMEPERMS" "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
        chown -R "$_UID":"$_GID" "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
        echo_log "Successfully created home directory '$_HOMEDIR' for user '$_USER'."
    fi
    set -e
}

## Count the character classes in a password (0 if it is shorter than MINLEN):
checkPASSWD (){
    PASSWD="$1"
    local NUM=0
    if [ $(expr length "$PASSWD") -ge $MINLEN ] ; then
        [ -n "${PASSWD//[![:lower:]]/}" ] && NUM=$(($NUM+1))
        [ -n "${PASSWD//[![:upper:]]/}" ] && NUM=$(($NUM+1))
        [ -n "${PASSWD//[![:digit:]]/}" ] && NUM=$(($NUM+1))
        [ -n "${PASSWD//[![:punct:]]/}" ] && NUM=$(($NUM+1))
    fi
    echo $NUM
}

## Draw passwords from slappasswd -g until one has at least MINCLS classes:
createPASSWD (){
    local NUM=0
    while [ $NUM -lt $MINCLS ] ; do
        PASSWD=$(slappasswd -g)
        NUM=$(checkPASSWD "$PASSWD")
    done
    echo "$PASSWD"
}

###########################################
FILE=$1
GOSAOU=$2

# Source runtime file
_RUNTIMEFILE="/usr/share/ldapscripts/runtime"
. "$_RUNTIMEFILE"

# We need to overwrite variables defined in the configuration
# and sourced in the runtime file above:
SUFFIX="$GOSAOU,ou=gosa,dc=intern"
SUFFIX=${SUFFIX#,}    # remove ',' if $GOSAOU=""
GIDSTART="10000"
UIDSTART="10000"

## Map LDAP structure on the home directory tree if not switched off:
if [ -n "$GOSAOU" ] && [ "$3" != "--no-map" ] ; then
    HSUFFIX=$(echo -n "${GOSAOU}," | tac -s "," | sed -e "s|ou=||g" -e "s|,|\/|g" )
    UHOMES=${UHOMES/\%u/${HSUFFIX}%u}
fi

## Password restrictions (compliant with kerberos policy):
MINLEN=4    # minimal password length (max 8 with slappasswd as password generator)
MINCLS=2    # minimal number of character classes

if [ ! -r "$FILE" ] ; then
    cat <<EOF
 [ou=[,ou=...] [--no-map]]

Where  contains rows of first and last names:
   ...
   ...

Empty lines or lines starting with a '#' will be ignored. The generated
password is appended to the line during processing, the line commented.

Optionally it is possible to specify an organizational unit within the
GOsa tree. The users will be added to that department. The location of
the home directory created will map the structure of the organizational
units in LDAP. This feature can be switched off with the --no-map option.

Examples:
  * add users to GOsa base, home directory: '//':
      add2gosa 
  * add users to department 'ou=2013,ou=students', home directory '//students/2013/':
      add2gosa  ou=2013,ou=students

The department has to be created in GOsa before adding users.
EOF
    exit 1
fi

sync_nscd

# Test if dn exists:
_ldapsearch "$SUFFIX" "(objectClass=organizationalUnit)" "dn" \
    | grep -q "$SUFFIX" || end_die "No Department '$SUFFIX' found. Create it in GOsa first."

# Create ou=groups if missing:
_ldapsearch "$GSUFFIX,$SUFFIX" "(objectClass=organizationalUnit)" "dn" \
    | grep -q "$GSUFFIX,$SUFFIX" || ou2LDAP $GSUFFIX

# Create ou=people if missing:
_ldapsearch "$USUFFIX,$SUFFIX" "(objectClass=organizationalUnit)" "dn" \
    | grep -q "$USUFFIX,$SUFFIX" || ou2LDAP $USUFFIX

echo
## The file receives the clear-text passwords, so close it to others first:
chmod 600 $FILE

IFS=$'\n'
for LINE in $(grep -Ev "^(#|[[:space:]]*$)" $FILE | sed "s/\#.*//g" | awk '{print $1, $2, $3}') ; do
    GNAME=`echo "$LINE" | cut -d " " -f1`
    FNAME=`echo "$LINE" | cut -d " " -f2`
    USERNAME=$(mk_uname ${GNAME} ${FNAME})
    echo "---------------- $USERNAME ----------------"
    PASSWD=$(createPASSWD)
    PWHASH=$(slappasswd -s $PASSWD -h {SSHA})
    echo "Password and hash created."
    sed -i "s|\($GNAME[[:space:]]\+$FNAME\)|\# \1:\t $USERNAME\t ${PASSWD}|" $FILE
    user2LDAP "$GNAME" "$FNAME" "$USERNAME" "$PWHASH"
    USERDN="dn=uid=$USERNAME,$USUFFIX,$SUFFIX"
    kadmin.local -q "add_principal -pw "$PASSWD" -x $USERDN $USERNAME"
    echo
done

cat <<EOF
EOF

# Ldif ou template ##################################
###dn: ou=,
###objectClass: top
###objectClass: organizationalUnit
###ou: 

# Ldif group template ###############################
####dn: cn=,,
####objectClass: 
####cn: 
####gidNumber: 
####description: Group of user 

# Ldif user template ################################
#####dn: uid=,,
#####objectClass: person
#####objectClass: organizationalPerson
#####objectClass: inetOrgPerson
#####objectClass: gosaAccount
#####objectClass: posixAccount
#####objectClass: shadowAccount
#####sn: 
#####givenName: 
#####cn: 
#####gecos: 
#####uid: 
#####homeDirectory: 
#####loginShell: 
#####uidNumber: 
#####gidNumber: 
#####userPassword: 

debian-lan-config-0.13/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
#!/bin/bash
#
# Send kerberos keytab to machines during PXE installation.
# Called by dhcpd on lease.
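Added example, not part of the debian-lan-config archive, for the password policy that add2gosa above enforces with checkPASSWD and createPASSWD (and that the debian-lan script declares with the same MINLEN and MINCLS values). The original loops on slappasswd -g, which always yields 8 characters, so MINLEN=4 is only the floor the KDC policy demands, never the length actually produced. The version below is portable sh, counts the same four classes (lower, upper, digit, punctuation), and draws candidates from /dev/urandom at a caller-chosen length; pw_classes, pw_ok and pw_generate are our names, and the alphabet in pw_generate is an assumption:

```sh
#!/bin/sh
# Added example (not debian-lan-config code): the add2gosa password policy
# (MINLEN characters, at least MINCLS character classes) in portable sh, with
# a generator that does not depend on slappasswd -g.
set -e

MINLEN=4    # as in add2gosa
MINCLS=2    # as in add2gosa

# Print how many of the four classes lower/upper/digit/punct occur in $1.
pw_classes() {
    n=0
    for cls in lower upper digit punct ; do
        if printf '%s' "$1" | grep -q "[[:$cls:]]" ; then
            n=$((n+1))
        fi
    done
    echo "$n"
}

# Return 0 if $1 meets both requirements; otherwise say why on stderr.
# Unlike checkPASSWD this reports length and class failures separately.
pw_ok() {
    [ "${#1}" -ge "$MINLEN" ] || { echo "too short (<$MINLEN)" >&2; return 1; }
    [ "$(pw_classes "$1")" -ge "$MINCLS" ] || { echo "fewer than $MINCLS character classes" >&2; return 1; }
    return 0
}

# Generate a password of length $1 (default 12) from /dev/urandom and retry
# until pw_ok accepts it, mirroring the retry loop of createPASSWD.
# The alphabet is our choice: letters, digits and a few punctuation marks
# that survive unquoted use in the kadmin command line.
pw_generate() {
    len=${1:-12}
    while : ; do
        cand=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%+,.:=@_-' < /dev/urandom | head -c "$len")
        pw_ok "$cand" 2>/dev/null && { echo "$cand"; return 0; }
    done
}
```

The class test in pw_classes is the same grep bracket expression for each class, so adding a fifth class or tightening MINCLS is a one-line change; the retry loop terminates quickly because a 12-character draw from this alphabet almost always contains two classes.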
#
set -e

DATADIR="/root/installation/"
NFSROOT="/srv/fai/nfsroot/live/filesystem.dir/"
MACHINE=$1
WAIT=60

if [ ! -e $DATADIR/${MACHINE}.keytab ] ; then
    ## The keytab is missing or in use already, exit.
    exit 0
elif [ "$2" != "go" ]; then
    ## Fork to the background and run script.
    $0 "$1" go >> /var/log/`basename ${0}`.log 2>&1 &
    exit 0
fi

## Only one process:
STAMP=/tmp/`basename ${0}`_$MACHINE
if [ -e $STAMP ] ; then
    exit 0
else
    touch $STAMP
    trap "rm -f $STAMP" ERR SIGHUP SIGINT SIGTERM
fi

cleanup(){
    echo $1
    rm -f $STAMP
    exit 0
}

## Make chroot accessible to root:
if [ ! -e ${NFSROOT}/root/.ssh/authorized_keys ] ; then
    echo $MACHINE `date`
    mkdir -vp ${NFSROOT}/root/.ssh/
    for KEY in `ls /root/.ssh/*.pub` ; do
        cat $KEY >> ${NFSROOT}/root/.ssh/authorized_keys
    done
fi

sleep $WAIT

for i in `seq 8` ; do
    echo $MACHINE `date`
    echo "Copying keytab to $MACHINE: $i try."
    ## Do not check host ID and do not add the host ID to known_hosts,
    ## as the host will have a different ID after installation. This also
    ## means the keytab goes to whichever host answers as ${MACHINE} during
    ## the install window, so keep that window (WAIT x 8 tries) short.
    if ! scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=\"$STAMP\" -p \
        $DATADIR/${MACHINE}.keytab root@${MACHINE}:/target/etc/krb5.keytab ; then
        echo "Copying failed, sleeping $WAIT s."
        sleep $WAIT
        ping -c 2 $MACHINE > /dev/null || cleanup "Cannot ping $MACHINE, exiting."
        continue
    fi
    echo "$DATADIR/${MACHINE}.keytab copied to ${MACHINE}."
    DATE=`date +%Y%m%d`
    mv -v $DATADIR/${MACHINE}.keytab $DATADIR/${MACHINE}.keytab_$DATE
    cleanup "Success! ${MACHINE} activated."
done
cleanup "Failed to activate ${MACHINE}. Run 'debian-lan key2machine ${MACHINE}' manually."

debian-lan-config-0.13/fai/config/files/usr/local/sbin/gosa-remove/GOSA
#!/bin/sh
set -e
## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script removes the home directories and principals for users removed with gosa.
## Home directories are not purged immediately, but marked with a time stamp. Next time
## this script is run it looks for all home directories marked for removal and removes
## directories older than the given age $MAXAGE.
##
## Malicious execution can mark directories for purging, but if $MAXAGE is chosen not
## too short, this will be detected by the owner and no data will get lost. Note that
## the principal is deleted at once, so a bogus call does lock the user out until the
## principal is recreated.

USERID=$1
HOMEDIR=$2

## minimum age to keep a directory before it is purged
## in days (only integer values):
MAXAGE_DAYS=500

####################################
MAXAGE_SEC=$(( $MAXAGE_DAYS*24*60*60 ))

[ -d $HOMEDIR ] || exit 1

PREFIX=/lan
HOSTNAME=$(hostname -s)
echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1

## move mail directory to home directory
if [ -d /var/mail/$USERID ]; then
    mkdir -p $HOMEDIR/Maildir/
    mv /var/mail/$USERID/* $HOMEDIR/Maildir/
    rmdir /var/mail/$USERID
fi

## rename home directory and delete principal:
HOME=`dirname $HOMEDIR`
RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
mv $HOMEDIR $RM_HOMEDIR
chown root:root $RM_HOMEDIR
chmod go-rwx $RM_HOMEDIR
kadmin.local -q "delete_principal $USERID"
logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed.

## purge directories that were tagged longer than MAXAGE ago:
for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do
    RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"`
    AGE=$(( `date +"%s"`-`date +"%s" -d $RMDATE` ))
    if [ $AGE -gt $MAXAGE_SEC ] ; then
        rm -rf $DIR
        logger -t gosa-remove -p notice Home directory \'$DIR\' purged.
    fi
done
exit 0

debian-lan-config-0.13/fai/config/files/usr/local/sbin/nbdswapd/DISKLESS_SERVER
#!/bin/sh
#
# Inspired by nbdswapd from the ltsp-server package.
set -e

## swap size (in MB):
SIZE="128"

SWAP="$1"
SWAPDIR=${SWAP%/*}
test -d $SWAPDIR || mkdir -p $SWAPDIR

## create swap file (sparse: count=0, seek to SIZE):
dd if=/dev/zero of=$SWAP bs=1M count=0 seek="$SIZE" 2> /dev/null
chmod 600 $SWAP

debian-lan-config-0.13/fai/config/files/usr/local/sbin/gosa-sync/GOSA
#!/bin/bash
set -e
## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script synchronizes the kerberos password of principals to the
## posix password whenever the password is changed in ldap by gosa. To
## make sure only authorized changes happen, it is tested if the
## supplied password corresponds to the supplied distinguished name in
## ldap.
##
## A caller not knowing the correct ldap password cannot change the
## principal's one.

USERDN="$1"
USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`

## The new user password is in environment, $USERPASSWORD.
## Check if provided password corresponds to hash saved in ldap database:
TMPFILE=$(tempfile)
trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
cat <<EOF > "$TMPFILE"
$USERPASSWORD
EOF
IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`

# Escapes " because kadmin needs to use double quotes:
EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\"\"/g')"

if [ "$IAM" = "dn:$USERDN" ] ; then
    cat > "$TMPFILE" <<EOF
change_password -pw "$EUSERPASSWORD" $USERID
EOF
    RET=$( (kadmin.local < "$TMPFILE" > /dev/null) 2>&1)
    if [ -z "$RET" ] ; then
        logger -t gosa-sync -p notice "Successfully changed kerberos password for '$USERID'."
    else
        logger -t gosa-sync -p warning "$RET"
        echo "$RET"
    fi
else
    RET="Could not verify password for '$USERID'. Nothing done."
    echo $RET
    logger -t gosa-sync -p warning "$RET"
fi
rm "$TMPFILE"
exit 0

debian-lan-config-0.13/fai/config/files/usr/share/libpam-script/pam_script_auth/ROAMING
#!/bin/sh
#
# Create user's local home directory if it does not exist.
# Use Kerberos key as machine key if machine key is unavailable.
#
set -e

FILE="/tmp/krb5cc_roaming"
NFSHOMES="/lan/mainserver/home0/"

## Find path of user's local home directory:
HOMEDIR=$(getent passwd "$PAM_USER" | cut -d : -f 6 | sed "s:$NFSHOMES:/home/:")

if [ "$PAM_USER" = "root" ] ; then
    exit 0
elif [ -n "$HOMEDIR" ] && [ ! -d "$HOMEDIR" ] ; then
    ## Create local home directory if it does not exist:
    umask 0022
    mkdir -p $(dirname "$HOMEDIR")
    cp -pR /etc/skel "$HOMEDIR"
    chmod 750 "$HOMEDIR"
    chown -R $PAM_USER:$PAM_USER "$HOMEDIR"
    echo "Successfully created off-line home directory '$HOMEDIR' for user '$PAM_USER'."
fi

# Use Kerberos key as machine key if machine key is unavailable.
# The first user's credential cache is copied once and then serves autofs
# for everyone until $FILE is removed:
if [ ! -e /etc/krb5.keytab ] && [ ! -e "$FILE" ] ; then
    ID=$(id -u "$PAM_USER")
    cp -v /tmp/krb5cc_${ID}_* $FILE
    /etc/init.d/autofs restart > /dev/null
fi
exit 0

debian-lan-config-0.13/fai/config/files/usr/share/libpam-script/pam_script_auth/DISKLESS_CLIENT
#!/bin/sh
#
# Use Kerberos key as machine key if machine key is unavailable.
#
set -e

FILE="/tmp/krb5cc_diskless"

if [ "$PAM_USER" != "root" ] && [ ! -e /etc/krb5.keytab ] && [ ! -e $FILE ] ; then
    cp -v /tmp/krb5cc_pam_* $FILE
    /etc/init.d/autofs restart > /dev/null
fi
exit 0

debian-lan-config-0.13/fai/config/files/etc/sssd/sssd.conf/ROAMING
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = intern

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/intern]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ldap
ldap_search_base = dc=intern
; ldap_tls_reqcert / ldap_tls_cacert only apply to TLS-protected connections;
; identity lookups over ldap_uri use STARTTLS only with ldap_id_use_start_tls = true
; (sssd default: false). Authentication itself goes through Kerberos, not LDAP.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap/slapd.crt
krb5_kdcip = kerberos
krb5_realm = INTERN
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15

debian-lan-config-0.13/fai/config/files/etc/icinga/objects/hostgroups_icinga.cfg/LOG_SERVER
#### all machines ####
define hostgroup {
    hostgroup_name  all
    alias           All Servers
    members         *
}
define hostgroup {
    hostgroup_name  debian-servers
    alias           Debian GNU/Linux Servers
    members         *
}

#### server ####
define hostgroup {
    hostgroup_name     ssh-servers
    alias              SSH servers
    members            mainserver
    hostgroup_members  workstation
}
define hostgroup {
    hostgroup_name  http-servers
    alias           HTTP servers
    members         mainserver
}
define hostgroup {
    hostgroup_name  ldap-servers
    alias           LDAP servers
    members         mainserver
}
define hostgroup {
    hostgroup_name  nfs-servers
    alias           NFS servers
    members         mainserver
}
define hostgroup {
    hostgroup_name  smtp-servers
    alias           SMTP servers
    members         mainserver
}
define hostgroup {
    hostgroup_name  imap-servers
    alias           IMAP servers
    members         mainserver
}
define hostgroup {
    hostgroup_name  cups-servers
    alias           CUPS servers
    members         mainserver
}
define hostgroup {
    hostgroup_name  dns-servers
    alias           DNS
    members         mainserver
}

#### workstations and diskless ####
define hostgroup {
    hostgroup_name  workstation
    alias           Debian GNU/Linux Workstation
}
define hostgroup {
    hostgroup_name  diskless
    alias           Debian GNU/Linux Diskless
}

debian-lan-config-0.13/fai/config/files/etc/icinga/objects/hosts.cfg/LOG_SERVER
define host{
    use        generic-host
    host_name  gateway
    address    $GATEWAY
}
define host{
    use        generic-host
    host_name  mainserver
    address    127.0.0.1
}
define host{
    use                    generic-host
    host_name              workstation00
    hostgroups             workstation
    notifications_enabled  0
}

debian-lan-config-0.13/fai/config/files/etc/icinga/objects/services_icinga.cfg/LOG_SERVER
#### servers ####
define service{
    host                 mainserver
    service_description  APT
    check_command        check_apt
    use                  generic-service
}
define service{
    hostgroup_name       cups-servers
    service_description  CUPS
    check_command        check_cups
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  Current Load
    check_command        check_load!5.0!4.0!3.0!10.0!6.0!4.0
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  Current Users
    check_command        check_users!20!50
    use                  generic-service
}
define service{
    hostgroup_name       dns-servers
    service_description  DNS extern
    check_command        check_dns
    use                  generic-service
}
define service{
    hostgroup_name       dns-servers
    service_description  DNS intern
    check_command        check_dig!'domain.intern'
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  Disk Space
    check_command        check_all_disks!20%!10%
    use                  generic-service
}
define service {
    hostgroup_name       http-servers
    service_description  HTTP
    check_command        check_http
    use                  generic-service
}
define service{
    hostgroup_name       imap-servers
    service_description  IMAP
    check_command        check_imap
    use                  generic-service
}
define service{
    hostgroup_name       ldap-servers
    service_description  LDAP
    check_command        debian-lan_check_ldap!dc=intern
    use                  generic-service
}
define service{
    hostgroup_name       nfs-servers
    service_description  NFS
    check_command        debian-lan_check_nfs
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  NTP Server
    check_command        check_ntp_ntpq
    use                  generic-service
}
define service{
    hostgroup_name       smtp-servers
    service_description  SMTP
    check_command        check_smtp
    use                  generic-service
}
define service {
    hostgroup_name       ssh-servers
    service_description  SSH
    check_command        check_ssh
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  Squid
    check_command        check_squid!3128!'http://www.intern'
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  Swap
    check_command        debian-lan_check_swap
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  Total Procs
    check_command        check_procs!250!400
    use                  generic-service
}
define service{
    host                 mainserver
    service_description  Zombie Procs
    check_command        check_procs_zombie!5!10
    use                  generic-service
}

#### gateway
define service{
    host                 gateway
    service_description  Alive
    check_command        check-host-alive
    use                  generic-service
}
define service{
    host                 gateway
    service_description  Internet
    check_command        debian-lan_check_internet!8.8.8.8
    use                  generic-service
}

#### nrpe (remote) machines
define service{
    hostgroup_name       workstation
    service_description  APT
    check_command        check_nrpe_1arg!check_apt
    use                  generic-service
}
define service{
    hostgroup_name       workstation,diskless
    service_description  Current Load
    check_command        check_nrpe_1arg!debian-lan_check_load
    use                  generic-service
}
define service{
    hostgroup_name       workstation,diskless
    service_description  Current Users
    check_command        check_nrpe_1arg!debian-lan_check_users
    use                  generic-service
}
define service{
    hostgroup_name       workstation
    service_description  Disk Space
    check_command        check_nrpe_1arg!debian-lan_check_all_disks
    use                  generic-service
}
define service{
    hostgroup_name       workstation
    service_description  Kerberos Key
    check_command        check_nrpe_1arg!debian-lan_check_file_age
    use                  generic-service
}
define service{
    hostgroup_name       workstation,diskless
    service_description  Swap
    check_command        check_nrpe_1arg!debian-lan_check_swap
    use                  generic-service
}
define service{
    hostgroup_name       workstation,diskless
    service_description  Time
    check_command        check_nrpe_1arg!debian-lan_check_ntp_time
    use                  generic-service
}
define service{
    hostgroup_name       workstation,diskless
    service_description  Total Procs
    check_command        check_nrpe_1arg!debian-lan_check_procs
    use                  generic-service
}
define service{
    hostgroup_name       workstation,diskless
    service_description  Zombie Procs
    check_command        check_nrpe_1arg!debian-lan_check_procs_zombie
    use                  generic-service
}

debian-lan-config-0.13/fai/config/files/etc/icinga/objects/commands.cfg/LOG_SERVER
define command{
    command_name  debian-lan_check_swap
    command_line  /usr/lib/nagios/plugins/check_swap -w 50% -c 20%
}
define command{
    command_name  debian-lan_check_ldap
    command_line  /usr/lib/nagios/plugins/check_ldap -H '$HOSTNAME$' -b '$ARG1$' -T
}
define command{
    command_name  debian-lan_check_nfs
    command_line  /usr/lib/nagios/plugins/check_rpc -H '$HOSTADDRESS$' -C nfs -c2,3,4
}
define command{
    command_name  debian-lan_check_internet
    command_line  /usr/lib/nagios/plugins/check_ping -H '$ARG1$' -w 50,10% -c 100,100% -p 5
}

debian-lan-config-0.13/fai/config/files/etc/cron.daily/backup/SERVER_A
#!/bin/bash
#
# backup ldap, package selection and debconf values
# run dirvish
#
set -e

DIR="/backup/"
MISC_DIR="${DIR}/tmp/misc/"

# from dirvish:
mount_check() {
    mntout=`tempfile -p mount`
    mount $1 >$mntout 2>&1 || true
    if [ ! -d $1/lost+found ]; then
        # only works for "real" filesystems :-)
        # (Yes, I know about reiserfs.)
        echo "'mount $1' failed?! Stopping."
        echo "mount output:"
        cat $mntout
        rm -f $mntout
        exit 2
    fi
    if stat $1 | grep 'Inode: 2[^0-9]' >/dev/null; then
        # ditto
        rm -f $mntout
        return 0 # ok
    fi
    echo "$1 isn't inode 2 ?! Mount must have failed; stopping."
    echo ''
    stat $1
    echo "mount output:"
    cat $mntout
    rm -f $mntout
    umount $1
    exit 2
}

if grep -q ${DIR%/} /etc/fstab ; then
    MNT=true
    mount_check $DIR
    trap "rc=$?; umount $DIR; exit $rc" ERR
fi

## Backup LDAP, package selection and debconf data.
## Drop the data in $MISC_DIR and use dirvish for ## the backup, thereby making use of its expire ## mechanism: if [ -x /usr/sbin/slapcat ] ; then slapcat -l $MISC_DIR/LDAP.ldif_new fi dpkg --get-selections > $MISC_DIR/package.selection_new debconf-get-selections > $MISC_DIR/debconf.selection_new ## Check if the data has changed, if not keep the old file: for FILE in `ls $MISC_DIR/*_new` ; do if diff -qN $FILE ${FILE%_new} >/dev/null ; then ## nothing changed: rm $FILE else ## use new file: mv $FILE ${FILE%_new} fi done chmod 640 $MISC_DIR/* ## dirvish: if [ ! -x /usr/sbin/dirvish-expire ]; then exit 0; fi if [ ! -s /etc/dirvish/master.conf ]; then exit 0; fi /usr/sbin/dirvish-expire --quiet && /usr/sbin/dirvish-runall --quiet rc=$? if [ $MNT ] ; then umount $DIR || rc=$? fi exit $rc debian-lan-config-0.13/fai/config/files/etc/gosa/0000755000000000000000000000000012176652571016406 5ustar debian-lan-config-0.13/fai/config/files/etc/gosa/gosa.conf/0000755000000000000000000000000012176652571020263 5ustar debian-lan-config-0.13/fai/config/files/etc/gosa/gosa.conf/GOSA0000644000000000000000000003406612176652571020750 0ustar
==> debian-lan-config-0.13/fai/config/files/etc/nbd-server/conf.d/swap.conf/DISKLESS_SERVER <==
[swap]
exportname = /tmp/nbd-swap/%s
prerun = /usr/local/sbin/nbdswapd %s
postrun = rm -f %s

==> debian-lan-config-0.13/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC <==
## access controls for the Kerberos KDC
root/admin@INTERN *
*@INTERN cil
*/*@INTERN i

==> debian-lan-config-0.13/fai/config/files/etc/krb5kdc/kdc.conf/KDC_LDAP <==
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    INTERN = {
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
==> debian-lan-config-0.13/fai/config/files/etc/fai/nfsroot.conf/SERVER_A <==
# For a detailed description see nfsroot.conf(5)

FAI_ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
NFSROOT=/srv/fai/nfsroot
TFTPROOT=/srv/tftp/fai
NFSROOT_HOOKS=/etc/fai/nfsroot-hooks/
FAI_DEBOOTSTRAP_OPTS="--exclude=info"

# Configuration space
FAI_CONFIGDIR=/srv/fai/config

FAI_DEBOOTSTRAP="wheezy http://aptcache:3142/http.debian.net/debian"

==> debian-lan-config-0.13/fai/config/files/etc/fai/nfsroot.conf/FAISERVER <==
# For a detailed description see nfsroot.conf(5)

FAI_ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
NFSROOT=/srv/fai/nfsroot
TFTPROOT=/srv/tftp/fai
NFSROOT_HOOKS=/etc/fai/nfsroot-hooks/
FAI_DEBOOTSTRAP_OPTS="--exclude=info"

# Configuration space
FAI_CONFIGDIR=/srv/fai/config

NFSROOT_ETC_HOSTS="192.168.33.250 faiserver"
FAI_DEBOOTSTRAP="wheezy http://faiserver:9999/debian"

==> debian-lan-config-0.13/fai/config/files/etc/fai/grub.cfg/SERVER_A <==
## grub2 configuration
set default=" Boot OS of first partition on first disk"
set timeout=20

if loadfont /boot/grub/ascii.pf2 ; then
    insmod png
    set gfxmode=640x480
    insmod gfxterm
    insmod vbe
    terminal_output gfxterm
fi

if background_image /boot/grub/fai.png ; then
    set color_normal=black/black
    set color_highlight=red/black
    set menu_color_normal=black/black
    set menu_color_highlight=black/yellow
else
    set menu_color_normal=white/black
    set menu_color_highlight=black/yellow
fi

# make sure we can access partitions
insmod part_msdos
insmod part_gpt

if [ ${iso_path} ] ; then
    set loopback="findiso=${iso_path}"
fi

menuentry "" {
    set gfxpayload=1024x768
    linux /boot/vmlinuz boot=live
}

menuentry " FAI-CD (c) Thomas Lange, lange@debian.org" {
    set gfxpayload=1024x768
    linux /boot/vmlinuz boot=live
}

menuentry " _VERSIONSTRING_ " {
    set gfxpayload=1024x768
    linux /boot/vmlinuz boot=live
}

menuentry "" {
    set gfxpayload=1024x768
    linux /boot/vmlinuz boot=live
}

menuentry "" {
    set gfxpayload=1024x768
    linux /boot/vmlinuz boot=live
}

menuentry " Fully Automatic Installation - Debian-LAN: mainserver" {
    set gfxpayload=1024x768
    set root=(cd)
    linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=install hostname=mainserver
    initrd /boot/initrd.img
}

menuentry " Fully Automatic Installation - Debian-LAN: gateway" {
    set gfxpayload=1024x768
    set root=(cd)
    linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=install hostname=gateway
    initrd /boot/initrd.img
}

menuentry " FAI - System Information" {
    set gfxpayload=1024x768
    set root=(cd)
    linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=sysinfo hostname=mainserver
    initrd /boot/initrd.img
}

menuentry " Boot OS of first partition on first disk" {
    set root=(hd0,1)
    chainloader +1
}

==> debian-lan-config-0.13/fai/config/files/etc/fai/apt/sources.list/SERVER_A <==
deb http://aptcache.intern:3142/http.debian.net/debian/ wheezy main
deb http://aptcache.intern:3142/security.debian.org/ stable/updates main
deb http://aptcache.intern:3142/http.debian.net/debian/ wheezy-updates main

## Backports repository:
deb http://aptcache.intern:3142/http.debian.net/debian/ wheezy-backports main

==> debian-lan-config-0.13/fai/config/files/etc/fai/NFSROOT/FAISERVER <==
# package list for creating the NFSROOT

PACKAGES aptitude
nfs-common fai-nfsroot module-init-tools ssh
rdate lshw rpcbind rsync lftp less dump reiserfsprogs e2fsprogs
usbutils hwinfo psmisc pciutils hdparm smartmontools parted mdadm lvm2
dnsutils ntpdate dosfstools xfsprogs xfsdump procinfo numactl dialog
console-tools console-common iproute udev subversion xz-utils cupt
grub-pc cfengine2
# we need mkpasswd:
whois
# some network cards need firmware
firmware-bnx2 firmware-bnx2x firmware-realtek

# dracut can replace live-boot
#dracut-network live-boot- live-boot-initramfs-tools-
# squeeze also needs initramfs-tools, even with dracut
#initramfs-tools

# choose if you like live-boot or dracut inside the nfsroot
live-boot

# you should not edit the lines below

# architecture dependent list of packages that are installed
PACKAGES aptitude I386
linux-image-686-pae

PACKAGES aptitude AMD64
linux-image-amd64

==> debian-lan-config-0.13/fai/config/files/etc/fai/fai.conf/DEBIAN <==
# See fai.conf(5) for detailed information.

# Account for saving log files and calling fai-chboot.
LOGUSER=

# URL to access the fai config space.
FAI_CONFIG_SRC=nfs://faiserver/srv/fai/config

==> debian-lan-config-0.13/fai/config/files/etc/resolv.conf/DISKLESS_CLIENT <==
nameserver NAMESERVER
search intern

==> debian-lan-config-0.13/fai/config/files/etc/motd/SERVER_A <==
Debian-LAN -- Debian Local Area Network                    SERVER_A
===================================================

Realized by FAI: Plan your installation, and FAI installs your plan.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

==> debian-lan-config-0.13/fai/config/files/etc/motd/CLIENT_A <==
Debian-LAN -- Debian Local Area Network                    CLIENT_A
===================================================

Realized by FAI: Plan your installation, and FAI installs your plan.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

==> debian-lan-config-0.13/fai/config/files/etc/motd/GATEWAY_A <==
Debian-LAN -- Debian Local Area Network                   GATEWAY_A
====================================================

Realized by FAI: Plan your installation, and FAI installs your plan.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

==> debian-lan-config-0.13/fai/config/files/etc/motd/FAIBASE <==
Plan your installation, and FAI installs your plan.
==> debian-lan-config-0.13/fai/config/files/etc/ldap/slapd.conf/SERVER_A <==
#######################################################################
# Global Directives:

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema
include         /etc/ldap/schema/autofs.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        none

# TLS/SSL
TLSCACertificateFile    /etc/ldap/slapd.crt
TLSCertificateKeyFile   /etc/ldap/slapd.key
TLSCertificateFile      /etc/ldap/slapd.crt
TLSVerifyClient         try

modulepath      /usr/lib/ldap
moduleload      back_hdb

# The maximum number of entries that are returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual number of CPUs that are used
# for indexing.
tool-threads 1

defaultsearchbase "dc=intern"

security update_ssf=128 simple_bind=128
# Access via ldapi/unix socket is assumed to have 128 bit encryption.
# This is required to allow the Kerberos KDC to connect:
localssf 128

backend hdb

#######################################################################
#######################################################################
database hdb

# First database
suffix          "dc=intern"
rootdn          "cn=admin,dc=intern"

# Where the database files are physically stored
directory       "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override an existing DB_CONFIG
# file.  You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indices to maintain
index default eq
index objectClass
index ou
index uidNumber
index gidNumber
index memberUid
index uniqueMember
index krbPwdPolicyReference
index krbPrincipalName pres,sub,eq
index cn pres,sub,eq
index uid pres,sub,eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

## map authentication via gssapi on user dn:
authz-regexp "uid=([^,]*),cn=gssapi,cn=auth" "ldap:///dc=intern??sub?(uid=$1)"

access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

################# Kerberos-KDC access ##################
access to dn.subtree="cn=kerberos,dc=intern"
        by dn.exact="cn=kdc,cn=kerberos,dc=intern" read
        by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * none

access to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
        by dn.exact="cn=kdc,cn=kerberos,dc=intern" read
        by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by self read
        by * auth

## Default access; kadmin needs full access:
access to *
        by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * read

==> debian-lan-config-0.13/fai/config/files/etc/ldap/slapd.conf/GOSA <==
#######################################################################
# Global Directives:

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema
include         /etc/ldap/schema/autofs.schema

# These should be present for GOsa:
include         /etc/ldap/schema/gosa/samba3.schema
include         /etc/ldap/schema/gosa/gosystem.schema
include         /etc/ldap/schema/gosa/gofon.schema
include         /etc/ldap/schema/gosa/gofax.schema
include         /etc/ldap/schema/gosa/goto.schema
include         /etc/ldap/schema/gosa/goserver.schema
include         /etc/ldap/schema/gosa/gosa-samba3.schema
include         /etc/ldap/schema/gosa/trust.schema
include         /etc/ldap/schema/gosa/sudo.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        none

# TLS/SSL
TLSCACertificateFile    /etc/ldap/slapd.crt
TLSCertificateKeyFile   /etc/ldap/slapd.key
TLSCertificateFile      /etc/ldap/slapd.crt
TLSVerifyClient         try

modulepath      /usr/lib/ldap
moduleload      back_hdb

# The maximum number of entries that are returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual number of CPUs that are used
# for indexing.
tool-threads 1

defaultsearchbase "dc=intern"

security update_ssf=128 simple_bind=128
# Access via ldapi/unix socket is assumed to have 128 bit encryption.
# This is required to allow the Kerberos KDC to connect:
localssf 128

backend hdb

#######################################################################
# FIXME
#database config
#rootdn cn=config
#rootpw @LDAP_PW@
#######################################################################
database hdb

# First database
suffix          "dc=intern"
rootdn          "cn=admin,dc=intern"

# Where the database files are physically stored
directory       "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override an existing DB_CONFIG
# file.  You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indices to maintain
index default eq
index objectClass
index ou
index uidNumber
index gidNumber
index memberUid
index uniqueMember
index krbPwdPolicyReference
index krbPrincipalName pres,sub,eq
index cn pres,sub,eq
index uid pres,sub,eq
index sudoUser eq,sub

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

## map authentication via gssapi on user dn:
authz-regexp "uid=([^,]*),cn=gssapi,cn=auth" "ldap:///dc=intern??sub?(uid=$1)"

## map authentication via sasl on user dn:
#authz-regexp "uid=([^,]*),cn=intern,cn=gssapi,cn=auth"
#       "ldap:///dc=intern??sub?(uid=$1)"

################# GOsa access ###################
access to dn.subtree="ou=gosa,dc=intern"
        by dn.exact="cn=gosa,ou=gosa,dc=intern" manage
        by * break

access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

################# Kerberos-KDC access ##################
access to dn.subtree="cn=kerberos,dc=intern"
        by dn.exact="cn=kdc,cn=kerberos,dc=intern" read
        by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * none

access to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
        by dn.exact="cn=kdc,cn=kerberos,dc=intern" read
        by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by self read
        by * auth

## Default access; kadmin needs full access:
access to *
        by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * read

==> debian-lan-config-0.13/fai/config/files/etc/ldap/autofs.ldif/SERVER_A <==
################## Autofs ###########################
## base dn for autofs is 'ou=automount,dc=intern'
dn: ou=automount,dc=intern
objectClass: top
objectClass: organizationalUnit
ou: automount

##
dn: ou=auto.master,ou=automount,dc=intern
objectClass: top
objectClass: automountMap
ou: auto.master

## reference to indirect automounts:
dn: cn=/lan,ou=auto.master,ou=automount,dc=intern
objectClass: automount
cn: /lan
automountInformation: ldap:ou=auto.lan,ou=automount,dc=intern

## indirect mounts:
dn: ou=auto.lan,ou=automount,dc=intern
objectClass: top
objectClass: automountMap
ou: auto.lan

## the /lan/mainserver submount
dn: cn=mainserver,ou=auto.lan,ou=automount,dc=intern
objectClass: automount
cn: mainserver
automountInformation: -fstype=autofs --timeout=60 ldap:ou=auto.mainserver,ou=automount,dc=intern

dn: ou=auto.mainserver,ou=automount,dc=intern
objectClass: top
objectClass: automountMap
ou: auto.mainserver

## the /lan/mainserver/* mount points
dn: cn=/,ou=auto.mainserver,ou=automount,dc=intern
objectClass: automount
cn: /
automountInformation: -fstype=nfs4,sec=krb5i,nodev,nosuid mainserver.intern:/&

==> debian-lan-config-0.13/fai/config/files/etc/ldap/krb5.ldif/SERVER_A <==
################### Kerberos #######################
dn: cn=kerberos,dc=intern
objectClass: krbContainer
cn: kerberos

dn: cn=kdc,cn=kerberos,dc=intern
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: kdc
userPassword: @KDC_SERVICE_PW_HASH@

dn: cn=kadmin,cn=kerberos,dc=intern
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: kadmin
userPassword: @KDC_SERVICE_PW_HASH@

==> debian-lan-config-0.13/fai/config/files/etc/ldap/root.ldif/SERVER_A <==
############### Root of tree and admin ##############
dn: dc=intern
objectClass: top
objectClass: dcObject
objectClass: labeledURIObject
objectClass: organization
description: Debian-LAN
dc: intern
o: Debian-LAN
labeledURI: http://www/ LDAP for Debian-LAN

dn: cn=admin,dc=intern
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP Administrator
userPassword: @LDAP_ADMIN_PW_HASH@

dn: ou=people,dc=intern
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=intern
objectClass: top
objectClass: organizationalUnit
ou: groups

==> debian-lan-config-0.13/fai/config/files/etc/ldap/gosa.ldif/GOSA <==
## GOsa ou, full access for the GOsa admin:
dn: ou=gosa,dc=intern
objectClass: top
objectClass: organizationalUnit
objectClass: gosaAcl
objectClass: gosaDepartment
description: Debian-LAN
ou: gosa
gosaAclEntry: 0:psub:dWlkPWFkbWluLG91PXBlb3BsZSxvdT1nb3NhLGRjPWludGVybg==:all/all;cmdrw
gosaAclEntry: 1:psub:Kg==:users/user;s#sn;r#givenName;r#uid;r#gosaUserDefinedFilter;r#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#base;r#userPicture;w#gosaLoginRestriction;r#o;r#ou;r#departmentNumber;r#manager;r#employeeNumber;r#employeeType;r#roomNumber;w#telephoneNumber;w#pager;w#mobile;w#facsimileTelephoneNumber;w#st;r#l;r#postalAddress;r#homePostalAddress;w#homePhone;w#labeledURI;w#userPassword;r#Certificate;r,users/posixAccount;sr,users/password;sw

## GOsa access to LDAP:
dn: cn=gosa,ou=gosa,dc=intern
objectClass: organizationalRole
objectClass: simpleSecurityObject
description: GOsa access to LDAP ou=gosa
cn: gosa
userPassword: @LDAP_ADMIN_PW_HASH@

## people and groups:
dn: ou=people,ou=gosa,dc=intern
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,ou=gosa,dc=intern
objectClass: top
objectClass: organizationalUnit
ou: groups

## First user 'admin':
dn: uid=admin,ou=people,ou=gosa,dc=intern
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
sn: Administrator
givenName: System
cn: System Administrator
gecos: System Administrator
uid: admin
homeDirectory: /lan/mainserver/home0/admin
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
userPassword: @ADMIN_PW_HASH@

dn: cn=admin,ou=groups,ou=gosa,dc=intern
cn: admin
description: Group of user admin
gidNumber: 10000
objectClass: top
objectClass: posixGroup

## User template:
dn: uid=default_user,ou=people,ou=gosa,dc=intern
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: gosaUserTemplate
objectClass: posixAccount
objectClass: shadowAccount
sn: default_user
givenName: default_user
uid: default_user
cn: default_user default_user
userPassword: {ssha}N0T$3T4N0W
homeDirectory: /lan/mainserver/home0/%uid
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 2147483647

## sudo-ldap (allow www-data to run /usr/sbin/gosa-*)
dn: ou=sudoers,ou=gosa,dc=intern
objectClass: top
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,ou=gosa,dc=intern
objectClass: top
objectClass: sudoRole
description: default sudo options
cn: defaults
sudoOption: env_reset

dn: cn=DebianLAN,ou=sudoers,ou=gosa,dc=intern
objectClass: top
objectClass: sudoRole
description: propagate GOsa's changes to the system
cn: DebianLAN
sudoOption: !authenticate
sudoOption: !syslog
sudoOption: env_keep=USERPASSWORD
sudoHost: mainserver
sudoRunAs: ALL
sudoCommand: /usr/local/sbin/gosa-sync
sudoCommand: /usr/local/sbin/gosa-remove
sudoCommand: /usr/local/sbin/gosa-create
sudoUser: www-data

## some admin roles: give admin(s) sudo access
dn: cn=Admins,ou=sudoers,ou=gosa,dc=intern
objectClass: top
objectClass: sudoRole
description: sudo access all machines
cn: Admins
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL
sudoUser: admin

dn: cn=ClientAdmins,ou=sudoers,ou=gosa,dc=intern
objectClass: top
objectClass: sudoRole
description: sudo access all clients
cn: ClientAdmins
sudoHost: workstation*
sudoHost: diskless*
sudoRunAs: ALL
sudoCommand: ALL
sudoUser: admin

==> debian-lan-config-0.13/fai/config/files/etc/rc.local/FAISERVER <==
#! /bin/bash
## Setup script run at boot time.

set -e
umask 0022

############################
TIMEOUT=120
URL="http.debian.net"
INSTALLER="/usr/lib/debian-installer/images/*/*/text/debian-installer/"
DLROOT="/opt/live"

. /etc/fai/fai.conf
. /etc/fai/nfsroot.conf

##########
check_network () {
    ## Check if package repository is accessible:
    if ! wget --quiet --output-document=/tmp/fai-setup $URL ; then
        echo "Error accessing '$URL', check network and internet access."
        exit 1
    fi
}

setup_nfsroot () {
    echo "Creating the nfsroot for FAI."
    # single quotes: $? and $rc must be expanded when the trap fires,
    # not when it is set, otherwise the failing exit status is lost
    trap 'rc=$?; rm -rf $NFSROOT; exit $rc' ERR SIGHUP SIGINT SIGTERM
    fai-setup -e -v -l
    trap - ERR SIGHUP SIGINT SIGTERM

    ## Create pxelinux boot configuration for workstationXX.
    ## The seq range is sed from the corresponding variable
    ## when fcopy'd:
    echo -n "Creating pxelinux boot configurations: "
    NUM=0
    for IPADDR in `seq WS_RANGE` ; do
        fai-chboot -IFvu $FAI_CONFIG_SRC PREFIX.$IPADDR &>> /var/log/fai/fai-chboot.log
        echo -n "."
        NUM=$(($NUM+1))
    done
    echo -e " Done.\nCreated $NUM workstation configurations."
if [ -d $DLROOT ] ; then fai-chboot -vc diskless.tmpl default &>> /var/log/fai/fai-chboot.log else ## create default configuration (sysinfo): fai-chboot -Svu $FAI_CONFIG_SRC default &>> /var/log/fai/fai-chboot.log sed -i "s/fai-generated/FAI System Information/g" $TFTPROOT/pxelinux.cfg/default fi } setup_diskless () { export LC_ALL=C trap "rc=$?; rm -rf $DLROOT; exit $rc" ERR SIGHUP SIGINT SIGTERM fai -vNu diskless dirinstall $DLROOT/filesystem.dir/ trap - ERR SIGHUP SIGINT SIGTERM TEMPLATE=$TFTPROOT/pxelinux.cfg/diskless.tmpl if [ ! -e $TEMPLATE ]; then KERNEL=`basename $(ls $TFTPROOT/vmlinuz*)` INITRD=`basename $(ls $TFTPROOT/initrd.img*)` echo "Creating template with $KERNEL and $INITRD." cat > $TEMPLATE <> /var/log/fai/fai-chboot.log echo -n "." NUM=$(($NUM+1)) done echo -e " Done.\nCreated $NUM diskless machine configurations." ## Boot unknown machines as diskless: fai-chboot -vc diskless.tmpl default &>> /var/log/fai/fai-chboot.log } setup_PXEinstaller () { ## Add Debian PXE Installer. ## Copy stuff, symlinks do not work (chroot environment): cp -ru $INSTALLER $TFTPROOT if [ -d $TFTPROOT/debian-installer/i386 ] ; then KERNEL=`basename $(ls $TFTPROOT/vmlinuz*)` INITRD=`basename $(ls $TFTPROOT/initrd.img*)` ## add installer menu cat >> $TFTPROOT/pxelinux.cfg/default </dev/null | sh && sed -i "s%\(^munin-node-configure\)%\#\1%" $0 ## Setup nfsroot for FAI: if [ ! -d $NFSROOT ] ; then cat <)"); exit printresult(); # - - - - - - - - - - - - - - - - - - - - - - - - - - __END__ =head1 NAME FAIBASE_TEST - regression test for setup-storage disk layout FAIBASE =head1 SYNOPSIS FAIBASE_TEST checks some important aspects of setup-storage. The disk_config/FAIBASE tunes some filesystem parameters upon creation. We check only the last partition since we expect prior errors to make creation of the last partition fail. 
  Options:
  -help          simple help
  -verbose=n     increase verbosity of test script

=head1 OPTIONS

=over 8

=item B<-help>

simple help

=item B<-verbose>

increase verbosity of test script

==> debian-lan-config-0.13/fai/config/tests/Faitest.pm <==
#! /usr/bin/perl
# Subroutines for automatic tests
#
# Copyright (C) 2009 Thomas Lange, lange@informatik.uni-koeln.de
# Based on the first version by Sebastian Hetze, 08/2008

package FAITEST;

$errors = 0;

use Getopt::Long;
use Pod::Usage;

# - - - - - - - - - - - - - - - - - - - - - - - - - -
sub setup_test {
  my $verbose = 0;
  my $help = 0;
  my $man = 0;

  $verbose = $ENV{'debug'} if $ENV{'debug'};
  my $result = GetOptions (
    "verbose=i" => \$verbose,
    "help"      => \$help,
    "man"       => \$man,
  );
  pod2usage(1) if $help;
  pod2usage(-exitstatus => 0, -verbose => 2) if $man;

  open(LOGFILE,">> $ENV{LOGDIR}/test.log") || die "Can't open test.log. $!";
  print LOGFILE "------------ Test $0 starting ------------\n";
}

sub printresult {
  # write test result and set next test
  my ($nexttest) = @_;
  if ($errors > 0) {
    print STDERR  "\n===> $0 FAILED with $errors errors\n";
    print LOGFILE "\n===> $0 FAILED with $errors errors\n";
  } else {
    print STDERR  "\n===> $0 PASSED successfully\n";
    print LOGFILE "\n===> $0 PASSED successfully\n";
    print LOGFILE "NEXTTEST=$nexttest\n" if $nexttest;
  }
  close (LOGFILE);
  return $errors;
}

sub getDevByMount {
  my $mount = shift;
  my $dev = qx#mount|grep $mount|cut -d' ' -f1#;
  chomp $dev;
  return $dev
}

sub checkMdStat {
  my ($device, $expected) = @_;
  my ($value) = qx#grep -i "^$device\\b" /proc/mdstat# =~ m/$device\s*:\s*(.*)/i;
  if ($value eq $expected) {
    print LOGFILE "Check raid $device success\n";
    return 0;
  } else {
    print LOGFILE "Check raid $device FAILED.\n Expect <$expected>\n Found <$value>\n";
    $errors++;
    return 1;
  }
}

sub checkE2fsAttribute {
  my ($device, $attribute, $expected) = @_;
  # since attribute is a space separated list of attributes, IMO we must loop over
  # the list. Ask Sebastian again
  my ($value) = qx#tune2fs -l $device |grep -i "$attribute"# =~ m/$attribute:\s+(.*)/i;
  if ($value eq $expected) {
    print LOGFILE "Check $attribute for $device success\n";
    return 0;
  } else {
    print LOGFILE "Check $attribute for $device FAILED.\n Expect <$expected>\n Found <$value>\n";
    $errors++;
    return 1;
  }
}

1;

==> debian-lan-config-0.13/fai/config/package_config/CUPS_SERVER <==
PACKAGES aptitude
cups cups-pdf

==> debian-lan-config-0.13/fai/config/package_config/KERBEROS_CLIENT <==
## Only list packages that are essential for the KERBEROS_CLIENT class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
krb5-user libpam-krb5 krb5-clients libsasl2-modules-gssapi-mit ntp

==> debian-lan-config-0.13/fai/config/package_config/LOG_CLIENT <==
## Only list packages that are essential for the LOG_CLIENT class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
munin-node smartmontools lm-sensors nagios-nrpe-server nagios-plugins-basic

==> debian-lan-config-0.13/fai/config/package_config/KDC_LDAP <==
## Only list packages that are essential for the LDAP_KERBEROS_KDC class.
## Put all setup-dependent packages in the SETUP_* class.
PACKAGES aptitude
krb5-kdc-ldap

==> debian-lan-config-0.13/fai/config/package_config/DEBIAN <==
PACKAGES aptitude-r I386
linux-image-686-pae initramfs-tools memtest86+

PACKAGES aptitude CHROOT
linux-image-686-pae- linux-image-amd64-

PACKAGES aptitude-r AMD64
linux-image-amd64 initramfs-tools memtest86+

PACKAGES aptitude XEN
xen-linux-system-2.6.26-2-xen-amd64

PACKAGES aptitude DHCPC
isc-dhcp-client

PACKAGES aptitude GRUB_PC
grub-pc grub-legacy- lilo-

## non-free packages, if you need those, make sure you add 'contrib'
## and 'non-free' to the 'main' repository in
## 'files/etc/apt/sources.list/*':
#PACKAGES aptitude-r
#firmware-linux

==> debian-lan-config-0.13/fai/config/package_config/ROAMING <==
## Only list packages that are essential for the ROAMING class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
libpam-sss libnss-sss sssd libpam-script
## force the use of sss:
libpam-krb5- nscd-

==> debian-lan-config-0.13/fai/config/package_config/FIREWALL <==
PACKAGES aptitude
shorewall

==> debian-lan-config-0.13/fai/config/package_config/SERVER_A <==
## Here are all default packages for the given setup that do not fit
## another class.

PACKAGES aptitude
ssl-cert sudo-ldap screen exim4 nullmailer- etckeeper unattended-upgrades
## backup:
dirvish
#apt-clone

PACKAGES aptitude KERBEROS_KDC
krb5-kdc-ldap

==> debian-lan-config-0.13/fai/config/package_config/CLIENT_A <==
## Here are all default packages for the given setup that do not fit
## another class.
PACKAGES aptitude
anacron sudo-ldap quota unattended-upgrades
#unburden-home-dir

==> debian-lan-config-0.13/fai/config/package_config/DNS_SERVER <==
## Only list packages that are essential for the DNS_SERVER class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
bind9 resolvconf

==> debian-lan-config-0.13/fai/config/package_config/EDU <==
## Example package selection for educational institutions.
## Take a look at the software-center educational section,
## the Debian education-* packages and
## .

PACKAGES aptitude-r
## Primary education:
gcompris childsplay tuxmath tuxtype
## Secondary education:
klavaro stellarium geogebra arduino fritzing scribus audacity viking gvrng scratch
## High school (consider also the DEVTOOLS class):
octave3.2 eclipse blender librecad

==> debian-lan-config-0.13/fai/config/package_config/DEVTOOLS <==
## Optional packages for development.

PACKAGES aptitude-r
## General purpose:
emacs git gitk
## Diagnostics:
gdb lsof ltrace nmap
## Documentation
#texlive
#auctex

==> debian-lan-config-0.13/fai/config/package_config/NFS_CLIENT <==
## Only list packages that are essential for the NFS_CLIENT class.
## Put all setup-dependent packages in the CLIENT_* class.

PACKAGES aptitude
autofs-ldap

==> debian-lan-config-0.13/fai/config/package_config/LOG_SERVER <==
## Only list packages that are essential for the LOG_SERVER class.
## Put all setup-dependent packages in the SETUP_* class.
PACKAGES aptitude
apache2 libapache2-mod-auth-kerb munin munin-node icinga nagios-images
nagios-plugins-standard nagios-nrpe-plugin dnsutils smartmontools lm-sensors

==> debian-lan-config-0.13/fai/config/package_config/NTP_SERVER <==
## Only list packages that are essential for the NTP_SERVER class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
ntp

==> debian-lan-config-0.13/fai/config/package_config/PROXY <==
## Only list packages that are essential for the PROXY class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
squid3 adzapper
## Uncomment for web filtering:
#dansguardian

==> debian-lan-config-0.13/fai/config/package_config/MAIL_SERVER <==
PACKAGES aptitude
exim4-daemon-heavy dovecot-imapd dovecot-gssapi

==> debian-lan-config-0.13/fai/config/package_config/DISKLESS_SERVER <==
## Only list packages that are essential for the SWAP_SERVER class.
## Put all setup-dependent packages in the SETUP_* class.
PACKAGES aptitude
nbd-server

==> debian-lan-config-0.13/fai/config/package_config/GOSA <==
PACKAGES aptitude
gosa gosa-schema gosa-plugin-sudo

==> debian-lan-config-0.13/fai/config/package_config/GERMAN <==
PACKAGES aptitude
task-german

PACKAGES aptitude DESKTOP
iceweasel-l10n-de icedove-l10n-de libreoffice-l10n-de

==> debian-lan-config-0.13/fai/config/package_config/GATEWAY_A <==
PACKAGES aptitude
bind9-host dnsmasq ntp etckeeper anacron unattended-upgrades

==> debian-lan-config-0.13/fai/config/package_config/FAISERVER <==
PACKAGES aptitude
fai-quickstart isc-dhcp-client debmirror tcpdump apache2 genisoimage grub-pc
lftp syslinux-common apt-cacher-ng whois git
## PXE installer:
debian-installer-7.0-netboot-i386 debian-installer-7.0-netboot-amd64

==> debian-lan-config-0.13/fai/config/package_config/DISKLESS_CLIENT <==
PACKAGES aptitude
nbd-client libpam-script
## minimal gnome+lxde+xfce desktop:
lxde lxtask desktop-base gnome-session gnome-session-fallback gnome-applets xfce4
## gnome desktop:
#task-gnome-desktop
#gnome
## xfce desktop:
#xfce4-goodies
#task-xfce4-desktop
## other packages:
lightdm policykit-1
#gdm3
menu eog evince gcalctool gnome-screenshot iceweasel mozilla-plugin-gnash
icedove enigmail inkscape gimp libreoffice
#lyx
krb5-auth-dialog
## From FAIBASE:
fai-client cfengine2 debconf-utils file less nfs-common nscd rsync openssh-client
strace time procinfo nullmailer eject locales console-common pciutils usbutils
#heirloom-mailx
mutt acpi-support-base

==> debian-lan-config-0.13/fai/config/package_config/DESKTOP <==
PACKAGES aptitude
## minimal gnome+lxde+xfce desktop:
lxde lxtask desktop-base gnome-session gnome-session-fallback gnome-applets xfce4
## gnome desktop:
#task-gnome-desktop
#gnome
## xfce desktop:
#xfce4-goodies
#task-xfce4-desktop
#xfce4-mailwatch-plugin
#xfprint4
## other packages:
lightdm policykit-1
#gdm3
menu eog evince gcalctool gnome-screenshot
#vlc
iceweasel mozilla-plugin-gnash icedove enigmail inkscape gimp libreoffice
#lyx
krb5-auth-dialog
## non-free packages, if you need those, make sure you add 'contrib'
## and 'non-free' to the 'main' repository in
## 'files/etc/apt/sources.list/*':
#flashplugin-nonfree

==> debian-lan-config-0.13/fai/config/package_config/NFS_SERVER <==
## Only list packages that are essential for the NFS_SERVER class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
nfs-kernel-server quota

==> debian-lan-config-0.13/fai/config/package_config/XFCE <==
PACKAGES aptitude
xfce4          # base system
xfce4-goodies  # additional tools
xdm iceweasel

==> debian-lan-config-0.13/fai/config/package_config/RAID <==
## Only list packages that are essential for the RAID class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
mdadm

==> debian-lan-config-0.13/fai/config/package_config/FAIBASE <==
PACKAGES aptitude DEBIAN
fai-client cron debconf-utils file hdparm less nfs-common rdate rsync
openssh-client openssh-server strace time procinfo nullmailer eject locales
console-setup kbd pciutils usbutils lvm2 nscd
#heirloom-mailx
mutt cfengine2 acpi-support-base

==> debian-lan-config-0.13/fai/config/package_config/XORG <==
PACKAGES aptitude DEBIAN
xorg xserver-xorg-video-all xserver-xorg-input-all ttf-freefont xscreensaver xterm

==> debian-lan-config-0.13/fai/config/package_config/LDAP_SERVER <==
## Only list packages that are essential for the LDAP_SERVER class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
slapd
autofs-ldap   # needed for the autofs.schema
openssl ldap-utils ldapscripts ldapvi

==> debian-lan-config-0.13/fai/config/package_config/FR_BELGIAN <==
PACKAGES aptitude
task-french

PACKAGES aptitude DESKTOP
iceweasel-l10n-fr icedove-l10n-fr libreoffice-l10n-fr

==> debian-lan-config-0.13/fai/config/package_config/GNOME <==
PACKAGES aptitude
iceweasel
#icedove
menu gdm3 gnome-core gconf-editor gnome-screensaver gnome-system-monitor
gnome-system-tools gnome-network-admin libgnomevfs2-bin

==> debian-lan-config-0.13/fai/config/package_config/LDAP_CLIENT <==
## Only list packages that are essential for the LDAP_CLIENT class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
libnss-ldapd ldap-utils

==> debian-lan-config-0.13/fai/config/package_config/DEMO <==
# some packages we need on a demo machine
PACKAGES aptitude
fortune-mod fortunes rstat-client
#rstatd

# only when also class XORG is defined
PACKAGES aptitude XORG
bb xpenguins
#frozen-bubble

==> debian-lan-config-0.13/fai/config/package_config/CUPS_CLIENT <==
PACKAGES aptitude
cups-client

==> debian-lan-config-0.13/fai/config/package_config/KERBEROS_KDC <==
## Only list packages that are essential for the KERBEROS_KDC class.
## Put all setup-dependent packages in the SETUP_* class.

PACKAGES aptitude
krb5-kdc krb5-admin-server

==> debian-lan-config-0.13/fai/config/hooks/instsoft.SERVER_A.source <==
#! /bin/bash
#
# Disable services when converting a minimal installation.
# Create necessary directories if missing.

POLICYFILE="/usr/sbin/policy-rc.d"

## Only when converting:
if [ "$CONVERT" == "true" ] && [ "$target" == "/" ] && [ ! -e $POLICYFILE ] ; then
    cat > $POLICYFILE <&2
    exit
fi

grep -i "$errorpatterns" *.log | grep -vi "$ignorepatterns" > $errfile
if [ "$verbose" ]; then
    egrep -v '^software.log:' $errfile > $LOGDIR/tempfile
    mv $LOGDIR/tempfile $errfile
fi

if [ -s $errfile ]; then
    echo "ERRORS reported in ${errfile}:"
    cat $errfile | nl
    echo "ERRORS found in log files. See above and $errfile" >&2
else
    echo "Congratulations! No errors found in log files."
fi

==> debian-lan-config-0.13/fai/config/scripts/CUPS_SERVER/10-config <==
#!/usr/sbin/cfagent -f

control:
    any::
        actionsequence = ( editfiles )
        EditFileSize = ( 30000 )

editfiles:
    any::
        { ${target}/etc/cups/cupsd.conf
        ## Allow remote access:
        BeginGroupIfNoSuchLine 'Port 631'
            HashCommentLinesStarting 'Listen localhost:631'
            LocateLineMatching '#.*Listen localhost:631'
            InsertLine '# Allow remote access'
            InsertLine 'Port 631'
            InsertLine 'ServerAlias print.intern'
            LocateLineMatching 'BrowseAllow all'
            InsertLine 'BrowseRemoteProtocols cups dnssd'
            InsertLine 'BrowseAddress @LOCAL'
            LocateLineMatching ''
            LocateLineMatching '  Order allow,deny'
            InsertLine '  # Allow remote access'
            InsertLine '  Allow all'
            LocateLineMatching ''
            LocateLineMatching '  Order allow,deny'
            InsertLine '  # Allow remote access'
            InsertLine '  Allow all'
            LocateLineMatching ''
            LocateLineMatching '  Order allow,deny'
            InsertLine '  # Allow remote access'
            InsertLine '  Allow all'
        EndGroup
        }
==> debian-lan-config-0.13/fai/config/scripts/LOG_CLIENT/10-misc <==
#!/bin/bash
#
# Configure syslog, munin and icinga.
#

set -e

fcopy -r /etc/rsyslog.d/
fcopy -r /etc/nagios/

## allow access from host 'syslog':
IP=$(host syslog | tail -n 1 | awk '{print $NF}' | egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
## quote $IP: an unquoted empty value would make the test succeed
if [ -n "$IP" ] ; then
    ainsl -a /etc/nagios/nrpe.d/debian-lan.cfg "allowed_hosts=${IP}"
    IP=${IP//\./\\\.}
    ainsl -Q /etc/munin/munin-node.conf "allow ^${IP}$" "allow ^${IP}$"
fi

## reconfigure munin-node on first boot (excludes diskless machines: 'dirinstall'):
if [ "$FAI_ACTION" == "install" ] ; then
    FILE="$target/etc/rc.local"
    sed -i "s%\(^exit 0\)%\#\1%" $FILE
    cat >> $FILE </dev/null | sh && sed -i -e "s%\(^munin-node-configure\)%\#\1%" -e "s%\#\(exit 0\)%\1%" \$0
EOF
fi

==> debian-lan-config-0.13/fai/config/scripts/KDC_LDAP/20-keytab <==
#!/usr/sbin/cfagent -f

control:
    any::
        actionsequence = ( editfiles )
        EditFileSize = ( 30000 )

editfiles:
    any::
        { ${target}/etc/default/slapd
        BeginGroupIfNoSuchLine 'KRB5_KTNAME=/etc/krb5.keytab.ldap; export KRB5_KTNAME'
            HashCommentLinesStarting "KRB5_KTNAME="
            HashCommentLinesStarting "export KRB5_KTNAME"
            LocateLineMatching '#.*export KRB5_KTNAME=.*'
            InsertLine 'KRB5_KTNAME=/etc/krb5.keytab.ldap; export KRB5_KTNAME'
        EndGroup
        }

==> debian-lan-config-0.13/fai/config/scripts/KDC_LDAP/10-slapd-KDC <==
#!/bin/bash
#
set -e

if ifclass GOSA ; then
    LDIFS="/etc/ldap/root.ldif /etc/ldap/krb5.ldif /etc/ldap/autofs.ldif /etc/ldap/gosa.ldif"
    ## sudo schema:
    cp -n $target/usr/share/doc/sudo-ldap/schema.OpenLDAP \
          $target/etc/ldap/schema/gosa/sudo.schema
else
    LDIFS="/etc/ldap/root.ldif /etc/ldap/krb5.ldif /etc/ldap/autofs.ldif"
fi

## Copy files in place, but no modifications if file exists:
for file in $LDIFS /etc/ldap/slapd.conf; do
    [ -e $target/$file ] || fcopy -m openldap,openldap,660 $file
done

DN_KRB_CONT=`$ROOTCMD awk '/^dn: cn=kerberos,/ {print $2}' /etc/ldap/krb5.ldif`
DN_KDC="cn=kdc,$DN_KRB_CONT"
DN_KADMIN="cn=kadmin,$DN_KRB_CONT"

## We might want to change a configuration after installation,
## so distribute the corresponding files in any case:
fcopy /etc/krb5.conf
$ROOTCMD sed -i s:@DN_KRB_CONT@:$DN_KRB_CONT:g /etc/krb5.conf
$ROOTCMD sed -i s:@DN_KDC@:$DN_KDC:g /etc/krb5.conf
$ROOTCMD sed -i s:@DN_KADMIN@:$DN_KADMIN:g /etc/krb5.conf
fcopy /etc/krb5kdc/kdc.conf
fcopy /etc/krb5kdc/kadm5.acl

## Stop now, if LDAP database is already present:
if [ -f /var/lib/ldap/__db.001 ] ; then
    echo "The LDAP data base is not empty, stopping. "
    echo "To initialize a brand new LDAP+KDC: "
    echo "rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb"
    echo "rm /etc/krb5kdc/stash /etc/krb5.keytab*"
    exit 0
fi

## Kerberos schema:
$ROOTCMD gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > \
         $target/etc/ldap/schema/kerberos.schema

## Create $DATADIR:
mkdir -p $target$DATADIR

##########################################################################

copy_example_DB_CONFIG() {
    ## Function to set a DB_CONFIG, ripped from slapd.postinst.
    ## Copy an example DB_CONFIG file:
    local directory srcdir
    directory="$1"
    srcdir="/usr/share/slapd"
    if ! [ -f "${target}${directory}/DB_CONFIG" ] && [ -d "$target$directory" ]; then
        $ROOTCMD cp $srcdir/DB_CONFIG "${directory}/DB_CONFIG"
    fi
}

## Prompt for 'admin' password
adminPW() {
    if [ -n "$ADMINPW" ] ; then
        echo "Admin password is set."
    else
        while [ -z "$ADMINPW" ] ; do
            if ! { inp1=$(dialog --insecure --stdout --backtitle " Admin Password " --passwordbox \
                       "There is no password for 'admin' available. \nPlease enter a password for 'admin':" 10 47) &&
                   inp2=$(dialog --insecure --stdout --backtitle " Admin Password " --passwordbox \
                       "Please enter the password for 'admin' again:" 9 48); } ; then
                dialog --stdout --msgbox "Entering passwords canceled, please try again." 5 50
            elif [ "$inp1" == "$inp2" ] ; then
                ADMINPW=$inp1
                echo "Password for admin set."
            else
                dialog --stdout --msgbox "Passwords do not match, please try again." 5 45
            fi
            unset inp1 inp2
        done
    fi
}

## Init LDAP tree
init_LDAP () {
    $ROOTCMD rm -f /var/lib/ldap/*
    copy_example_DB_CONFIG /var/lib/ldap

    ## quoted so that an unset password is detected reliably:
    if [ -z "$LDAP_ADMIN_PW" ] ; then
        LDAP_ADMIN_PW=`$ROOTCMD slappasswd -g -h {CLEARTEXT}`
        PWFILE="$DATADIR/LDAPadminPWD"
        echo -n $LDAP_ADMIN_PW > $target$PWFILE
        chmod -v 0600 $target$PWFILE
        echo "Random LDAP admin password saved in ${PWFILE}."
    fi
    PWFILE="/etc/ldapscripts/ldapscripts.passwd"
    echo -n $LDAP_ADMIN_PW > $target$PWFILE
    $ROOTCMD chmod -v 0600 $PWFILE
    LDAP_ADMIN_PW_HASH=`$ROOTCMD slappasswd -v -s $LDAP_ADMIN_PW -h {SSHA}`

    if ifclass GOSA ; then
        adminPW
        ADMIN_PW_HASH=`$ROOTCMD slappasswd -v -s "$ADMINPW" -h {SSHA}`
    fi

    #### Kerberos KDC service principals:
    KDCCONFDIR="/etc/krb5kdc/"
    KEYFILE="service.keyfile"
    KDC_SERVICE_PW=`$ROOTCMD slappasswd -g -h {CLEARTEXT}`
    ## convert to {HEX} and {SSHA} encoding:
    KDC_SERVICE_PW_HASH=`$ROOTCMD slappasswd -v -s $KDC_SERVICE_PW -h {SSHA}`
    KDC_SERVICE_PW_HEX=`echo $KDC_SERVICE_PW | xxd -g0 -ps | sed "s/0a$//"`
    KRB_CONT_DN=`$ROOTCMD awk '/dn: cn=kerberos,/ { print $2 }' /etc/ldap/krb5.ldif`
    $ROOTCMD touch $KDCCONFDIR$KEYFILE
    $ROOTCMD chmod -v 0600 $KDCCONFDIR$KEYFILE
    cat > $target$KDCCONFDIR$KEYFILE < $target$PWFILE
        chmod -v 0600 $target$PWFILE
        echo "Random Kerberos KDC master password saved in ${PWFILE}."
    fi

    ## Create kerberos subtree in ldap database:
    $ROOTCMD kdb5_ldap_util -s -D $DN_LDAP_ADMIN -w $LDAP_ADMIN_PW \
             create -subtrees dc=intern -H ldapi:// -P $KDC_MASTER_PW

    ## Create default policy, start with no restrictions for the random password.
    ## Add -minlength and -minclasses later (cf. below).
    $ROOTCMD kadmin.local -q "add_policy default"

    $ROOTCMD kadmin.local -q "addprinc -pw $LDAP_ADMIN_PW root/admin"
    $ROOTCMD kadmin.local -q "addprinc -pw $LDAP_ADMIN_PW root"

    ## Create machine principals and add them to the keytab:
    $ROOTCMD kadmin.local -q "addprinc -randkey host/mainserver.intern"
    $ROOTCMD kadmin.local -q "ktadd host/mainserver.intern"
    $ROOTCMD kadmin.local -q "addprinc -randkey nfs/mainserver.intern"
    $ROOTCMD kadmin.local -q "ktadd nfs/mainserver.intern"

    for i in `seq 0 9` ; do
        for j in `seq 0 9` ; do
            ## NFS principal:
            $ROOTCMD kadmin.local -q "addprinc -randkey nfs/workstation${i}${j}.intern"
            $ROOTCMD kadmin.local -q "ktadd -k $DATADIR/workstation${i}${j}.keytab nfs/workstation${i}${j}.intern"
            ## Host principal:
            $ROOTCMD kadmin.local -q "addprinc -randkey host/workstation${i}${j}.intern"
            $ROOTCMD kadmin.local -q "ktadd -k $DATADIR/workstation${i}${j}.keytab host/workstation${i}${j}.intern"
        done
    done

    $ROOTCMD kadmin.local -q "addprinc -randkey ldap/mainserver.intern"
    $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.ldap ldap/mainserver.intern"
    $ROOTCMD chown -v openldap:openldap /etc/krb5.keytab.ldap

    $ROOTCMD kadmin.local -q "addprinc -randkey HTTP/mainserver.intern"
    $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.http HTTP/mainserver.intern"
    $ROOTCMD chown -v www-data:www-data /etc/krb5.keytab.http

    if ifclass MAIL_SERVER ; then
        $ROOTCMD kadmin.local -q "addprinc -randkey smtp/mainserver.intern"
        $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.smtp smtp/mainserver.intern"
        $ROOTCMD chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp
        $ROOTCMD kadmin.local -q "addprinc -randkey imap/mainserver.intern"
        $ROOTCMD kadmin.local -q "ktadd -k /etc/krb5.keytab.imap imap/mainserver.intern"
        $ROOTCMD chown dovecot:dovecot /etc/krb5.keytab.imap
    fi

    if ifclass GOSA ; then
        ## Add initial admin user to kerberos:
        GOSALDIF="$target/etc/ldap/gosa.ldif"
        USERDN="dn=$(grep "^dn: uid=admin," $GOSALDIF | cut -d ' ' -f 2)"
        HOMEDIR=$(grep "^homeDirectory.*admin$" $GOSALDIF | cut -d ' ' -f 2)
        USID=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^uidNumber:" | cut -d " " -f 2)
        GRID=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^gidNumber:" | cut -d " " -f 2)
        $ROOTCMD kadmin.local -q "add_principal -pw "$ADMINPW" -x $USERDN admin"
        cp -r $target/etc/skel $target/$HOMEDIR
        $ROOTCMD chmod -R o-rwx $HOMEDIR
        $ROOTCMD chown -R $USID:$GRID $HOMEDIR
        ## Forward all mail for root to admin:
        if grep -q "^root: .*$" $target/etc/aliases ; then
            sed -i "s/^root: .*$/root: admin/" $target/etc/aliases
        else
            ainsl /etc/aliases "root: admin"
        fi
    fi

    $ROOTCMD kadmin.local -q "modify_policy -minlength 4 -minclasses 2 default"

    echo "Initializing KDC finished. "
}

start_slapd () {
    ## check if slapd is running:
    PID=`pidof slapd || /bin/true`
    if [ -z "$PID" ]; then
        echo "The ldap server slapd is not running. Trying to start slapd."
        if [ -x $target/sbin/start-stop-daemon.distrib ] ; then
            ## needed to start slapd during installation:
            $ROOTCMD mv -v /sbin/start-stop-daemon /sbin/start-stop-daemon.FAKE
            $ROOTCMD cp -v /sbin/start-stop-daemon.distrib /sbin/start-stop-daemon
            start_stop_daemon_moved=true
        else
            echo "No start-stop-daemon.distrib available. "
            echo "'ls /sbin/start-stop-daemon*' returns: "
            $ROOTCMD ls /sbin/start-stop-daemon*
        fi
        $ROOTCMD /etc/init.d/slapd start
    fi
}

stop_slapd () {
    $ROOTCMD /etc/init.d/slapd stop
    if [ true = "$start_stop_daemon_moved" ] && \
       [ -x $target/sbin/start-stop-daemon.distrib ] ; then
        $ROOTCMD mv -v /sbin/start-stop-daemon.FAKE /sbin/start-stop-daemon
    fi
}

#####################
init_LDAP
start_slapd
init_KDC
create_OLC
stop_slapd

exit 0

==> debian-lan-config-0.13/fai/config/scripts/DEBIAN/40-misc <==
#! /bin/bash

# (c) Thomas Lange, 2001-2011, lange@debian.org
# (c) Michael Goetze, 2010-2011, mgoetze@mgoetze.net

error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code

# a list of modules which are loaded at boot time
for module in $MODULESLIST; do
    ainsl -a /etc/modules "^$module$"
done

fcopy -Mv /etc/hostname || echo $HOSTNAME > $target/etc/hostname
ainsl -av /etc/mailname ${HOSTNAME}

sed -i -e "s/^UTC.*/UTC=${UTC}/" $target/etc/default/rcS
sed -i -e 's#/sbin/getty 38400#/sbin/getty --noclear -f /etc/issue.linuxlogo 38400#' ${target}/etc/inittab

[ $FAI_ACTION = "softupdate" ] || cp /etc/fai/fai.conf $target/etc/fai/fai.conf
ainsl -av /etc/fai/fai.conf "FAI_CONFIG_SRC=$FAI_CONFIG_SRC"
fcopy -Miv /etc/fai/fai.conf

exit $error

==> debian-lan-config-0.13/fai/config/scripts/DEBIAN/30-interface <==
#! /bin/bash

error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code

if ifclass DHCPC && [ $FAI_ACTION != "softupdate" ]
then
    cat > $target/etc/network/interfaces <<-EOF
	# generated by FAI
	auto lo eth0
	iface lo inet loopback
	iface eth0 inet dhcp
	EOF
elif [ $FAI_ACTION != "softupdate" ]
then
    [ -n "$IPADDR" ] && cat > $target/etc/network/interfaces <<-EOF
	# generated by FAI
	auto lo eth0
	iface lo inet loopback
	iface eth0 inet static
	address $IPADDR
	netmask $NETMASK
	broadcast $BROADCAST
	gateway $GATEWAYS
	EOF
    [ -n "$NETWORK" ] && echo "localnet $NETWORK" > $target/etc/networks
    [ -L $target/etc/resolv.conf ] || cp -p /etc/resolv.conf $target/etc
fi

# here fcopy is mostly used, when installing a client for running in a
# different subnet than during the installation
fcopy -iUM /etc/resolv.conf
fcopy -iUM /etc/network/interfaces /etc/networks

exit $error

==> debian-lan-config-0.13/fai/config/scripts/DEBIAN/10-rootpw <==
#! /bin/bash

error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code

# set root password
if [ -n "$ROOTPW" ] ; then
    $ROOTCMD usermod -p "$ROOTPW" root
fi

exit $error

==> debian-lan-config-0.13/fai/config/scripts/ROAMING/10-home_nfs4_krb5 <==
#!/bin/bash
#
set -e

ainsl /etc/default/nfs-common 'RPCGSSDOPTS="-n"'
ainsl /etc/pam.d/common-auth 'auth optional pam_script.so'
fcopy -m root,root,0755 /usr/share/libpam-script/pam_script_auth

==> debian-lan-config-0.13/fai/config/scripts/ROAMING/20-sssd_fstab <==
#!/bin/bash
#
set -e

fcopy -m root,root,0600 /etc/sssd/sssd.conf

HOMEDIRS='/lan/mainserver/home0'

## Make sure the home directories are accessible:
if [ "$FAI_ACTION" == "install" ] || [ "$CONVERT" == "true" ] ; then
    umask 022
    mkdir -p $target/$HOMEDIRS
fi

## Bind mount the home directories to /home for offline use,
## when the local files are hidden by the NFS mount:
ainsl /etc/fstab "/home $HOMEDIRS none bind 0 0"

==> debian-lan-config-0.13/fai/config/scripts/FIREWALL/10-config <==
#!/bin/bash
#
set -e

if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
    exit 0
fi

CONFDIR="${target}/etc/shorewall/"

prepare_shorewall(){
    ## Use shorewall's "two-interfaces" example as base setup:
    for FILE in interfaces masq policy routestopped rules zones ; do
        cp -v ${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE $CONFDIR
    done

    ## Enable forwarding:
    sed -i "s/IP_FORWARDING=Keep/IP_FORWARDING=on/" $CONFDIR/shorewall.conf

    ## Define interfaces and use parameters:
    sed -i -e 's/eth0/\$NET_IF/' -e 's/eth1/\$LOC_IF/' $CONFDIR/interfaces $CONFDIR/masq $CONFDIR/routestopped
    sed -i -e '$i LOC_IF=eth0' -e '$i NET_IF=eth1' $CONFDIR/params

    ## Limited ssh access:
    sed -i -e 's%^\(SSH(ACCEPT).*\)$%\1 - - - - s:1/min:1%' $CONFDIR/rules
}

if [ "$HOSTNAME" = "mainserver" ] ; then
    if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
        ## mainserver = gateway, use shorewall's "two-interfaces" example as base setup:
        prepare_shorewall

        ## Allow access from the LAN to the firewall and from the firewall to LAN and internet:
        sed -i -e '/.*MUST BE LAST/i \
\#\# Debian-LAN policy:\
loc $FW ACCEPT\
$FW loc ACCEPT\
$FW net ACCEPT' $CONFDIR/policy

        ## Comment all rules where traffic is allowed already:
        sed -i -e "s/^\(.*ACCEPT)\?\s\+loc\s\+\$FW.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" \
               -e "s/^\(.*ACCEPT)\?\s\+\$FW\s\+loc.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" \
               -e "s/^\(.*ACCEPT)\?\s\+\$FW\s\+net.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" $CONFDIR/rules

        ## Debian-LAN rules:
        cat >> $CONFDIR/rules <> $CONFDIR/rules
    fi
elif [ "$HOSTNAME" = "gateway" ] ; then
    prepare_shorewall

    ## Allow access from firewall to LAN:
    sed -i -e '/.*MUST BE LAST/i \
\#\# Debian-LAN policy:\
$FW loc ACCEPT' $CONFDIR/policy

    ## Comment all rules where traffic is allowed already:
    sed -i -e "s/^\(.*ACCEPT)\?\s\+\$FW\s\+loc.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" $CONFDIR/rules

    ## Debian-LAN rules:
    cat >> $CONFDIR/rules < $FW --> net is not allowed by default)
#HTTP(ACCEPT) \$FW net
#HTTP(ACCEPT) loc \$FW
#HTTPS(ACCEPT) \$FW net
#HTTPS(ACCEPT) loc \$FW
#
#LDAP(ACCEPT) loc \$FW
#LDAPS(ACCEPT) loc \$FW
#
#SMTP(ACCEPT) loc \$FW
#IMAP(ACCEPT) loc \$FW
#
#SSH(ACCEPT) loc \$FW
#SSH(ACCEPT) \$FW loc
#SSH(ACCEPT) \$FW net
#
#NTP(ACCEPT) \$FW net
#NTP(ACCEPT) loc \$FW
#
##
## Allow CUPS
##
#IPPserver(ACCEPT) loc \$FW
#IPPserver(ACCEPT) \$FW loc
#Jetdirect(ACCEPT) \$FW loc
#
##
## Allow apt-cacher-ng
##
#ACCEPT loc \$FW tcp 3142
#
##
## Allow TFTP
##
#TFTP(ACCEPT) loc \$FW
#TFTP(ACCEPT) \$FW loc
#
##
## Allow Nagios NRPE
##
#ACCEPT \$FW loc tcp 5666
#
##
## Allow Munin
##
#Munin(ACCEPT) \$FW loc
#
##
## Allow Syslog server
##
#Syslog(ACCEPT) loc \$FW
#
##
## Kerberos v5 KDC
##
#ACCEPT loc \$FW tcp 88
#ACCEPT loc \$FW udp 88
## kpasswd
#ACCEPT loc \$FW udp 464
#
##
## Allow NFSv4
##
#ACCEPT loc \$FW udp 111
#ACCEPT loc \$FW tcp 111
#ACCEPT loc \$FW tcp 2049
#ACCEPT loc \$FW udp 2049
#ACCEPT loc \$FW tcp 32764:32769
#ACCEPT loc \$FW udp 32764:32769
#
##
## SQUID Manual Proxy (http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual)
##
#Squid(ACCEPT) loc \$FW
#Webcache(ACCEPT) loc \$FW
#
### below rules must be checked
## mostly triggered during FAI installation
#ACCEPT loc \$FW tcp 51105
#ACCEPT loc \$FW udp 55850
#ACCEPT loc \$FW tcp 36174
#ACCEPT loc \$FW tcp 4711
#ACCEPT \$FW loc tcp 39233
#ACCEPT \$FW loc tcp 53615
##### pay extra attention ####
#EOF

==> debian-lan-config-0.13/fai/config/scripts/SERVER_A/20-ldapscripts <==
#!/usr/sbin/cfagent -f

control:
    any::
        actionsequence = ( editfiles )
        EditFileSize = ( 30000 )

editfiles:
    any::
        { ${target}/etc/ldapscripts/ldapscripts.conf
        ReplaceAll '#SERVER="ldap://localhost"' With 'SERVER="ldapi://"'
        ReplaceAll '#BINDDN="cn=Manager,dc=example,dc=com"' With 'BINDDN="cn=admin,dc=intern"'
        ReplaceAll '#BINDPWDFILE=' With 'BINDPWDFILE='
        ReplaceAll '#SUFFIX="dc=example,dc=com"' With 'SUFFIX="dc=intern"'
        ReplaceAll '#GSUFFIX="ou=Groups"' With 'GSUFFIX="ou=groups"'
        ReplaceAll '#USUFFIX="ou=Users"' With 'USUFFIX="ou=people"'
        ReplaceAll '#UHOMES="/home/%u"' With 'UHOMES="/lan/mainserver/home0/%u"'
        ReplaceAll 'CREATEHOMES="no"' With 'CREATEHOMES="yes"'
        ## Avoid conflicts with GOsa which starts at uid/gid 10000:
        ReplaceAll 'UIDSTART="10000"' With 'UIDSTART="40000"'
        ReplaceAll 'GIDSTART="10000"' With 'GIDSTART="40000"'
        ## Do not generate a posix password, use kerberos instead:
        HashCommentLinesStarting 'PASSWORDGEN='
        }
debian-lan-config-0.13/fai/config/scripts/SERVER_A/80-umask0000755000000000000000000000067012176652571020033 0ustar #!/usr/sbin/cfagent -f control: any:: actionsequence = ( editfiles ) EditFileSize = ( 30000 ) editfiles: any:: { ${target}/etc/pam.d/common-session ## Set default umask: AppendIfNoSuchLine "session optional pam_umask.so" } { ${target}/etc/login.defs ## Modify default umask for more privacy: BeginGroupIfNoSuchLine "UMASK$(tab)$(tab)027" ReplaceAll "^UMASK.*" With "UMASK$(tab)$(tab)027" EndGroup } debian-lan-config-0.13/fai/config/scripts/SERVER_A/60-APTrepo_server0000755000000000000000000000621612176652571021613 0ustar #!/bin/bash # # Prepare anything needed to set up a local APT repository. # cf. # set -e if [ -z "$APT_REPO_DIR" ] ; then exit 0 fi mkdir -p $target$APT_REPO_DIR/pool/main mkdir -p $target$APT_REPO_DIR/dists/stable/main/binary-i386 mkdir -p $target$APT_REPO_DIR/dists/stable/main/binary-amd64 mkdir -p $target$APT_REPO_DIR/dists/stable/main/source cat > $target$APT_REPO_DIR/dists/stable/main/binary-i386/Release << EOF Archive: stable Version: 6.0 Component: main Origin: Debian Label: DebianLAN Architecture: i386 EOF sed "s/i386/amd64/" $target$APT_REPO_DIR/dists/stable/main/binary-i386/Release > \ $target$APT_REPO_DIR/dists/stable/main/binary-amd64/Release sed "s/i386/source/" $target$APT_REPO_DIR/dists/stable/main/binary-i386/Release > \ $target$APT_REPO_DIR/dists/stable/main/source/Release cat > $target$APT_REPO_DIR/aptftp.conf < $target$APT_REPO_DIR/aptgenerate.conf < $target$DATADIR/GPGkey.conf < $target$APT_REPO_DIR/create_archive.sh < DebianLAN.pubkey elif [ ! 
-e DebianLAN.pubkey ] ; then
    gpg --export --armor > DebianLAN.pubkey
fi

## Create archive, make sure all packages are readable by www-data:
chgrp www-data pool/main/*.deb DebianLAN.pubkey
chmod g+r pool/main/*.deb DebianLAN.pubkey

FILE=dists/stable/Release
apt-ftparchive generate -c=aptftp.conf aptgenerate.conf
apt-ftparchive release -c=aptftp.conf dists/stable > \$FILE
rm -f \${FILE}.gpg
gpg -vv -u DebianLAN -b -o \${FILE}.gpg \$FILE
chgrp www-data \${FILE}
chgrp www-data \${FILE}.gpg
EOF

chmod 0700 $target$APT_REPO_DIR/create_archive.sh

debian-lan-config-0.13/fai/config/scripts/SERVER_A/70-dirvish
#!/bin/bash
#
# configure dirvish
set -e

BACKUP_DIR="/backup/"
MISC_DIR="${BACKUP_DIR}/tmp/misc/"
## all backed up directories:
BANK_DIRS="/etc /srv/fai/config /root /lan/mainserver/home0 $MISC_DIR"

fcopy -v /etc/cron.daily/backup
rm -vf $target/etc/cron.d/dirvish

## create dirvish' master.conf:
cat > $target/etc/dirvish/master.conf <> $target/etc/dirvish/master.conf
done
cat >> $target/etc/dirvish/master.conf < $target/$BACKUP_DIR/$ID/dirvish/default.conf < $target/etc/network/interfaces <> $target/etc/network/interfaces < /dev/null ; then
cat >> $target/etc/network/interfaces <> $target/etc/network/interfaces < ${target}/$CONF
echo "subjectAltName=DNS:$HostName,DNS:www.intern,DNS:syslog.intern,DNS:print.intern" >> ${target}/$CONF
$ROOTCMD openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
$ROOTCMD chmod 644 $CERT
$ROOTCMD chmod 640 $KEY $CONF
$ROOTCMD chown root:ssl-cert $KEY
HASHNAME=$(dirname $CERT)/$($ROOTCMD openssl x509 -hash -noout -in $CERT)
$ROOTCMD ln -vsf $CERT $HASHNAME
$ROOTCMD a2enmod ssl
$ROOTCMD a2ensite default-ssl

debian-lan-config-0.13/fai/config/scripts/CLIENT_A/30-APTrepo_client
#!/bin/bash
#
# Fetch
public key for the local site's APT repository.
#
set -e

if [ -z "$APT_URL" ] ; then
    exit 0
fi

echo "Check if public key is available:"
## The key is fetched over whatever scheme $APT_URL uses (plain HTTP in this
## configuration) and trusted as received; nothing here compares it with a
## known fingerprint, so whoever can answer for $APT_URL can also sign packages.
if $ROOTCMD wget -O /tmp/DebianLAN.pubkey $APT_URL/DebianLAN.pubkey ; then
    echo -n "Run apt-key and add key: "
    $ROOTCMD apt-key add /tmp/DebianLAN.pubkey
    ## Key is available, add repository to sources.list.d/.
    FILE=/etc/apt/sources.list.d/local.list
    ainsl -a $FILE "## Local APT repository for site-specific packages:"
    ainsl $FILE "deb $APT_URL stable main"
else
    echo "No key available."
fi

debian-lan-config-0.13/fai/config/scripts/CLIENT_A/50-umask
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/pam.d/common-session
      ## Set default umask:
      AppendIfNoSuchLine "session optional pam_umask.so"
    }
    { ${target}/etc/login.defs
      ## Modify default umask for more privacy:
      BeginGroupIfNoSuchLine "UMASK$(tab)$(tab)027"
        ReplaceAll "^UMASK.*" With "UMASK$(tab)$(tab)027"
      EndGroup
    }

debian-lan-config-0.13/fai/config/scripts/CLIENT_A/40-maildir
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/environment
      ## Set MAIL variable:
      AppendIfNoSuchLine "MAIL=~/Maildir"
    }
    { ${target}/etc/pam.d/login
      ## Set MAIL variable:
      ReplaceAll "pam_mail.so standard" With "pam_mail.so dir=~/Maildir"
    }
    { ${target}/etc/pam.d/sshd
      ## Set MAIL variable:
      ReplaceAll "pam_mail.so standard noenv" With "pam_mail.so dir=~/Maildir"
    }

debian-lan-config-0.13/fai/config/scripts/CLIENT_A/10-kerberize
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/ssh/sshd_config
      ## Kerberize sshd:
      ReplaceAll "#GSSAPIAuthentication no" With "GSSAPIAuthentication yes"
    }
    { ${target}/etc/ssh/ssh_config
      ## Kerberize ssh. Note that this enables credential delegation for every
      ## destination (no Host block), so a compromised ssh server receives a
      ## forwarded TGT it can reuse as the user:
      ReplaceAll "^ *GSSAPIDelegateCredentials no" With " GSSAPIDelegateCredentials yes"
    }

debian-lan-config-0.13/fai/config/scripts/CLIENT_A/20-misc
#!/bin/bash
set -e

## faiconfig:
fcopy -ir /etc/fai

## authorized_keys for root:
fcopy -ir /root

## Fetch proxy information from wpad.dat:
WPAD=/tmp/wpad.dat
http_proxy=""; wget --output-document=$WPAD http://wpad.intern/wpad.dat
PROXY=`cat $WPAD | grep PROXY | sed "s/^.*PROXY //" | sed "s/;.*$//"`
ainsl /etc/environment "http_proxy=http://$PROXY/"

if [ "$PROXY" == "webcache:8080" ] ; then
    ## dansguardian is used, lock iceweasel proxy configuration:
    ainsl /etc/iceweasel/pref/iceweasel.js 'lockPref("network.proxy.type", 4);'
else
    ## default configuration to wpad.dat proxy:
    ainsl /etc/iceweasel/pref/iceweasel.js 'pref("network.proxy.type", 4);'
fi

## Allow SSO in iceweasel:
ainsl /etc/iceweasel/pref/iceweasel.js 'pref("network.negotiate-auth.delegation-uris", "intern");'
ainsl /etc/iceweasel/pref/iceweasel.js 'pref("network.negotiate-auth.trusted-uris", "intern");'

## Default Homepage:
ainsl /etc/iceweasel/pref/iceweasel.js 'pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=http://www.intern");'

## Switch off caching over the network:
ainsl /etc/iceweasel/pref/iceweasel.js 'pref("browser.cache.disk.enable", false);'
ainsl /etc/iceweasel/pref/iceweasel.js 'pref("browser.cache.offline.enable", false);'

#ainsl /etc/iceweasel/pref/iceweasel.js 'pref("browser.safebrowsing.enabled", false);'
#ainsl /etc/iceweasel/pref/iceweasel.js 'pref("browser.safebrowsing.malware.enabled", false);'

debian-lan-config-0.13/fai/config/scripts/DNS_SERVER/10-zones
#!/bin/bash
#
set -e

## Generate the DNS configuration.
## Use variables from corresponding class/*.var file.
# FIXME: make this more general for different subnet masks.
PREFIX1=`echo $SUBNET | cut -d "." --fields=1`
PREFIX2=`echo $SUBNET | cut -d "." --fields=2`
FILE="/etc/bind/db.${PREFIX1}.${PREFIX2}"
JOURNAL="/var/lib/bind/db.${PREFIX1}.${PREFIX2}.jnl"

if [ -e $target$FILE ]; then
    exit 0
fi

ainsl /etc/bind/named.conf.local "include \"/etc/bind/localzones\";"

cat > $target/etc/bind/localzones < $target$FILE <> $target$FILE
#     NUM=$(($NUM+1))
# done
# NUM=0
# for IPADDR in `seq $DL_RANGE` ; do
#     NUMSTR=`printf "%02d" $NUM`
#     echo "${IPADDR}.0 PTR diskless${NUMSTR}.intern." \
#         >> $target$FILE
#     NUM=$(($NUM+1))
# done
###################

cat > $target/etc/bind/db.intern <> $target/etc/bind/db.intern
#     NUM=$(($NUM+1))
# done
# NUM=0
# for IPADDR in `seq $DL_RANGE` ; do
#     NUMSTR=`printf "%02d" $NUM`
#     echo "diskless${NUMSTR} A $PREFIX.$IPADDR" \
#         >> $target/etc/bind/db.intern
#     NUM=$(($NUM+1))
# done

debian-lan-config-0.13/fai/config/scripts/DNS_SERVER/30-forwarders
#!/bin/bash
#
set -e

if [ "$FAI_ACTION" = "install" ] || [ "$CONVERT" = "true" ] ; then
    if [ "$MAINSERVER_IPADDR" != "$GATEWAY" ] ; then
        ## Add gateway as DNS forwarder:
        sed -i -e "/\/\/ forwarders {/i \
        forwarders {${GATEWAY};};" $target/etc/bind/named.conf.options
    fi
fi

debian-lan-config-0.13/fai/config/scripts/DNS_SERVER/20-cosmetics
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/default/bind9
      # Disable IPv6 (to silence IPv6 lookup failure messages):
      ReplaceAll 'OPTIONS=\"-u bind\"' With 'OPTIONS=\"-4 -u bind\"'
    }

debian-lan-config-0.13/fai/config/scripts/NFS_CLIENT/20-autofs
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
    { ${target}/etc/default/autofs
      AppendIfNoSuchLine "LDAPURI=ldap:///"
    }

debian-lan-config-0.13/fai/config/scripts/NFS_CLIENT/30-config
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/default/nfs-common
      ## Start the idmapd daemon:
      ReplaceAll "NEED_IDMAPD=$" With "NEED_IDMAPD=yes"
      ## Start the gssd daemon:
      ReplaceAll "NEED_GSSD=$" With "NEED_GSSD=yes"
    }
    { ${target}/etc/idmapd.conf
      ## Needed for correct ID mapping:
      HashCommentLinesStarting "Domain ="
    }

debian-lan-config-0.13/fai/config/scripts/LOG_SERVER/20-munin
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles files )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/munin/munin.conf
      ReplaceAll "\[localhost\.localdomain\]" With "[mainserver.intern]"
    }

files:
  any::
    ${target}/etc/munin/munin-conf.d/nodes.conf mode=0644 action=create

debian-lan-config-0.13/fai/config/scripts/LOG_SERVER/30-kerberize
#!/usr/sbin/cfagent -f
#
# Kerberize access to icinga.
#

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/icinga/apache2.conf
      ReplaceAll "AuthType Basic" With "AuthType Kerberos"
      ReplaceAll "AuthUserFile .*" With "Krb5Keytab /etc/krb5.keytab.http"
      # ReplaceAll "Require valid-user" With "Require user admin@INTERN"
    }
    { ${target}/etc/icinga/cgi.cfg
      # '*' grants every principal that passes the Kerberos auth above full
      # access to the CGIs; narrow these lists if not all users should see them.
      ReplaceAll "authorized_for_system_information=icingaadmin" With "authorized_for_system_information=*"
      ReplaceAll "authorized_for_configuration_information=icingaadmin" With "authorized_for_configuration_information=*"
      ReplaceAll "authorized_for_all_services=icingaadmin" With "authorized_for_all_services=*"
      ReplaceAll "authorized_for_all_hosts=icingaadmin" With "authorized_for_all_hosts=*"
    }
    { ${target}/etc/munin/apache.conf
      ReplaceAll "^[[:space:]]*Allow from localhost .*" With "$(tab)Allow from All"
      ReplaceAll "# AuthUserFile .*" With "Krb5Keytab /etc/krb5.keytab.http"
      ReplaceAll '# AuthName "Munin"' With 'AuthName "Munin Access"'
      ReplaceAll "# AuthType Basic" With "AuthType Kerberos"
      ReplaceAll "# require valid-user" With "Require valid-user"
    }

debian-lan-config-0.13/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga
#!/bin/bash
#
# Configure rsyslog and icinga
#
set -e

fcopy -r /etc/rsyslog.d/
fcopy /etc/icinga/objects/hostgroups_icinga.cfg
fcopy /etc/icinga/objects/services_icinga.cfg
fcopy /etc/icinga/objects/commands.cfg

if [ "$FAI_ACTION" == "install" ] || [ "$CONVERT" == "true" ] ; then
    ## Machines are added here, so do not overwrite them on softupdate:
    fcopy /etc/icinga/objects/hosts.cfg
    sed -i "s#\$GATEWAY#$GATEWAY#" $target/etc/icinga/objects/hosts.cfg
    mv $target/etc/icinga/objects/localhost_icinga.cfg $target/etc/icinga/objects/localhost_icinga.cfg_orig || true
fi
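The CLIENT_A/30-APTrepo_client script above fetches DebianLAN.pubkey from $APT_URL and passes it straight to apt-key, so the first host to answer for that URL decides which key signs the site's packages. The following is an added example, not part of debian-lan-config: it pins the expected fingerprint and accepts a downloaded key file only if it contains exactly one primary key with that fingerprint. EXPECTED_FPR is a placeholder (in practice it would be shipped in the FAI config space next to $APT_URL), and SAMPLE_LISTING is a constructed gpg --with-colons listing, not real key material. It relies on the documented colon format: the fpr record that follows a pub record carries the primary key's fingerprint in field 10.

```python
import subprocess

# Hypothetical pinned fingerprint of the DebianLAN signing key (placeholder).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --with-colons` output for one key with one subkey
# (not real key material).  A 'pub' record is followed by the 'fpr' record of
# the primary key; a 'sub' record is followed by the subkey's own 'fpr'.
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1370000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1370000000::0000000000000000000000000000000000000000::DebianLAN <root@mail.intern>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1370000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def primary_fingerprints(listing: str) -> list[str]:
    """Return the fingerprint of every primary key in a --with-colons listing.

    Field 1 of each record is its type.  The 'fpr' record directly after a
    'pub' record holds the primary key's fingerprint in field 10; 'fpr'
    records after 'sub' records belong to subkeys and are skipped.
    """
    fprs: list[str] = []
    expecting_primary = False
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            expecting_primary = True
        elif rtype == "sub":
            expecting_primary = False
        elif rtype == "fpr" and expecting_primary:
            fprs.append(fields[9].upper())
            expecting_primary = False
    return fprs


def key_is_trusted(listing: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Accept the file only if it holds exactly one primary key whose
    fingerprint equals the pinned value (spaces and case in the pin are ignored).
    Refusing on any extra key stops a file that bundles a rogue key with the
    legitimate one from being imported wholesale."""
    pin = expected_fpr.replace(" ", "").upper()
    fprs = primary_fingerprints(listing)
    return len(fprs) == 1 and fprs[0] == pin


def listing_for_file(path: str) -> str:
    """Run gpg in show-only mode on a downloaded key file; nothing is imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--import-options", "show-only",
         "--import", path],
        check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    listing = listing_for_file(path) if path else SAMPLE_LISTING
    if key_is_trusted(listing):
        print("fingerprint matches pin; key may be installed")
    else:
        print("fingerprint mismatch or unexpected key count; refusing key")
        sys.exit(1)
```

In the client script this check would sit between the wget and the apt-key call, exiting non-zero on mismatch so that no sources.list.d entry is written. On Debian releases where apt-key is deprecated, the accepted key goes into /etc/apt/trusted.gpg.d/ or a signed-by= option in the sources entry instead; the fingerprint check is the same either way.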
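The DNS_SERVER/10-zones script above derives the reverse zone from the first two octets of $SUBNET, which is only right for a /16 network (hence its FIXME). As an added example, not part of debian-lan-config, the helper below derives the same values with the standard-library ipaddress module for /8, /16 and /24 networks, computes PTR owner names relative to that zone, and refuses other prefix lengths rather than mis-deriving them (those need RFC 2317 style delegation). The named.conf stanza layout in zone_stanzas is plain BIND syntax assumed here; the original localzones heredoc is not reproduced on the page, so the stanza is not a copy of it.

```python
import ipaddress

ZONE_DIR = "/etc/bind"          # same locations as in 10-zones
JOURNAL_DIR = "/var/lib/bind"


def reverse_zone(subnet: str) -> dict:
    """Reverse-zone parameters for a classful IPv4 network (/8, /16 or /24).

    The zone name reverses the network octets covered by the prefix; the
    zone file follows the db.<prefix> naming of 10-zones.  Other prefix
    lengths raise ValueError instead of producing a wrong zone.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{subnet}: only /8, /16 and /24 are derived here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    prefix = ".".join(octets)
    return {
        "zone": ".".join(reversed(octets)) + ".in-addr.arpa",
        "file": f"{ZONE_DIR}/db.{prefix}",
        "journal": f"{JOURNAL_DIR}/db.{prefix}.jnl",
    }


def ptr_owner(ip: str, subnet: str) -> str:
    """Owner name of the PTR record for ip, relative to reverse_zone(subnet).

    For 192.168.1.5 in 192.168.0.0/16 this is "5.1"; in 192.168.1.0/24 it
    is "5".  Addresses outside the subnet are rejected.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {subnet}")
    host_octets = str(addr).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(host_octets))


def zone_stanzas(subnet: str, forward_zone: str = "intern") -> str:
    """named.conf declarations for the forward zone and the derived reverse
    zone (assumed minimal BIND syntax, see lead-in)."""
    rev = reverse_zone(subnet)
    return (
        f'zone "{forward_zone}" {{\n'
        f'    type master;\n'
        f'    file "{ZONE_DIR}/db.{forward_zone}";\n'
        f'}};\n'
        f'zone "{rev["zone"]}" {{\n'
        f'    type master;\n'
        f'    file "{rev["file"]}";\n'
        f'}};\n'
    )


if __name__ == "__main__":
    # Constructed inputs standing in for $SUBNET and one host address.
    print(reverse_zone("192.168.0.0/16"))
    print(ptr_owner("192.168.1.5", "192.168.0.0/16"), "PTR pc01.intern.")
    print(zone_stanzas("192.168.0.0/16"))
```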
debian-lan-config-0.13/fai/config/scripts/NTP_SERVER/10-ntp.conf
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/ntp.conf
      ReplaceAll "#broadcast 192.168.123.255" With "broadcast ${BROADCAST_LAN}"
      AppendIfNoSuchLine "server 127.127.1.0 # local clock"
      AppendIfNoSuchLine "fudge 127.127.1.0 stratum 10"
    }

debian-lan-config-0.13/fai/config/scripts/GRUB_PC/10-setup
#! /bin/bash
# support for GRUB version 2 (1.98-1)

error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code

## Skip if not installing:
if [ "$FAI_ACTION" != "install" ] ; then
    exit 0
fi

set -a

# during softupdate use this file
[ -r $LOGDIR/disk_var.sh ] && . $LOGDIR/disk_var.sh

[ -z "$BOOT_DEVICE" ] && exit 701

$ROOTCMD grub-mkdevicemap --no-floppy
GROOT=$($ROOTCMD grub-probe -tdrive -d $BOOT_DEVICE)
# see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606035
GROOT=$(echo $GROOT | sed 's:md/:md:g')
$ROOTCMD grub-install --no-floppy "$GROOT"
echo "Grub installed on $BOOT_DEVICE = $GROOT"
$ROOTCMD update-grub
exit $error

debian-lan-config-0.13/fai/config/scripts/PROXY/10-config
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 300000 )

editfiles:
  any::
    { ${target}/etc/adzapper.conf
      ## Configure adzapper:
      ReplaceAll 'ZAP_MODE=""' With 'ZAP_MODE="CLEAR"'
    }
    { ${target}/etc/squid3/squid.conf
      ## Define local network:
      ReplaceAll "#acl localnet src 10.0.0.0/8" With "acl localnet src ${SUBNETMASK}"
      ## Allow CUPS access:
      BeginGroupIfNoSuchLine 'acl SSL_ports port 631$(tab)$(tab)# cups'
        LocateLineMatching 'acl SSL_ports port 443.*'
        InsertLine 'acl SSL_ports port 631$(tab)$(tab)# cups'
        LocateLineMatching 'acl Safe_ports port 443.*'
        InsertLine 'acl Safe_ports port 631$(tab)$(tab)# cups'
      EndGroup
      ## Allow local network:
      BeginGroupIfNoSuchLine "http_access allow localnet"
        LocateLineMatching "http_access allow localhost"
        InsertLine "http_access allow localnet"
      EndGroup
      ## Use disk cache:
      ReplaceAll "#cache_dir ufs /var/spool/squid3 100 16 256" With "cache_dir ufs /var/spool/squid3 1000 16 256"
      ## Define url_rewrite_program:
      BeginGroupIfNoSuchLine "url_rewrite_program /usr/bin/adzapper.wrapper"
        LocateLineMatching "# TAG: url_rewrite_program"
        InsertLine "url_rewrite_program /usr/bin/adzapper.wrapper"
      EndGroup
    }

debian-lan-config-0.13/fai/config/scripts/PROXY/30-dansguardian
#!/bin/bash
#
set -e

if $ROOTCMD which dansguardian > /dev/null ; then
    ## enable dansguardian:
    sed -i "s/^UNCONFIGURED/\# Line commented by FAI. UNCONFIGURED/" ${target}/etc/dansguardian/dansguardian.conf
    ## disable direct access to squid from the network (clients must go through
    ## dansguardian on port 8080, see 20-wpad):
    sed -i "/^http_access allow localnet$/d" ${target}/etc/squid3/squid.conf
fi

debian-lan-config-0.13/fai/config/scripts/PROXY/20-wpad
#!/bin/bash
#
set -e

if $ROOTCMD which dansguardian > /dev/null ; then
    PORT="8080"
else
    PORT="3128"
fi

cat > $target/var/www/wpad.dat < ${target}/$CONF
    echo "subjectAltName=DNS:$HostName,DNS:mail.intern" >> ${target}/$CONF
    $ROOTCMD openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
    $ROOTCMD chmod 640 $KEY $CERT $CONF
    $ROOTCMD chown root:Debian-exim $KEY $CERT
else
    echo "$CERT and $KEY exists, nothing done!"
fi

## Create dovecot certificate:
CERT="/etc/dovecot/dovecot.pem"
KEY="/etc/dovecot/private/dovecot.pem"
CONF="/etc/dovecot/dovecot.cnf"
if [ ! -f ${target}/$CONF ] ; then
    sed -e s#@HostName@#"$HostName"# $TEMPLATE > ${target}/$CONF
    echo "subjectAltName=DNS:$HostName,DNS:mail.intern" >> ${target}/$CONF
    $ROOTCMD openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
    $ROOTCMD chmod 640 $KEY $CERT $CONF
    $ROOTCMD chown root:dovecot $KEY $CERT
else
    echo "${target}/$CONF exists, nothing done!"
fi

debian-lan-config-0.13/fai/config/scripts/MAIL_SERVER/20-dovecot
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/dovecot/conf.d/10-auth.conf
      ReplaceAll "#auth_krb5_keytab =.*" With "auth_krb5_keytab = /etc/krb5.keytab.imap"
      ReplaceAll "auth_mechanisms = plain" With "auth_mechanisms = gssapi plain"
    }
    { ${target}/etc/dovecot/conf.d/10-mail.conf
      ReplaceAll "^mail_location = mbox:~/mail:INBOX=/var/mail/%u" With "mail_location = maildir:~/Maildir"
    }

debian-lan-config-0.13/fai/config/scripts/DISKLESS_SERVER/10-setup
#!/bin/bash
#
# setup the diskless+swap server
#
fcopy /usr/local/sbin/nbdswapd
fcopy /etc/nbd-server/conf.d/swap.conf
ainsl /etc/exports "/opt ${SUBNETMASK}(async,ro,no_subtree_check,no_root_squash)"

debian-lan-config-0.13/fai/config/scripts/GOSA/10-config
#!/bin/bash
set -e

GOSACONF="/etc/gosa/gosa.conf"

## Check the file system being configured, not the installer's own root:
if [ -e $target$GOSACONF ]; then
    exit 0
fi

fcopy -m root,www-data,0660 $GOSACONF
fcopy -m root,root,0770 /usr/local/sbin/gosa-create
fcopy -m root,root,0770 /usr/local/sbin/gosa-sync
fcopy -m root,root,0770 /usr/local/sbin/gosa-remove
fcopy -m root,root,0770 /usr/local/sbin/add2gosa
fcopy /var/www/index.html

## Insert password:
PWFILE="$DATADIR/LDAPadminPWD"
PW=`cat $target/$PWFILE`
## The sed substitution breaks if the password contains '#', '&' or '\';
## the generated password must avoid these characters.
sed -i "s#@LDAP_ADMIN_PW@#$PW#" $target/$GOSACONF

## Encrypt password:
rm $target/etc/gosa/gosa.secrets
$ROOTCMD gosa-encrypt-passwords

## needed for sudo-ldap:
ainsl /etc/ldap/ldap.conf "sudoers_base ou=sudoers,ou=gosa,dc=intern"

debian-lan-config-0.13/fai/config/scripts/GATEWAY_A/10-misc
#!/bin/bash
set -e

## Switch on apt-cacher-ng:
# FIXME: resolv.conf does not use the internal name server, so DNS fails here:
ainsl -a /etc/apt/apt.conf '#Acquire::http::Proxy "http://aptcache.intern:3142/";'

if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
    exit 0
fi

## Generate '/etc/network/interfaces':
cat > $target/etc/network/interfaces < ${target}/$CRKEY < /dev/null ; then
    echo "Key exists already, nothing done!"
    exit 1
fi

## HMAC-MD5 is the historical TSIG default; BIND 9 and ISC DHCP also accept
## HMAC-SHA256 (dnssec-keygen -a HMAC-SHA256 -b 256), which is preferable for
## a new deployment.
KEYFILE=\$(dnssec-keygen -a HMAC-MD5 -b 128 -r /dev/urandom -n USER DHCP_UPDATER).private
KEY=\$(grep 'Key: ' \$KEYFILE | cut -d ' ' -f2)

cat > $DATADIR/ddns.key < $target/etc/dhcp/dhcpd.conf <> $target/etc/dhcp/dhcpd.conf
    NUM=$(($NUM+1))
done
echo "}" >> $target/etc/dhcp/dhcpd.conf

cat >> $target/etc/dhcp/dhcpd.conf <> $target/etc/dhcp/dhcpd.conf
    NUM=$(($NUM+1))
done
echo "}" >> $target/etc/dhcp/dhcpd.conf

debian-lan-config-0.13/fai/config/scripts/DISKLESS_CLIENT/30-nfs4_krb5
#!/bin/bash
#
set -e

ainsl /etc/default/nfs-common 'RPCGSSDOPTS="-n"'
ainsl /etc/pam.d/common-auth 'auth optional pam_script.so'
fcopy -m root,root,0755 /usr/share/libpam-script/pam_script_auth

debian-lan-config-0.13/fai/config/scripts/DISKLESS_CLIENT/40-ntp
#!/usr/sbin/cfagent -f
## This modification is needed because diskless clients do not
## use the ntp-server declaration of the DHCP server.

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/ntp.conf
      BeginGroupIfNoSuchLine "server ntp iburst"
        HashCommentLinesStarting "server "
        AppendIfNoSuchLine "server ntp iburst"
      EndGroup
    }

debian-lan-config-0.13/fai/config/scripts/DISKLESS_CLIENT/20-munin
#!/bin/bash
#
# munin-node creates links for the mainserver when installing the
# chroot for diskless clients.
# Remove all links and create only useful ones.
# Use 'munin-node-configure --shell' on a diskless client to create
# the list.
#
set -e

if [ "$FAI_ACTION" != "dirinstall" ] ; then
    exit 0
fi

rm $target/etc/munin/plugins/*
$ROOTCMD ln -s '/usr/share/munin/plugins/cpu' '/etc/munin/plugins/cpu'
$ROOTCMD ln -s '/usr/share/munin/plugins/entropy' '/etc/munin/plugins/entropy'
$ROOTCMD ln -s '/usr/share/munin/plugins/forks' '/etc/munin/plugins/forks'
$ROOTCMD ln -s '/usr/share/munin/plugins/fw_packets' '/etc/munin/plugins/fw_packets'
$ROOTCMD ln -s '/usr/share/munin/plugins/if_' '/etc/munin/plugins/if_eth0'
$ROOTCMD ln -s '/usr/share/munin/plugins/if_err_' '/etc/munin/plugins/if_err_eth0'
$ROOTCMD ln -s '/usr/share/munin/plugins/interrupts' '/etc/munin/plugins/interrupts'
$ROOTCMD ln -s '/usr/share/munin/plugins/irqstats' '/etc/munin/plugins/irqstats'
$ROOTCMD ln -s '/usr/share/munin/plugins/load' '/etc/munin/plugins/load'
$ROOTCMD ln -s '/usr/share/munin/plugins/memory' '/etc/munin/plugins/memory'
$ROOTCMD ln -s '/usr/share/munin/plugins/nfs4_client' '/etc/munin/plugins/nfs4_client'
$ROOTCMD ln -s '/usr/share/munin/plugins/nfs_client' '/etc/munin/plugins/nfs_client'
$ROOTCMD ln -s '/usr/share/munin/plugins/ntp_kernel_err' '/etc/munin/plugins/ntp_kernel_err'
$ROOTCMD ln -s '/usr/share/munin/plugins/ntp_kernel_pll_freq' '/etc/munin/plugins/ntp_kernel_pll_freq'
$ROOTCMD ln -s '/usr/share/munin/plugins/ntp_kernel_pll_off' '/etc/munin/plugins/ntp_kernel_pll_off'
$ROOTCMD ln -s '/usr/share/munin/plugins/ntp_offset' '/etc/munin/plugins/ntp_offset'
$ROOTCMD ln -s '/usr/share/munin/plugins/open_files' '/etc/munin/plugins/open_files'
$ROOTCMD ln -s '/usr/share/munin/plugins/open_inodes' '/etc/munin/plugins/open_inodes'
$ROOTCMD ln -s '/usr/share/munin/plugins/proc_pri' '/etc/munin/plugins/proc_pri'
$ROOTCMD ln -s '/usr/share/munin/plugins/processes' '/etc/munin/plugins/processes'
$ROOTCMD ln -s '/usr/share/munin/plugins/swap' '/etc/munin/plugins/swap'
$ROOTCMD ln -s '/usr/share/munin/plugins/threads' '/etc/munin/plugins/threads'
$ROOTCMD ln -s '/usr/share/munin/plugins/uptime' '/etc/munin/plugins/uptime'
$ROOTCMD ln -s '/usr/share/munin/plugins/users' '/etc/munin/plugins/users'
$ROOTCMD ln -s '/usr/share/munin/plugins/vmstat' '/etc/munin/plugins/vmstat'

debian-lan-config-0.13/fai/config/scripts/DISKLESS_CLIENT/50-groups
#!/bin/bash
set -e

## The following is needed if you need to have group membership
## assigned to users on login.
## Example: Configure PAM to add users to the dialout group (needed
## to access /dev/tty*). The "*;*;*" rule applies to every service, tty
## and user, see pam_group(8):
ainsl -q /etc/security/group.conf "*;*;*;Al0000-2400;dialout"
ainsl -q /etc/pam.d/common-auth "auth optional pam_group.so"

debian-lan-config-0.13/fai/config/scripts/DISKLESS_CLIENT/10-misc
#!/bin/bash
#
# Compare with the corresponding FAIBASE script.
#
set -e

fcopy -Mv /etc/hosts

## use hostname offered by dhcp server:
rm -fv $target/etc/hostname

## fetch template and fill in nameserver's IP address:
fcopy -Mv /etc/resolv.conf
IP=`host ns | tail -n 1 | awk '{print $NF}'`
sed -i "s/NAMESERVER/$IP/" $target/etc/resolv.conf

## timezone
echo $TIMEZONE > $target/etc/timezone
cp -f /usr/share/zoneinfo/${TIMEZONE} $target/etc/localtime

# create keyboard layout table
$ROOTCMD bash -c "echo 'console-data console-data/keymap/full select $KEYMAP' | debconf-set-selections"
$ROOTCMD install-keymap $KEYMAP || true

## Configure PAM to add users to the dialout group:
ainsl -q /etc/security/group.conf "*;*;*;Al0000-2400;dialout"
ainsl -q /etc/pam.d/common-auth "auth optional pam_group.so"

## Choose the default desktop:
#$ROOTCMD update-alternatives --set x-session-manager /usr/bin/startlxde
$ROOTCMD update-alternatives --set x-session-manager /usr/bin/startxfce4

debian-lan-config-0.13/fai/config/scripts/DESKTOP/20-default-desktop
#!/bin/bash

## Choose the default desktop:
#$ROOTCMD update-alternatives --set x-session-manager /usr/bin/startlxde
$ROOTCMD update-alternatives --set x-session-manager /usr/bin/startxfce4

debian-lan-config-0.13/fai/config/scripts/DESKTOP/10-groups
#!/bin/bash
set -e

## The following is needed if you need to have group membership
## assigned to users on login.
## Example: Configure PAM to add users to the dialout group (needed
## to access /dev/tty*):
ainsl -q /etc/security/group.conf "*;*;*;Al0000-2400;dialout"
ainsl -q /etc/pam.d/common-auth "auth optional pam_group.so"

debian-lan-config-0.13/fai/config/scripts/NFS_SERVER/10-config
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( directories editfiles )
    EditFileSize = ( 30000 )

directories:
  any::
    # Make sure /srv/nfs4/home0 exists:
    ${target}/srv/nfs4/home0 mode=755 owner=root group=root

editfiles:
  any::
    { ${target}/etc/default/nfs-common
      ## start the idmapd daemon:
      ReplaceAll "NEED_IDMAPD=$" With "NEED_IDMAPD=yes"
      ## start the gssd daemon:
      ReplaceAll "NEED_GSSD=$" With "NEED_GSSD=yes"
    }
    { ${target}/etc/idmapd.conf
      ## Needed for correct ID mapping:
      HashCommentLinesStarting "Domain ="
    }
    { ${target}/etc/exports
      ## kerberized NFS4:
      AppendIfNoSuchLine "/srv/nfs4 ${SUBNETMASK}(sec=krb5p:krb5i,rw,fsid=0,crossmnt,no_subtree_check)"
      AppendIfNoSuchLine "/srv/nfs4/home0 ${SUBNETMASK}(sec=krb5p:krb5i,rw,no_subtree_check)"
    }
    { ${target}/etc/fstab
      ## Bind the shared directory to the exported tree:
      AppendIfNoSuchLine "/lan/mainserver/home0 /srv/nfs4/home0 none bind 0 0"
    }
    { ${target}/etc/default/nfs-kernel-server
      ## Start the svcgssd daemon:
      ReplaceAll "NEED_SVCGSSD=$" With "NEED_SVCGSSD=yes"
    }
    { ${target}/etc/default/autofs
      AppendIfNoSuchLine "exit 0"
    }

debian-lan-config-0.13/fai/config/scripts/FAIBASE/20-removable_media
#! /bin/bash
# (c) Thomas Lange, 2006,2009, lange@debian.org
# create entries for removable media in fstab and directories in /media

[ -b $target/dev/fd0 ] && ainsl /etc/fstab "/dev/fd0 /media/floppy auto users,noauto 0 0"

cdromlist() {
    [ -f /proc/sys/dev/cdrom/info ] || return
    devs=$(grep 'drive name:' /proc/sys/dev/cdrom/info | cut -d ":" -f 2)
    for d in $devs; do
        echo $d
    done
}

fstabline () {
    line=$(printf "%-15s %-15s %-7s %-15s %-7s %s\n" "$1" "$2" "$3" "$4" "$5" "$6")
    ainsl /etc/fstab "$line"
}

i=0
for cdrom in $(cdromlist | tac); do
    [ $i -eq 0 ] && [ ! -L $target/media/cdrom/cdrom0 ] && ln -s cdrom0 $target/media/cdrom
    mkdir -p $target/media/cdrom$i
    fstabline /dev/$cdrom /media/cdrom$i udf,iso9660 ro,user,noauto 0 0
    i=$(($i + 1))
done

debian-lan-config-0.13/fai/config/scripts/FAIBASE/10-misc
#! /bin/bash
# (c) Thomas Lange, 2001-2012, lange@debian.org

error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code

echo $TIMEZONE > $target/etc/timezone
cp -f /usr/share/zoneinfo/${TIMEZONE} $target/etc/localtime

if [ -n "$IPADDR" ]; then
    ifclass DHCPC || ainsl -s /etc/hosts "$IPADDR $HOSTNAME.$DOMAIN $HOSTNAME"
fi

fcopy -iM /etc/hosts /etc/motd

# make /root accessible only by root
chmod -c 0700 $target/root
chown -c root:root $target/root
# copy default dotfiles for root account
fcopy -ir /root

chmod -c 1777 ${target}/tmp
chown -c 0:0 ${target}/tmp

exit $error

debian-lan-config-0.13/fai/config/scripts/LAST/50-misc
#! /bin/bash
# copyright Thomas Lange 2001-2011, lange@debian.org

error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code

# remove backup files from cfengine, but only if cfengine is installed
if [ -x /usr/sbin/cfagent ] || [ -x $target/usr/sbin/cfagent ] ; then
    dirs="root etc var"
    for path in $dirs; do
        find $target/$path -maxdepth 20 -name \*.cfedited -o -name \*.cfsaved | xargs -r rm
    done
fi

[ "$FAI_DEBMIRROR" ] && ainsl /etc/fstab "#$FAI_DEBMIRROR $MNTPOINT nfs ro 0 0"

# set bios clock
if [ $do_init_tasks -eq 1 ] ; then
    case "$UTC" in
        no|"") hwopt="--localtime" ;;
        yes)   hwopt="--utc" ;;
    esac
    hwclock $hwopt --systohc || true
fi

# Make sure everything is configured properly
if ifclass DEBIAN ; then
    echo "Running \"apt-get -f install\" for the last time."
    $ROOTCMD apt-get -f install
fi

lskernels=$(echo $target/boot/vmlinu*)
[ -f ${lskernels%% *} ] || echo "ERROR: No kernel was installed. Have a look at shell.log" >&2

# copy sources.list
fcopy -iM /etc/apt/sources.list

exit $error

debian-lan-config-0.13/fai/config/scripts/LDAP_SERVER/10-mkslapdcert
#!/bin/bash
#
# Create a self-signed certificate for LDAP
#
set -e

CERT="/etc/ldap/slapd.crt"
KEY="/etc/ldap/slapd.key"
CONF="/etc/ldap/slapd.cnf"
TEMPLATE="${target}/usr/share/ssl-cert/ssleay.cnf"
HostName="${HOSTNAME}.intern"

if [ -f $target/$CERT ] && [ -f $target/$KEY ]; then
    echo "$CERT and $KEY exists, exiting!"
    exit 0
fi

sed -e s#@HostName@#"$HostName"# $TEMPLATE > ${target}/$CONF
echo "subjectAltName=DNS:$HostName,DNS:$HOSTNAME,DNS:ldap.intern,DNS:ldap" >> ${target}/$CONF
$ROOTCMD openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
$ROOTCMD chmod 600 $KEY $CONF
$ROOTCMD chown openldap:openldap $KEY

ifclass FAISERVER || exit 0

## Add the LDAP certificate to the fai config space:
$ROOTCMD mkdir -pv /srv/fai/config/files/${CERT}/
$ROOTCMD cp -v $CERT /srv/fai/config/files/${CERT}/LDAP_CLIENT

debian-lan-config-0.13/fai/config/scripts/LDAP_CLIENT/40-nsswitch.conf
#!/usr/sbin/cfagent -f
## FIXME: #639529

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/nsswitch.conf
      AppendIfNoSuchLine "automount: files ldap"
    }

debian-lan-config-0.13/fai/config/scripts/LDAP_CLIENT/20-nslcd.conf
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )

editfiles:
  any::
    { ${target}/etc/nslcd.conf
      AppendIfNoSuchLine "tls_cacertfile /etc/ldap/slapd.crt"
    }

debian-lan-config-0.13/fai/config/scripts/LDAP_CLIENT/50-sudoers
#!/bin/bash
set -e

## Fetch sudoers' base from LDAP:
BASE=$($ROOTCMD ldapsearch -xLLL "(ou=sudoers)" dn | cut -d ' ' -f 2)
if [ -n "$BASE" ] ; then
    ainsl /etc/ldap/ldap.conf "sudoers_base $BASE"
fi

debian-lan-config-0.13/fai/config/scripts/LDAP_CLIENT/30-certificate
#!/bin/bash
ifclass LDAP_SERVER || fcopy /etc/ldap/slapd.crt

debian-lan-config-0.13/fai/config/scripts/LDAP_CLIENT/10-ldap.conf
#!/usr/sbin/cfagent -f

control:
  any::
    actionsequence = ( editfiles )
    EditFileSize = ( 30000 )
editfiles:
  any::
    { ${target}/etc/ldap/ldap.conf
      BeginGroupIfNoLineMatching "^URI .*"
        AppendIfNoSuchLine "URI ldap://ldap/"
      EndGroup
      # Base-DN:
      BeginGroupIfNoLineMatching "^BASE .*"
        AppendIfNoSuchLine "BASE dc=intern"
      EndGroup
      # Verify the server:
      BeginGroupIfNoLineMatching "^TLS_REQCERT .*"
        AppendIfNoSuchLine "TLS_REQCERT demand"
      EndGroup
      AppendIfNoSuchLine "TLS_CACERT /etc/ldap/slapd.crt"
    }

debian-lan-config-0.13/fai/config/scripts/DEMO/10-misc
#! /bin/bash
# (c) Thomas Lange, 2001-2010, lange@debian.org

ifclass XORG && {
    fcopy -M /etc/X11/xorg.conf
}

# add a demo user account; it receives the same password hash as root,
# so it is only suitable for the DEMO class
if [ -n "$ROOTPW" ] && ! $ROOTCMD getent passwd demo ; then
    $ROOTCMD adduser --disabled-login --gecos "fai demo user" demo
    $ROOTCMD usermod -p "$ROOTPW" demo
fi

chmod -c 666 ${target}/dev/fd*
chmod -c 444 ${target}/dev/sr*

debian-lan-config-0.13/fai/config/scripts/CUPS_CLIENT/10-config
#!/bin/bash
#
# Configure CUPS client
#
set -e

ainsl -a /etc/cups/client.conf 'ServerName print.intern'
ainsl -a /etc/cups/client.conf 'Encryption Always'

debian-lan-config-0.13/fai/config/disk_config/ROAMING
disk_config disk1 fstabkey:uuid
primary /boot 64-512 ext4 rw
primary swap 64-2096 swap sw
logical - 0- - -

disk_config lvm
vg vg_system disk1.5
vg_system-root / 500M-10G ext4 errors=remount-ro
vg_system-usr /usr 3G-20G ext4 defaults
vg_system-var /var 1G-30% ext4 defaults
vg_system-home /home 1G-50% ext4 defaults

debian-lan-config-0.13/fai/config/disk_config/LVM_XEN_SERVER
disk_config disk1 fstabkey:uuid primary /boot 100 ext4 rw primary swap 256 swap sw primary / 2000 ext4 rw logical /tmp 1000 ext4 rw,nosuid logical /usr 2000 ext4 rw logical /var 2000 ext4 rw logical - 0- - - disk_config lvm vg XENU disk1.8 XENU-worm_ - 2000 ext4 - XENU-wormswap - 500 swap - XENU-worm_tmp - 500 ext4 - XENU-worm_usr - 2000 ext4 - XENU-worm_var - 2000 ext4 - XENU-bull_ - 2000 ext4 - XENU-bullswap - 500 swap - XENU-bull_tmp - 500 ext4 - XENU-bull_usr - 2000 ext4 - XENU-bull_var - 2000 ext4 - XENU-bull_var_spool - 4000 ext4 - XENU-bull_var_mail - 100000 ext4 - debian-lan-config-0.13/fai/config/disk_config/RAIDLVM7_A0000644000000000000000000000117612176652571017434 0ustar ## RAID1 on two identical disks. disk_config disk1 primary - 64-512 - - primary - 64-2096 - - logical - 0- - - disk_config disk2 sameas:disk1 disk_config raid fstabkey:uuid raid1 /boot disk1.1,disk2.1 ext4 rw raid1 swap disk1.2,disk2.2 swap sw raid1 - disk1.5,disk2.5 - - disk_config lvm fstabkey:uuid vg vg_system md2 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 defaults vg_system-home /lan/mainserver/home0 1G-40% ext4 usrquota vg_system-backup /backup 1G-40% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/LVM5_A0000644000000000000000000000054012176652571016764 0ustar disk_config disk1 fstabkey:uuid primary /boot 64-512 ext4 rw primary swap 64-2096 swap sw logical - 0- - - disk_config lvm vg vg_system disk1.5 vg_system-root / 500M-10G ext4 errors=remount-ro vg_system-usr /usr 3G-20G ext4 defaults vg_system-var /var 1G-70% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/LVM6BAK_A0000644000000000000000000000075112176652571017307 0ustar disk_config disk1 fstabkey:uuid primary /boot 64-512 ext4 rw primary swap 64-2096 swap sw logical - 0- - - disk_config lvm vg vg_system disk1.5 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 
defaults vg_system-home /lan/mainserver/home0 2G-70% ext4 usrquota disk_config disk2 fstabkey:uuid primary /backup 100% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/LVM7BAK_A0000644000000000000000000000103112176652571017300 0ustar disk_config disk1 fstabkey:uuid primary /boot 64-512 ext4 rw primary swap 64-2096 swap sw logical - 0- - - disk_config lvm vg vg_system disk1.5 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 defaults vg_system-opt /opt 4G-10G ext4 defaults vg_system-home /lan/mainserver/home0 2G-70% ext4 usrquota disk_config disk2 fstabkey:uuid primary /backup 100% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/GATEWAY_A0000644000000000000000000000040212176652571017337 0ustar disk_config disk1 disklabel:msdos bootable:1 fstabkey:uuid primary / 500-1G ext4 errors=remount-ro logical swap 200-1000 swap sw logical /var 1G- ext4 defaults logical /tmp 100-1G ext4 defaults logical /usr 1G-4G ext4 defaults debian-lan-config-0.13/fai/config/disk_config/RAIDLVM7BAK_A0000644000000000000000000000133312176652571017745 0ustar ## RAID1 on two identical disks and a backup disk. 
disk_config disk1 primary - 64-512 - - primary - 64-2096 - - logical - 0- - - disk_config disk2 sameas:disk1 disk_config raid fstabkey:uuid raid1 /boot disk1.1,disk2.1 ext4 rw raid1 swap disk1.2,disk2.2 swap sw raid1 - disk1.5,disk2.5 - - disk_config lvm fstabkey:uuid vg vg_system md2 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 defaults vg_system-opt /opt 4G-10G ext4 defaults vg_system-home /lan/mainserver/home0 2G-70% ext4 usrquota disk_config disk3 fstabkey:uuid primary /backup 100% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/FAISERVER0000644000000000000000000000135612176652571017335 0ustar # config file for an FAI install server # # disk_config disk1 disklabel:msdos fstabkey:uuid primary / 300 ext4 rw,noatime,errors=remount-ro logical swap 200-1000 swap sw logical /var 600-5G ext4 rw,noatime,nosuid,nodev createopts="-m15" tuneopts="-c 0 -i 0" logical /tmp 100-1000 ext4 rw,noatime,nosuid,nodev createopts="-m 0" tuneopts="-c 0 -i 0" logical /usr 1G-6G ext4 rw,noatime logical /home 100-40% ext4 rw,noatime,nosuid,nodev createopts="-m 1" tuneopts="-c 0 -i 0" logical /srv 1G-50% ext4 rw,noatime createopts="-m 1" tuneopts="-c 0 -i 0" debian-lan-config-0.13/fai/config/disk_config/RAIDLVM6BAK_A0000644000000000000000000000125312176652571017745 0ustar ## RAID1 on two identical disks and a backup disk. 
disk_config disk1 primary - 64-512 - - primary - 64-2096 - - logical - 0- - - disk_config disk2 sameas:disk1 disk_config raid fstabkey:uuid raid1 /boot disk1.1,disk2.1 ext4 rw raid1 swap disk1.2,disk2.2 swap sw raid1 - disk1.5,disk2.5 - - disk_config lvm fstabkey:uuid vg vg_system md2 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 defaults vg_system-home /lan/mainserver/home0 2G-70% ext4 usrquota disk_config disk3 fstabkey:uuid primary /backup 100% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/FAIBASE0000644000000000000000000000117712176652571017042 0ustar # example of new config file for setup-storage # # disk_config disk1 disklabel:msdos bootable:1 fstabkey:uuid primary / 250 ext4 rw,noatime,errors=remount-ro logical swap 200-1000 swap sw logical /var 600-1300 ext4 rw,noatime createopts="-L var -m 5" tuneopts="-c 0 -i 0" logical /tmp 100-1G ext4 rw,noatime,nosuid,nodev createopts="-L tmp -m 0" tuneopts="-c 0 -i 0" logical /usr 1G-8G ext4 rw,noatime,nodev createopts="-L usr" logical /home 100-50% ext4 rw,noatime,nosuid,nodev createopts="-L home -m 1" tuneopts="-c 0 -i 0" debian-lan-config-0.13/fai/config/disk_config/RAIDLVM8_A0000644000000000000000000000125612176652571017434 0ustar ## RAID1 on two identical disks. 
disk_config disk1 primary - 64-512 - - primary - 64-2096 - - logical - 0- - - disk_config disk2 sameas:disk1 disk_config raid fstabkey:uuid raid1 /boot disk1.1,disk2.1 ext4 rw raid1 swap disk1.2,disk2.2 swap sw raid1 - disk1.5,disk2.5 - - disk_config lvm fstabkey:uuid vg vg_system md2 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 defaults vg_system-opt /opt 4G-10G ext4 defaults vg_system-home /lan/mainserver/home0 1G-40% ext4 usrquota vg_system-backup /backup 1G-40% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/RAID_XEN_VIRTUAL0000644000000000000000000000116112176652571020440 0ustar disk_config hda virtual primary - 2000 - - primary - 500 - - primary - 500 - - primary - 2000 - - primary - 2000 - - disk_config sda virtual primary - 2000 - - primary - 500 - - primary - 500 - - primary - 2000 - - primary - 2000 - - disk_config raid raid1 / hda1,sda1 ext4 rw raid1 swap hda2,sda2 swap sw raid1 /tmp hda3,sda3 ext4 rw,nosuid,nodev raid1 /usr hda4,sda4 ext4 rw raid1 /var hda5,sda5 ext4 rw debian-lan-config-0.13/fai/config/disk_config/LVM8_A0000644000000000000000000000077612176652571017002 0ustar disk_config disk1 fstabkey:uuid primary /boot 64-512 ext4 rw primary swap 64-2096 swap sw logical - 0- - - disk_config lvm vg vg_system disk1.5 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 defaults vg_system-opt /opt 4G-10G ext4 defaults vg_system-home /lan/mainserver/home0 1G-40% ext4 usrquota vg_system-backup /backup 1G-40% ext4 defaults debian-lan-config-0.13/fai/config/disk_config/LVM7_A0000644000000000000000000000071612176652571016773 0ustar disk_config disk1 fstabkey:uuid primary /boot 64-512 ext4 rw primary swap 64-2096 swap sw logical - 0- - - disk_config lvm vg vg_system disk1.5 vg_system-root / 1G-5G ext4 errors=remount-ro vg_system-usr /usr 2G-20G ext4 defaults vg_system-var /var 1G-40G ext4 defaults vg_system-home 
/lan/mainserver/home0 1G-40% ext4 usrquota vg_system-backup /backup 1G-40% ext4 defaults debian-lan-config-0.13/fai/config/class/0000755000000000000000000000000012176652571014705 5ustar debian-lan-config-0.13/fai/config/class/20-hwdetect.source0000755000000000000000000000231112176652571020155 0ustar #! /bin/bash # (c) Thomas Lange, 2002-2012, lange@informatik.uni-koeln.de # NOTE: Files named *.source will be evaluated, but their output ignored. Instead # the contents of $newclasses will be added to the list of defined classes. [ $do_init_tasks -eq 1 ] || return 0 # Do only execute when doing install echo 0 > /proc/sys/kernel/printk # wheezy does not have -m and modules.pcimap depmod -m 2>/dev/null if [ -f "/lib/modules/`uname -r`/modules.pcimap" ]; then for module in $(pcimodules) ; do [ "$verbose" ] && echo loading kernel module $module modprobe "$module" done fi # here, you can load modules depending on the kernel version kernelmodules="sd_mod sr_mod" case $(uname -r) in 2.6*) kernelmodules="$kernelmodules mptspi dm-mod md-mod aes dm-crypt" ;; 3*) kernelmodules="$kernelmodules mptspi dm-mod md-mod aes dm-crypt" ;; esac for mod in $kernelmodules; do [ "$verbose" ] && echo loading kernel module $mod modprobe -a $mod 1>/dev/null 2>&1 done ip ad show up | egrep -iv 'loopback|127.0.0.1|::1/128|_lft' echo $printk > /proc/sys/kernel/printk set_disk_info # calculate number of available disks save_dmesg # save new boot messages (from loading modules) debian-lan-config-0.13/fai/config/class/50-host-classes0000755000000000000000000000707212176652571017473 0ustar #! /bin/bash # assign classes to hosts # Most of the classes in $MAINSERVER_* should be self-contained and not # specific to a given setup. Use the SERVER_* or CLIENT_* class for # all setup-specific details. ## ## Setup A ## ======= ## ## Mainserver variants (FLAVOR) c.f. wiki documentation: ## ## The network configuration (cf. 
'class/SERVER_A.var') determines ## if the mainserver acts as gateway to the external network. ## ## *LVM7_A | *LVM8_A DISKLESS_SERVER --> diskless client server ## ## LVM*_A | RAIDLVM*_A RAID --> RAID1 (mirroring) ## ## *BAK_A --> Extra backup disk, recommended. Setups without backup ## disk are intended for testing only. ## ## Example classes that might be added: ## ## DEVTOOLS optional development packages ## EDU package selection for education ## GERMAN localization class ## ## Choose your mainserver setting: #FLAVOR="LVM7_A" ## simple setup for testing in a vm #FLAVOR="LVM6BAK_A" ## backup disk #FLAVOR="RAIDLVM7_A RAID" ## RAID1 #FLAVOR="RAIDLVM6BAK_A RAID" ## RAID1, backup disk FLAVOR="LVM8_A DISKLESS_SERVER" ## simple diskless, default for testing in a VM #FLAVOR="LVM7BAK_A DISKLESS_SERVER" ## diskless, backup disk #FLAVOR="RAIDLVM8_A RAID DISKLESS_SERVER" ## diskless, RAID1 #FLAVOR="RAIDLVM7BAK_A RAID DISKLESS_SERVER" ## diskless, RAID1, backup disk ## Setup with graphical user management tool GOsa. Remove GOSA class if it is not needed: MAINSERVER_A="$FLAVOR FIREWALL CUPS_SERVER LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER \ MAIL_SERVER LDAP_CLIENT LDAP_SERVER KERBEROS_CLIENT KERBEROS_KDC KDC_LDAP SERVER_A GOSA" WORKSTATION_A="LVM5_A CUPS_CLIENT LOG_CLIENT LDAP_CLIENT NFS_CLIENT KERBEROS_CLIENT \ CLIENT_A" # Use a list of classes for your machine: case $HOSTNAME in ## The following hosts are kept for reference only (FAI project). 
## They are not tested and probably do not work with Debian-LAN: faiserver) echo "FAIBASE DEBIAN DEMO FAISERVER" ;; demohost|client*) echo "FAIBASE DEBIAN DHCPC DEMO" ;; xfcehost) echo "FAIBASE DEBIAN DHCPC DEMO XORG XFCE" ;; gnomehost) echo "FAIBASE DEBIAN DHCPC DEMO XORG GNOME" ;; atom*) echo "FAIBASE DEBIAN DHCPC DEMO" ;; bear) echo "FAIBASE DEBIAN DHCPC LVM_XEN_SERVER XEN" ;; puma) echo "FAIBASE DEBIAN DHCPC RAID_XEN_VIRTUAL" ;; ## ## These hosts are part of the Debian-LAN: ## gateway) echo "FAIBASE DEBIAN DHCPC FIREWALL GATEWAY_A" ;; mainserver) echo "FAIBASE DEBIAN FAISERVER $MAINSERVER_A" ;; ## For individualizing machines, define the host before the ## general workstation* case and add a specializing class: # workstation00) # echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP SPECIAL" ;; ## And/or add ROAMING class to cache credentials for off-line use: # echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP ROAMING" ;; workstation*) ## You might want to add some localization class like: # echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP GERMAN" ;; echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP" ;; diskless) ## You might want to add some localization class like: # echo "DEBIAN $WORKSTATION_A XORG DISKLESS_CLIENT GERMAN" echo "DEBIAN $WORKSTATION_A XORG DISKLESS_CLIENT" ## skip GRUB_PC below: exit 0 ;; *) ## Unknown machines are installed as roaming workstation by default: echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP ROAMING" ;; esac ifclass -o I386 AMD64 && echo GRUB_PC exit 0 debian-lan-config-0.13/fai/config/class/SERVER_A.var0000644000000000000000000000567512176652571016702 0ustar # Default values for installation SERVER_A. # allow installation of packages from unsigned repositories FAI_ALLOW_UNSIGNED=0 CONSOLEFONT= KEYMAP=us-latin1 # Set UTC=yes if your system clock is set to UTC (GMT), and UTC=no if not. 
UTC=yes TIMEZONE=Europe/Berlin # Local user and root password for the new installed linux system # Leave empty if no local user apart from root is needed. USERNAME="" # Use: 'mkpasswd -Hsha-256 ' to create the password hash # pw is "fai": #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1' # If $ROOTPW is empty, you will be prompted during installation: ROOTPW=${ROOTPW:-''} # If $ADMINPW is empty, you will be prompted during installation: ADMINPW=${ADMINPW:-''} ## All sensible data will end up here (see below): DATADIR=/root/installation/ ## The Kerberos KDC master password in clear text (!). If undefined ## or empty, a random password will be created and saved in $DATADIR. KDC_MASTER_PW= ## The password for the LDAP admin and root's principals in clear ## text (!!!). If undefined or empty, a random password will be ## created and saved in $DATADIR. LDAP_ADMIN_PW= ## Variables that define the network. You can choose the same IP ## address for mainserver ($MAINSERVER_IPADDR) and gateway ($GATEWAY) ## interactively during installation, see below. MAINSERVER_IPADDR=${MAINSERVER_IPADDR:-''} GATEWAY=${GATEWAY:-''} BROADCAST_LAN=${BROADCAST_LAN:-'10.0.255.255'} NAMESERVER_IPADDR="" # leave empty to use mainserver's IP address if [ -z "$GATEWAY" ] || [ -z "$MAINSERVER_IPADDR" ] ; then ## Dialog to choose setup: inp=$(dialog --insecure --stdout --backtitle " Network Setup " --radiolist \ "There are two variants available:\n\n\ SEPARATE: The mainserver and the network's gateway\n\ are separate machines.\n\n\ COMBINED: The mainserver is configured as gateway\n\ to the external network (2 NICs needed)." 
15 63 2 \ SEPARATE " mainserver: 10.0.0.10, gateway: 10.0.0.1 " on \ COMBINED " mainserver == gateway: 10.0.0.1, 2 NICs " off ) if [ "$inp" = "COMBINED" ] ; then MAINSERVER_IPADDR='10.0.0.1' GATEWAY='10.0.0.1' else MAINSERVER_IPADDR='10.0.0.10' GATEWAY='10.0.0.1' fi unset inp fi SUBNET="10.0.0.0" NETMASK="255.255.0.0" SUBNETMASK="10.0.0.0/16" ## NETMASK for FAI config space access: FAINETMASK=${FAINETMASK:-'10.0.0.0/16'} ## DHCP range for unknown clients (cf. dhcpd.conf): RANGE="10.0.1.100 10.0.1.199" ## IP address-endings for workstations and diskless machines (the list ## is generated using 'seq $WS_RANGE' respectively 'seq $DL_RANGE'): WS_RANGE="50 149" DL_RANGE="150 249" ## Local APT repository for the site (accessible via http). ## Set empty to skip this feature. APT_REPO_DIR="/var/www/debian/" ## URL of the local site's APT repository. ## Set empty to skip this feature. APT_URL="http://www.intern/debian/" # erros in tasks greater than this value will cause the installation to stop STOP_ON_ERROR=700 debian-lan-config-0.13/fai/config/class/10-base-classes0000755000000000000000000000037012176652571017416 0ustar #! /bin/bash # Echo architecture and OS name in uppercase. Do NOT remove these two lines. uname -s | tr '[:lower:]' '[:upper:]' [ -x "`which dpkg`" ] && dpkg --print-architecture | tr a-z A-Z [ -f /etc/RUNNING_FROM_FAICD ] && echo "FAICD" exit 0 debian-lan-config-0.13/fai/config/class/GATEWAY_A.var0000644000000000000000000000126212176652571016761 0ustar # Default values for installation GATEWAY_A. # allow installation of packages from unsigned repositories FAI_ALLOW_UNSIGNED=0 CONSOLEFONT= KEYMAP=us-latin1 # Set UTC=yes if your system clock is set to UTC (GMT), and UTC=no if not. 
UTC=yes TIMEZONE=Europe/Berlin # Use: 'mkpasswd -Hsha-256 ' to create the password hash # pw is "fai": #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1' # If $ROOTPW is empty, you will be prompted during installation: ROOTPW=${ROOTPW:-''} GATEWAY_IPADDR=${GATEWAY_IPADDR:-'10.0.0.1'} BROADCAST_LAN=${BROADCAST_LAN:-'10.0.255.255'} NETMASK="255.255.0.0" # erros in tasks greater than this value will cause the installation to stop STOP_ON_ERROR=700 debian-lan-config-0.13/fai/config/class/DEBIAN.var0000644000000000000000000000043612176652571016344 0ustar CONSOLEFONT= KEYMAP=us-latin1 # MODULESLIST contains modules that will be loaded by the new system, # not during installation these modules will be written to /etc/modules # If you need a module during installation, add it to $kernelmodules # in 20-hwdetect.source. MODULESLIST="loop" debian-lan-config-0.13/fai/config/class/GERMAN.var0000644000000000000000000000007712176652571016374 0ustar # german environment (for Debian) KEYMAP=de-latin1-nodeadkeys debian-lan-config-0.13/fai/config/class/ROAMING.var0000644000000000000000000000035312176652571016514 0ustar # Default values for ROAMING class. # Use: 'mkpasswd -Hsha-256 ' to create the password hash # pw is "fai": #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1' # If password is empty, you are prompted during installation. ROOTPW='' debian-lan-config-0.13/fai/config/class/FR_BELGIAN.var0000644000000000000000000000006412176652571017047 0ustar # Belgian environment (for Debian) KEYMAP=be-latin1 debian-lan-config-0.13/fai/config/class/CLIENT_A.var0000644000000000000000000000114612176652571016637 0ustar # Default values for installation CLIENT_A. # allow installation of packages from unsigned repositories FAI_ALLOW_UNSIGNED=0 CONSOLEFONT= KEYMAP=us-latin1 # Set UTC=yes if your system clock is set to UTC (GMT), and UTC=no if not. 
UTC=yes TIMEZONE=Europe/Berlin # Use: 'mkpasswd -Hsha-256 ' to create the password hash # pw is "fai": #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1' ROOTPW='*' ## URL of the local site's APT repository. ## Set empty to skip this feature. APT_URL="http://www.intern/debian/" # erros in tasks greater than this value will cause the installation to stop STOP_ON_ERROR=700 debian-lan-config-0.13/fai/config/class/FAIBASE.var0000644000000000000000000000076612176652571016462 0ustar # default values for installation. You can override them in your *.var files # allow installation of packages from unsigned repositories FAI_ALLOW_UNSIGNED=0 # Set UTC=yes if your system clock is set to UTC (GMT), and UTC=no if not. UTC=yes TIMEZONE=Europe/Berlin # root password for the new installed linux system; md5 and crypt are possible # pw is "fai" #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1' # errors in tasks greater than this value will cause the installation to stop STOP_ON_ERROR=700 debian-lan-config-0.13/debian/0000755000000000000000000000000012176652571013016 5ustar debian-lan-config-0.13/debian/lintian-overrides0000644000000000000000000000034112176652571016375 0ustar # The provided scripts are in general not to be executed on the host # the packet is installed on: debian-lan-config binary: missing-dep-for-interpreter cfagent => cfengine2 (usr/share/debian-lan-config/fai/config/scripts/*) debian-lan-config-0.13/debian/compat0000644000000000000000000000000212176652571014214 0ustar 9 debian-lan-config-0.13/debian/copyright0000644000000000000000000000221012176652571014744 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: debian-lan-config Source: Files: * Copyright: 2011-2013 Andreas B. Mundt Except classes provided by FAI (cf. fai-doc package). License: GPL-3.0+ Files: debian/* Copyright: 2013 Andreas B. 
Mundt License: GPL-3.0+ License: GPL-3.0+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . . On Debian systems, the complete text of the GNU General Public License version 3 can be found in "/usr/share/common-licenses/GPL-3". debian-lan-config-0.13/debian/source/0000755000000000000000000000000012176652571014316 5ustar debian-lan-config-0.13/debian/source/format0000644000000000000000000000001512176652571015525 0ustar 3.0 (native) debian-lan-config-0.13/debian/control0000644000000000000000000000172212176652571014423 0ustar Source: debian-lan-config Section: admin Priority: extra Maintainer: Debian LAN Developers Uploaders: Andreas B. Mundt Build-Depends: debhelper (>= 9.0.0) Standards-Version: 3.9.4 Homepage: http://wiki.debian.org/DebianLAN Vcs-Git: git://anonscm.debian.org/collab-maint/debian-lan.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git Package: debian-lan-config Architecture: all Depends: ${misc:Depends} Suggests: fai-server Description: FAI config space for the Debian-LAN system The Debian-LAN (Debian Local Area Network) project makes running Debian in a local area network easy without losing flexibility. It may be used by schools, work groups, associations and small enterprises or to install complex test environments. . Debian-LAN uses FAI (Fully Automatic Installation) to install and configure all machines in the network. . This package contains the FAI config space. 
debian-lan-config-0.13/debian/install0000644000000000000000000000005512176652571014407 0ustar fai/config /usr/share/debian-lan-config/fai/ debian-lan-config-0.13/debian/rules0000755000000000000000000000067112176652571014102 0ustar #!/usr/bin/make -f # -*- makefile -*- # Sample debian/rules that uses debhelper. # This file was originally written by Joey Hess and Craig Small. # As a special exception, when this file is copied by dh-make into a # dh-make output file, you may use that output file without restriction. # This special exception was added by Craig Small in version 0.37 of dh-make. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ debian-lan-config-0.13/debian/README.Debian0000644000000000000000000000424512176652571015064 0ustar The Debian Package debian-lan-config ==================================== This package contains the FAI config space for the Debian-LAN system. Details about Debian-LAN and verbose instructions are available in the Debian wiki at . There are two ways available to install the Debian-LAN mainserver: - prepare a CD image and install from that image or - install a minimal Debian and convert that installation Choose the method appropriate for your situation. Creating a CD image with fai-cd ------------------------------- Create the CD image in the following way: aptitude install debian-lan-config # might be already installed aptitude -R install fai-server genisoimage # no recommends needed mkdir /srv/fai/ cp -r /usr/share/debian-lan-config/fai/config /srv/fai/ cp /srv/fai/config/files/etc/fai/grub.cfg/SERVER_A /etc/fai/grub.cfg cp /srv/fai/config/files/etc/fai/NFSROOT/FAISERVER /etc/fai/NFSROOT sed -i "s/^deb.*fai-project/\#&/" /etc/fai/apt/sources.list Adapt the config space to your needs if necessary and create the FAI nfsroot: fai-make-nfsroot -v -l Now create a fake Debian mirror needed to satisfy fai-cd. 
The CD image is then created by fai-cd: mkdir -p /tmp/debmirror/dists/fake/main/binary-i386/ touch /tmp/debmirror/dists/fake/main/binary-i386/Packages fai-cd -m /tmp/debmirror/ fai-cd.iso Converting a minimal Debian Installation ---------------------------------------- Install a minimal Debian (only the core system) on the server. Choose 'mainserver' as hostname. Prepare appropriate partitions, examples are available in /usr/share/debian-lan-config/fai/config/disk_config/. Then convert the installation with the following commands: aptitude install debian-lan-config # might be already installed aptitude -R install fai-server dialog # no recommends needed mkdir /srv/fai/ cp -r /usr/share/debian-lan-config/fai/config /srv/fai/ Adapt the config space to your needs if necessary and run FAI with the variable CONVERT set to true: export CONVERT=true ; fai -vN -s file:///srv/fai/config/ softupdate -- Andreas B. Mundt Wed, 30 Jan 2013 18:50:03 +0100 debian-lan-config-0.13/debian/changelog0000644000000000000000000000546212176652571014677 0ustar debian-lan-config (0.13) unstable; urgency=low * Fix timeout in PXE menu. * Rearrange squid cfengine script to make it succeed in a single run. * Increase squid cache size. * Add FIREWALL class and the new machine 'gateway', a simple gateway/firewall. * Enable shorewall for the 'two-interfaces'-setup. * Fix permission problem when executing '/etc/rc.local' manually. * Add some packages to DESKTOP, DISKLESS_CLIENT and EDU class. -- Andreas B. Mundt Thu, 01 Aug 2013 21:02:25 +0200 debian-lan-config (0.12) unstable; urgency=low * Implement ROAMING class, which allows using machines off-line. * Add roaming machine installation to the PXE-boot menu. * Switch to dynamic DNS updates. Improve DHCPd configuration and improve handling of unknown machines that do not provide a hostname. * Enable disk cache for squid. -- Andreas B. 
Mundt Sat, 08 Jun 2013 08:23:39 +0200 debian-lan-config (0.11) unstable; urgency=low * Fix lintian warnings and errors. * Config space: Add localization class FR_BELGIAN, thanks to Julien Lambot. Create certificate for dovecot and replace the default one. Do not add unnecessary modules to '/etc/modules'. Use default options for NFSv4 mounts. * Enable 'dialog' to choose setup variant during installation or conversion. Non-interactive installations are possible by providing the necessary FAI variables as kernel boot parameters. Thanks to Andreas Schockenhoff. * Small fixes and improvements. -- Andreas B. Mundt Mon, 20 May 2013 20:45:09 +0200 debian-lan-config (0.10) unstable; urgency=low * Remove disk checks for diskless clients in munin. * Increase the default size range of /boot and /var partitions. * Improve debian-lan script (distribution of Kerberos keytabs). * Packaging: Team maintenance. Bump debian/compat to 9. * Small fixes/improvements, cleanup and cosmetics (Closes: #705891): - Only allow signed APT repositories. - Fix permissions for the public key of the local APT repository. - Enable the local APT repository for the 'mainserver'. - Rename some scripts for consistency, typos, ... . - Remove workaround for apt-cacher-ng as it is not needed anymore. - Add acpi-support-base package. * Rework the creation of self-signed certificates (subjectAltName=...). * Add link to the GOsa password changing page on the Debian-LAN intranet site and make it the default home page on the clients. * Many thanks to Andreas Schockenhoff, Julien Lambot and Michael Welsh Duggan for various valuable input. -- Andreas B. Mundt Sat, 04 May 2013 14:38:17 +0200 debian-lan-config (0.9) experimental; urgency=low * Initial packaged release. -- Andreas B. Mundt Mon, 25 Mar 2013 14:17:37 +0100