#!/bin/sh

# (c) Copyright 2001-2013, Packet General Networks, Inc. All rights reserved.

# Copyright (c) 2013.  The Packet General Networks, Inc. (Packet General).
# All Rights Reserved. Contact Packet General Networks, Inc., 865
# Merrick Road, Suite 204, NY 11510, (650) 485-1415 for any additional
# information regarding this notice.

# All materials are the intellectual property of Packet General
# Networks, Inc. and may not be copied, reproduced, distributed or
# displayed without Packet General Networks, Inc.'s express written
# permission.

# IN NO EVENT SHALL PACKET GENERAL BE LIABLE TO ANY PARTY FOR DIRECT,
# INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
# LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
# DOCUMENTATION, EVEN IF PACKET GENERAL HAS BEEN ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

# PACKET GENERAL SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT
# NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE. THE SOFTWARE AND ACCOMPANYING DOCUMENTATION,
# IF ANY, PROVIDED HEREUNDER IS PROVIDED "AS IS". PACKET GENERAL HAS NO
# OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
# MODIFICATIONS.

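# define variables
# Everything below edits root-owned system files (sudoers, crontab, monit,
# login.defs, puppet). Fail early when not root instead of half-applying.
if [ "$(id -u)" -ne 0 ]; then
	echo "$0: must be run as root" >&2
	exit 1
fi

# Fixed, trusted search path; exported so the tools we start (monit, cron
# reload, ssh-keyscan, ...) inherit it even when invoked with an empty env.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Site settings live in /root/serverg.vars as "key:value" lines. Without it
# every derived value is empty and the later steps would write garbage
# (empty cron commands, an address-less /etc/hosts entry, ...).
VARS_FILE=/root/serverg.vars
if [ ! -r "$VARS_FILE" ]; then
	echo "$0: cannot read $VARS_FILE" >&2
	exit 1
fi

# vars_get KEY: print the value of the first "KEY:value" line in VARS_FILE,
# with surrounding blanks and a stray CR (CRLF-edited file) removed. As with
# the original cut -f 2, a value that itself contains ':' is cut at it.
vars_get() {
	grep "^$1:" "$VARS_FILE" | head -n 1 | cut -d ':' -f 2 | tr -d ' \t\r'
}

BACKUP_DST=$(vars_get backuphost)     # host root will ssh to for backups
MYMAIL=$(vars_get noc_notify)         # recipient of monit alerts

# Absolute paths of the site tools; empty when a tool is not installed.
# command -v is the POSIX equivalent of which(1) for this purpose.
BACKUP_BIN=$(command -v srvg_bckp)
EVENTS_BIN=$(command -v srvg_evnt)
SUCHCK_BIN=$(command -v srvg_chck)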

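# define hostname for this host (used as the label of monit's "check system")
# The original decided between hostname and hostname -f by looking at
# domainname(1), which reports the NIS/YP domain name and says nothing about
# whether the host has a resolvable DNS FQDN; on most hosts it prints
# "(none)", so the short name was picked even where an FQDN was available.
# Prefer the FQDN and fall back to the short name, then to uname -n (always
# present), whenever a lookup fails or prints nothing.
MYHOST=$(hostname -f 2>/dev/null)
[ -n "$MYHOST" ] || MYHOST=$(hostname 2>/dev/null)
[ -n "$MYHOST" ] || MYHOST=$(uname -n)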

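# add user sga to /etc/sudoers
# NOTE: "NOPASSWD:ALL" makes sga root-equivalent with no password prompt.
# Anything that can run as sga -- its SSH keys, its cron jobs, the tooling
# that logs in as it -- is effectively root on this host; review access to
# the sga account with that in mind.
if ! grep -q '^sga ALL' /etc/sudoers; then
	# Build the new file as a temp copy and let visudo validate it before it
	# replaces the live one: a syntax error in /etc/sudoers disables sudo for
	# every user, and the original in-place append performed no check.
	TMP_SUDOERS=$(mktemp /etc/sudoers.XXXXXX) || exit 1
	cat /etc/sudoers > "$TMP_SUDOERS"
	echo 'sga ALL=(ALL:ALL) NOPASSWD:ALL' >> "$TMP_SUDOERS"
	if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$TMP_SUDOERS"; then
		echo "$0: generated sudoers fails visudo -c; /etc/sudoers left untouched" >&2
		rm -f "$TMP_SUDOERS"
	else
		# No visudo available, or the check passed: install with the mode
		# sudo expects (0440) and replace the live file in one rename.
		chmod 440 "$TMP_SUDOERS"
		mv -f "$TMP_SUDOERS" /etc/sudoers
	fi
fi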

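# add backup destination to known_hosts file
# NOTE: this is trust-on-first-use. Whatever RSA key the network returns at
# provisioning time becomes root's trusted host key for the backup target,
# so anyone able to intercept this single scan can impersonate that host to
# every later srvg_bckp run. Where possible, ship the known host key out of
# band (next to serverg.vars, for instance) instead of scanning for it.
if [ -z "$BACKUP_DST" ]; then
	echo "$0: backuphost not set in /root/serverg.vars; known_hosts left alone" >&2
else
	# /root/.ssh may not exist yet on a fresh host; a bare touch would fail.
	mkdir -p -m 700 /root/.ssh
	touch /root/.ssh/known_hosts
	# Drop any stale entry for this host before recording the current key.
	ssh-keygen -q -f /root/.ssh/known_hosts -R "$BACKUP_DST" >/dev/null 2>&1
	# ssh-keyscan writes a "# host SSH-..." banner to stderr; the original
	# 2>&1 put that into known_hosts as a comment line. Capture only stdout,
	# so an unreachable host is reported instead of silently adding nothing.
	BACKUP_KEYS=$(ssh-keyscan -t rsa "$BACKUP_DST" 2>/dev/null)
	if [ -n "$BACKUP_KEYS" ]; then
		printf '%s\n' "$BACKUP_KEYS" >> /root/.ssh/known_hosts
	else
		echo "$0: ssh-keyscan returned no RSA host key for $BACKUP_DST" >&2
	fi
fi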

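# add the site tools to root's crontab
CRONTAB=/var/spool/cron/crontabs/root
touch "$CRONTAB"

# add_cron_job SCHEDULE COMMAND: append a crontab line unless one already
# references COMMAND. A tool that could not be located (empty COMMAND) is
# skipped with a warning: the original unquoted `grep $BIN file` would then
# have taken the crontab path as its pattern and appended a command-less line.
add_cron_job() {
	if [ -z "$2" ]; then
		echo "$0: no command found for cron schedule '$1'; skipping" >&2
		return 0
	fi
	if ! grep -qF -- "$2" "$CRONTAB"; then
		printf '%s %s >/dev/null 2>&1\n' "$1" "$2" >> "$CRONTAB"
	fi
}

# Backup runs hourly. Its minute field is the install day's day-of-week
# digit (date +%u, 1..7), which looks like a cheap way of staggering start
# times across hosts -- note it only ever spreads them over minutes 1..7.
add_cron_job "$(date +%u) * * * *" "$BACKUP_BIN"
# Event reporter and su-attempt checker run every minute.
add_cron_job "* * * * *" "$EVENTS_BIN"
add_cron_job "* * * * *" "$SUCHCK_BIN"

# Re-install the spool file through crontab(1): that gives it the ownership
# and mode cron expects (touch alone creates it 0644) and bumps the mtime so
# the daemon reloads it.
crontab -l | crontab -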

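# configure and restart monit
# Enable monit in its init-script switch (Debian-style /etc/default file).
echo "startup=1" > /etc/default/monit

# build monit's configuration file
# A here-document is used so the quoted program paths need no escaping;
# $MYMAIL and $MONIT_HOST are still expanded by the shell.
MONIT_CONF=/etc/monit/monitrc
# "check system" needs a name; fall back to the kernel hostname if MYHOST
# was never set so monit does not end up with a syntax error.
MONIT_HOST=${MYHOST:-$(uname -n)}
if [ -z "$MYMAIL" ]; then
	echo "$0: noc_notify not set in /root/serverg.vars; monit will not send alerts" >&2
fi
{
	cat <<EOF
set daemon 120
set logfile /var/log/monit.log
set idfile /var/lib/monit/id
set statefile /var/lib/monit/state
set mailserver localhost
set eventqueue
basedir /var/lib/monit/events
slots 100
EOF
	# "set alert" with an empty recipient would be a syntax error that keeps
	# monit from starting at all, so the line is only written when set.
	[ -n "$MYMAIL" ] && echo "set alert $MYMAIL"
	cat <<EOF
check system $MONIT_HOST
if loadavg (1min) > 4 then alert
if loadavg (5min) > 2 then alert
if memory usage > 75% then alert
if cpu usage (user) > 70% then alert
if cpu usage (system) > 30% then alert
check process sendmail with pidfile /var/run/sendmail/mta/sendmail.pid
start program = "/etc/init.d/sendmail start"
stop program  = "/etc/init.d/sendmail stop"
if cpu is greater than 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > 200.0 MB for 5 cycles then restart
if children > 250 then restart
if loadavg(5min) greater than 10 for 8 cycles then stop
if 3 restarts within 5 cycles then timeout
group server
check process sshd with pidfile /var/run/sshd.pid
start program = "/etc/init.d/ssh start"
stop program  = "/etc/init.d/ssh stop"
if failed host 127.0.0.1 port 22 type tcp then alert
if 5 restarts within 5 cycles then timeout
group system
check filesystem rootfs with path /
if space usage > 80% then alert
group system
EOF
} > "$MONIT_CONF"
# monit refuses to start unless its control file is inaccessible to group
# and others (mode 0700 or stricter). A file created fresh by the redirect
# above would get 0644 from the default umask, so tighten it explicitly.
chmod 600 "$MONIT_CONF"

# restart monit
if ! /etc/init.d/monit restart >/dev/null 2>&1; then
	echo "$0: monit restart failed; check $MONIT_CONF and /var/log/monit.log" >&2
fi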

# rewrite login.defs
# NOTE: this replaces /etc/login.defs wholesale rather than merging with the
# distribution's copy; any key not listed below falls back to the shadow
# suite's built-in default. Policy choices worth being aware of:
#   PASS_MAX_DAYS 99999   - passwords effectively never expire
#   LOG_OK_LOGINS no      - successful logins are not logged, failures are
#   SYSLOG_SU_ENAB yes    - su attempts go to syslog and SULOG_FILE,
#                           presumably what the srvg_chck cron job inspects
#   ENCRYPT_METHOD SHA512 - new password hashes use sha512-crypt
# The here-document delimiter is quoted: nothing in the template is
# shell-expanded. The template starts with a blank line, as the original did.
cat > /etc/login.defs <<'LOGIN_DEFS'

MAIL_DIR        /var/mail
FAILLOG_ENAB		yes
LOG_OK_LOGINS		no
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes
SULOG_FILE	/var/log/sulog
FTMP_FILE	/var/log/btmp
SU_NAME		su
HUSHLOGIN_FILE	.hushlogin
ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP	tty
TTYPERM		0600
ERASECHAR	0177
KILLCHAR	025
UMASK		022
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
UID_MIN			 1000
UID_MAX			60000
GID_MIN			 1000
GID_MAX			60000
LOGIN_RETRIES		5
LOGIN_TIMEOUT		60
CHFN_RESTRICT		rwh
DEFAULT_HOME	yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
LOGIN_DEFS

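# write puppet.conf
# The here-document delimiter is quoted so that $vardir and $confdir reach
# the file literally: they are puppet's own configuration variables, not
# shell variables. Written through a double-quoted echo, as before, the
# shell expanded them to nothing and the file ended up with
# factpath=/lib/facter and templatedir=/templates.
# The [master] keys are only read when this host runs a puppet master;
# on an agent-only host they are inert.
mkdir -p /etc/puppet
cat > /etc/puppet/puppet.conf <<'PUPPET_CONF'
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[puppetd]
server=sgl
PUPPET_CONF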

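# Point the puppet master name "sgl" (server=sgl in puppet.conf) at the
# backup host, unless /etc/hosts already has a line mentioning sgl.
# /etc/hosts entries start with an IP address, so this assumes backuphost in
# serverg.vars is an address rather than a DNS name -- confirm.
if [ -z "$BACKUP_DST" ]; then
	# The original would have appended " sgl" with no address at all.
	echo "$0: backuphost not set in /root/serverg.vars; not adding sgl to /etc/hosts" >&2
elif ! grep -qw 'sgl' /etc/hosts; then
	printf '%s sgl\n' "$BACKUP_DST" >> /etc/hosts
fi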

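# Wipe puppet's state directory so the agent starts clean on its first run.
# This includes /var/lib/puppet/ssl (the ssldir set in puppet.conf above),
# i.e. the agent's existing certificate and private key: it will request a
# new certificate from the master. Presumably intended on a (re)provisioned
# host, but destructive, so it is worth knowing. Directories are kept; only
# regular files are removed. Skip silently when puppet has never run.
if [ -d /var/lib/puppet ]; then
	find /var/lib/puppet -type f -exec rm -f -- {} +
fi

exit 0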
