#!/bin/sh

# (c) Copyright 2001-2013, Packet General Networks, Inc. All rights reserved.

# Copyright (c) 2013.  The Packet General Networks, Inc. (Packet General).
# All Rights Reserved. Contact Packet General Networks, Inc., 865
# Merrick Road, Suite 204, NY 11510, (650) 485-1415 for any additional
# information regarding this notice.

# All materials are the intellectual property of Packet General
# Networks, Inc. and may not be copied, reproduced, distributed or
# displayed without Packet General Networks, Inc.'s express written
# permission.

# IN NO EVENT SHALL PACKET GENERAL BE LIABLE TO ANY PARTY FOR DIRECT,
# INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
# LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
# DOCUMENTATION, EVEN IF PACKET GENERAL HAS BEEN ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

# PACKET GENERAL SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT
# NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE. THE SOFTWARE AND ACCOMPANYING DOCUMENTATION,
# IF ANY, PROVIDED HEREUNDER IS PROVIDED "AS IS". PACKET GENERAL HAS NO
# OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
# MODIFICATIONS.

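# define variables
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# per-host settings file: "key:value" lines, read with cfg_value below
SERVERG_VARS=/root/serverg.vars

# cfg_value KEY - print the value of the "KEY:value" line in $SERVERG_VARS
# with surrounding whitespace removed (empty output when the key is absent).
# Trimming lets the values be used quoted further down; the previous
# unquoted use dropped the whitespace implicitly.
cfg_value() {
	grep "^$1:" "$SERVERG_VARS" | cut -d ":" -f 2 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

BACKUP_DST=$(cfg_value backuphost)
# command -v is the POSIX way to locate a program; each is empty when the
# binary is not installed, and the cron section checks for that.
BACKUP_BIN=$(command -v srvg_bckp)
EVENTS_BIN=$(command -v srvg_evnt)
SUCHCK_BIN=$(command -v srvg_chck)
MYMAIL=$(cfg_value noc_notify)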

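# define hostname for this host
# domainname prints "(none)" when no NIS/YP domain is set; in that case the
# host is assumed to have no fqdn and the short name is used.  The command
# substitution is quoted so an empty or missing domainname output cannot
# break the test (an unquoted empty word leaves [ with a malformed expression).
if [ "$(domainname 2>/dev/null)" = "(none)" ]; then
	# host has not got fqdn
	MYHOST=$(hostname)
else
	# host has got fqdn
	MYHOST=$(hostname -f)
fi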

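# add user sga to /etc/sudoers
# This grants account "sga" passwordless root on every host the script is
# run on.  The rule is appended straight to /etc/sudoers (no visudo lock),
# so the result is syntax-checked with visudo afterwards and the previous
# file restored on failure: a malformed sudoers locks every sudo user out.
if ! grep -q '^sga ALL' /etc/sudoers; then
	SUDOERS_BAK=/etc/sudoers.bak.$$
	cp -p /etc/sudoers "$SUDOERS_BAK"
	chmod 640 /etc/sudoers
	echo "sga ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
	chmod 440 /etc/sudoers
	# only roll back when visudo exists and rejects the edited file
	if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f /etc/sudoers; then
		echo "/etc/sudoers failed the visudo check after adding sga, restoring previous file" >&2
		[ -f "$SUDOERS_BAK" ] && cp -p "$SUDOERS_BAK" /etc/sudoers
	fi
	rm -f "$SUDOERS_BAK"
fi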

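# add backup destination to known_hosts file
# ssh-keyscan trusts whatever key answers on the network at install time
# (trust-on-first-use); obtaining the backup host's key out of band is
# preferable where possible.  Only the keyscan's stdout (the key line) is
# appended: the previous 2>&1 also wrote its stderr banner and any
# connection errors into known_hosts.
if [ -n "$BACKUP_DST" ]; then
	mkdir -p -m 700 /root/.ssh
	touch /root/.ssh/known_hosts
	# drop any stale key for the host before adding the current one
	ssh-keygen -q -f /root/.ssh/known_hosts -R "$BACKUP_DST" >/dev/null 2>&1
	ssh-keyscan -t rsa "$BACKUP_DST" >> /root/.ssh/known_hosts 2>/dev/null
else
	echo "backuphost not set in /root/serverg.vars, known_hosts not updated" >&2
fi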

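# add backup, event and su-check scripts to crontab for root
CRONTAB=/var/spool/cron/crontabs/root
touch "$CRONTAB"

# add_cron_entry SCHEDULE COMMAND - append "SCHEDULE COMMAND >/dev/null 2>&1"
# to $CRONTAB unless COMMAND already appears in it.  COMMAND is matched as a
# fixed string; an empty COMMAND (binary not installed) is reported and
# skipped, where the previous grep $BIN ran with no pattern and then wrote
# a cron line with no command.  Returns 1 when skipped, 0 otherwise.
add_cron_entry() {
	if [ -z "$2" ]; then
		echo "cron entry '$1' skipped: command not found" >&2
		return 1
	fi
	if ! grep -qF -- "$2" "$CRONTAB"; then
		printf '%s %s >/dev/null 2>&1\n' "$1" "$2" >> "$CRONTAB"
	fi
}

# backup runs once an hour; the minute field is the weekday at install time
# (presumably to stagger the start across hosts - kept as is)
add_cron_entry "$(date +%u) * * * *" "$BACKUP_BIN"
# event script every minute
add_cron_entry "* * * * *" "$EVENTS_BIN"
# script which checks su attempts every minute
add_cron_entry "* * * * *" "$SUCHCK_BIN"

# rewrite crontab so cron notices the edited file
crontab -l | crontab -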

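# configure and restart monit
# make monit configured and ready to run
echo "startup=1" > /etc/default/monit
#
# build monit's configuration file.  A here-document is used so the embedded
# double quotes need no escaping; $MYMAIL and $MYHOST are still expanded.
# An empty alert address would most likely make monit reject the file, so it
# is reported up front.
[ -n "$MYMAIL" ] || echo "noc_notify not set in /root/serverg.vars, monit 'set alert' will be empty" >&2
cat > /etc/monit/monitrc <<EOF
set daemon 120
set logfile /var/log/monit.log
set idfile /var/lib/monit/id
set statefile /var/lib/monit/state
set mailserver	localhost
set eventqueue
basedir /var/lib/monit/events
slots 100
set alert $MYMAIL
check system $MYHOST
if loadavg (1min) > 4 then alert
if loadavg (5min) > 2 then alert
if memory usage > 75% then alert
if cpu usage (user) > 70% then alert
if cpu usage (system) > 30% then alert
check process sendmail with pidfile /var/run/sendmail/mta/sendmail.pid
start program = "/etc/init.d/sendmail start"
stop program  = "/etc/init.d/sendmail stop"
if cpu is greater than 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > 200.0 MB for 5 cycles then restart
if children > 250 then restart
if loadavg(5min) greater than 10 for 8 cycles then stop
if 3 restarts within 5 cycles then timeout
group server
check process sshd with pidfile /var/run/sshd.pid
start program = "/etc/init.d/ssh start"
stop program  = "/etc/init.d/ssh stop"
if failed host 127.0.0.1 port 22 type tcp then alert
if 5 restarts within 5 cycles then timeout
group system
check filesystem rootfs with path /
if space usage > 80% then alert
group system
EOF
# monit refuses to start when its control file is readable by others; a
# freshly created monitrc would otherwise get the umask default (0644)
chmod 600 /etc/monit/monitrc
#
# restart monit
/etc/init.d/monit restart >/dev/null 2>&1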

# rewrite login.defs
# /etc/login.defs is replaced wholesale with the settings below.  The quoted
# here-document writes exactly the text the previous echo emitted, leading
# blank line included, so nothing in the file changes.
cat > /etc/login.defs <<'EOF'

MAIL_DIR        /var/mail
FAILLOG_ENAB		yes
LOG_OK_LOGINS		no
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes
SULOG_FILE	/var/log/sulog
FTMP_FILE	/var/log/btmp
SU_NAME		su
HUSHLOGIN_FILE	.hushlogin
ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP	tty
TTYPERM		0600
ERASECHAR	0177
KILLCHAR	025
UMASK		022
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
UID_MIN			 1000
UID_MAX			60000
GID_MIN			 1000
GID_MAX			60000
LOGIN_RETRIES		5
LOGIN_TIMEOUT		60
CHFN_RESTRICT		rwh
DEFAULT_HOME	yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF

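# configure apache
# Quoted here-documents are used for both files: inside the previous
# echo "..." strings the unescaped double quotes around the Directory and
# Alias paths were consumed by the shell and never reached the file, while
# the escaped quotes elsewhere in this script show they were meant to stay.
#
# ports.conf: the plain vhost listens on 32768; 443 is only listened on when
# an SSL module is enabled.  NOTE(review): the rsync daemon started at the end
# of this script also binds port 443, so the two cannot both run when mod_ssl
# or mod_gnutls is loaded - whichever starts first wins.
cat > /etc/apache2/ports.conf <<'EOF'
NameVirtualHost *:32768
Listen 32768
<IfModule mod_ssl.c>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
EOF
# default site on port 32768
cat > /etc/apache2/sites-available/default <<'EOF'
<VirtualHost *:32768>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
LogLevel warn
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
EOF

# restart apache
/etc/init.d/apache2 restart >/dev/null 2>&1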

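# configure puppet master
# polices: the manifest is written with a quoted here-document so every
# attribute value keeps its double quotes.  In the previous echo "..." string
# only the file titles were escaped; the inner quotes were consumed by the
# shell, so the manifest ended up with mode => 644 (a bare number) instead
# of mode => "644".
mkdir -p /etc/puppet/manifests
cat > /etc/puppet/manifests/site.pp <<'EOF'
class polices {
file { "/root/DataAdmin1.conf":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/DataAdmin1.conf") }
file { "/root/DataAdmin2.conf":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/DataAdmin2.conf") }
file { "/root/DataAdmin3.conf":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/DataAdmin3.conf") }
file { "/root/security_officer.conf":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/security_officer.conf") }
file { "/root/security_policy_apache":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/security_policy_apache") }
file { "/root/security_policy_directory":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/security_policy_directory") }
file { "/root/security_policy_mysql":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/security_policy_mysql") }
file { "/root/serverg.vars":
ensure => "present",
owner => "root",
mode => "644",
content => template("/etc/puppet/files/serverg.vars") }
}
node default {
        include polices
}
EOF

# copy files to puppet directory
# NOTE(review): the manifest above distributes these files world-readable
# (mode 644); if any of them carries credentials, a tighter mode is worth
# considering - cannot tell from here what they contain.
mkdir -p /etc/puppet/files
for F in DataAdmin1.conf DataAdmin2.conf DataAdmin3.conf security_officer.conf security_policy_apache security_policy_directory serverg.vars
do
	if [ -f "/etc/serverg/samples/$F" ]; then
		cp -- "/etc/serverg/samples/$F" "/etc/puppet/files/$F" >/dev/null 2>&1
	fi
done

# make the name "sgl" resolve to the backup host; skipped when backuphost is
# unset so no hosts line with an empty address is written
if [ -n "$BACKUP_DST" ] && ! grep -qw 'sgl' /etc/hosts; then
	echo "$BACKUP_DST sgl" >> /etc/hosts
fi

# rename this host (MYHOST for monit was captured before this change)
hostname sgl

/etc/init.d/puppetmaster restart >/dev/null 2>&1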

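# configure rsync daemon
# one writable module, SGA-BCKP, served as root and protected only by the
# secrets file below
cat > /etc/rsyncd.conf <<'EOF'
log file = /var/log/rsyncd.log
transfer logging = true
[SGA-BCKP]
path = /var/opt/backup
uid = root
read only = false
auth users = sga
secrets file = /etc/rsyncd.scrt
EOF
# module credentials.  NOTE(review): this password is fixed in the script,
# so it is identical on every installation and visible to anyone who can
# read the script; a leak anywhere affects the writable, root-owned module
# everywhere.  Generating a per-host secret at install time (and handing it
# to the backup client through the deployment) would remove that exposure.
# The value is kept unchanged here because existing clients depend on it.
# The file is created under umask 077 so it is never world-readable, not
# even in the window before the chmod.
( umask 077; printf '%s\n' "sga:ohmuedai" > /etc/rsyncd.scrt )
chmod 400 /etc/rsyncd.scrt
mkdir -p /var/opt/backup
# NOTE: port 443 is also in /etc/apache2/ports.conf when mod_ssl or
# mod_gnutls is enabled; the daemon fails to bind if apache already holds it
rsync --port=443 --daemon

exit 0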
