diff --git a/app/neato_fns.php b/app/neato_fns.php
index 384683d..fc9537f 100644
--- a/app/neato_fns.php
+++ b/app/neato_fns.php
@@ -44,9 +44,6 @@ function get_perms($kind): int {
if (is_numeric($kind) && (strlen($kind) == 3 || strlen($kind) == 4 )) {
return intval($kind);
}
-// if (is_string_found($kind, '+') || is_string_found($kind, '-')) {
-// return $kind;
-// }
switch ($kind) {
case 'keydir': $perm = 0700;
break;
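Review bot: The numeric fast path kept as context, `return intval($kind);`, mis-parses a string mode such as "0755": intval() reads it as decimal 755 (octal 01363, which sets the sticky bit and strips owner-read), so a three- or four-digit mode coming from a string config is applied as the wrong permission set; is_numeric() also lets through forms like "1e3" that the length check does not catch. Since intval()'s base argument is ignored for non-string input, `return intval($kind, 8);` keeps integer callers unchanged while parsing string modes as octal, and tightening the guard to `if (ctype_digit((string) $kind) && strlen((string) $kind) <= 4)` rejects the exponent and whitespace forms. This is on an unchanged line, and get_perms() begins before and continues past the hunk.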
diff --git a/build/install_neato.sh b/build/install_neato.sh
index 006d172..77a8236 100755
--- a/build/install_neato.sh
+++ b/build/install_neato.sh
@@ -4,7 +4,7 @@ PHPCLI='php8.3-cli'
PHPMBString='php8.3-mbstring'
if [ "$EUID" -ne 0 ]; then
- echo "Please run as root!"
+ /usr/bin/echo "Please run as root!"
exit
fi
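Review bot: The non-root branch still exits with status 0, because the bare `exit` after the echo carries no code, so a CI wrapper or `&&` chain that runs this installer sees success when nothing was installed; the directory check a few lines below already uses `exit 1`. Change the two lines to `/usr/bin/echo "Please run as root!" >&2` and `exit 1` so the failure is both signalled and printed on stderr. The path-prefix change itself is fine, but note that a prefixed echo is only as trustworthy as /usr/bin, which root-only callers already control.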
@@ -12,16 +12,16 @@ current_directory=$(pwd)
target_directory="/opt/neatoDeploy"
if [ "$current_directory" == "$target_directory" ]; then
- echo "Do not run this script inside of source folder /opt/neatoDeploy/build!"
+ /usr/bin/echo "Do not run this script inside of source folder /opt/neatoDeploy/build!"
exit 1
fi
-mkdir -p /opt/neatoDeployments
-mv neato_deploy_php_cli.ini /opt/neatoDeployments/
-mv neatoDeploy.phar /opt/neatoDeployments/
-mv neato_deploy.sh /opt/neatoDeployments/
-mv make-sums.sh /opt/neatoDeployments/
-cp config_files/deploy_*.php /opt/neatoDeployments/
+/usr/bin/mkdir -p /opt/neatoDeployments
+/usr/bin/mv neato_deploy_php_cli.ini /opt/neatoDeployments/
+/usr/bin/mv neatoDeploy.phar /opt/neatoDeployments/
+/usr/bin/mv neato_deploy.sh /opt/neatoDeployments/
+/usr/bin/mv make-sums.sh /opt/neatoDeployments/
+/usr/bin/cp config_files/deploy_*.php /opt/neatoDeployments/
pushd /opt/neatoDeployments
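Review bot: The mv/cp lines run unchecked and no `set -e` is visible in the script, so a failed `mv neatoDeploy.phar` (wrong cwd, missing artifact) lets execution continue into the chown/chmod section against whatever already sits in /opt/neatoDeployments, and a failed `pushd` would apply those chmod calls to the current directory instead. Add `set -euo pipefail` at the top of the script (outside this hunk) or append `|| exit 1` to each mv/cp and the pushd. Separately, the directory guard compares against /opt/neatoDeploy while its message names /opt/neatoDeploy/build; one of the two is presumably stale, worth aligning.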
@@ -32,17 +32,17 @@ pushd /opt/neatoDeployments
/usr/bin/dpkg -s $PHPMBString 2>/dev/null >/dev/null || /usr/bin/apt-get install -y $PHPMBString
/usr/bin/dpkg -s curl 2>/dev/null >/dev/null || /usr/bin/apt-get install -y curl
-chown www-data:www-data neato*
-chown www-data:www-data make-sums.sh
-chown www-data:www-data deploy_*.php
+/usr/bin/chown www-data:www-data neato*
+/usr/bin/chown www-data:www-data make-sums.sh
+/usr/bin/chown www-data:www-data deploy_*.php
-chmod 775 neatoDeploy.phar
-chmod 775 neato_deploy.sh
-chmod 775 make-sums.sh
-chmod 664 neato_deploy_php_cli.ini
-chmod 664 deploy_*.php
+/usr/bin/chmod 775 neatoDeploy.phar
+/usr/bin/chmod 775 neato_deploy.sh
+/usr/bin/chmod 775 make-sums.sh
+/usr/bin/chmod 664 neato_deploy_php_cli.ini
+/usr/bin/chmod 664 deploy_*.php
popd
-echo -e "\nRemove the install_neato.sh file!"
-echo -e "\nRemove the neato_deploy.tar.gz.self file!"
\ No newline at end of file
+/usr/bin/echo -e "\nRemove the install_neato.sh file!"
+/usr/bin/echo -e "\nRemove the neato_deploy.tar.gz.self file!"
\ No newline at end of file
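Review bot: The ownership and mode lines hand www-data write access to the deploy tooling itself: `chmod 775` on neatoDeploy.phar, neato_deploy.sh and make-sums.sh plus `chmod 664` on deploy_*.php, all chowned to www-data:www-data. If those deploy_*.php files are executed by the phar running as root, which `force_root()` in config_files/deploy_podman.php suggests, a compromised web-server process can rewrite them and get code run as root on the next deploy. Unless www-data genuinely needs to edit these, own them root:root and use `/usr/bin/chmod 755 neatoDeploy.phar neato_deploy.sh make-sums.sh` and `/usr/bin/chmod 644 neato_deploy_php_cli.ini deploy_*.php`; if www-data must run them, read/execute is enough and a comment should say why. The final echo lines ask the operator to delete the installer and tarball by hand; an `rm -f` of those paths here would make that not depend on memory.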
diff --git a/config_files/deploy_podman.php b/config_files/deploy_podman.php
new file mode 100644
index 0000000..bae7c5e
--- /dev/null
+++ b/config_files/deploy_podman.php
@@ -0,0 +1,72 @@
+ ['/etc/containers'=>''],
+ 'chmod_file_or_dir' =>
+ ['/etc/containers' => 'dir'],
+]);
+
+force_root();
+
+file_loop(Configure::get('pre_actions'));
+
+$is_podman_installed = do_command('is_installed', "podman");
+if ($is_podman_installed['installed'] === false) {
+ do_command('install', "software-properties-common");
+ //do_command("add_repo", "ppa:projectatomic/ppa");
+ do_command('update');
+ do_command('install', "podman");
+}
+
+$policy = '
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports":
+ {
+ "docker-daemon":
+ {
+ "": [{"type":"insecureAcceptAnything"}]
+ }
+ }
+}';
+if (! file_exists("/etc/containers/policy.json")) {
+ append_to_file("/etc/containers/policy.json", $policy);
+ chmod_file_or_dir("/etc/containers/policy.json", "config");
+}
+
+$reg = "# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to TOML format and does not support recursive
+# lists of registries.
+
+# The default location for this configuration file is /etc/containers/registries.conf.
+
+# The only valid categories are: 'registries.search', 'registries.insecure',
+# and 'registries.block'.
+
+[registries.search]
+registries = ['docker.io', 'registry.fedoraproject.org', 'registry.access.redhat.com']
+
+# If you need to access insecure registries, add the registry's fully-qualified name.
+# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+[registries.insecure]
+registries = []
+
+
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#
+# Docker only
+[registries.block]
+registries = []";
+if (! file_exists("/etc/containers/registries.conf")) {
+ append_to_file("/etc/containers/registries.conf", $reg);
+ chmod_file_or_dir("/etc/containers/registries.conf", "config");
+}
\ No newline at end of file
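Review bot: The policy written from `$policy` sets `"default": [{"type":"insecureAcceptAnything"}]` and the same for the docker-daemon transport, so every image this host pulls is accepted with no signature check; for a tool that also hardens sshd that should at least carry a comment such as `// NOTE: signature verification disabled for all registries; tighten before production` and ideally a `reject` default with per-registry `signedBy` or `insecureAcceptAnything` exceptions. The registries.conf block lists docker.io first under `[registries.search]`, so an unqualified image name is resolved by trying three registries in turn, which invites namespace confusion; using fully qualified names or a single search registry avoids that, and on recent podman versions the v1 `[registries.search]` syntax is deprecated in favour of `unqualified-search-registries`. `software-properties-common` is still installed although the only consumer, the `add_repo` call, is commented out. The statement closed by `]);` at the top begins outside the visible part of the hunk.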
diff --git a/config_files/deploy_security.php b/config_files/deploy_security_audit.php
similarity index 100%
rename from config_files/deploy_security.php
rename to config_files/deploy_security_audit.php
diff --git a/config_files/deploy_sshd.php b/config_files/deploy_sshd.php
index e3ab2bd..e6542a3 100644
--- a/config_files/deploy_sshd.php
+++ b/config_files/deploy_sshd.php
@@ -81,6 +81,8 @@ AllowUsers $AllowUsers
StrictModes yes
MaxAuthTries 6
MaxSessions 10
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
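Review bot: `UsePrivilegeSeparation yes` is a deprecated keyword: privilege separation has been mandatory since OpenSSH 7.5, and current sshd accepts the option only to log a "Deprecated option" warning at every start and in `sshd -t`, which on the Ubuntu release implied by the php8.3 package names in build/install_neato.sh is what will happen (inferred from those package names, not from this file). The same two lines appear in the legacy template deleted in this commit (templates/Ubuntu/ssh/sshd_config), so this looks like a carry-over rather than a deliberate choice. Drop both lines; if the posture should stay documented, replace them with `# Privilege separation is mandatory in OpenSSH >= 7.5; no directive needed`. The heredoc this sits in starts and ends outside the hunk.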
diff --git a/templates/Ubuntu/apache2/000-default.conf b/templates/Ubuntu/apache2/000-default.conf
deleted file mode 100644
index 84154a3..0000000
--- a/templates/Ubuntu/apache2/000-default.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-
- Include /etc/apache2/sites/allsites.conf
-
- ErrorLog ${APACHE_LOG_DIR}/error.log
- CustomLog ${APACHE_LOG_DIR}/access.log combined
-
diff --git a/templates/Ubuntu/apache2/allsites.conf b/templates/Ubuntu/apache2/allsites.conf
deleted file mode 100644
index 9992dcb..0000000
--- a/templates/Ubuntu/apache2/allsites.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-ServerName dev
-ServerAlias prod
-
-ServerAdmin fake@localhost
-Alias /www /var/www/html
-Alias /tests /var/www/tests
-
-DocumentRoot /var/www/toolz
-
diff --git a/templates/Ubuntu/apache2/default-ssl.conf b/templates/Ubuntu/apache2/default-ssl.conf
deleted file mode 100644
index 7125528..0000000
--- a/templates/Ubuntu/apache2/default-ssl.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-
-
- ServerAdmin webmaster@localhost
-
- Include /etc/apache2/sites/allsites.conf
-
- ErrorLog ${APACHE_LOG_DIR}/error.log
- CustomLog ${APACHE_LOG_DIR}/access.log combined
-
- SSLEngine on
-
- SSLCertificateFile /etc/ssl/certs/mainsite.crt
- SSLCertificateKeyFile /etc/ssl/private/mainsite.key
- SSLCACertificateFile /etc/apache2/ssl/mainsite_bundle.crt
-
-
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
- #SSLCACertificatePath /etc/ssl/certs/
- #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-
- #SSLCARevocationPath /etc/apache2/ssl.crl/
- #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
-
- #SSLVerifyClient require
- #SSLVerifyDepth 10
-
-
- SSLOptions +StdEnvVars
-
-
- SSLOptions +StdEnvVars
-
-
-
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/templates/Ubuntu/apache2/security.conf b/templates/Ubuntu/apache2/security.conf
deleted file mode 100644
index 023db9e..0000000
--- a/templates/Ubuntu/apache2/security.conf
+++ /dev/null
@@ -1,87 +0,0 @@
-LimitRequestBody 204800
-ServerTokens Prod
-ServerSignature Off
-TraceEnable Off
-MaxClients 150
-TimeOut 200
-KeepAliveTimeout 3
-LimitRequestFields 60
-LimitRequestFieldSize 4094
-
-Options -Includes
-Options -ExecCGI
-#Options -FollowSymLinks
-
-HostnameLookups off
-
-#
-# deny from all
-#
-
-RewriteEngine ON
-RewriteCond %{THE_REQUEST} !HTTP/1.1$
-RewriteRule .* - [F]
-
-# Forbid access to version control directories
-#
-# If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for GIT:
-#
-
- Order deny,allow
- Deny from all
-
-
-
- Order deny,allow
- Deny from all
-
-
-
- SetHandler server-status
- #AuthType basic
- #AuthName "Apache status"
- #AuthUserFile /etc/apache2/conf/server-status_htpasswd
- #Require valid-user
- Order deny,allow
- Deny from all
- Allow from none
-
-
-#
-# Setting this header will prevent MSIE from interpreting files as something
-# else than declared by the content type in the HTTP headers.
-# Requires mod_headers to be enabled.
-#
-#Header set X-Content-Type-Options: "nosniff"
-
-#
-# Setting this header will prevent other sites from embedding pages from this
-# site as frames. This defends against clickjacking attacks.
-# Requires mod_headers to be enabled.
-#
-#Header set X-Frame-Options: "sameorigin"
-
-ExtendedStatus Off
-Header unset ETag
-Header always unset X-Powered-By
-FileETag None
-
-Header always append X-Frame-Options SAMEORIGIN
-#Header set X-XSS-Protection "1; mode=block"
-
-Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
-
-Header set Feature-Policy: "geolocation 'none'; microphone 'none'; camera 'self';"
-Header set Referer-Policy: "strict-origin"
-
-SSLProtocol -ALL +TLSv1.2
-# +TLSv1.3
-SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
-# , TLSv1.3
-
-SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
-
-Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload;"
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/templates/Ubuntu/apt.conf.d/10periodic b/templates/Ubuntu/apt.conf.d/10periodic
deleted file mode 100644
index 5d37e9f..0000000
--- a/templates/Ubuntu/apt.conf.d/10periodic
+++ /dev/null
@@ -1,4 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
diff --git a/templates/Ubuntu/keys/api.sh b/templates/Ubuntu/keys/api.sh
deleted file mode 100644
index ab4aa88..0000000
--- a/templates/Ubuntu/keys/api.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash
-
-CERT_HOSTNAME=10.32.0.1,,,,,,,127.0.0.1,localhost,kubernetes.default
-
-cd ~/kthw
-
-cat > kubernetes-csr.json << EOF
-{
- "CN": "kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "Kubernetes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -hostname=${CERT_HOSTNAME} \
- -profile=kubernetes \
- kubernetes-csr.json | cfssljson -bare kubernetes
-
-cat > service-account-csr.json << EOF
-{
- "CN": "service-accounts",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "Kubernetes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes \
- service-account-csr.json | cfssljson -bare service-account
diff --git a/templates/Ubuntu/keys/ca.sh b/templates/Ubuntu/keys/ca.sh
deleted file mode 100644
index 1ff76e5..0000000
--- a/templates/Ubuntu/keys/ca.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-cd ~/
-mkdir kthw
-cd kthw
-sudo curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
-sudo curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
-sudo curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
-sudo chmod +x /bin/cfssl*
-
-cat > ca-config.json << EOF
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "kubernetes": {
- "usages": ["signing", "key encipherment", "server auth", "client auth"],
- "expiry": "8760h"
- }
- }
- }
-}
-EOF
-
-cat > ca-csr.json << EOF
-{
- "CN": "Kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "Kubernetes",
- "OU": "CA",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert -initca ca-csr.json | cfssljson -bare ca
diff --git a/templates/Ubuntu/keys/how_to_move_certs.txt b/templates/Ubuntu/keys/how_to_move_certs.txt
deleted file mode 100644
index 0a0133b..0000000
--- a/templates/Ubuntu/keys/how_to_move_certs.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Move certificate files to the worker nodes:
-
-scp ca.pem -key.pem .pem user@:~/
-scp ca.pem -key.pem .pem user@:~/
-Move certificate files to the controller nodes:
-
-scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
- service-account-key.pem service-account.pem user@:~/
-scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
- service-account-key.pem service-account.pem user@:~/
diff --git a/templates/Ubuntu/keys/workers.sh b/templates/Ubuntu/keys/workers.sh
deleted file mode 100644
index a17f13e..0000000
--- a/templates/Ubuntu/keys/workers.sh
+++ /dev/null
@@ -1,166 +0,0 @@
-#!/bin/bash
-
-#WORKER0_HOST=
-#WORKER0_IP=
-#WORKER1_HOST=
-#WORKER1_IP=
-
-cd ~/kthw
-
-cat > admin-csr.json << EOF
-{
- "CN": "admin",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "system:masters",
- "OU": "Kubernetes The Hard Way",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes \
- admin-csr.json | cfssljson -bare admin
-
-cat > ${WORKER0_HOST}-csr.json << EOF
-{
- "CN": "system:node:${WORKER0_HOST}",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "system:nodes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -hostname=${WORKER0_IP},${WORKER0_HOST} \
- -profile=kubernetes \
- ${WORKER0_HOST}-csr.json | cfssljson -bare ${WORKER0_HOST}
-
-cat > ${WORKER1_HOST}-csr.json << EOF
-{
- "CN": "system:node:${WORKER1_HOST}",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "system:nodes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -hostname=${WORKER1_IP},${WORKER1_HOST} \
- -profile=kubernetes \
- ${WORKER1_HOST}-csr.json | cfssljson -bare ${WORKER1_HOST}
-
-cat > kube-controller-manager-csr.json << EOF
-{
- "CN": "system:kube-controller-manager",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "system:kube-controller-manager",
- "OU": "Kubernetes The Hard Way",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes \
- kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
-
-cat > kube-proxy-csr.json << EOF
-{
- "CN": "system:kube-proxy",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "system:node-proxier",
- "OU": "Kubernetes The Hard Way",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes \
- kube-proxy-csr.json | cfssljson -bare kube-proxy
-
-cat > kube-scheduler-csr.json << EOF
-{
- "CN": "system:kube-scheduler",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Flint",
- "O": "system:kube-scheduler",
- "OU": "Kubernetes The Hard Way",
- "ST": "Michigan"
- }
- ]
-}
-EOF
-
-cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes \
- kube-scheduler-csr.json | cfssljson -bare kube-scheduler
diff --git a/templates/Ubuntu/mysql.conf.d/mysqld.cnf b/templates/Ubuntu/mysql.conf.d/mysqld.cnf
deleted file mode 100644
index 9ef3afe..0000000
--- a/templates/Ubuntu/mysql.conf.d/mysqld.cnf
+++ /dev/null
@@ -1,67 +0,0 @@
-[mysqld_safe]
-socket = /var/run/mysqld/mysqld.sock
-nice = 0
-
-[mysqld]
-user = mysql
-basedir = /usr
-tmpdir = /tmp
-skip-external-locking
-default-authentication-plugin = mysql_native_password
-pid-file = /var/run/mysqld/mysqld.pid
-socket = /var/run/mysqld/mysqld.sock
-port = 3306
-bind-address = 127.0.0.1
-datadir = /var/lib/mysql
-
-innodb_log_file_size = 128MB
-max_connect_errors = 5
-local-infile=0
-skip-show-database
-#
-# * Fine Tuning
-#
-key_buffer_size = 16M
-max_allowed_packet = 16M
-thread_stack = 192K
-thread_cache_size = 8
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched
-myisam-recover-options = BACKUP
-#max_connections = 100
-#table_open_cache = 64
-#thread_concurrency = 10
-#
-
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file = /var/log/mysql/mysql.log
-#general_log = 1
-#
-# Error log - should be very few entries.
-#
-log_error = /var/log/mysql/error.log
-#
-# Here you can see queries with especially long duration
-#slow_query_log = 1
-#slow_query_log_file = /var/log/mysql/mysql-slow.log
-#long_query_time = 2
-#log-queries-not-using-indexes
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-# other settings you may need to change.
-#server-id = 1
-#log_bin = /var/log/mysql/mysql-bin.log
-max_binlog_size = 100M
-#binlog_do_db = include_database_name
-#binlog_ignore_db = include_database_name
-
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
diff --git a/templates/Ubuntu/notice.txt b/templates/Ubuntu/notice.txt
deleted file mode 100644
index c5009da..0000000
--- a/templates/Ubuntu/notice.txt
+++ /dev/null
@@ -1,25 +0,0 @@
-***************************************************************************
-NOTICE TO USERS
-
-
-This computer system is the private property of its owner, whether
-individual, corporate or government. It is for authorized use only.
-Users (authorized or unauthorized) have no explicit or implicit
-expectation of privacy.
-
-Any or all uses of this system and all files on this system may be
-intercepted, monitored, recorded, copied, audited, inspected, and
-disclosed to your employer, to authorized site, government, and law
-enforcement personnel, as well as authorized officials of government
-agencies, both domestic and foreign.
-
-By using this system, the user consents to such interception, monitoring,
-recording, copying, auditing, inspection, and disclosure at the
-discretion of such personnel or officials. Unauthorized or improper use
-of this system may result in civil and criminal penalties and
-administrative or disciplinary action, as appropriate. By continuing to
-use this system you indicate your awareness of and consent to these terms
-and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
-conditions stated in this warning.
-
-****************************************************************************
diff --git a/templates/Ubuntu/php/php.ini b/templates/Ubuntu/php/php.ini
deleted file mode 100644
index 96cdca4..0000000
--- a/templates/Ubuntu/php/php.ini
+++ /dev/null
@@ -1,247 +0,0 @@
-[PHP]
-engine = On
-short_open_tag = Off
-precision = 14
-output_buffering = 4096
-zlib.output_compression = Off
-implicit_flush = Off
-unserialize_callback_func =
-serialize_precision = -1
-open_basedir = "/var/www:/var/lib/php/tmp_upload:/var/lib/php/sessions:/usr/share/phpmyadmin:/etc/phpmyadmin:/usr/share/php/php-php-gettext"
-disable_functions = ini_set,php_uname,getmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abord,shell_exec,dl,set_time_limit,exec,system,highlight_file,source,show_source,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo,popen,curl_exec,curl_multi_exec,parse_ini_file,allow_url_fopen,allow_url_include,pcntl_exec,chgrp,chmod,chown,lchgrp,lchown,putenv
-disable_classes =
-zend.enable_gc = On
-expose_php = Off
-max_execution_time = 30
-max_input_time = 60
-memory_limit = 128M
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-display_errors = Off
-display_startup_errors = Off
-log_errors = On
-log_errors_max_len = 1024
-ignore_repeated_errors = Off
-ignore_repeated_source = Off
-report_memleaks = On
-track_errors = Off
-html_errors = On
-variables_order = "GPCS"
-request_order = "GP"
-register_argc_argv = Off
-auto_globals_jit = On
-post_max_size = 8M
-auto_prepend_file =
-auto_append_file =
-default_mimetype = "text/html"
-default_charset = "UTF-8"
-doc_root =
-user_dir =
-enable_dl = Off
-file_uploads = On
-upload_max_filesize = 20M
-max_file_uploads = 20
-post_max_size = 20M
-; 256K if no uploading files
-max_input_vars = 100
-allow_url_fopen = Off
-allow_url_include = Off
-default_socket_timeout = 60
-error_log = /var/www/php_error_log
-upload_tmp_dir = /var/lib/php/tmp_upload
-
-[Session]
-session.save_handler = files
-session.hash_function = sha512
-session.bug_compat_42 = 0
-session.bug_compat_warn = 0
-session.save_path = "/var/lib/php/sessions"
-session.use_strict_mode = 1
-session.use_cookies = 1
-session.cookie_secure = 1
-session.use_only_cookies = 1
-session.name = ToolzID
-session.auto_start = 0
-session.cookie_lifetime = 0
-session.cookie_path = /
-session.cookie_domain =
-session.cookie_httponly =
-session.serialize_handler = php
-session.gc_probability = 0
-session.gc_divisor = 1000
-session.gc_maxlifetime = 1440
-session.referer_check =
-session.cache_limiter = nocache
-session.cache_expire = 180
-session.use_trans_sid = 0
-session.sid_length = 26
-session.trans_sid_tags = "a=href,area=href,frame=src,form="
-session.sid_bits_per_character = 5
-
-[CLI Server]
-cli_server.color = On
-
-[Date]
-date.timezone = UTC
-;date.default_latitude = 31.7667
-;date.default_longitude = 35.2333
-;date.sunrise_zenith = 90.583333
-;date.sunset_zenith = 90.583333
-
-[filter]
-;filter.default = unsafe_raw
-;filter.default_flags =
-
-[intl]
-;intl.default_locale =
-; This directive allows you to produce PHP errors when some error
-; happens within intl functions. The value is the level of the error produced.
-; Default is 0, which does not produce any errors.
-;intl.error_level = E_WARNING
-;intl.use_exceptions = 0
-
-[sqlite3]
-;sqlite3.extension_dir =
-
-[Pcre]
-;PCRE library backtracking limit.
-; http://php.net/pcre.backtrack-limit
-;pcre.backtrack_limit=100000
-
-;PCRE library recursion limit.
-;Please note that if you set this value to a high number you may consume all
-;the available process stack and eventually crash PHP (due to reaching the
-;stack size limit imposed by the Operating System).
-; http://php.net/pcre.recursion-limit
-;pcre.recursion_limit=100000
-
-;Enables or disables JIT compilation of patterns. This requires the PCRE
-;library to be compiled with JIT support.
-;pcre.jit=1
-
-[Pdo]
-; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
-; http://php.net/pdo-odbc.connection-pooling
-;pdo_odbc.connection_pooling=strict
-
-;pdo_odbc.db2_instance_name
-
-[Pdo_mysql]
-pdo_mysql.cache_size = 2000
-pdo_mysql.default_socket=
-
-[Phar]
-; http://php.net/phar.readonly
-;phar.readonly = On
-
-; http://php.net/phar.require-hash
-;phar.require_hash = On
-
-;phar.cache_list =
-
-[mail function]
-; For Win32 only.
-; http://php.net/smtp
-SMTP = localhost
-; http://php.net/smtp-port
-smtp_port = 25
-
-; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
-; http://php.net/sendmail-path
-;sendmail_path =
-; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
-mail.add_x_header = On
-
-[SQL]
-; http://php.net/sql.safe-mode
-sql.safe_mode = Off
-
-[ODBC]
-odbc.allow_persistent = On
-odbc.check_persistent = On
-odbc.max_persistent = -1
-odbc.max_links = -1
-odbc.defaultlrl = 4096
-odbc.defaultbinmode = 1
-
-[MySQLi]
-mysqli.max_persistent = -1
-;mysqli.allow_local_infile = On
-mysqli.allow_persistent = On
-mysqli.max_links = -1
-mysqli.cache_size = 2000
-mysqli.default_port = 3306
-mysqli.default_socket =
-mysqli.default_host =
-mysqli.default_user =
-mysqli.default_pw =
-mysqli.reconnect = Off
-
-[mysqlnd]
-mysqlnd.collect_statistics = On
-mysqlnd.collect_memory_statistics = Off
-
-[bcmath]
-bcmath.scale = 0
-
-[Assertion]
-zend.assertions = -1
-
-[Tidy]
-;tidy.default_config = /usr/local/lib/php/default.tcfg
-tidy.clean_output = Off
-
-[soap]
-soap.wsdl_cache_enabled=1
-soap.wsdl_cache_dir="/var/lib/php/soap_cache"
-soap.wsdl_cache_ttl=86400
-soap.wsdl_cache_limit = 5
-
-[ldap]
-; Sets the maximum number of open links or -1 for unlimited.
-ldap.max_links = -1
-
-[opcache]
-;opcache.enable=1
-;opcache.enable_cli=0
-;opcache.memory_consumption=128
-;opcache.interned_strings_buffer=8
-;opcache.max_accelerated_files=10000
-;opcache.max_wasted_percentage=5
-;opcache.use_cwd=1
-;opcache.validate_timestamps=1
-;opcache.revalidate_freq=2
-;opcache.revalidate_path=0
-;opcache.save_comments=1
-;opcache.fast_shutdown=0
-;opcache.enable_file_override=0
-;opcache.optimization_level=0xffffffff
-;opcache.inherited_hack=1
-;opcache.dups_fix=0
-;opcache.blacklist_filename=
-;opcache.max_file_size=0
-;opcache.consistency_checks=0
-;opcache.force_restart_timeout=180
-;opcache.error_log=
-;opcache.log_verbosity_level=1
-;opcache.preferred_memory_model=
-;opcache.protect_memory=0
-;opcache.restrict_api=
-;opcache.mmap_base=
-;opcache.file_cache=
-;opcache.file_cache_only=0
-;opcache.file_cache_consistency_checks=1
-;opcache.file_cache_fallback=1
-;opcache.huge_code_pages=1
-;opcache.validate_permission=0
-;opcache.validate_root=0
-
-[curl]
-;curl.cainfo =
-
-[openssl]
-;openssl.cafile=
-;openssl.capath=
-
-; Local Variables:
-; tab-width: 4
-; End:
diff --git a/templates/Ubuntu/ssh/sshd_config b/templates/Ubuntu/ssh/sshd_config
deleted file mode 100644
index bcb6293..0000000
--- a/templates/Ubuntu/ssh/sshd_config
+++ /dev/null
@@ -1,94 +0,0 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 2299
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin no
-StrictModes yes
-AllowUsers bobs chrisa robot git
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-AllowTcpForwarding no
-AllowStreamLocalForwarding no
-GatewayPorts no
-PermitTunnel no
-#UseLogin no
-
-#MaxStartups 10:30:60
-DebianBanner no
-Banner /etc/notice.txt
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
diff --git a/templates/Ubuntu/ufw/sysctl.conf b/templates/Ubuntu/ufw/sysctl.conf
deleted file mode 100644
index c615896..0000000
--- a/templates/Ubuntu/ufw/sysctl.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# Configuration file for setting network variables. Please note these settings
-# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
-# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
-# Documentation/networking/ip-sysctl.txt in the kernel source code for more
-# information.
-#
-
-# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
-# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
-# traffic to those sites.
-net/ipv4/conf/all/accept_redirects=0
-net/ipv4/conf/default/accept_redirects=0
-net/ipv6/conf/all/accept_redirects=0
-net/ipv6/conf/default/accept_redirects=0
-
-# Ignore bogus ICMP errors
-net/ipv4/icmp_echo_ignore_broadcasts=1
-net/ipv4/icmp_ignore_bogus_error_responses=1
-net/ipv4/icmp_echo_ignore_all=0
-
-# Don't log Martian Packets (impossible addresses)
-# packets
-net/ipv4/conf/all/log_martians=0
-net/ipv4/conf/default/log_martians=0
-
-net/ipv4/tcp/syncookies=1 # Enable syn flood protection
-net/ipv4/conf/all/accept_source_route=0 # Ignore source-routed packets
-net/ipv6/conf/all/accept_source_route=0 # IPv6 - Ignore ICMP redirects
-net/ipv4/conf/default/accept_source_route=0 # Ignore source-routed packets
-net/ipv6/conf/default/accept_source_route=0 # IPv6 - Ignore source-routed packets
-net/ipv4/conf/all/secure_redirects=1 # Ignore ICMP redirects from non-GW hosts
-net/ipv4/conf/default/secure_redirects=1 # Ignore ICMP redirects from non-GW hosts
-net/ipv4/ip_forward=0 # Do not allow traffic between networks or act as a router
-net/ipv6/conf/all/forwarding=0 # IPv6 - Do not allow traffic between networks or act as a router
-net/ipv4/conf/all/send_redirects=0 # Don't allow traffic between networks or act as a router
-net/ipv4/conf/default/send_redirects=0 # Don't allow traffic between networks or act as a router
-net/ipv4/conf/all/rp_filter=1 # Reverse path filtering - IP spoofing protection
-net/ipv4/conf/default/rp_filter=1 # Reverse path filtering - IP spoofing protection
-net/ipv4/tcp_rfc1337=1 # Implement RFC 1337 fix
-kernel/randomize_va_space=2 # Randomize addresses of mmap base, heap, stack and VDSO page
-fs/protected_hardlinks=1 # Provide protection from ToCToU races
-fs/protected_symlinks=1 # Provide protection from ToCToU races
-kernel/kptr_restrict=1 # Make locating kernel addresses more difficult
-kernel/perf_event_paranoid=2 # Set perf only available to root
diff --git a/templates/podman_install.sh b/templates/podman_install.sh
deleted file mode 100644
index f0526a5..0000000
--- a/templates/podman_install.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-sudo apt update
-sudo apt -y install software-properties-common
-sudo add-apt-repository -y ppa:projectatomic/ppa
-sudo apt update
-sudo apt -y install podman
-sudo mkdir -p /etc/containers
-sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf
-sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json