podman

2 years ago · ece03017fa
parent 1412fd6a41
commit ece03017fa
20 changed files with 92 additions and 929 deletions
--- a/app/neato_fns.php
+++ b/app/neato_fns.php
@ -44,9 +44,6 @@ function get_perms($kind): int {
    if (is_numeric($kind) && (strlen($kind) == 3 || strlen($kind) == 4 )) {
        return intval($kind);
    }
 //	if (is_string_found($kind, '+') || is_string_found($kind, '-')) {
 //		return $kind;
 //	}
    switch ($kind) {
        case 'keydir': $perm = 0700;
            break;
--- a/build/install_neato.sh
+++ b/build/install_neato.sh
@ -4,7 +4,7 @@ PHPCLI='php8.3-cli'
 PHPMBString='php8.3-mbstring'
 if [ "$EUID" -ne 0 ]; then 
-    echo "Please run as root!"
+    /usr/bin/echo "Please run as root!"
    exit
 fi
@ -12,16 +12,16 @@ current_directory=$(pwd)
 target_directory="/opt/neatoDeploy"
 if [ "$current_directory" == "$target_directory" ]; then
-   echo "Do not run this script inside of source folder /opt/neatoDeploy/build!"
+   /usr/bin/echo "Do not run this script inside of source folder /opt/neatoDeploy/build!"
   exit 1
 fi
-mkdir -p /opt/neatoDeployments
+/usr/bin/mkdir -p /opt/neatoDeployments
-mv neato_deploy_php_cli.ini /opt/neatoDeployments/
+/usr/bin/mv neato_deploy_php_cli.ini /opt/neatoDeployments/
-mv neatoDeploy.phar /opt/neatoDeployments/
+/usr/bin/mv neatoDeploy.phar /opt/neatoDeployments/
-mv neato_deploy.sh /opt/neatoDeployments/
+/usr/bin/mv neato_deploy.sh /opt/neatoDeployments/
-mv make-sums.sh /opt/neatoDeployments/
+/usr/bin/mv make-sums.sh /opt/neatoDeployments/
-cp config_files/deploy_*.php /opt/neatoDeployments/
+/usr/bin/cp config_files/deploy_*.php /opt/neatoDeployments/
 pushd /opt/neatoDeployments
@ -32,17 +32,17 @@ pushd /opt/neatoDeployments
 /usr/bin/dpkg -s $PHPMBString 2>/dev/null >/dev/null || /usr/bin/apt-get install -y $PHPMBString
 /usr/bin/dpkg -s curl 2>/dev/null >/dev/null || /usr/bin/apt-get install -y curl
-chown www-data:www-data neato*
+/usr/bin/chown www-data:www-data neato*
-chown www-data:www-data make-sums.sh
+/usr/bin/chown www-data:www-data make-sums.sh
-chown www-data:www-data deploy_*.php
+/usr/bin/chown www-data:www-data deploy_*.php
-chmod 775 neatoDeploy.phar
+/usr/bin/chmod 775 neatoDeploy.phar
-chmod 775 neato_deploy.sh
+/usr/bin/chmod 775 neato_deploy.sh
-chmod 775 make-sums.sh
+/usr/bin/chmod 775 make-sums.sh
-chmod 664 neato_deploy_php_cli.ini
+/usr/bin/chmod 664 neato_deploy_php_cli.ini
-chmod 664 deploy_*.php
+/usr/bin/chmod 664 deploy_*.php
 popd
-echo -e "\nRemove the install_neato.sh file!"
+/usr/bin/echo -e "\nRemove the install_neato.sh file!"
-echo -e "\nRemove the neato_deploy.tar.gz.self file!"
+/usr/bin/echo -e "\nRemove the neato_deploy.tar.gz.self file!"
--- a/config_files/deploy_podman.php
+++ b/config_files/deploy_podman.php
@ -0,0 +1,72 @@
 <?php
 Configure::set('display', true); // Show Output
 Configure::set('logfile', false); // Save to log folder
 Configure::set('syslog', false);
 Configure::set('pre_actions', [
        'make_dir' => ['/etc/containers'=>''],
        'chmod_file_or_dir' => 
            ['/etc/containers' => 'dir'],
 ]); 
 force_root();
 file_loop(Configure::get('pre_actions'));
 $is_podman_installed = do_command('is_installed', "podman");
 if ($is_podman_installed['installed'] === false) {
    do_command('install', "software-properties-common");
    //do_command("add_repo", "ppa:projectatomic/ppa");
    do_command('update');
    do_command('install', "podman");
 }
 $policy = '
 {
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
 }';
 if (! file_exists("/etc/containers/policy.json")) {
    append_to_file("/etc/containers/policy.json", $policy);
    chmod_file_or_dir("/etc/containers/policy.json", "config");
 }
 $reg = "# This is a system-wide configuration file used to
 # keep track of registries for various container backends.
 # It adheres to TOML format and does not support recursive
 # lists of registries.
 # The default location for this configuration file is /etc/containers/registries.conf.
 # The only valid categories are: 'registries.search', 'registries.insecure', 
 # and 'registries.block'.
 [registries.search]
 registries = ['docker.io', 'registry.fedoraproject.org', 'registry.access.redhat.com']
 # If you need to access insecure registries, add the registry's fully-qualified name.
 # An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
 [registries.insecure]
 registries = []
 # If you need to block pull access from a registry, uncomment the section below
 # and add the registries fully-qualified name.
 #
 # Docker only
 [registries.block]
 registries = []";
 if (! file_exists("/etc/containers/registries.conf")) {
    append_to_file("/etc/containers/registries.conf", $reg);
    chmod_file_or_dir("/etc/containers/registries.conf", "config");
 }
--- a/config_files/deploy_security_audit.php
+++ b/config_files/deploy_security_audit.php
--- a/config_files/deploy_sshd.php
+++ b/config_files/deploy_sshd.php
@ -81,6 +81,8 @@ AllowUsers $AllowUsers
 StrictModes yes
 MaxAuthTries 6
 MaxSessions 10
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 PubkeyAuthentication yes
 AuthorizedKeysFile	%h/.ssh/authorized_keys
--- a/templates/Ubuntu/apache2/000-default.conf
+++ b/templates/Ubuntu/apache2/000-default.conf
@ -1,6 +0,0 @@
 <VirtualHost *:80>
 	Include /etc/apache2/sites/allsites.conf
 	ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
 </VirtualHost>
--- a/templates/Ubuntu/apache2/allsites.conf
+++ b/templates/Ubuntu/apache2/allsites.conf
@ -1,9 +0,0 @@
 ServerName dev
 ServerAlias prod
 ServerAdmin fake@localhost
 Alias /www /var/www/html
 Alias /tests /var/www/tests
 DocumentRoot /var/www/toolz
--- a/templates/Ubuntu/apache2/default-ssl.conf
+++ b/templates/Ubuntu/apache2/default-ssl.conf
@ -1,36 +0,0 @@
 <IfModule mod_ssl.c>
 	<VirtualHost _default_:443>
 		ServerAdmin webmaster@localhost
 		Include /etc/apache2/sites/allsites.conf
 		ErrorLog ${APACHE_LOG_DIR}/error.log
 		CustomLog ${APACHE_LOG_DIR}/access.log combined
 		SSLEngine on
 		SSLCertificateFile	/etc/ssl/certs/mainsite.crt
 		SSLCertificateKeyFile /etc/ssl/private/mainsite.key
 		SSLCACertificateFile /etc/apache2/ssl/mainsite_bundle.crt
 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
 		#SSLCACertificatePath /etc/ssl/certs/
 		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
 		#SSLCARevocationPath /etc/apache2/ssl.crl/
 		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
 		#SSLVerifyClient require
 		#SSLVerifyDepth  10
 		<FilesMatch "\.(cgi|shtml|phtml|php)$">
 				SSLOptions +StdEnvVars
 		</FilesMatch>
 		<Directory /usr/lib/cgi-bin>
 				SSLOptions +StdEnvVars
 		</Directory>
 	</VirtualHost>
 </IfModule>
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/templates/Ubuntu/apache2/security.conf
+++ b/templates/Ubuntu/apache2/security.conf
@ -1,87 +0,0 @@
 LimitRequestBody 204800
 ServerTokens Prod
 ServerSignature Off
 TraceEnable Off
 MaxClients 150
 TimeOut 200
 KeepAliveTimeout 3
 LimitRequestFields 60
 LimitRequestFieldSize 4094
 Options -Includes
 Options -ExecCGI
 #Options -FollowSymLinks
 HostnameLookups off
 #	<LimitExcept POST GET PUT UPDATE DELETE>
 #		deny from all
 #	</LimitExcept>	
 RewriteEngine ON
 RewriteCond %{THE_REQUEST} !HTTP/1.1$
 RewriteRule .* - [F]
 # Forbid access to version control directories
 #
 # If you use version control systems in your document root, you should
 # probably deny access to their directories. For example, for GIT:
 #
 <DirectoryMatch "^/.*/\.git">
   Order deny,allow
   Deny from all
 </DirectoryMatch>
 <FilesMatch "php_error_log">
   Order deny,allow
   Deny from all
 </FilesMatch>
 <Location /server-status>
 SetHandler server-status
 #AuthType basic
 #AuthName "Apache status"
 #AuthUserFile /etc/apache2/conf/server-status_htpasswd
 #Require valid-user
 Order deny,allow
 Deny from all
 Allow from none
 </Location>
 #
 # Setting this header will prevent MSIE from interpreting files as something
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
 #Header set X-Content-Type-Options: "nosniff"
 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
 #Header set X-Frame-Options: "sameorigin"
 ExtendedStatus Off
 Header unset ETag
 Header always unset X-Powered-By
 FileETag None
 Header always append X-Frame-Options SAMEORIGIN
 #Header set X-XSS-Protection "1; mode=block"
 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 Header set Feature-Policy: "geolocation 'none'; microphone 'none'; camera 'self';"
 Header set Referer-Policy: "strict-origin"
 SSLProtocol -ALL +TLSv1.2 
 # +TLSv1.3
 SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
 # , TLSv1.3
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
 Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload;"
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/templates/Ubuntu/apt.conf.d/10periodic
+++ b/templates/Ubuntu/apt.conf.d/10periodic
@ -1,4 +0,0 @@
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Download-Upgradeable-Packages "1";
 APT::Periodic::AutocleanInterval "7";
 APT::Periodic::Unattended-Upgrade "1";
--- a/templates/Ubuntu/keys/api.sh
+++ b/templates/Ubuntu/keys/api.sh
@ -1,58 +0,0 @@
 #!/bin/bash
 CERT_HOSTNAME=10.32.0.1,<controller node 1 Private IP>,<controller node 1 hostname>,<controller node 2 Private IP>,<controller node 2 hostname>,<API load balancer Private IP>,<API load balancer hostname>,127.0.0.1,localhost,kubernetes.default
 cd ~/kthw
 cat > kubernetes-csr.json << EOF
 {
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${CERT_HOSTNAME} \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes
 cat > service-account-csr.json << EOF
 {
  "CN": "service-accounts",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  service-account-csr.json | cfssljson -bare service-account
--- a/templates/Ubuntu/keys/ca.sh
+++ b/templates/Ubuntu/keys/ca.sh
@ -1,45 +0,0 @@
 #!/bin/bash
 cd ~/
 mkdir kthw
 cd kthw
 sudo curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
 sudo curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
 sudo curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
 sudo chmod +x /bin/cfssl*
 cat > ca-config.json << EOF
 {
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
 }
 EOF
 cat > ca-csr.json << EOF
 {
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert -initca ca-csr.json | cfssljson -bare ca
--- a/templates/Ubuntu/keys/how_to_move_certs.txt
+++ b/templates/Ubuntu/keys/how_to_move_certs.txt
@ -1,10 +0,0 @@
 Move certificate files to the worker nodes:
 scp ca.pem <worker 1 hostname>-key.pem <worker 1 hostname>.pem user@<worker 1 public IP>:~/
 scp ca.pem <worker 2 hostname>-key.pem <worker 2 hostname>.pem user@<worker 2 public IP>:~/
 Move certificate files to the controller nodes:
 scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
    service-account-key.pem service-account.pem user@<controller 1 public IP>:~/
 scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
    service-account-key.pem service-account.pem user@<controller 2 public IP>:~/
--- a/templates/Ubuntu/keys/workers.sh
+++ b/templates/Ubuntu/keys/workers.sh
@ -1,166 +0,0 @@
 #!/bin/bash
 #WORKER0_HOST=<Public hostname of your first worker node cloud server>
 #WORKER0_IP=<Private IP of your first worker node cloud server>
 #WORKER1_HOST=<Public hostname of your second worker node cloud server>
 #WORKER1_IP=<Private IP of your second worker node cloud server>
 cd ~/kthw
 cat > admin-csr.json << EOF
 {
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "system:masters",
      "OU": "Kubernetes The Hard Way",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
 cat > ${WORKER0_HOST}-csr.json << EOF
 {
  "CN": "system:node:${WORKER0_HOST}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "system:nodes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${WORKER0_IP},${WORKER0_HOST} \
  -profile=kubernetes \
  ${WORKER0_HOST}-csr.json | cfssljson -bare ${WORKER0_HOST}
 cat > ${WORKER1_HOST}-csr.json << EOF
 {
  "CN": "system:node:${WORKER1_HOST}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "system:nodes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${WORKER1_IP},${WORKER1_HOST} \
  -profile=kubernetes \
  ${WORKER1_HOST}-csr.json | cfssljson -bare ${WORKER1_HOST}
 cat > kube-controller-manager-csr.json << EOF
 {
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes The Hard Way",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
 cat > kube-proxy-csr.json << EOF
 {
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "system:node-proxier",
      "OU": "Kubernetes The Hard Way",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy
 cat > kube-scheduler-csr.json << EOF
 {
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Flint",
      "O": "system:kube-scheduler",
      "OU": "Kubernetes The Hard Way",
      "ST": "Michigan"
    }
  ]
 }
 EOF
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler  
--- a/templates/Ubuntu/mysql.conf.d/mysqld.cnf
+++ b/templates/Ubuntu/mysql.conf.d/mysqld.cnf
@ -1,67 +0,0 @@
 [mysqld_safe]
 socket          = /var/run/mysqld/mysqld.sock
 nice            = 0
 [mysqld]
 user            = mysql
 basedir         = /usr
 tmpdir          = /tmp
 skip-external-locking
 default-authentication-plugin = mysql_native_password
 pid-file        = /var/run/mysqld/mysqld.pid
 socket          = /var/run/mysqld/mysqld.sock
 port            = 3306
 bind-address    = 127.0.0.1
 datadir         = /var/lib/mysql
 innodb_log_file_size = 128MB
 max_connect_errors = 5
 local-infile=0
 skip-show-database
 #
 # * Fine Tuning
 #
 key_buffer_size         = 16M
 max_allowed_packet      = 16M
 thread_stack            = 192K
 thread_cache_size       = 8
 # This replaces the startup script and checks MyISAM tables if needed
 # the first time they are touched
 myisam-recover-options  = BACKUP
 #max_connections        = 100
 #table_open_cache       = 64
 #thread_concurrency     = 10
 #
 #
 # * Logging and Replication
 #
 # Both location gets rotated by the cronjob.
 # Be aware that this log type is a performance killer.
 # As of 5.1 you can enable the log at runtime!
 #general_log_file        = /var/log/mysql/mysql.log
 #general_log             = 1
 #
 # Error log - should be very few entries.
 #
 log_error = /var/log/mysql/error.log
 #
 # Here you can see queries with especially long duration
 #slow_query_log         = 1
 #slow_query_log_file    = /var/log/mysql/mysql-slow.log
 #long_query_time = 2
 #log-queries-not-using-indexes
 #
 # The following can be used as easy to replay backup logs or for replication.
 # note: if you are setting up a replication slave, see README.Debian about
 #       other settings you may need to change.
 #server-id              = 1
 #log_bin                        = /var/log/mysql/mysql-bin.log
 max_binlog_size   = 100M
 #binlog_do_db           = include_database_name
 #binlog_ignore_db       = include_database_name
 # * Security Features
 #
 # Read the manual, too, if you want chroot!
 # chroot = /var/lib/mysql/
--- a/templates/Ubuntu/notice.txt
+++ b/templates/Ubuntu/notice.txt
@ -1,25 +0,0 @@
 ***************************************************************************
 NOTICE TO USERS
 This computer system is the private property of its owner, whether
 individual, corporate or government.  It is for authorized use only.
 Users (authorized or unauthorized) have no explicit or implicit
 expectation of privacy.
 Any or all uses of this system and all files on this system may be
 intercepted, monitored, recorded, copied, audited, inspected, and
 disclosed to your employer, to authorized site, government, and law
 enforcement personnel, as well as authorized officials of government
 agencies, both domestic and foreign.
 By using this system, the user consents to such interception, monitoring,
 recording, copying, auditing, inspection, and disclosure at the
 discretion of such personnel or officials.  Unauthorized or improper use
 of this system may result in civil and criminal penalties and
 administrative or disciplinary action, as appropriate. By continuing to
 use this system you indicate your awareness of and consent to these terms
 and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
 conditions stated in this warning.
 ****************************************************************************
--- a/templates/Ubuntu/php/php.ini
+++ b/templates/Ubuntu/php/php.ini
@ -1,247 +0,0 @@
 [PHP]
 engine = On
 short_open_tag = Off
 precision = 14
 output_buffering = 4096
 zlib.output_compression = Off
 implicit_flush = Off
 unserialize_callback_func =
 serialize_precision = -1
 open_basedir = "/var/www:/var/lib/php/tmp_upload:/var/lib/php/sessions:/usr/share/phpmyadmin:/etc/phpmyadmin:/usr/share/php/php-php-gettext"
 disable_functions = ini_set,php_uname,getmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abord,shell_exec,dl,set_time_limit,exec,system,highlight_file,source,show_source,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo,popen,curl_exec,curl_multi_exec,parse_ini_file,allow_url_fopen,allow_url_include,pcntl_exec,chgrp,chmod,chown,lchgrp,lchown,putenv
 disable_classes =
 zend.enable_gc = On
 expose_php = Off
 max_execution_time = 30
 max_input_time = 60
 memory_limit = 128M
 error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
 display_errors = Off
 display_startup_errors = Off
 log_errors = On
 log_errors_max_len = 1024
 ignore_repeated_errors = Off
 ignore_repeated_source = Off
 report_memleaks = On
 track_errors = Off
 html_errors = On
 variables_order = "GPCS"
 request_order = "GP"
 register_argc_argv = Off
 auto_globals_jit = On
 post_max_size = 8M
 auto_prepend_file =
 auto_append_file =
 default_mimetype = "text/html"
 default_charset = "UTF-8"
 doc_root =
 user_dir =
 enable_dl = Off
 file_uploads = On
 upload_max_filesize = 20M
 max_file_uploads = 20
 post_max_size = 20M
 ; 256K if no uploading files
 max_input_vars = 100
 allow_url_fopen = Off
 allow_url_include = Off
 default_socket_timeout = 60
 error_log = /var/www/php_error_log
 upload_tmp_dir = /var/lib/php/tmp_upload
 [Session]
 session.save_handler = files
 session.hash_function = sha512
 session.bug_compat_42 = 0
 session.bug_compat_warn = 0
 session.save_path = "/var/lib/php/sessions"
 session.use_strict_mode = 1
 session.use_cookies = 1
 session.cookie_secure = 1
 session.use_only_cookies = 1
 session.name = ToolzID
 session.auto_start = 0
 session.cookie_lifetime = 0
 session.cookie_path = /
 session.cookie_domain =
 session.cookie_httponly =
 session.serialize_handler = php
 session.gc_probability = 0
 session.gc_divisor = 1000
 session.gc_maxlifetime = 1440
 session.referer_check =
 session.cache_limiter = nocache
 session.cache_expire = 180
 session.use_trans_sid = 0
 session.sid_length = 26
 session.trans_sid_tags = "a=href,area=href,frame=src,form="
 session.sid_bits_per_character = 5
 [CLI Server]
 cli_server.color = On
 [Date]
 date.timezone = UTC
 ;date.default_latitude = 31.7667
 ;date.default_longitude = 35.2333
 ;date.sunrise_zenith = 90.583333
 ;date.sunset_zenith = 90.583333
 [filter]
 ;filter.default = unsafe_raw
 ;filter.default_flags =
 [intl]
 ;intl.default_locale =
 ; This directive allows you to produce PHP errors when some error
 ; happens within intl functions. The value is the level of the error produced.
 ; Default is 0, which does not produce any errors.
 ;intl.error_level = E_WARNING
 ;intl.use_exceptions = 0
 [sqlite3]
 ;sqlite3.extension_dir =
 [Pcre]
 ;PCRE library backtracking limit.
 ; http://php.net/pcre.backtrack-limit
 ;pcre.backtrack_limit=100000
 ;PCRE library recursion limit.
 ;Please note that if you set this value to a high number you may consume all
 ;the available process stack and eventually crash PHP (due to reaching the
 ;stack size limit imposed by the Operating System).
 ; http://php.net/pcre.recursion-limit
 ;pcre.recursion_limit=100000
 ;Enables or disables JIT compilation of patterns. This requires the PCRE
 ;library to be compiled with JIT support.
 ;pcre.jit=1
 [Pdo]
 ; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
 ; http://php.net/pdo-odbc.connection-pooling
 ;pdo_odbc.connection_pooling=strict
 ;pdo_odbc.db2_instance_name
 [Pdo_mysql]
 pdo_mysql.cache_size = 2000
 pdo_mysql.default_socket=
 [Phar]
 ; http://php.net/phar.readonly
 ;phar.readonly = On
 ; http://php.net/phar.require-hash
 ;phar.require_hash = On
 ;phar.cache_list =
 [mail function]
 ; For Win32 only.
 ; http://php.net/smtp
 SMTP = localhost
 ; http://php.net/smtp-port
 smtp_port = 25
 ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
 ; http://php.net/sendmail-path
 ;sendmail_path =
 ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
 mail.add_x_header = On
 [SQL]
 ; http://php.net/sql.safe-mode
 sql.safe_mode = Off
 [ODBC]
 odbc.allow_persistent = On
 odbc.check_persistent = On
 odbc.max_persistent = -1
 odbc.max_links = -1
 odbc.defaultlrl = 4096
 odbc.defaultbinmode = 1
 [MySQLi]
 mysqli.max_persistent = -1
 ;mysqli.allow_local_infile = On
 mysqli.allow_persistent = On
 mysqli.max_links = -1
 mysqli.cache_size = 2000
 mysqli.default_port = 3306
 mysqli.default_socket =
 mysqli.default_host =
 mysqli.default_user =
 mysqli.default_pw =
 mysqli.reconnect = Off
 [mysqlnd]
 mysqlnd.collect_statistics = On
 mysqlnd.collect_memory_statistics = Off
 [bcmath]
 bcmath.scale = 0
 [Assertion]
 zend.assertions = -1
 [Tidy]
 ;tidy.default_config = /usr/local/lib/php/default.tcfg
 tidy.clean_output = Off
 [soap]
 soap.wsdl_cache_enabled=1
 soap.wsdl_cache_dir="/var/lib/php/soap_cache"
 soap.wsdl_cache_ttl=86400
 soap.wsdl_cache_limit = 5
 [ldap]
 ; Sets the maximum number of open links or -1 for unlimited.
 ldap.max_links = -1
 [opcache]
 ;opcache.enable=1
 ;opcache.enable_cli=0
 ;opcache.memory_consumption=128
 ;opcache.interned_strings_buffer=8
 ;opcache.max_accelerated_files=10000
 ;opcache.max_wasted_percentage=5
 ;opcache.use_cwd=1
 ;opcache.validate_timestamps=1
 ;opcache.revalidate_freq=2
 ;opcache.revalidate_path=0
 ;opcache.save_comments=1
 ;opcache.fast_shutdown=0
 ;opcache.enable_file_override=0
 ;opcache.optimization_level=0xffffffff
 ;opcache.inherited_hack=1
 ;opcache.dups_fix=0
 ;opcache.blacklist_filename=
 ;opcache.max_file_size=0
 ;opcache.consistency_checks=0
 ;opcache.force_restart_timeout=180
 ;opcache.error_log=
 ;opcache.log_verbosity_level=1
 ;opcache.preferred_memory_model=
 ;opcache.protect_memory=0
 ;opcache.restrict_api=
 ;opcache.mmap_base=
 ;opcache.file_cache=
 ;opcache.file_cache_only=0
 ;opcache.file_cache_consistency_checks=1
 ;opcache.file_cache_fallback=1
 ;opcache.huge_code_pages=1
 ;opcache.validate_permission=0
 ;opcache.validate_root=0
 [curl]
 ;curl.cainfo =
 [openssl]
 ;openssl.cafile=
 ;openssl.capath=
 ; Local Variables:
 ; tab-width: 4
 ; End:
--- a/templates/Ubuntu/ssh/sshd_config
+++ b/templates/Ubuntu/ssh/sshd_config
@ -1,94 +0,0 @@
 # Package generated configuration file
 # See the sshd_config(5) manpage for details
 # What ports, IPs and protocols we listen for
 Port 2299
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
 ServerKeyBits 1024
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
 # Authentication:
 LoginGraceTime 120
 PermitRootLogin no
 StrictModes yes
 AllowUsers bobs chrisa robot git
 RSAAuthentication yes
 PubkeyAuthentication yes
 AuthorizedKeysFile	%h/.ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
 # similar for protocol version 2
 HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no
 # Change to no to disable tunnelled clear text passwords
 PasswordAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 X11Forwarding no
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
 AllowTcpForwarding no
 AllowStreamLocalForwarding no
 GatewayPorts no
 PermitTunnel no
 #UseLogin no
 #MaxStartups 10:30:60
 DebianBanner no
 Banner /etc/notice.txt
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
--- a/templates/Ubuntu/ufw/sysctl.conf
+++ b/templates/Ubuntu/ufw/sysctl.conf
@ -1,45 +0,0 @@
 #
 # Configuration file for setting network variables. Please note these settings
 # override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
 # /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
 # Documentation/networking/ip-sysctl.txt in the kernel source code for more
 # information.
 #
 # Disable ICMP redirects. ICMP redirects are rarely used but can be used in
 # MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
 # traffic to those sites.
 net/ipv4/conf/all/accept_redirects=0
 net/ipv4/conf/default/accept_redirects=0
 net/ipv6/conf/all/accept_redirects=0
 net/ipv6/conf/default/accept_redirects=0
 # Ignore bogus ICMP errors
 net/ipv4/icmp_echo_ignore_broadcasts=1
 net/ipv4/icmp_ignore_bogus_error_responses=1
 net/ipv4/icmp_echo_ignore_all=0
 # Don't log Martian Packets (impossible addresses)
 # packets
 net/ipv4/conf/all/log_martians=0
 net/ipv4/conf/default/log_martians=0
 net/ipv4/tcp/syncookies=1                    # Enable syn flood protection
 net/ipv4/conf/all/accept_source_route=0      # Ignore source-routed packets
 net/ipv6/conf/all/accept_source_route=0      # IPv6 - Ignore ICMP redirects
 net/ipv4/conf/default/accept_source_route=0  # Ignore source-routed packets
 net/ipv6/conf/default/accept_source_route=0  # IPv6 - Ignore source-routed packets
 net/ipv4/conf/all/secure_redirects=1         # Ignore ICMP redirects from non-GW hosts
 net/ipv4/conf/default/secure_redirects=1     # Ignore ICMP redirects from non-GW hosts
 net/ipv4/ip_forward=0                        # Do not allow traffic between networks or act as a router
 net/ipv6/conf/all/forwarding=0               # IPv6 - Do not allow traffic between networks or act as a router
 net/ipv4/conf/all/send_redirects=0           # Don't allow traffic between networks or act as a router
 net/ipv4/conf/default/send_redirects=0       # Don't allow traffic between networks or act as a router
 net/ipv4/conf/all/rp_filter=1                # Reverse path filtering - IP spoofing protection
 net/ipv4/conf/default/rp_filter=1            # Reverse path filtering - IP spoofing protection
 net/ipv4/tcp_rfc1337=1                       # Implement RFC 1337 fix
 kernel/randomize_va_space=2                  # Randomize addresses of mmap base, heap, stack and VDSO page
 fs/protected_hardlinks=1                     # Provide protection from ToCToU races
 fs/protected_symlinks=1                      # Provide protection from ToCToU races
 kernel/kptr_restrict=1                       # Make locating kernel addresses more difficult
 kernel/perf_event_paranoid=2                 # Set perf only available to root
--- a/templates/podman_install.sh
+++ b/templates/podman_install.sh
@ -1,9 +0,0 @@
 #!/bin/bash
 sudo apt update
 sudo apt -y  install software-properties-common
 sudo add-apt-repository -y ppa:projectatomic/ppa
 sudo apt update
 sudo apt -y install podman
 sudo mkdir -p /etc/containers
 sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf
 sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json