Move configurations into config/.

diff --git a/config/.k5login b/config/.k5login
new file mode 100644 (file)
index 0000000..79bc6fd
--- /dev/null
+++ b/config/.k5login
@@ -0,0 +1 @@
+valtri@META

diff --git a/config/ip6tables.sh b/config/ip6tables.sh
new file mode 100755 (executable)
index 0000000..e2fd74d
--- /dev/null
+++ b/config/ip6tables.sh
@@ -0,0 +1,29 @@
+#! /bin/sh
+/sbin/ip6tables-restore <<EOF
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:CRACKERS - [0:0]
+:NTP - [0:0]
+:SHELL - [0:0]
+
+-A INPUT -j CRACKERS
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -p udp -m udp --dport 123 -j NTP
+-A INPUT -p tcp -m tcp --dport 123 -j NTP
+-A INPUT -p tcp -m tcp --dport 22 -j SHELL
+
+# clock1.zcu.cz
+# clock2.zcu.cz
+-A NTP -s 2001:718:1801:1057::1:10 -j ACCEPT
+-A NTP -s 2001:718:1801:1052::1:11 -j ACCEPT
+-A NTP -j DROP
+
+-A SHELL -m tcp -p tcp --syn -j ACCEPT --match limit --limit 10/min
+-A SHELL -j ACCEPT
+
+COMMIT
+EOF

diff --git a/config/iptables.sh b/config/iptables.sh
new file mode 100755 (executable)
index 0000000..46a2a0e
--- /dev/null
+++ b/config/iptables.sh
@@ -0,0 +1,34 @@
+#! /bin/sh
+/sbin/iptables-restore <<EOF
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:CRACKERS - [0:0]
+:NTP - [0:0]
+:SHELL - [0:0]
+
+-A INPUT -j CRACKERS
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+-A INPUT -p udp -m udp --dport 123 -j NTP
+-A INPUT -p tcp -m tcp --dport 123 -j NTP
+-A INPUT -p tcp -m tcp --dport 22 -j SHELL
+#hador20-1.ics.muni.cz-hador24-2.ics.muni.cz
+-A INPUT -m state --state NEW -m iprange --src-range 147.251.9.220-147.251.9.229 -j ACCEPT
+#hador-c1.ics.muni.cz-hador24.ics.muni.cz
+-A INPUT -m state --state NEW -m iprange --src-range 147.251.9.38-147.251.9.64 -j ACCEPT
+
+#clock1.zcu.cz
+#clock2.zcu.cz
+-A NTP -s 147.228.57.10 -j ACCEPT
+-A NTP -s 147.228.52.11 -j ACCEPT
+-A NTP -j DROP
+
+-A SHELL -m state --state NEW -m recent --set --name SSH --rsource
+-A SHELL -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name SSH --rsource -j DROP
+-A SHELL -m state --state NEW -j ACCEPT
+
+COMMIT
+EOF

diff --git a/config/meta_repo.list b/config/meta_repo.list
new file mode 100644 (file)
index 0000000..a3274f2
--- /dev/null
+++ b/config/meta_repo.list
@@ -0,0 +1,8 @@
+#Managed by Puppet@myriad7.zcu.cz
+
+#METACentrum repository incl. pilot section
+deb ftp://repo.metacentrum.cz/ all main pilot
+deb ftp://repo.metacentrum.cz/ wheezy main pilot
+
+deb-src ftp://repo.metacentrum.cz/ all main pilot
+deb-src ftp://repo.metacentrum.cz/ wheezy main pilot

diff --git a/puppet.conf b/config/puppet.conf
similarity index 90%
rename from puppet.conf
rename to config/puppet.conf
index d02e10a..57e457a 100644 (file)
--- a/puppet.conf
+++ b/config/puppet.conf
@@ -10,5 +10,5 @@ server = myriad7.zcu.cz
 [master]
 # These are needed when the puppetmaster is run by passenger
 # and can safely be removed if webrick is used.
-ssl_client_header = SSL_CLIENT_S_DN 
+ssl_client_header = SSL_CLIENT_S_DN
 ssl_client_verify_header = SSL_CLIENT_VERIFY

diff --git a/lxc.sh b/lxc.sh
index 92ab1d0..7d054d1 100755 (executable)
--- a/lxc.sh
+++ b/lxc.sh
@@ -103,7 +103,7 @@ valtri@ADMIN.META
 xparak@ADMIN.META
 __EOF__
 
-    cp -v ${SRCDIR}/puppet.conf etc/puppet/
+    cp -v ${SRCDIR}/config/puppet.conf etc/puppet/
     sed -i -e 's/^\(START\)=.*/\1=yes/' etc/default/puppet
     rm -rf /var/lib/puppet/ssl/* || :