%post

###
### create the fstab file
###
# Quoted delimiter: the table is written literally, nothing is expanded.
# Home directories, /usr/local and the mail spool are NFS mounts from the
# two servers named in /etc/hosts below.
cat <<'EOF' >/etc/fstab
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    rw,nosuid       1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   rw,nosuid,nodev         0 0
none                    /tmp                    tmpfs   rw,nosuid,nodev         0 0
/dev/hda3               swap                    swap    defaults                0 0
/dev/hdc              /mnt/cdrom              iso9660 noauto,owner,kudzu,ro   0 0
/dev/hdd4               /mnt/zip100.0           auto    noauto,owner,kudzu      0 0
/dev/fd0                /mnt/floppy             auto    noauto,owner,kudzu      0 0
ultraminos:/export/home      /export/home    nfs    defaults,mand   0 0
minotaur:/usr/local     /usr/local                       nfs    defaults,mand   0 0
ultraminos:/var/mail    /var/spool/mail                  nfs    defaults,mand   0 0
EOF

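###
### create the mount directories
###
# -p creates /export and /export/home in one step and does not fail if
# either already exists, so this section can be re-run safely.
mkdir -p /export/home
# the fstab above mounts the CD-ROM from /dev/hdc; give it the usual alias
ln -s /dev/hdc /dev/cdrom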

###
### create the hosts file
###
# Static entries for the two servers that the NFS, NIS and tcp_wrappers
# settings below refer to by name (tabs separate address and names).
cat <<'EOF' >/etc/hosts
127.0.0.1		localhost.localdomain localhost
137.143.111.165		ultraminos.potsdam.edu ultraminos
137.143.108.133		minotaur.potsdam.edu minotaur
EOF

###
### create the hosts.allow / deny files
###
# tcp_wrappers policy: hosts.deny rejects everything, hosts.allow then
# opens portmap, sshd and lpd to the listed addresses only.
cat <<'EOF' >/etc/hosts.allow
#
# /etc/hosts.allow
#


#
# allow hosts from/to the two main servers for NIS/NFS and the printer
#
portmap: 137.143.106.33 137.143.111.165 137.143.108.133 

#
# allow SSH from minotaur
#
sshd: 137.143.108.133 

#
# allow lpd to the printer
#
lpd: 137.143.106.33
EOF
# default deny for every wrapped service not matched above
cat <<'EOF' >/etc/hosts.deny
ALL: ALL
EOF

###
### create the yp.conf file
###
# Pin the NIS client to one server instead of broadcasting for one.
cat <<'EOF' >/etc/yp.conf
domain bigbad_cis server ultraminos.potsdam.edu
EOF

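###
### create the /etc/sysconfig/network file
###
# The here-document must be closed by a line that is exactly "EOF".
# Without it the shell keeps reading until the next "EOF" line, so the
# inittab and inetd.conf steps below end up written into this file
# instead of being executed.
cat <<'EOF' >/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=localhost.localdomain
NISDOMAIN=bigbad_cis
EOF

###
### add a line to inittab to prevent single user logins without passwords
###
# sulogin asks for root's password before giving a single-user shell.
printf '%s\n' "s:S:respawn:/sbin/sulogin" >>/etc/inittab

###
### inetd.conf should be EMPTY!
###
# No inetd-spawned services at all; the file holds only a comment.
cat <<'EOF' >/etc/inetd.conf
# NOTHING HERE!
EOF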

###
### create issue.net and issue
###
# Pre-login banner: /etc/issue for the console, /etc/issue.net for
# network logins.  sshd shows it only when "Banner /etc/issue.net" is
# enabled in sshd_config, which the config written below leaves commented.
cat <<'EOF' >/etc/issue.net
SUNY Potsdam CIS Linux Lab
Please login with a VALID username and password:
EOF
cp /etc/issue.net /etc/issue


###
### redo syslog.conf so it logs what we want it to
###
# Two catch-all rules ("*.*") send every message to /var/log/all.log and
# forward it to the host minotaur, so both sinks receive authpriv traffic
# as well as the per-facility files listed below.
cat <<'EOF' >/etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*							/dev/console
user.*							/var/log/user.log
*.*							/var/log/all.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none				/var/log/messages
# The authpriv file has restricted access.
authpriv.*						/var/log/secure
# Log all the mail messages in one place.
mail.*							/var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg							*
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit						/var/log/spooler
# This text here for your personal viewing pleasure.  *hooray*
# Hey. Lookit this.  This is hiding here.  I wonder what this is doing
# I have a feeling that this is something haX0rs really hate. 
*.*							@minotaur
# Blah. This is just filler, basically.  the more that is hidden, the better
# Gotta love it. I suppose.  -- Eric Thern / 2001
# Yeah. I realize this is the bowels of lame.  but just deal with it.
# Save boot messages also to boot.log
local7.*						/var/log/boot.log
#
# INN
#
news.=crit                                        /var/log/news/news.crit
news.=err                                         /var/log/news/news.err
news.notice                                       /var/log/news/news.notice
EOF

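###
### create logfiles that aren't there yet:
###
# syslog.conf above routes "*.*" (authpriv included) into all.log, so
# create both files root-readable only instead of the umask default.
touch /var/log/all.log /var/log/user.log
chmod 600 /var/log/all.log /var/log/user.log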


###
### create shells file (adding /usr/local/bin/bash)
###
# Stock list of login shells with /usr/local/bin/bash placed first.
cat <<'EOF' >/etc/shells
/usr/local/bin/bash
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/bash2
/bin/tcsh
/bin/csh
/bin/ksh
/bin/zsh
EOF


###
### redo logrotate.conf so it keeps more logs
###
# Weekly rotation keeping 16 generations.  The "4 weeks" remark inside the
# generated file is carried over from the stock config and is stale.
cat <<'EOF' >/etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 16
# send errors to root
errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 4
}
# system-specific logs may be configured here
EOF


###
### change some permissions on directories & files
###
# 711: traversable but not listable by non-root users.
chmod 711 /var/log /sbin /usr/sbin /etc
# 700: root only (home dir, last(1) and the inittab edited above).
chmod 700 /root /usr/bin/last /etc/inittab

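###
### add DSA keys for ssh (passwordless for minotaur, and then one for Eric)
###
# Create the key directory with an explicit 0700 mode instead of relying
# on the umask, and keep the key list itself 0600.
mkdir -m 700 /root/.ssh
cat <<'EOF' >/root/.ssh/authorized_keys2
ssh-dss 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 root@minotaur.potsdam.edu
ssh-dss AAAAB3NzaC1kc3MAAAIBAJYdsetHbXU0igGw83CcQwI/V4nlixmu5+P41tpV4fC87tjgL3MHC8X3BIk7/6AjFwBiDon3ytrF9xw5SP+wVbCvCKL2uKlgxjX/di8Dz4JRbH2lHSddjaF43bnPdGNIctNf7vtHqKQAt+WQOqi8BjCZH4fycxk8oSFrgNAce1UH87Ydphnls0djCOSUBKnKTF9Z8byOdRAqFjdGDbV5gyg+BYCc6/EL8pPg/0mILAQNglo3g5T6q82QoSg0YTy+itLSS3pNggB6VkcgMQAaYIMuLISgD2U1rimAdmSkzsY9aR6TuVq+MWGHlpI6kMqGpEo/2eXcnkBVUhbtzPQKZH2A7TMdNSw4DGX3PLgUqFNytlC7aZb8QPGQ/7I7jt97mxErBt6s/6e3UufmrU4JjbauGEcvsm17UC4R1OY7EJLgaufop9pbeZjhZsqLrbCcwx5LEtXzVe+f6cnpX2x0Ikr0bbXEKkFjkHcxzbLp17ghz3ZrMxtTJwR4XY/FGDp6k1b0fh3YKjed/MmP3DGwgYr9Pl5lN7fdpb6UUpyMqbaXykZkO0v0mHw2K6sK8HbSRk3jdRKAKyoV2JOiSqQvYNhj7NOwmAF1ng5ffPpN75dUwR/mYMURKxiLCv034Tp78d7yQSWCqwRQdMwkfhGdF+RVkvn61qbXuOgU8MLuC2iXAAAAFQCjgW0Lgam9MXS2FkdRy2QxlYCL4QAAAgEAirmcHM92Aijep685q33G0qgiX3bgr4kAXbTggExiy+77DbwBgF8mCtzEYQq0MwgqssOQlk0Bpo7vYm5PN9SyyKUKPsA3dqHydos53TAS2noMBLYDtV3EP4Wf9kM4zIKozIbGWYKmNaIohIUTvGth9n/xzskcfnds4yBnUJmbNqzv0L6BcZGyxWwj4aQq4hRtooNIzmQJEtu10DXc1MwXeLCbmlpgZOn5CSt/X/lreBem82j19dQ0B9yeBBcyRNHafAuhpCA0JjR9YBMEd9aWPkHkpxtVZFp/fkBO8gAfdCbWH0J8FLfyaMFzS/Ag/CctcUJKxRxBVSD17rEUp/tJIBoLN8ILladSiUpoui5peFGpPDKD6/NTmRtRiG7u1anziqnJlQutLgPfCoV/UuKEhmEpoi/r0ULde41BYc64gG6HIcsdJKnLXzuO8NXmo9kg0adgheXZawdJ/DOOhVGBleka/VU8NHWdRcWibO6kSrtaPr3BZMvlVNY3Tp4EQF7z7PFx1BX3HyBegjgnN/qP13+kDGVd03w0sJ+d0KDvgTyurPOMoQeQtAx9NqCJW302IcbBXHOp3k6W1Q4ELJkPt0ab84BypqlQCJcijK1XmUsU/2kI9cHPoq2srLdUKny5uYGGhoOdVPisvuvSMYyFktEdqGqxor5hdCgyVHyuYnEAAAIBAIAZWk3B2Rwn20sjIu9S1MyBTISE5bakVFuuAg76bSn20W44FPPyAeNiwbwF1mxTIa9SycOmLu/YexbpOpNNwwWwBRz3KHyVKb7+0EocGig9CoI8a6MapwLR/x8I5riJwmIam3rmXYuXq4ssL7yzodo3rBPIc3YkIG/2XLPhou4k2Tl6JCXyOl/cR2zP5UBzSgeLxh25/luKnr6cihiCPYvjY2qvGg1iZAZyNRFZCva/Yybj7aDaNPNz0VLNgGUmcMO7NkgIfOOQiw4gKLVJv5/ENlSENLqTDJNOvQ6TsChJ47ShEG4LZCIs4x/g3PuuCFHNeyh6s5tLtA9lPz087ZYYFx7hyeKVWgDtJ8D7iBmc3cCjM/AKUuiDfM2yNg2qdgRWeX0oqRjd8/FD9iRugGLL51Aj71w0jOJ25sO/aBtliZMRb4sBbPS1GC3Uv64VxkSjxy+e0LboNF5ispsqhuW1XjENK5TE5X1gKgXBA9RwMJTJlWtbP8EGDu17xlUC+VhZyK13CNMRDtpubSl2BsJJJ2tqBFc7DtRcI1q+3bWubE1T
DOpwzXkVeZe87tVa57Q8CNPZy89NIZTv+kC9iqGtUMaVi5a77ctwtuADJd5wAjDFqYt1q5/0Yjibc6HL/a3yt0d2y04TNYAJ4W+xMxUd51OY77JoE0BwxFNUIFYT root@llama-central.zoidial.foo
EOF
chmod 600 /root/.ssh/authorized_keys2
# NOTE(review): the second key appears to wrap onto a further line before
# its "root@llama-central" comment; if that line break is really in the
# file, sshd will not accept that entry -- confirm against the original key.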


###
### update sshd_config so we don't allow much
###
# Protocol 2 only, root may log in with a key but never a password, no
# password or rhosts-based logins at all.  The ssh_host_key, ServerKeyBits,
# KeyRegenerationInterval and RSAAuthentication lines are protocol-1
# settings and have no effect with "Protocol 2".  "Banner /etc/issue.net"
# is left commented even though issue.net is generated above.
cat <<'EOF' >/etc/ssh/sshd_config
Port 22
# only use protocol 2
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
# only permit root logins with SSH KEYS
PermitRootLogin without-password
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
#Subsystem	sftp	/usr/libexec/openssh/sftp-server
EOF


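###
### edit /etc/printcap
###
# The delimiter must be quoted: in an unquoted here-document the shell
# treats backslash-newline as a line continuation and drops both, so the
# entry below would be glued onto a single line instead of being written
# as shown.  Queue "lp" is a remote printer at 137.143.106.33.
cat <<'EOF' >/etc/printcap
# /etc/printcap
lp:\
	:sh:\
	:ml=0:\
	:mx=0:\
	:sd=/var/spool/lpd/lp:\
	:af=/var/spool/lpd/lp/lp.acct:\
	:rm=137.143.106.33:\
	:lpd_bounce=true:\
	:if=/usr/share/printconf/util/mf_wrapper:
EOF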


###
### get rid of kaffe, we want REAL java, not decaf
###
# Remove the kaffe package installed by the base selection.
rpm --erase kaffe-1.0.6-6


###
### clean up crontab stuff
###
# Replace the system crontab with just the four run-parts entries.
cat <<'EOF' >/etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
EOF
# remove some hourly and daily scripts (-f: missing ones are not an error)
rm -f \
  /etc/cron.hourly/inn-cron-nntpsend \
  /etc/cron.hourly/inn-cron-rnews \
  /etc/cron.hourly/diskcheck \
  /etc/cron.daily/00-logwatch \
  /etc/cron.daily/00webalizer \
  /etc/cron.daily/inn-cron-expire \
  /etc/cron.daily/tetex.cron \
  /etc/cron.daily/tripwire-check \
  /etc/cron.daily/slrnpull-expire \
  /var/spool/cron/mailman

###
### clean up runlevels
###

# Disable services this lab image does not need in every runlevel,
# then make sure the NIS client starts in the multi-user runlevels.
for svc in sendmail pcmcia isdn linuxconf iscsi; do
  chkconfig --level 123456 "$svc" off
done
chkconfig --level 2345 ypbind on

###
### set up rc.local
###
# rc.local ends by running /usr/local/startup.  /usr/local is the NFS
# export from minotaur in the fstab written above, so that script runs as
# root at every boot straight from the network share.
cat <<'EOF' >/etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
touch /var/lock/subsys/local
#
# run the startup-script that is located on minotaur's NFS share
#
/usr/local/startup
EOF

###
### password authentication nsswitch.conf
###
# Accounts and groups resolve from the local files first, then NIS+ and
# NIS (ypbind is enabled above); hosts fall through to DNS last.
cat <<'EOF' >/etc/nsswitch.conf
passwd:     files nisplus nis
shadow:     files nisplus nis
group:      files nisplus nis
hosts:      files nisplus nis dns
bootparams:     nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files nisplus nis
rpc:        files
services:   files nisplus nis
netgroup:   files nisplus nis
publickey:  nisplus
automount:  files nisplus nis
aliases:    files nisplus 
EOF

###
### inputrc is way annoying with that bell!!
###