neue Abschnitte für Teil 3

.gitmodules

@@ -1,5 +1,5 @@
-[submodule "aufgabe4/gitolite-admin"]
-	path = aufgabe4/gitolite-admin
+[submodule "aufgabe2.4/gitolite-admin"]
+	path = aufgabe2.4/gitolite-admin
 	url = git@141.76.90.104:gitolite-admin.git
 [submodule "logs"]
 	path = logs

aufgabe2.2/computenode/internal

@@ -0,0 +1,6 @@
+Description='LAN Interface'
+Interface=enp1s0
+Connection=ethernet
+IP=static
+Address=('10.20.0.101/24')
+Gateway='10.20.0.1'

aufgabe2.2/headnode/internal

@@ -0,0 +1,17 @@
+Description='LAN Interface'
+Interface=eth1
+Connection=ethernet
+IP=static
+Address=('10.20.0.1/24')
+#Routes=('192.168.0.0/24 via 192.168.1.2')
+#Gateway='141.76.90.1'
+#DNS=('8.8.8.8')
+
+## For IPv6 autoconfiguration
+#IP6=stateless
+
+## For IPv6 static address configuration
+#IP6=static
+#Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')
+#Routes6=('abcd::1234')
+#Gateway6='1234:0:123::abcd'

aufgabe2.2/headnode/network

@@ -0,0 +1,17 @@
+Description='A basic static ethernet connection'
+Interface=eth0
+Connection=ethernet
+IP=static
+Address=('141.76.90.104/24')
+#Routes=('192.168.0.0/24 via 192.168.1.2')
+Gateway='141.76.90.1'
+DNS=('8.8.8.8')
+
+## For IPv6 autoconfiguration
+#IP6=stateless
+
+## For IPv6 static address configuration
+#IP6=static
+#Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')
+#Routes6=('abcd::1234')
+#Gateway6='1234:0:123::abcd'

aufgabe2.3/deleteuser

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# check for arguments
+if [[ $# -ne 1 || -z "$1" ]]; then
+        echo "USAGE: $0 username" 1>&2
+        exit 1
+fi
+
+userdel -r "$1"

aufgabe2.3/iptables.rules

@@ -0,0 +1,58 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0] 
+
+# allow established connections
+-A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow traffic from private LAN
+-A INPUT   -i eth1 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+
+# allow icmp
+-A INPUT -p icmp -j ACCEPT
+
+# allow loopback
+-A INPUT -i lo -j ACCEPT
+
+# uni subnets
+:uni - [0:0]
+-A INPUT -s 141.30.0.0/16 -j uni
+-A INPUT -s 141.76.0.0/16 -j uni
+
+# reject unknown traffic with nice errors
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+# ---------------------------------------------------------------
+# internal traffic
+#
+
+:internal - [0:0]
+-A uni -j internal
+-A internal -p tcp --dport 22 -j ACCEPT
+-A internal -p tcp --dport 80 -j ACCEPT
+-A internal -p tcp --dport 443 -j ACCEPT
+
+# ---------------------------------------------------------------
+# public traffic  
+
+:public - [0:0]
+-A INPUT -j public
+
+# ---------------------------------------------------------------
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0] 
+
+# masquerading
+-A POSTROUTING -o eth0 -j MASQUERADE
+
+COMMIT

aufgabe2.3/newuser

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+
+# check for root
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as root" 1>&2
+  exit 1
+fi
+
+# check for arguments
+if [[ $# -ne 1 ]]; then
+  echo "USAGE: $0 username" 1>&2
+  exit 1
+fi
+
+# check if user already exists
+if ! id "$1" &> /dev/null; then
+  echo "Adding user..."
+  useradd --base-dir /home --create-home "$1"
+fi
+
+# check if SSH key for user already exists
+if [[ ! -f "/home/$1/.ssh/id_ecdsa" ]]; then
+  echo "Generating SSH key for user..."
+  sudo --user "$1" ssh-keygen -t ecdsa -N "" -b 521 -f "/home/$1/.ssh/id_ecdsa" > /dev/null
+fi
+
+# check if SSH key is already added to list of authorized keys
+sudo -u "$1" touch /home/$1/.ssh/authorized_keys
+if ! grep -q "`cat /home/$1/.ssh/id_ecdsa.pub`" /home/$1/.ssh/authorized_keys; then
+  echo "Adding SSH key to list of authorized keys for user..."
+  cat "/home/$1/.ssh/id_ecdsa.pub" | sudo --user "$1" tee "/home/$1/.ssh/authorized_keys" > /dev/null
+fi
+
+export DIR="`mktemp -d`"
+trap "cd /; rm -rf $DIR" EXIT
+cd "$DIR"
+export GIT_AUTHOR_NAME=$SUDO_USER
+git clone "git@zotac0:gitolite-admin" "$DIR" > /dev/null
+
+# check if SSH key is already registered with git
+if [[ ! -f "$DIR/keydir/$1@$HOSTNAME.pub" ]]; then
+  echo "Adding SSH key to git..."
+  cp "/home/$1/.ssh/id_ecdsa.pub" "$DIR/keydir/$1@$HOSTNAME.pub"
+  git add "$DIR/keydir/$1@$HOSTNAME.pub"
+  git commit --all --message="User \"$1\" added" > /dev/null
+  git push > /dev/null
+fi

aufgabe2.3/sshd_config

@@ -0,0 +1,130 @@
+#	$OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox		# Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner /etc/motd
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	ForceCommand cvs server

aufgabe2.4/cron.daily/etckeeper

@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+if [ -x /usr/bin/etckeeper ] && [ -e /etc/etckeeper/etckeeper.conf ]; then
+        . /etc/etckeeper/etckeeper.conf
+        if [ "$AVOID_DAILY_AUTOCOMMITS" != "1" ]; then
+                # avoid autocommit if an install run is in progress
+                lockfile=/var/cache/etckeeper/packagelist.pre-install
+                if [ -e "$lockfile" ] && [ -n "$(find "$lockfile" -mtime +1)" ];
+then
+                        rm -f "$lockfile" # stale
+                fi
+                if [ ! -e "$lockfile" ]; then
+                        AVOID_SPECIAL_FILE_WARNING=1
+                        export AVOID_SPECIAL_FILE_WARNING
+                        if etckeeper unclean; then
+                                etckeeper commit "daily autocommit" >/dev/null
+                        fi
+                fi
+        fi
+fi

aufgabe2.4/cron.daily/git-log-rotate

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+cd /var/log
+find . -iname \*.log | xargs git add 
+git commit --all --message "daily autocommit"
+git push --force origin master:logs

aufgabe2.4/etckeeper.conf

@@ -0,0 +1,42 @@
+# The VCS to use.
+#VCS="hg"
+VCS="git"
+#VCS="bzr"
+#VCS="darcs"
+
+# Options passed to git commit when run by etckeeper.
+GIT_COMMIT_OPTIONS=""
+
+# Options passed to hg commit when run by etckeeper.
+HG_COMMIT_OPTIONS=""
+
+# Options passed to bzr commit when run by etckeeper.
+BZR_COMMIT_OPTIONS=""
+
+# Options passed to darcs record when run by etckeeper.
+DARCS_COMMIT_OPTIONS="-a"
+
+# Uncomment to avoid etckeeper committing existing changes
+# to /etc automatically once per day.
+#AVOID_DAILY_AUTOCOMMITS=1
+
+# Uncomment the following to avoid special file warning
+# (the option is enabled automatically by cronjob regardless).
+#AVOID_SPECIAL_FILE_WARNING=1
+
+# Uncomment to avoid etckeeper committing existing changes to 
+# /etc before installation. It will cancel the installation,
+# so you can commit the changes by hand.
+#AVOID_COMMIT_BEFORE_INSTALL=1
+
+# The high-level package manager that's being used.
+# (apt, pacman-g2, yum, zypper etc)
+HIGHLEVEL_PACKAGE_MANAGER=yaourt
+
+# The low-level package manager that's being used.
+# (dpkg, rpm, pacman, pacman-g2, etc)
+LOWLEVEL_PACKAGE_MANAGER=pacman
+
+# To push each commit to a remote, put the name of the remote here.
+# (eg, "origin" for git).
+PUSH_REMOTE="origin"

aufgabe2.4/journald.conf

@@ -0,0 +1,33 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+# See journald.conf(5) for details
+
+[Journal]
+#Storage=auto
+#Compress=yes
+#Seal=yes
+#SplitMode=login
+#SyncIntervalSec=5m
+#RateLimitInterval=30s
+#RateLimitBurst=1000
+#SystemMaxUse=
+#SystemKeepFree=
+#SystemMaxFileSize=
+#RuntimeMaxUse=
+#RuntimeKeepFree=
+#RuntimeMaxFileSize=
+#MaxRetentionSec=
+#MaxFileSec=1month
+ForwardToSyslog=yes
+#ForwardToKMsg=no
+#ForwardToConsole=no
+#TTYPath=/dev/console
+#MaxLevelStore=debug
+#MaxLevelSyslog=debug
+#MaxLevelKMsg=notice
+#MaxLevelConsole=info

aufgabe2.4/pacman

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [[ "$1" != -S && "$1" != -S*u && "$1" != -U ]]; then
+    /usr/bin/pacman "$@"
+    exit $?
+fi
+
+[[ $EUID -eq 0 ]] && etckeeper pre-install
+
+/usr/bin/pacman "$@"
+EXIT_CODE=$?
+
+[[ $EUID -eq 0 ]] && etckeeper post-install
+exit $EXIT_CODE

aufgabe2.4/yaourt

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+sudo etckeeper pre-install
+
+/usr/bin/yaourt "$@"
+EXIT_CODE=$?
+
+sudo etckeeper post-install
+exit $EXIT_CODE

aufgabe2.5/genders

@@ -0,0 +1,2 @@
+zotac0		headnode
+zotac[1-4]	computenode

aufgabe2.5/pdsh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+PDSH_RCMD_TYPE="`cat /etc/pdsh/rcmd_default`" /usr/bin/pdsh $@

aufgabe2.5/rcmd_default

@@ -0,0 +1 @@
+ssh

aufgabe2.6/munin-node.conf

@@ -0,0 +1,64 @@
+#
+# Example config-file for munin-node
+#
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+pid_file /run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# This is the timeout for the whole transaction.
+# Units are in sec. Default is 15 min
+#
+# global_timeout 900
+
+# This is the timeout for each plugin.
+# Units are in sec. Default is 1 min
+#
+# timeout 60
+
+# Regexps for files to ignore
+ignore_file [\#~]$
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+#host_name myhostname
+
+# A list of addresses that are allowed to connect.  This must be a
+# regular expression, since Net::Server does not understand CIDR-style
+# network notation unless the perl module Net::CIDR is installed.  You
+# may repeat the allow line as many times as you'd like
+
+allow ^127\.0\.0\.1$
+allow ^10\.42\.0
+allow ^::1$
+
+# If you have installed the Net::CIDR perl module, you can use one or more
+# cidr_allow and cidr_deny address/mask patterns.  A connecting client must
+# match any cidr_allow, and not match any cidr_deny.  Note that a netmask
+# *must* be provided, even if it's /32
+#
+# Example:
+#
+# cidr_allow 127.0.0.1/32
+# cidr_allow 192.0.2.0/24
+# cidr_deny  192.0.2.42/32
+
+# Which address to bind to;
+host *
+# host 127.0.0.1
+
+# And which port
+port 4949

aufgabe2.6/munin.conf

@@ -0,0 +1,149 @@
+# Example configuration file for Munin, generated by 'make build'
+
+# The next three variables specifies where the location of the RRD
+# databases, the HTML output, logs and the lock/pid files.  They all
+# must be writable by the user running munin-cron.  They are all
+# defaulted to the values you see here.
+#
+#dbdir	/var/lib/munin
+htmldir /usr/share/munin/www
+#logdir /var/log/munin
+#rundir  /run/munin
+
+# Where to look for the HTML templates
+#
+#tmpldir	/etc/munin/templates
+
+# Where to look for the static www files
+#
+#staticdir /etc/munin/static
+
+# temporary cgi files are here. note that it has to be writable by 
+# the cgi user (usually nobody or httpd).
+#
+# cgitmpdir /var/lib/munin/cgi-tmp
+
+# (Exactly one) directory to include all files from.
+includedir /etc/munin/munin-conf.d
+
+# You can choose the time reference for "DERIVE" like graphs, and show
+# "per minute", "per hour" values instead of the default "per second"
+#
+#graph_period second
+
+# Graphics files are generated either via cron or by a CGI process.
+# See http://munin-monitoring.org/wiki/CgiHowto2 for more
+# documentation.
+# Since 2.0, munin-graph has been rewritten to use the cgi code. 
+# It is single threaded *by design* now.
+#
+graph_strategy cgi
+
+# munin-cgi-graph is invoked by the web server up to very many times at the
+# same time.  This is not optimal since it results in high CPU and memory
+# consumption to the degree that the system can thrash.  Again the default is
+# 6.  Most likely the optimal number for max_cgi_graph_jobs is the same as
+# max_graph_jobs.
+#
+#munin_cgi_graph_jobs 6
+
+# If the automatic CGI url is wrong for your system override it here:
+#
+#cgiurl_graph /munin-cgi/munin-cgi-graph
+
+# max_size_x and max_size_y are the max size of images in pixel.
+# Default is 4000. Do not make it too large otherwise RRD might use all
+# RAM to generate the images.
+# 
+#max_size_x 4000
+#max_size_y 4000
+
+# HTML files are normally generated by munin-html, no matter if the
+# files are used or not. You can change this to on-demand generation
+# by following the instructions in http://munin-monitoring.org/wiki/CgiHowto2
+# 
+# Notes: 
+# - moving to CGI for HTML means you cannot have graph generated by cron.
+# - cgi html has some bugs, mostly you still have to launch munin-html by hand
+# 
+html_strategy cgi
+
+# munin-update runs in parallel.
+#
+# The default max number of processes is 16, and is probably ok for you.
+#
+# If set too high, it might hit some process/ram/filedesc limits.
+# If set too low, munin-update might take more than 5 min.
+#
+# If you want munin-update to not be parallel set it to 0.
+#
+#max_processes 16
+
+# RRD updates are per default, performed directly on the rrd files.
+# To reduce IO and enable the use of the rrdcached, uncomment it and set it to
+# the location of the socket that rrdcached uses.
+#
+#rrdcached_socket /var/run/rrdcached.sock
+
+# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime
+# something changes (OK -> WARNING, CRITICAL -> OK, etc)
+#contact.someuser.command mail -s "Munin notification" somejuser@fnord.comm
+#contact.anotheruser.command mail -s "Munin notification" anotheruser@blibb.comm
+#
+# For those with Nagios, the following might come in handy. In addition,
+# the services must be defined in the Nagios server as well.
+#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf
+
+# a simple host tree
+[zotac0]
+    address 127.0.0.1
+    use_node_name yes
+
+[zotac1]
+    address 10.20.0.101
+    use_node_name yes
+
+#
+# A more complex example of a host tree
+#
+## First our "normal" host.
+# [fii.foo.com]
+#       address foo
+#
+## Then our other host...
+# [fay.foo.com]
+#       address fay
+#
+## IPv6 host. note that the ip adress has to be in brackets
+# [ip6.foo.com]
+#       address [2001::1234:1]
+#
+## Then we want totals...
+# [foo.com;Totals] #Force it into the "foo.com"-domain...
+#       update no   # Turn off data-fetching for this "host".
+#
+#   # The graph "load1". We want to see the loads of both machines...
+#   # "fii=fii.foo.com:load.load" means "label=machine:graph.field"
+#       load1.graph_title Loads side by side
+#       load1.graph_order fii=fii.foo.com:load.load fay=fay.foo.com:load.load
+#
+#   # The graph "load2". Now we want them stacked on top of each other.
+#       load2.graph_title Loads on top of each other
+#       load2.dummy_field.stack fii=fii.foo.com:load.load fay=fay.foo.com:load.load
+#       load2.dummy_field.draw AREA # We want area instead the default LINE2.
+#       load2.dummy_field.label dummy # This is needed. Silly, really.
+#
+#   # The graph "load3". Now we want them summarised into one field
+#       load3.graph_title Loads summarised
+#       load3.combined_loads.sum fii.foo.com:load.load fay.foo.com:load.load
+#       load3.combined_loads.label Combined loads # Must be set, as this is
+#                                                 # not a dummy field!
+#
+## ...and on a side note, I want them listen in another order (default is
+## alphabetically)
+#
+# # Since [foo.com] would be interpreted as a host in the domain "com", we
+# # specify that this is a domain by adding a semicolon.
+# [foo.com;]
+#       node_order Totals fii.foo.com fay.foo.com
+#

aufgabe2.6/nginx/fastcgi.conf

@@ -0,0 +1,25 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

aufgabe2.6/nginx/fastcgi_params

@@ -0,0 +1,24 @@
+
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

aufgabe2.6/nginx/mime.types

@@ -0,0 +1,80 @@
+
+types {
+    text/html                             html htm shtml;
+    text/css                              css;
+    text/xml                              xml;
+    image/gif                             gif;
+    image/jpeg                            jpeg jpg;
+    application/x-javascript              js;
+    application/atom+xml                  atom;
+    application/rss+xml                   rss;
+
+    text/mathml                           mml;
+    text/plain                            txt;
+    text/vnd.sun.j2me.app-descriptor      jad;
+    text/vnd.wap.wml                      wml;
+    text/x-component                      htc;
+
+    image/png                             png;
+    image/tiff                            tif tiff;
+    image/vnd.wap.wbmp                    wbmp;
+    image/x-icon                          ico;
+    image/x-jng                           jng;
+    image/x-ms-bmp                        bmp;
+    image/svg+xml                         svg svgz;
+    image/webp                            webp;
+
+    application/java-archive              jar war ear;
+    application/mac-binhex40              hqx;
+    application/msword                    doc;
+    application/pdf                       pdf;
+    application/postscript                ps eps ai;
+    application/rtf                       rtf;
+    application/vnd.ms-excel              xls;
+    application/vnd.ms-powerpoint         ppt;
+    application/vnd.wap.wmlc              wmlc;
+    application/vnd.google-earth.kml+xml  kml;
+    application/vnd.google-earth.kmz      kmz;
+    application/x-7z-compressed           7z;
+    application/x-cocoa                   cco;
+    application/x-java-archive-diff       jardiff;
+    application/x-java-jnlp-file          jnlp;
+    application/x-makeself                run;
+    application/x-perl                    pl pm;
+    application/x-pilot                   prc pdb;
+    application/x-rar-compressed          rar;
+    application/x-redhat-package-manager  rpm;
+    application/x-sea                     sea;
+    application/x-shockwave-flash         swf;
+    application/x-stuffit                 sit;
+    application/x-tcl                     tcl tk;
+    application/x-x509-ca-cert            der pem crt;
+    application/x-xpinstall               xpi;
+    application/xhtml+xml                 xhtml;
+    application/zip                       zip;
+
+    application/octet-stream              bin exe dll;
+    application/octet-stream              deb;
+    application/octet-stream              dmg;
+    application/octet-stream              eot;
+    application/octet-stream              iso img;
+    application/octet-stream              msi msp msm;
+
+    audio/midi                            mid midi kar;
+    audio/mpeg                            mp3;
+    audio/ogg                             ogg;
+    audio/x-m4a                           m4a;
+    audio/x-realaudio                     ra;
+
+    video/3gpp                            3gpp 3gp;
+    video/mp4                             mp4;
+    video/mpeg                            mpeg mpg;
+    video/quicktime                       mov;
+    video/webm                            webm;
+    video/x-flv                           flv;
+    video/x-m4v                           m4v;
+    video/x-mng                           mng;
+    video/x-ms-asf                        asx asf;
+    video/x-ms-wmv                        wmv;
+    video/x-msvideo                       avi;
+}

aufgabe2.6/nginx/nginx.conf

@@ -0,0 +1,59 @@
+
+user http;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log;
+
+#pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    access_log  /var/log/nginx/access.log;
+
+    sendfile        on;
+    keepalive_timeout  65;
+    gzip  on;
+    gzip_static on;
+    gzip_http_version 1.0;
+    gzip_comp_level 2;
+    gzip_vary on;
+    gzip_disable "msie6";
+    gzip_min_length 1100;
+    gzip_buffers 4 8k;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types
+	# text/html is always compressed by HttpGzipModule
+	text/css
+	text/javascript
+	text/xml
+	text/plain
+	text/x-component
+	application/javascript
+	application/x-javascript
+	application/json
+	application/xml
+	application/rss+xml
+	font/truetype
+	font/opentype
+	application/vnd.ms-fontobject
+	image/svg+xml;
+
+    server_tokens off;
+    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_session_timeout 5m;
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+
+    upstream backend {
+      server unix:/run/php-fpm/php-fpm.sock;
+    }
+    include sites/*.conf;
+}

aufgabe2.6/nginx/sites/default.conf

@@ -0,0 +1,27 @@
+server {
+  listen [::]:80;
+  listen 80;
+  #listen [::]:443 ssl;
+  #listen 443 ssl;
+
+  root /srv/http/lctp;
+
+  location ^~ /munin-cgi/munin-cgi-graph/ {
+    fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
+    include fastcgi_params;
+  }
+
+  location /munin/static/ {
+    alias /etc/munin/static/;
+    expires modified +1w;
+  }
+
+  location /munin/ {
+    fastcgi_split_path_info ^(/munin)(.*);
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_pass unix:/var/run/munin/fcgi-html.sock;
+    include fastcgi_params;
+  }
+}

bericht/abschnitte/sv-filesystems.tex

@@ -0,0 +1,3 @@
+%GlusterFS
+%- fdisk /dev/sda -> extended partition -> 50G partition
+%- mkfs.xfs -i size=512 /dev/sda5

bericht/abschnitte/sv.tex

@@ -0,0 +1,9 @@
+\section{Verteilte Dateisysteme und Dienste}
+
+\input{abschnitte/sv-iptables}
+
+\input{abschnitte/sv-dhcp_dns}
+
+\input{abschnitte/sv-filesystems}
+
+\input{abschnitte/sv-filesystems}

bericht/bericht.tex

@@ -36,6 +36,8 @@
 
 \input{abschnitte/bs}
 
+\input{abschnitte/sv}
+
 \input{abschnitte/burnin}
 
 \input{abschnitte/anhang}