├── README.md
└── SetupCasperDPServer.sh


/README.md:
--------------------------------------------------------------------------------
 1 | Casper Distribution Server Automated Build Script
 2 | =================================================
 3 | 
 4 | Version 2.1 - 9th November 2015.
 5 | 
 6 | This script is meant to be run as part of a Casper Imaging workflow and will happily set up
 7 | an OS X Server with the following services:
 8 | 
 9 | 1) Casper AFP/HTTPS Distribution Point
10 | 
11 | 2) Casper rsync to other servers
12 | 
13 | 3) Netboot Server (both NFS and HTTP based)
14 | 
15 | 4) SNMP Monitoring
16 | 
17 | 
18 | The process can take a few hours depending on your network connection. Yes, HOURS. This is because
19 | the script will attempt to rsync your new server with your primary Casper server including Netboot image.
20 | 
21 | Six plus hours over 100Mb network are not unheard of for this.
22 | 
23 | I HIGHLY encourage you to go through the script for your own customisations. I've sanitised the script to
24 | remove all references from where I work ;)
25 | 
26 | Areas for Improvement
27 | =====================
28 | 
29 | 1) Admin password for root and admin accounts should really be passed to this script for security rather than baked in.
30 | 
31 | Current Known Issues
32 | ====================
33 | 
34 | 1) Netboot service does not start up again. Currently requires manual start.
35 | 
36 | 2) SNMP service also does not start up again. Same as 1)
37 | 
38 | 3) HTTP service alias info is not being set up. Serveradmin appears to be igoring the data being passed to it.
39 | 


--------------------------------------------------------------------------------
/SetupCasperDPServer.sh:
--------------------------------------------------------------------------------
   1 | #!/bin/bash
   2 | 
   3 | # Script to automate setup and config of an OS X Server
   4 | 
   5 | # Author  : contact@richard-purves.com
   6 | # Version : 0.1 - 10-04-2014 - Initial Version
   7 | # Version : 0.2 – 15-04-2014 – Added command= line to use validate-rsync script on root ssh access
   8 | # Version : 0.3 - 16-04-2014 - Found major bugs in code. Removed AppleRAID code for safety. Added serveradmin account to share ACL.
   9 | # Version : 0.4 - 17-04-2014 - Fixed bugs to do with SSH enabling for appropriate users. Added code to auto add servers to known_hosts file.
  10 | # Version : 0.5 - 18-04-2014 - Added check to initial rsync. Primary server will now not attempt to replicate from itself!
  11 | # Version : 0.6 - 22-04-2014 - Massively overhauled known_hosts code to make it more elegant and use existing commands rather than directly messing with files.
  12 | # Version : 0.7 - 23-04-2014 - Moved IP address code to back of script for non server VLAN builds. And now sets up user dock!
  13 | # Version : 0.8 - 24-04-2014 - Everything works as expected! Now added code to set admin account desktop background and fixed rsync script generation.
  14 | # Version : 1.0 - 24-04-2014 - Initial Release.
  15 | # Version : 1.1 - 29-04-2014 - Now enables CasperShare to be shared via HTTP alias as well as AFP
  16 | # Version : 1.5 - 29-06-2014 - Massively improved logging. Fixed various silly rsync script bugs.
  17 | # Version : 1.6 - 06-08-2014 - Removed netboot configuration. It configures itself from the images ... d'oh!
  18 | 
  19 | # Version : 2.0 - 29-09-2015 - Code from Rich Trouton & Charles Edge to auto setup Server.app. Cleaned up logging code to something less primitive.
  20 | # Version : 2.1 - 09-11-2015 - Added CocoaDialog based prompting so we're not waiting on a blank screen for a reboot. This requires loceee's CD fork from his github.
  21 | 
  22 | # Current supported version of OS X Server is 5.03. Please don't use anything earlier than this!
  23 | 
  24 | # Set variables here
  25 | 
  26 | MacModel=$( ioreg -l | awk '/product-name/ { split($0, line, "\""); printf("%s\n", line[4]); }' )
  27 | PrefModel=$( defaults read /Library/Preferences/SystemConfiguration/preferences.plist Model )
  28 | osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
  29 | sw_vers=$(sw_vers -productVersion)
  30 | sw_build=$(sw_vers -buildVersion)
  31 | errorcode=1
  32 | SERVERADMIN=admin
  33 | SERVERPW=password
  34 | computername=$( scutil --get ComputerName )
  35 | cd=/usr/local/bin/cocoaDialog.app/Contents/MacOS/cocoaDialog
  36 | DU=/usr/local/scripts/dockutil.py
  37 | LOGFOLDER="/private/var/log/organisation name here"
  38 | LOG=$LOGFOLDER"/Server-Setup.log"
  39 | 
  40 | if [ ! -d "$LOGFOLDER" ];
  41 | then
  42 | 	mkdir $LOGFOLDER
  43 | fi
  44 | 
  45 | # Set functions here
  46 | 
  47 | function logme()
  48 | {
  49 | # Check to see if function has been called correctly
  50 | 	if [ -z "$1" ]
  51 | 	then
  52 | 		echo $( date )" - logme function call error: no text passed to function! Please recheck code!"
  53 | 		exit 1
  54 | 	fi
  55 | 
  56 | # Log the passed details
  57 | 	echo $( date )" - "$1 >> $LOG
  58 | 	echo "" >> $LOG
  59 | }
  60 | 
  61 | function cdmsg ()
  62 | {
  63 | 	$cd msgbox --icon info --title "$1" --text "$2" --informative-text "$3" --float &
  64 | 	cdpid=$!
  65 | 	sleep 3
  66 | }
  67 | 
  68 | function multiplejamf ()
  69 | {
  70 | 	# Check to see if jamf binary is running, and wait for it to finish.
  71 | 	# Trying to avoid multiple triggers running at once at the expense of time taken.
  72 | 	# There are two existing jamf processes running at all times. More than that is bad for us!
  73 | 
  74 | 	TEST=$( pgrep jamf | wc -l )
  75 | 
  76 | 	while [ $TEST -gt 2 ]
  77 | 	do
  78 | 		/bin/echo "Waiting for existing jamf processes to finish ..." >> $LOG
  79 | 		sleep 3
  80 | 		TEST=$( pgrep jamf | wc -l )
  81 | 	done
  82 | }
  83 | 
  84 | # Print a message to let people know what's happening and go from there!
  85 | 
  86 | cdmsg "Mac Server Configuration" "Configuration in Progress" "This will take some time to complete. Please wait."
  87 | kill $cdpid
  88 | 
  89 | # Set System Timezone to avoid clock sync issues and record imaging time.
  90 | 
  91 | cdmsg "Mac Server Configuration" "Time Settings" "Stage (1/31). Please Wait."
  92 | 	systemsetup -settimezone Europe/London
  93 | 	systemsetup -setusingnetworktime on
  94 | 	systemsetup -setnetworktimeserver timeserver.address
  95 | 	/usr/sbin/ntpd -g -q
  96 | kill $cdpid
  97 | 
  98 | # Check and start log file
  99 | 
 100 | echo "Server Build - started at "$( date ) >> $LOG
 101 | 
 102 | # Save last imaged time
 103 | 
 104 | touch /usr/lastimaged
 105 | echo "`date`" > /usr/lastimaged
 106 | 
 107 | # Set energy saving settings to never sleep
 108 | 
 109 | cdmsg "Mac Server Configuration" "Sleep Settings" "Stage (2/31). Please Wait."
 110 | 	logme "Disabling sleep settings"
 111 | 	/usr/bin/pmset -a sleep 0 | tee -a ${LOG}
 112 | 	/usr/bin/pmset -a displaysleep 0 | tee -a ${LOG}
 113 | 	/usr/bin/pmset -a disksleep 0 | tee -a ${LOG}
 114 | kill $cdpid
 115 | 
 116 | # Hiding under UID500 users and setting login window to username/password entry.
 117 | 
 118 | cdmsg "Mac Server Configuration" "LoginWindow Settings" "Stage (3/31). Please Wait."
 119 | 	logme "Hiding admin users and setting login window settings"
 120 | 	defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool true | tee -a ${LOG}
 121 | 	defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true | tee -a ${LOG}
 122 | kill $cdpid
 123 | 
 124 | # Disable auto check for Software Updates
 125 | 
 126 | cdmsg "Mac Server Configuration" "Apple Software Update Settings" "Stage (4/31). Please Wait."
 127 | 	logme "Disabling Apple Software Update Checking"
 128 | 	softwareupdate --schedule off | tee -a ${LOG}
 129 | 	launchctl unload -w /System/Library/LaunchDaemons/com.apple.softwareupdatecheck.initial.plist | tee -a ${LOG}
 130 | 	launchctl unload -w /System/Library/LaunchDaemons/com.apple.softwareupdatecheck.periodic.plist | tee -a ${LOG}
 131 | kill $cdpid
 132 | 
 133 | # Make sure the computer has enrolled
 134 | 
 135 | cdmsg "Mac Server Configuration" "Waiting for JSS Enrollment" "Stage (5/31). Please Wait."
 136 | 	logme "Checking to see if JAMF enroll.sh is still running"
 137 | 
 138 | 	while [ -d '/Library/Application Support/JAMF/FirstRun/Enroll' ]
 139 | 	do
 140 | 	   echo $( date )" - Computer enrolment into JSS in progress."
 141 | 	   sleep 5
 142 | 	done
 143 | kill $cdpid
 144 | 
 145 | # Create Server local admin account
 146 | 
 147 | cdmsg "Mac Server Configuration" "Creating admin account" "Stage (6/31). Please Wait."
 148 | 	logme "Creating admin account"
 149 | 	jamf createAccount -username $SERVERADMIN -realname $SERVERADMIN -password $SERVERPW -home /Users/admin -shell /bin/bash -admin | tee -a ${LOG}
 150 | kill $cdpid
 151 | 
 152 | # New code curtesy of Rich Trouton & Charles Edge to auto setup Server.app before proceeding
 153 | # See https://derflounder.wordpress.com/2015/10/29/automating-the-setup-of-os-x-server-on-el-capitan-and-yosemite/
 154 | 
 155 | # Check for server.app presense, quit if not there
 156 | 
 157 | cdmsg "Mac Server Configuration" "Registering Server.app" "Stage (7/31). Please Wait."
 158 | 	if [[ ! -e "/Applications/Server.app/Contents/ServerRoot/usr/sbin/server" ]]; then
 159 | 	  logme "/Applications/Server.app/Contents/ServerRoot/usr/sbin/server is not present."
 160 | 	  kill $cdpid
 161 | 	  exit 0
 162 | 	fi
 163 | 
 164 | 	logme "/Applications/Server.app/Contents/ServerRoot/usr/sbin/server detected. Proceeding."
 165 | 
 166 | # Export temporary user's username and password as environment values.
 167 | # This export will allow these values to be used by the expect section
 168 | 
 169 | 	export setupadmin="$SERVERADMIN"
 170 | 	export setupadmin_password="$SERVERPW"
 171 | 
 172 | # Accept the Server.app license and set up the server tools
 173 | 
 174 | /usr/bin/expect<<EOF
 175 | set timeout 300
 176 | spawn /Applications/Server.app/Contents/ServerRoot/usr/sbin/server setup
 177 | puts "$setupadmin"
 178 | puts "$setupadmin_password"
 179 | expect "Press Return to view the software license agreement." { send \r }
 180 | expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
 181 | expect "User name:" { send "$setupadmin\r" }
 182 | expect "Password:" { send "$setupadmin_password\r" }
 183 | expect "%"
 184 | EOF
 185 | 
 186 | logme "Server.app licence accepted. Proceeding."
 187 | 
 188 | # That should have registered server.app correctly.
 189 | 
 190 | kill $cdpid
 191 | 
 192 | # Disable spotlight indexing
 193 | 
 194 | cdmsg "Mac Server Configuration" "Disabling Spotlight Indexing" "Stage (8/31). Please Wait."
 195 | 	logme "Disabling spotlight indexing"
 196 | 	mdutil -i off / | tee -a ${LOG}
 197 | 	mdutil -d / | tee -a ${LOG}
 198 | kill $cdpid
 199 | 
 200 | # Disable iCloud and Diagnostics popup.
 201 | # My original hack has stopped working since 10.9 so replaced with Rich Trouton's more elegant method.
 202 | # https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/disable_apple_icloud_and_diagnostic_pop_ups
 203 | 
 204 | cdmsg "Mac Server Configuration" "Disabling iCloud and Diagnostics messages" "Stage (9/31). Please Wait."
 205 | 	logme "Disabling iCloud and Diagnostics messages"
 206 | 
 207 | 	for USER_HOME in /Users/*
 208 | 	  do
 209 | 		USER_UID=`basename "${USER_HOME}"`
 210 | 		if [ ! "${USER_UID}" = "Shared" ]; then
 211 | 		  if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
 212 | 			/bin/mkdir -p "${USER_HOME}"/Library/Preferences
 213 | 			/usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
 214 | 			/usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
 215 | 		  fi
 216 | 		  if [ -d "${USER_HOME}"/Library/Preferences ]; then
 217 | 			/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
 218 | 			/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
 219 | 			/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
 220 | 			/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
 221 | 			/usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant.plist
 222 | 		  fi
 223 | 		fi
 224 | 	  done
 225 | 	fi
 226 | kill $cdpid
 227 | 
 228 | # Enable ARD for remote access for all users.
 229 | 
 230 | cdmsg "Mac Server Configuration" "Enabling Apple Remote Management" "Stage (10/31). Please Wait."
 231 | 	logme "Enabling Apple Remote Management"
 232 | 	/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all | tee -a ${LOG}
 233 | kill $cdpid
 234 | 
 235 | # Fix the incorrect model name in /Library/Preferences/SystemConfiguration/preferences.plist
 236 | # Also make sure the .plist is in the correct format
 237 | 
 238 | cdmsg "Mac Server Configuration" "Fixing network settings and interfaces" "Stage (11/31). Please Wait."
 239 | 	logme "Fixing network settings and interfaces"
 240 | 
 241 | 	if [[ "$PrefModel" != "$MacModel" ]];
 242 | 	then
 243 | 	  /bin/echo $AdminPW | sudo -S defaults write /Library/Preferences/SystemConfiguration/preferences.plist Model $MacModel
 244 | 	  /bin/echo $AdminPW | sudo -S plutil -convert xml1 /Library/Preferences/SystemConfiguration/preferences.plist
 245 | 	fi
 246 | kill $cdpid
 247 | 
 248 | # Fix the incorrect network service names
 249 | # Script lovingly stolen from https://jamfnation.jamfsoftware.com/discussion.html?id=3422
 250 | 
 251 | cdmsg "Mac Server Configuration" "Fixing incorrect network service names" "Stage (12/31). Please Wait."
 252 | 	# Detect new network hardware
 253 | 	networksetup -detectnewhardware
 254 | 
 255 | 	# List all network services and read one by one
 256 | 	networksetup -listallnetworkservices | tail -n +2 | while read service
 257 | 	do
 258 | 
 259 | 	# Remove asterisk from string for renaming disabled services
 260 | 		service=${service#*\*}
 261 | 
 262 | 	# Use filter to select next line which has the hardware port defined
 263 | 		filter=false
 264 | 
 265 | 	# Display network services
 266 | 		networksetup -listnetworkserviceorder | while read serviceorder
 267 | 		do
 268 | 			if [[ ${filter} == true ]]
 269 | 			then
 270 | 				# Grab hardware port
 271 | 				hardwareport=`echo ${serviceorder} | sed -e 's/(Hardware Port: //;s/, Device:.*//'`
 272 | 			
 273 | 				# Check if service name if different
 274 | 				if [[ ${service} != ${hardwareport} ]]
 275 | 				then
 276 | 					# Rename the network service
 277 | 					networksetup -renamenetworkservice "${service}" "${hardwareport}"
 278 | 					echo -e "Renamed network service \"${service}\" to \"${hardwareport}\""
 279 | 				fi
 280 | 			fi
 281 | 
 282 | 			if [[ ${serviceorder} == *${service} ]]
 283 | 			then		
 284 | 				# Got the line with the service. Set the filter to true to grab the next line which contains the hardware port
 285 | 				filter=true
 286 | 				else
 287 | 				filter=false
 288 | 			fi
 289 | 		done
 290 | 	done
 291 | kill $cdpid
 292 | 
 293 | # Set the building to put the computer in the Unmanaged building
 294 | 
 295 | cdmsg "Mac Server Configuration" "Configuring Server JSS Record" "Stage (13/31). Please Wait."
 296 | 	logme "Configuring JSS record for server"
 297 | 	
 298 | 	multiplejamf	
 299 | 	jamf recon -building Unmanaged | tee -a ${LOG}
 300 | 	
 301 | 	# Now set the department details to the Casper DP department.
 302 | 	
 303 | 	multiplejamf
 304 | 	jamf recon -department CasperDP | tee -a ${LOG}
 305 | kill $cdpid
 306 | 
 307 | # Install server specific software via manual trigger.
 308 | 
 309 | cdmsg "Mac Server Configuration" "Installing Server specific software" "Stage (14/31). Please Wait."
 310 | 	multiplejamf
 311 | 	jamf policy -trigger CasperServer | tee -a ${LOG}
 312 | kill $cdpid
 313 | 
 314 | # Final recon to make sure Inventory is up to date.
 315 | 
 316 | cdmsg "Mac Server Configuration" "Taking Casper Inventory of Server" "Stage (15/31). Please Wait."
 317 | 	multiplejamf
 318 | 	jamf recon | tee -a ${LOG}
 319 | kill $cdpid
 320 | 
 321 | # Enable root user for rsync purposes
 322 | 
 323 | cdmsg "Mac Server Configuration" "Enabling root account for rsync only" "Stage (16/31). Please Wait."
 324 | 	logme "Enabling root account"
 325 | 	dsenableroot -u admin -p $SERVERPW -r $SERVERPW
 326 | kill $cdpid
 327 | 
 328 | # Enable SSH access for root and serveradmin users
 329 | 
 330 | cdmsg "Mac Server Configuration" "Enabling SSH access" "Stage (17/31). Please Wait."
 331 | 	logme "Enabling SSH access"
 332 | 	dseditgroup -o delete -t group com.apple.access_ssh | tee -a ${LOG}
 333 | 	dseditgroup -o create -q com.apple.access_ssh | tee -a ${LOG}
 334 | 	dseditgroup -o edit -a caspermgt -t user com.apple.access_ssh | tee -a ${LOG}
 335 | 	dseditgroup -o edit -a root -t user com.apple.access_ssh | tee -a ${LOG}
 336 | 	dseditgroup -o edit -a admin -t user com.apple.access_ssh | tee -a ${LOG}
 337 | kill $cdpid
 338 | 
 339 | # Create CasperAdmin and CasperInstall accounts. These must not have user folders or user shells!
 340 | 
 341 | cdmsg "Mac Server Configuration" "Creating Casper service accounts" "Stage (18/31). Please Wait."
 342 | 	logme "Creating casperadmin account"
 343 | 	dscl . create /Users/casperadmin | tee -a ${LOG}
 344 | 	dscl . create /Users/casperadmin UserShell /usr/bin/false | tee -a ${LOG}
 345 | 	dscl . create /Users/casperadmin RealName casperadmin | tee -a ${LOG}
 346 | 	dscl . create /Users/casperadmin UniqueID 502 | tee -a ${LOG}
 347 | 	dscl . create /Users/casperadmin PrimaryGroupID 20 | tee -a ${LOG}
 348 | 	dscl . passwd /Users/casperadmin c4sper4dmin | tee -a ${LOG}
 349 | 
 350 | 	logme "Creating casperinstall account"
 351 | 	dscl . create /Users/casperinstall | tee -a ${LOG}
 352 | 	dscl . create /Users/casperinstall UserShell /usr/bin/false | tee -a ${LOG}
 353 | 	dscl . create /Users/casperinstall RealName casperinstall | tee -a ${LOG}
 354 | 	dscl . create /Users/casperinstall UniqueID 503 | tee -a ${LOG}
 355 | 	dscl . create /Users/casperinstall PrimaryGroupID 20 | tee -a ${LOG}
 356 | 	dscl . passwd /Users/casperinstall c4sper4dmin | tee -a ${LOG}
 357 | kill $cdpid
 358 | 
 359 | # Create caspershare folder and set ACL permissions for casperadmin, casperinstall and serveradmin users.
 360 | 
 361 | cdmsg "Mac Server Configuration" "Creating CasperShare folder and ACL's" "Stage (19/31). Please Wait."
 362 | 	mkdir /CasperShare
 363 | 	chmod -R +a "admin allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /CasperShare
 364 | 	chmod -R +a "casperadmin allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /CasperShare
 365 | 	chmod -R +a "casperinstall allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit" /CasperShare
 366 | 	chmod -R +a "_www allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /CasperShare
 367 | kill $cdpid
 368 | 
 369 | # Create SSH folder for root user
 370 | 
 371 | cdmsg "Mac Server Configuration" "Configuring rsync SSH access" "Stage (20/31). Please Wait."
 372 | 
 373 | 	mkdir /var/root/.ssh >> $LOG
 374 | 	chown root:wheel /var/root/.ssh >> $LOG
 375 | 	chmod 700 /var/root/.ssh >> $LOG
 376 | 
 377 | # Create SSH key
 378 | 
 379 | touch /var/root/.ssh/rsync-key >> $LOG
 380 | cat > /var/root/.ssh/rsync-key << ENDRSAKEY
 381 | -----BEGIN RSA PRIVATE KEY-----
 382 | key goes here
 383 | -----END RSA PRIVATE KEY-----
 384 | ENDRSAKEY
 385 | 
 386 | touch /var/root/.ssh/rsync-key.pub >> $LOG
 387 | cat > /var/root/.ssh/rsync-key.pub << ENDRSAKEY
 388 | ssh-rsa key goes here mac_root
 389 | ENDRSAKEY
 390 | 
 391 | # Lock down SSH access to rsync service only
 392 | 
 393 | logme "Lock root ssh to rsync command"
 394 | 
 395 | touch /var/root/.ssh/authorized_keys
 396 | cat > /var/root/.ssh/authorized_keys << ENDAUTHKEY
 397 | command="/usr/local/scripts/validate-rsync" ssh-rsa key goes here mac_root
 398 | ENDAUTHKEY
 399 | 
 400 | chown root:wheel /var/root/.ssh/authorized_keys >> $LOG
 401 | chmod 644 /var/root/.ssh/authorized_keys >> $LOG
 402 | 
 403 | # Make and lock down working folder
 404 | 
 405 | logme "Create scripts folder, ssh key and validate-rsync file"
 406 | 
 407 | mkdir /usr/local/
 408 | mkdir /usr/local/scripts
 409 | chown root:wheel /usr/local/scripts
 410 | 
 411 | # Create SSH validation script
 412 | 
 413 | touch /usr/local/scripts/validate-rsync
 414 | 
 415 | cat > /usr/local/scripts/validate-rsync << ENDVALIDATE
 416 | #!/bin/sh
 417 | case "\$SSH_ORIGINAL_COMMAND" in
 418 | rsync\ --server*)
 419 | \$SSH_ORIGINAL_COMMAND
 420 | ;;
 421 | \/usr\/local\/scripts\/casper-sync.sh*)
 422 | \$SSH_ORIGINAL_COMMAND
 423 | ;;
 424 | *)
 425 | echo "Rejected"
 426 | ;;
 427 | esac
 428 | ENDVALIDATE
 429 | 
 430 | # Set the correct permissions and owner on the files we just created
 431 | 
 432 | chown root:wheel /usr/local/scripts/validate-rsync | tee -a ${LOG}
 433 | chmod 755 /usr/local/scripts/validate-rsync | tee -a ${LOG}
 434 | 
 435 | chown root:wheel /usr/local/scripts/authorized_keys | tee -a ${LOG}
 436 | chmod 755 /usr/local/scripts/authorized_keys | tee -a ${LOG}
 437 | 
 438 | chown root:wheel /var/root/.ssh/rsync-key | tee -a ${LOG}
 439 | chmod 600 /var/root/.ssh/rsync-key | tee -a ${LOG}
 440 | 
 441 | chown root:wheel /var/root/.ssh/rsync-key.pub | tee -a ${LOG}
 442 | chmod 600 /var/root/.ssh/rsync-key.pub | tee -a ${LOG}
 443 | 
 444 | kill $cdpid
 445 | 
 446 | # Add servers to /var/root/.ssh/known_hosts file.
 447 | 
 448 | cdmsg "Mac Server Configuration" "Adding known servers to authorised hosts file" "Stage (21/31). Please Wait."
 449 | 	logme "Adding current casper dp servers to known_hosts file"
 450 | 
 451 | 	[ -e /var/root/.ssh/known_hosts ] || touch /var/root/.ssh/known_hosts
 452 | 	for host in \
 453 | 		server1 \
 454 | 		server2 \
 455 | 		server3 \
 456 | 	; do
 457 | 		ssh-keygen -R $host -f /var/root/.ssh/known_hosts
 458 | 		ssh -q -o StrictHostKeyChecking=no -o BatchMode=yes -o UserKnownHostsFile=/var/root/.ssh/known_hosts $host echo '' || true
 459 | 	done
 460 | 
 461 | 	chown root:wheel /var/root/.ssh/known_hosts
 462 | 	chmod 755 /var/root/.ssh/known_hosts
 463 | kill $cdpid
 464 | 
 465 | # Create rsync script for specific server computernames.
 466 | # There's a lot of \ being used in places. That's to stop the cat command expanding variables/commands out and breaking the generated files.
 467 | 
 468 | cdmsg "Mac Server Configuration" "Create rsync script and LaunchDaemon" "Stage (22/31). Please Wait."
 469 | 
 470 | case $computername in
 471 | 
 472 | server1 )
 473 | echo "" >> $LOG
 474 | echo $( date )" - Creating rsync scripts for server: "$computername >> $LOG
 475 | 
 476 | mkdir /usr/local/scripts >> $LOG
 477 | touch /usr/local/scripts/casper-sync.sh >> $LOG
 478 | 
 479 | cat  > /usr/local/scripts/casper-sync.sh << CASPER-SYNC
 480 | #!/bin/sh
 481 | 
 482 | # rsync script for server1
 483 | # implemented   : contact@richard-purves.com
 484 | 
 485 | LOGS=/var/log/casper-sync.log
 486 | LOCKS=/var/run/casper-sync.lck
 487 | TEST=""
 488 | TEST=\`/bin/ps -ef \\
 489 |      |/usr/bin/grep casper-sync \\
 490 |      |/usr/bin/grep -v grep \\
 491 |      |/usr/bin/grep -v casper-sync.log \\
 492 |      |/usr/bin/wc -l\`
 493 | 
 494 | if [ \$TEST -gt 2 ]; then
 495 | echo "\`date\` Another rsync instance running .... exiting" >> \$LOGS;
 496 | exit 0;
 497 | else
 498 |    echo "Starting rsync at \`date\`" >> \$LOGS;
 499 |    while true ; do
 500 |     if [ ! -e \$LOCKS ] ;then
 501 |         touch \$LOCKS ;
 502 | 
 503 | # Sync server2 first
 504 | 
 505 | # Sync CasperShare
 506 |         
 507 |         echo "Syncing server server2" >> \$LOGS;
 508 |         /usr/bin/rsync -a4hxvz --delete-after --force  --bwlimit=100000 -e "ssh -i /var/root/.ssh/rsync-key" /CasperShare/ root@server2:/CasperShare >> \$LOGS 2>&1
 509 | 
 510 | # Sync Netboot image
 511 | 
 512 |         echo "Syncing netboot image server2" >> \$LOGS;
 513 |         /usr/bin/rsync -a4hxvz --delete-after --force  --bwlimit=100000 -e "ssh -i /var/root/.ssh/rsync-key" /Library/NetBoot/NetBootSP0/ root@server2:/Library/NetBoot/NetBootSP0/ >> \$LOGS 2>&1
 514 | 
 515 | # Start external sync from server2
 516 | # Background this so that the rest of the rsync will finish while this works. They "should" be ok for this.
 517 | 
 518 | 	echo "Starting sync from server2 outward" >> \$LOGS;
 519 | 	ssh -i /var/root/.ssh/rsync-key root@server2 /usr/local/scripts/casper-sync.sh &
 520 | 
 521 | # All done for this server!
 522 |         
 523 |         /bin/rm \$LOCKS ;
 524 |         echo "Sync finished at \`date\`" >> \$LOGS ;
 525 |         exit 0;
 526 |     else
 527 |         sleep 60 ;
 528 |     fi;
 529 |    done;
 530 | fi;
 531 | CASPER-SYNC
 532 | 
 533 | touch /Library/LaunchDaemons/com.org.casper-rsync.plist
 534 | 
 535 | cat > /Library/LaunchDaemons/com.org.casper-rsync.plist << CASPER-SYNC-LAUNCHD
 536 | <?xml version="1.0" encoding="UTF-8"?>
 537 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 538 | <plist version="1.0">
 539 | <dict>
 540 | 	<key>Label</key>
 541 | 	<string>com.org.casper-rsync</string>
 542 | 	<key>ProgramArguments</key>
 543 | 	<array>
 544 | 		<string>/usr/local/scripts/casper-sync.sh</string>
 545 | 	</array>
 546 | 	<key>StartInterval</key>
 547 | 	<integer>900</integer>
 548 | </dict>
 549 | </plist>
 550 | CASPER-SYNC-LAUNCHD
 551 | 
 552 | chown root:wheel /usr/local/scripts/casper-sync.sh >> $LOG
 553 | chmod 755 /usr/local/scripts/casper-sync.sh >> $LOG
 554 | 
 555 | chown root:wheel /Library/LaunchDaemons/com.org.casper-rsync.plist >> $LOG
 556 | chmod 644 /Library/LaunchDaemons/com.org.casper-rsync.plist >> $LOG
 557 | ;;
 558 | 
 559 | server2 )
 560 | echo "" >> $LOG
 561 | echo $( date )" - Creating rsync scripts for server: "$computername >> $LOG
 562 | 
 563 | mkdir /usr/local/scripts >> $LOG
 564 | touch /usr/local/scripts/casper-sync.sh >> $LOG
 565 | 
 566 | cat > /usr/local/scripts/casper-sync.sh << CASPER-SYNC
 567 | #!/bin/sh
 568 | 
 569 | # rsync script for server2
 570 | # implemented   : contact@richard-purves.com
 571 | 
 572 | LOGS=/var/log/casper-sync.log
 573 | LOCKS=/var/run/casper-sync.lck
 574 | TEST=""
 575 | TEST=\`/bin/ps -ef \\
 576 |      |/usr/bin/grep casper-sync \\
 577 |      |/usr/bin/grep -v grep \\
 578 |      |/usr/bin/grep -v casper-sync.log \\
 579 |      |/usr/bin/wc -l\`
 580 | 
 581 | if [ \$TEST -gt 2 ]; then
 582 | echo "\`date\` Another process running .... exiting" >> \$LOGS;
 583 | exit 0;
 584 | else
 585 |    echo "Starting rsync at \`date\`" >> \$LOGS;
 586 |    while true ; do
 587 |     if [ ! -e \$LOCKS ] ;then
 588 |         touch \$LOCKS ;
 589 | 
 590 | # Sync server3
 591 | 
 592 | # Sync CasperShare
 593 |         
 594 |         echo "Syncing server server3" >> \$LOGS;
 595 |         /usr/bin/rsync -a4hxvz --delete-after --force  --bwlimit=100000 -e "ssh -i /var/root/.ssh/rsync-key" /CasperShare/ root@server3:/CasperShare >> \$LOGS 2>&1
 596 | 
 597 | # Sync Netboot image
 598 | 
 599 |         echo "Syncing netboot image server3" >> \$LOGS;
 600 |         /usr/bin/rsync -a4hxvz --delete-after --force  --bwlimit=100000 -e "ssh -i /var/root/.ssh/rsync-key" /Library/NetBoot/NetBootSP0/ root@server3:/Library/NetBoot/NetBootSP0/ >> \$LOGS 2>&1
 601 | 
 602 | # All done for this server!
 603 |         
 604 |         /bin/rm \$LOCKS ;
 605 |         echo "Sync finished at \`date\`" >> \$LOGS ;
 606 |         exit 0;
 607 |     else
 608 |         sleep 60 ;
 609 |     fi;
 610 |    done;
 611 | fi;
 612 | CASPER-SYNC
 613 | 
 614 | chown root:wheel /usr/local/scripts/casper-sync.sh >> $LOG
 615 | chmod 755 /usr/local/scripts/casper-sync.sh >> $LOG
 616 | ;;
 617 | 
 618 | esac
 619 | 
 620 | kill $cdpid
 621 | 
 622 | # Make sure the five services we need are off
 623 | 
 624 | cdmsg "Mac Server Configuration" "Stopping any Server.app services" "Stage (23/31). Please Wait."
 625 | 	logme "Stopping services before configuration"
 626 | 
 627 | 	serveradmin stop afp | tee -a ${LOG}
 628 | 	serveradmin stop smb | tee -a ${LOG}
 629 | 	serveradmin stop web | tee -a ${LOG}
 630 | 	serveradmin stop nfs | tee -a ${LOG}
 631 | 	serveradmin stop netboot | tee -a ${LOG}
 632 | 	serveradmin stop sharing | tee -a ${LOG}
 633 | 	serveradmin settings info:enableSNMP = no | tee -a ${LOG}
 634 | kill $cdpid
 635 | 
 636 | # Initial Sync of CasperShare
 637 | 
 638 | cdmsg "Mac Server Configuration" "Syncing CasperShare from existing servers" "Stage (24/31). Please Wait. This really will take some time!"
 639 | 
 640 | # Is this the primary server? If so, sync from secondary server
 641 | 
 642 | 	if [ "$computername" == "server1" ]
 643 | 	then
 644 | 		logme "Initial CasperShare sync from server server2"
 645 | 		/usr/bin/rsync -a4hxvz --delete-after --force -e "ssh -i /var/root/.ssh/rsync-key" root@server2:/CasperShare/ /CasperShare >> $LOG
 646 | 	else
 647 | 		logme "Initial CasperShare sync from server server1"
 648 | 		/usr/bin/rsync -a4hxvz --delete-after --force -e "ssh -i /var/root/.ssh/rsync-key" root@server1:/CasperShare/ /CasperShare >> $LOG
 649 | 	fi
 650 | kill $cdpid 
 651 | 
 652 | # Sync Netboot image
 653 | 
 654 | cdmsg "Mac Server Configuration" "Syncing NetBoot .nbi(s) from existing servers" "Stage (25/31). Please Wait. This really will take some time!"
 655 | 
 656 | # Is this the primary server? If so, sync from secondary server
 657 | 
 658 | 	if [ "$computername" == "server1" ]
 659 | 	then
 660 | 		logme "Initial netboot image sync from server server2"
 661 | 		/usr/bin/rsync -a4hxvz --delete-after --force -e "ssh -i /var/root/.ssh/rsync-key" root@server2:/Library/NetBoot/NetBootSP0/ /Library/NetBoot/NetBootSP0/ >> $LOG
 662 | 	else
 663 | 		logme "Initial netboot image sync from server server1"
 664 | 		/usr/bin/rsync -a4hxvz --delete-after --force -e "ssh -i /var/root/.ssh/rsync-key" root@server1:/Library/NetBoot/NetBootSP0/ /Library/NetBoot/NetBootSP0/ >> $LOG
 665 | 	fi
 666 | kill $cdpid
 667 | 
 668 | # Set IP address depending on server computername for Ethernet only
 669 | 
 670 | cdmsg "Mac Server Configuration" "Configuring Network Settings" "Stage (26/31). Please Wait."
 671 | 
 672 | logme "Server computer name set to: $computername"
 673 | 
 674 | 	case $computername in
 675 | 
 676 | 		server1 )
 677 | 		logme "Setting Ethernet IP address to 10.1.2.1"
 678 | 		networksetup -setmanual Ethernet 10.1.2.1 255.255.255.0 10.1.1.1 | tee -a ${LOG}
 679 | 		;;
 680 | 
 681 | 		server2 )
 682 | 		logme "Setting Ethernet IP address to 10.2.2.1"
 683 | 		networksetup -setmanual Ethernet 10.2.2.1 255.255.255.0 10.2.1.1 | tee -a ${LOG}
 684 | 		;;
 685 | 
 686 | 		server3 )
 687 | 		logme "Setting Ethernet IP address to 10.3.2.1"
 688 | 		networksetup -setmanual Ethernet 10.3.2.1 255.255.255.0 10.3.1.1 | tee -a ${LOG}
 689 | 		;;
 690 | 
 691 | 	esac
 692 | 
 693 | # Now set proxy server so rest of system can see out
 694 | 
 695 | 	logme "Setting proxy server information"
 696 | 	networksetup -setwebproxy Ethernet proxy.server port | tee -a ${LOG}
 697 | 	networksetup -setsecurewebproxy Ethernet proxy.server port | tee -a ${LOG}
 698 | 
 699 | # Force DNS and Search Domain server settings
 700 | 
 701 | 	logme "Setting DNS and Search Domain information"
 702 | 	networksetup -setdnsservers Ethernet dns1 dns2 | tee -a ${LOG}
 703 | 	networksetup -setsearchdomains Ethernet domain1 domain2 | tee -a ${LOG}
 704 | 
 705 | # Set proxy server environment variables so JAMF binary can see out
 706 | 
 707 | 	logme "Setting proxy cache settings"
 708 | 	echo "export HTTP_PROXY="proxy.server:port"" >> /etc/profile
 709 | 	echo "export http_proxy="proxy.server:port"" >> /etc/profile
 710 | 	echo "export HTTP_PROXY="proxy.server:port"" >> /etc/bashrc
 711 | 	echo "export http_proxy="proxy.server:port"" >> /etc/bashrc
 712 | kill $cdpid
 713 | 
 714 | # Default AFP share configuration
 715 | cdmsg "Mac Server Configuration" "Configuring Services" "Stage (27/31). Please Wait."
 716 | 
 717 | logme "Configuring AFP service"
 718 | 
 719 | cat << SERVERADMIN_AFP | sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings
 720 | afp:attemptAdminAuth = no
 721 | afp:maxGuests = -1
 722 | afp:afpTCPPort = 548
 723 | afp:clientSleepTime = 24
 724 | afp:replyCacheQuantum = 32
 725 | afp:maxConnections = -1
 726 | afp:sendGreetingOnce = no
 727 | afp:reconnectTTLInMin = 1440
 728 | afp:clientSleepOnOff = yes
 729 | afp:loginGreeting = ""
 730 | afp:errorLogPath = "/Library/Logs/AppleFileService/AppleFileServiceError.log"
 731 | afp:errorLogTime = 14
 732 | afp:activityLogTime = 7
 733 | afp:errorLogSize = 1000
 734 | afp:kerberosPrincipal = "afpserver"
 735 | afp:recon1SrvrKeyTTLHrs = 168
 736 | afp:idleDisconnectOnOff = no
 737 | afp:reconnectFlag = "no_admin_kills"
 738 | afp:activityLog = yes
 739 | afp:reconnectKeyLocation = "/private/etc/AFP.conf"
 740 | afp:loginGreetingTime = 1315436086
 741 | afp:adminGetsSp = yes
 742 | afp:fullServerMode = yes
 743 | afp:idleDisconnectMsg = ""
 744 | afp:updateHomeDirQuota = yes
 745 | afp:activityLogPath = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"
 746 | afp:authenticationMode = "standard_and_kerberos"
 747 | afp:admin31GetsSp = no
 748 | afp:shutdownThreshold = 3
 749 | afp:TCPQuantum = 1048576
 750 | afp:allowSendMessage = yes
 751 | afp:idleDisconnectTime = 10
 752 | afp:loggingAttributes:logOpenFork = yes
 753 | afp:loggingAttributes:logDelete = yes
 754 | afp:loggingAttributes:logCreateDir = yes
 755 | afp:loggingAttributes:logLogin = yes
 756 | afp:loggingAttributes:logLogout = yes
 757 | afp:loggingAttributes:logCreateFile = yes
 758 | afp:tickleTime = 30
 759 | afp:specialAdminPrivs = no
 760 | afp:noNetworkUsers = no
 761 | afp:idleDisconnectFlag:adminUsers = yes
 762 | afp:idleDisconnectFlag:registeredUsers = yes
 763 | afp:idleDisconnectFlag:usersWithOpenFiles = yes
 764 | afp:idleDisconnectFlag:guestUsers = yes
 765 | afp:recon1TokenTTLMins = 10080
 766 | afp:guestAccess = yes
 767 | afp:allowRootLogin = no
 768 | afp:activityLogSize = 1000
 769 | afp:afpServerEncoding = 0
 770 | afp:createHomeDir = yes
 771 | afp:reconnectTTLInMin=120
 772 | SERVERADMIN_AFP
 773 | 
 774 | # Default SMB share configuration
 775 | 
 776 | logme "Configuring SMB service"
 777 | 
 778 | cat << SERVERADMIN_SMB | sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings
 779 | smb:EnabledServices:_array_index:0 = "disk"
 780 | smb:Workgroup = "WORKGROUP"
 781 | smb:AllowGuestAccess = no
 782 | smb:DOSCodePage = "850"
 783 | SERVERADMIN_SMB
 784 | 
 785 | # Default Web configuration for HTTPS distribution
 786 | 
 787 | logme "Configuring HTTP service"
 788 | 
 789 | cat << SERVERADMIN_WEB | sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings
 790 | web:defaultSite:aliases:_array_index:0:matchType = 0
 791 | web:defaultSite:aliases:_array_index:0:fileSystemPath = "/CasperShare"
 792 | web:defaultSite:aliases:_array_index:0:urlPathOrRegularExpression = "/CasperShare"
 793 | SERVERADMIN_WEB
 794 | 
 795 | # Default Sharing configuration
 796 | 
 797 | logme "Configuring Sharing service"
 798 | 
 799 | cat << SERVERADMIN_SHARING | sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings
 800 | sharing:sharePointList:_array_id:/CasperShare:smbName = "CasperShare"
 801 | sharing:sharePointList:_array_id:/CasperShare:afpIsGuestAccessEnabled = no
 802 | sharing:sharePointList:_array_id:/CasperShare:webDAVName = "CasperShare"
 803 | sharing:sharePointList:_array_id:/CasperShare:smbDirectoryMask = "0755"
 804 | sharing:sharePointList:_array_id:/CasperShare:afpName = "CasperShare"
 805 | sharing:sharePointList:_array_id:/CasperShare:smbCreateMask = "0644"
 806 | sharing:sharePointList:_array_id:/CasperShare:nfsExportRecord = _empty_array
 807 | sharing:sharePointList:_array_id:/CasperShare:path = "/CasperShare"
 808 | sharing:sharePointList:_array_id:/CasperShare:smbUseStrictLocking = yes
 809 | sharing:sharePointList:_array_id:/CasperShare:smbIsGuestAccessEnabled = no
 810 | sharing:sharePointList:_array_id:/CasperShare:name = "CasperShare"
 811 | sharing:sharePointList:_array_id:/CasperShare:smbInheritPermissions = yes
 812 | sharing:sharePointList:_array_id:/CasperShare:ftpName = "CasperShare"
 813 | sharing:sharePointList:_array_id:/CasperShare:smbIsShared = yes
 814 | sharing:sharePointList:_array_id:/CasperShare:afpIsShared = yes
 815 | sharing:sharePointList:_array_id:/CasperShare:isTimeMachineBackup = no
 816 | sharing:sharePointList:_array_id:/CasperShare:smbUseOplocks = yes
 817 | sharing:sharePointList:_array_id:/CasperShare:mountedOnPath = "/"
 818 | sharing:sharePointList:_array_id:/CasperShare:isIndexingEnabled = yes
 819 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbName = "NetBootClients0"
 820 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:afpIsGuestAccessEnabled = yes
 821 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbDirectoryMask = "755"
 822 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:ftpIsShared = no
 823 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:afpName = "NetBootClients0"
 824 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbCreateMask = "644"
 825 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:ftpIsGuestAccessEnabled = no
 826 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:nfsExportRecord = _empty_array
 827 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:path = "/Library/NetBoot/NetBootClients0"
 828 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbUseStrictLocking = yes
 829 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbIsGuestAccessEnabled = no
 830 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:name = "NetBootClients0"
 831 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbInheritPermissions = yes
 832 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:ftpName = "NetBootClients0"
 833 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbIsShared = no
 834 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:afpIsShared = yes
 835 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:smbUseOplocks = yes
 836 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:isIndexingEnabled = no
 837 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootClients0:mountedOnPath = "/"
 838 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbName = "NetBootSP0"
 839 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:afpIsGuestAccessEnabled = no
 840 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbDirectoryMask = "755"
 841 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:ftpIsShared = no
 842 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:afpName = "NetBootSP0"
 843 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbCreateMask = "644"
 844 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:ftpIsGuestAccessEnabled = no
 845 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:nfsExportRecord:_array_id:/Library/NetBoot/NetBootSP0:path = "/Library/NetBoot/NetBootSP0"
 846 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:nfsExportRecord:_array_id:/Library/NetBoot/NetBootSP0:mapAllUser = ""
 847 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:nfsExportRecord:_array_id:/Library/NetBoot/NetBootSP0:mapRootUser = "root"
 848 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:nfsExportRecord:_array_id:/Library/NetBoot/NetBootSP0:isReadOnly = yes
 849 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:nfsExportRecord:_array_id:/Library/NetBoot/NetBootSP0:shareAllDirectories = no
 850 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:path = "/Library/NetBoot/NetBootSP0"
 851 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbUseStrictLocking = yes
 852 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbIsGuestAccessEnabled = no
 853 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:name = "NetBootSP0"
 854 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbInheritPermissions = yes
 855 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:ftpName = "NetBootSP0"
 856 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbIsShared = no
 857 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:afpIsShared = no
 858 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:smbUseOplocks = yes
 859 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:isIndexingEnabled = no
 860 | sharing:sharePointList:_array_id:/Library/NetBoot/NetBootSP0:mountedOnPath = "/"
 861 | SERVERADMIN_SHARING
 862 | 
 863 | # Write a snmpd.conf file that will allow monitoring via opsview/cacti
 864 | 
 865 | logme "Configuring SNMP service"
 866 | 
 867 | rm /etc/snmp/snmpd.conf
 868 | touch /etc/snmp/snmpd.conf
 869 | 
 870 | cat > /etc/snmp/snmpd.conf << SNMP_CONF
 871 | 
 872 | ###########################################################################
 873 | #
 874 | # snmpd.conf
 875 | #
 876 | #   - created by the snmpconf configuration program
 877 | #
 878 | ###########################################################################
 879 | # SECTION: Access Control Setup
 880 | #
 881 | #   This section defines who is allowed to talk to your running
 882 | #   snmp agent.
 883 | 
 884 | # rwuser: a SNMPv3 read-write user
 885 | #   arguments:  user [noauth|auth|priv] [restriction_oid]
 886 | 
 887 | rwuser  admin  
 888 | 
 889 | # rocommunity: a SNMPv1/SNMPv2c read-only access community name
 890 | #   arguments:  community [default|hostname|network/bits] [oid]
 891 | 
 892 | rocommunity  snmp_monitor #default .1.3.6.1.2.1.1.4
 893 | 
 894 | ###########################################################################
 895 | # SECTION: Extending the Agent
 896 | #
 897 | #   You can extend the snmp agent to have it return information
 898 | #   that you yourself define.
 899 | 
 900 | # exec: run a simple command using exec()
 901 | #   arguments:  [oid] name /path/to/executable arguments
 902 | 
 903 | exec echotest /bin/echo hello world
 904 | exec web_status /usr/sbin/serveradmin status web
 905 | exec wo_status /usr/sbin/serveradmin status webobjects
 906 | 
 907 | ###########################################################################
 908 | # SECTION: Monitor Various Aspects of the Running Host
 909 | #
 910 | #   The following check up on various aspects of a host.
 911 | 
 912 | # proc: Check for processes that should be running.
 913 | #     proc NAME [MAX=0] [MIN=0]
 914 | #   
 915 | #     NAME:  the name of the process to check for.  It must match
 916 | #            exactly (ie, http will not find httpd processes).
 917 | #     MAX:   the maximum number allowed to be running.  Defaults to 0.
 918 | #     MIN:   the minimum number to be running.  Defaults to 0.
 919 | #   
 920 | #   The results are reported in the prTable section of the UCD-SNMP-MIB tree
 921 | #   Special Case:  When the min and max numbers are both 0, it assumes
 922 | #   you want a max of infinity and a min of 1.
 923 | 
 924 | proc httpd
 925 | 
 926 | # disk: Check for disk space usage of a partition.
 927 | #   The agent can check the amount of available disk space, and make
 928 | #   sure it is above a set limit.  
 929 | #   
 930 | #    disk PATH [MIN=100000]
 931 | #   
 932 | #    PATH:  mount path to the disk in question.
 933 | #    MIN:   Disks with space below this value will have the Mib's errorFlag set.
 934 | #           Can be a raw integer value (units of kB) or a percentage followed by the %
 935 | #           symbol.  Default value = 100000.
 936 | #   
 937 | #   The results are reported in the dskTable section of the UCD-SNMP-MIB tree
 938 | 
 939 | disk / 10000
 940 | 
 941 | # load: Check for unreasonable load average values.
 942 | #   Watch the load average levels on the machine.
 943 | #   
 944 | #    load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
 945 | #   
 946 | #    1MAX:   If the 1 minute load average is above this limit at query
 947 | #            time, the errorFlag will be set.
 948 | #    5MAX:   Similar, but for 5 min average.
 949 | #    15MAX:  Similar, but for 15 min average.
 950 | #   
 951 | #   The results are reported in the laTable section of the UCD-SNMP-MIB tree
 952 | 
 953 | load 12 14 14
 954 | 
 955 | ###########################################################################
 956 | # SECTION: System Information Setup
 957 | #
 958 | #   This section defines some of the information reported in
 959 | #   the "system" mib group in the mibII tree.
 960 | 
 961 | # syslocation: The [typically physical] location of the system.
 962 | #   Note that setting this value here means that when trying to
 963 | #   perform an snmp SET operation to the sysLocation.0 variable will make
 964 | #   the agent return the "notWritable" error code.  IE, including
 965 | #   this token in the snmpd.conf file will disable write access to
 966 | #   the variable.
 967 | #   arguments:  location_string
 968 | 
 969 | syslocation Organisation name here.
 970 | 
 971 | # syscontact: The contact information for the administrator
 972 | #   Note that setting this value here means that when trying to
 973 | #   perform an snmp SET operation to the sysContact.0 variable will make
 974 | #   the agent return the "notWritable" error code.  IE, including
 975 | #   this token in the snmpd.conf file will disable write access to
 976 | #   the variable.
 977 | #   arguments:  contact_string
 978 | 
 979 | syscontact Administrator <admin@email.com>
 980 | 
 981 | # sysservices: The proper value for the sysServices object.
 982 | #   arguments:  sysservices_number
 983 | 
 984 | sysservices 76
 985 | 
 986 | #
 987 | # Unknown directives read in from other files by snmpconf
 988 | #
 989 | com2sec local     localhost       public
 990 | com2sec mynetwork NETWORK/24      public
 991 | group MyRWGroup	v1         local
 992 | group MyRWGroup	v2c        local
 993 | group MyRWGroup	usm        local
 994 | group MyROGroup v1         mynetwork
 995 | group MyROGroup v2c        mynetwork
 996 | group MyROGroup usm        mynetwork
 997 | view all    included  .1.3.6.1.2.1.25.1.1                               80
 998 | access MyROGroup ""      any       noauth    exact  all    none   none
 999 | access MyRWGroup ""      any       noauth    exact  all    all    none
1000 | 
1001 | SNMP_CONF
1002 | 
1003 | kill $cdpid
1004 | 
1005 | # Make sure the services we need are re-enabled
1006 | 
1007 | cdmsg "Mac Server Configuration" "Restarting Services" "Stage (28/31). Please Wait."
1008 | 
1009 | 	logme "Restarting Services"
1010 | 
1011 | 	serveradmin start netboot | tee -a ${LOG}
1012 | 	serveradmin settings info:enableRemoteAdministration = yes | tee -a ${LOG}
1013 | 	serveradmin settings info:enableSNMP = yes | tee -a ${LOG}
1014 | 	serveradmin start afp | tee -a ${LOG}
1015 | 	serveradmin start smb | tee -a ${LOG}
1016 | 	serveradmin start sharing | tee -a ${LOG}
1017 | 	serveradmin start web | tee -a ${LOG}
1018 | 	serveradmin start nfs | tee -a ${LOG}
1019 | kill $cdpid
1020 | 
1021 | # Finally set up the admin user dock the way we like it
1022 | 
1023 | cdmsg "Mac Server Configuration" "Setting up Dock" "Stage (29/31). Please Wait."
1024 | 	logme "Setting up the dock"
1025 | 
1026 | # Clear the dock!
1027 | 
1028 | 	$DU --remove all --allhomes | tee -a ${LOG}
1029 | 
1030 | # Now put the right stuff in place!
1031 | 
1032 | 	$DU --add /Applications/Launchpad.app --allhomes | tee -a ${LOG}
1033 | 	$DU --add /Applications/App\ Store.app --allhomes | tee -a ${LOG}
1034 | 	$DU --add /Applications/Safari.app --allhomes | tee -a ${LOG}
1035 | 	$DU --add /Applications/System\ Preferences.app --allhomes | tee -a ${LOG}
1036 | 	$DU --add /Applications/Server.app --allhomes | tee -a ${LOG}
1037 | 
1038 | 	$DU --add /Applications/Utilities/Activity\ Monitor.app --allhomes | tee -a ${LOG}
1039 | 	$DU --add /Applications/Utilities/Console.app --allhomes | tee -a ${LOG}
1040 | 	$DU --add /Applications/Utilities/Disk\ Utility.app --allhomes | tee -a ${LOG}
1041 | 	$DU --add /Applications/Utilities/Terminal.app --allhomes | tee -a ${LOG}
1042 | kill $cdpid
1043 | 
1044 | # Last of all, configure the desktop background!
1045 | 
1046 | cdmsg "Mac Server Configuration" "Setting up Desktop Background" "Stage (30/31). Please Wait."
1047 | 
1048 | logme "Setting up the desktop background"
1049 | 
1050 | sqlite3 /Users/$SERVERADMIN/Library/Application\ Support/Dock/desktoppicture.db << EOF
1051 | UPDATE data SET value = "/Library/Desktop Pictures/default_black2560x1600.jpg";
1052 | .quit
1053 | EOF
1054 | 
1055 | killall Dock
1056 | 
1057 | kill $cdpid
1058 | 
1059 | # All done!
1060 | 
1061 | cdmsg "Mac Server Configuration" "Server Build Completed!" "Stage (31/31). Pending Reboot."
1062 | 
1063 | logme "Completed server build"
1064 | 
1065 | # Making sure the JAMF firstrun folder is empty as this occasionally doesn't clear itself up.
1066 | rm -rf /Library/Application\ Support/JAMF/FirstRun/*
1067 | 
1068 | kill $cdpid
1069 | 
1070 | exit 0
1071 | 


--------------------------------------------------------------------------------