#!/usr/bin/bash
#
# ng-server config post-install script
# !IMPORTANT! this script *MUST* be idempotent
#

#########################################
# Audit rules installation
#########################################
# Load the compiled audit ruleset.  Its exit status is deliberately discarded
# (there is no "set -e" in this script, so this only affects $?).
augenrules --load || true

# passwd/group backup file permissions for CIS benchmark
# (-f: stay quiet when a backup file does not exist yet)
chmod -f 0600 /etc/passwd- /etc/group-


#########################################
# Authseed Generation
#########################################
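# SSH key generation will run during the kickstart package installation (%packages)
# However, this happens BEFORE the authseed has been generated in the kickstart %post
# Therefore we will either retrieve or create an authseed here

AUTHSEEDFILE=/etc/sysconfig/authseed
if [ ! -s "$AUTHSEEDFILE" ]; then
	# If the authseed is empty (doesn't exist), attempt to pull the authseed from the cmdline arguments.
	# Accepted forms: "authseed=", "--authseed=" and "noggin?authseed=" (the '.' in the
	# pattern is any single character, presumably meant as a literal dot); the value
	# runs up to the next space.
	AUTHSEED=$(sed -nre 's/^.* (--)?(noggin.)?authseed=([^ ]+).*$/\3/ p' < /proc/cmdline)
	if [ -z "$AUTHSEED" ]; then
		# Nothing on the cmdline, but we really really need one, so we generate the authseed here
		AUTHSEED=$(dd if=/dev/urandom bs=1 count=24 2>/dev/null | base64)
	fi
	# We have the authseed now.  Write it under umask 077 so the file is created
	# 0600 instead of briefly existing with the default umask, and pass the seed
	# to printf as an argument rather than as the format string (a cmdline-supplied
	# seed containing '%' or '\' would otherwise be mangled).  No trailing newline,
	# as before.
	(umask 077; printf '%s' "$AUTHSEED" >"$AUTHSEEDFILE")
	# Its a key file, set those permissions! (also covers a pre-existing empty file)
	chmod 0600 "$AUTHSEEDFILE"
fi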

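# Install custom config overrides from %{_sysconfdir}/%{name}/overrides
SRCDIR=/etc/ng-server-config/overrides
# find output is NUL-delimited and read in the current shell (process
# substitution, not a pipe) so relative paths containing whitespace are handled
# intact; the previous backtick'd find word-split them.  %P is the path relative
# to $SRCDIR, which is mirrored onto / below.
while IFS= read -r -d '' i; do
  SRC="$SRCDIR/$i"
  DST="/$i"

  # Make a backup of the existing file if we haven't already
  [ -e "$DST" ] && [ ! -e "$DST.ngbak" ] && cp "$DST" "$DST.ngbak"

  # Replace the contents of the existing file with the contents of
  # the override file, this should ensure that security contexts etc
  # of the original target file are maintained (the target's parent
  # directory must already exist; nothing is created here)
  cat "$SRC" >"$DST"
done < <(find "$SRCDIR" -type f -printf '%P\0')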


#########################################
# RPM Config
#########################################
# import our trusted keys (NB: Some files might be missing on RHEL)
# find's stderr is dropped so absent key files don't spam the install log;
# rpmkeys runs once per key (-L 1) and not at all when nothing matched (-r).
find /etc/pki/rpm-gpg/RPM-GPG-KEY-{CentOS-7,EPEL-7,mysql,noggin} -print0 2>/dev/null \
  | xargs -0 -L 1 -r rpmkeys --import

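# Accumulate everything for augeas into a single file for performance reasons
AUGSCRIPT=$(mktemp)
# Remove the temp script on every exit path; the explicit rm after the augtool
# run only covers the normal path and would leak the file if the script died early.
trap 'rm -f -- "$AUGSCRIPT"' EXIT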

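# (re)configure atd to be safer (90% load max, 1 job per second spawn max)
if [ -f /etc/sysconfig/atd ]; then
	# Load limit is (online CPUs + 1) * 0.9.  The '"..."' quoting makes augeas
	# write OPTS="-l N -b 1" with the double quotes kept in the file.
	echo set /files/etc/sysconfig/atd/OPTS "'\"-l $(getconf _NPROCESSORS_ONLN | awk '{print ($1+1)*0.9}') -b 1\"'" >>"$AUGSCRIPT"
fi

# enable automated freshclam updates for clamav (random offset per hostid)
if [ -f /etc/sysconfig/freshclam ]; then
	echo set /files/etc/sysconfig/freshclam/FRESHCLAM_DELAY random >>"$AUGSCRIPT"
fi

# Configure named to be IPv4 only
# NOTE(review): unlike atd/freshclam above this is not guarded by a file test,
# so it relies on augeas creating /etc/sysconfig/named when absent — confirm.
echo "set /files/etc/sysconfig/named/OPTIONS -4" >>"$AUGSCRIPT"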

# SSHD Configuration
# Check for ng keygen script and (re)generate keys if needed
if test -f /usr/libexec/ng-server-config/sshd-keygen; then
	/usr/libexec/ng-server-config/sshd-keygen
fi

# If sshd_config is marked as immutable, it's almost certainly because we used to
# use the immutable flag to block autoconfig modifications, so convert it to the
# new embedded comment approach.  The 'i' flag is the fifth character of the
# lsattr attribute string; a failed lsattr yields an empty string and no match.
if [[ "$(lsattr /etc/ssh/sshd_config)" == ????i* ]]; then
	chattr -i /etc/ssh/sshd_config
	# Only stamp the opt-out marker when it is not present yet; it is spliced in
	# ahead of line 2 so the file's first line is left untouched.
	if ! grep -qiP '^#\s*@Noggin-AutoConfig:\s*No\s*$' /etc/ssh/sshd_config; then
		sed -i -re '2 s/^.*$/\n# Disable Auto Configuration by ng-server-config\n# @Noggin-AutoConfig: No\n\0/' \
		    /etc/ssh/sshd_config
	fi
fi

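# Update sshd_config unless it's been flagged as Noggin-AutoConfig: No
# TODO: perform post verification of new config using "sshd -T"
if ! grep -qiP '^#\s*@Noggin-AutoConfig:\s*No\s*$' /etc/ssh/sshd_config; then

	# We also don't mess with pam unless we're managing sshd_config....
	# but if we are then require @wheel for su.  Any run of blanks/tabs is
	# accepted between "pam_wheel.so" and "use_uid" (the previous single
	# character class only matched exactly one).
	sed -i -re 's/^#(auth[ \t]+required[ \t]+pam_wheel.so[ \t]+use_uid[ \t]*)$/\1/g' /etc/pam.d/su

	# We need to delete / re-add global items because we have Matches
	# and need to ensure the globals come before the matches.
	#
	# Every Match block is located by the exact value of its Condition/Group, so
	# the "rm" predicate and the value "defnode" writes must agree, otherwise the
	# rm never matches and a duplicate block is appended on every run.  A rm on
	# Condition/Group alone also matches the root-specific block that carries the
	# same Group, so the group-only blocks are handled first and the root block
	# is (re)created last.

	cat <<-EOD >>"$AUGSCRIPT"

		rm /files/etc/ssh/sshd_config/Match[Condition/Group = "!auth-by-key,auth-by-pw"]
		defnode cond /files/etc/ssh/sshd_config/Match[Condition/Group = "!auth-by-key,auth-by-pw"]/Condition/Group "!auth-by-key,auth-by-pw"
		set \$cond/../../Settings/AuthenticationMethods password

		rm /files/etc/ssh/sshd_config/Match[Condition/Group = "!auth-by-pw,auth-by-key"]
		defnode cond /files/etc/ssh/sshd_config/Match[Condition/Group = "!auth-by-pw,auth-by-key"]/Condition/Group "!auth-by-pw,auth-by-key"
		set \$cond/../../Settings/AuthenticationMethods publickey

		# Earlier releases wrote this block's value as "auth-by-key,auth-by-pw",
		# which the rm never matched; drop that spelling too so hosts converge.
		rm /files/etc/ssh/sshd_config/Match[Condition/Group = "auth-by-pw,auth-by-key"]
		rm /files/etc/ssh/sshd_config/Match[Condition/Group = "auth-by-key,auth-by-pw"]
		defnode cond /files/etc/ssh/sshd_config/Match[Condition/Group = "auth-by-pw,auth-by-key"]/Condition/Group "auth-by-pw,auth-by-key"
		set \$cond/../../Settings/AuthenticationMethods 'password publickey'

		# root-specific block; created after the group-only rms above so they
		# cannot discard it.
		rm /files/etc/ssh/sshd_config/Match[Condition/User = "root"][Condition/Group = "!auth-by-key,auth-by-pw"]
		defnode cond /files/etc/ssh/sshd_config/Match[Condition/User = "root"][Condition/Group = "!auth-by-key,auth-by-pw"]/Condition/User "root"
		set \$cond/../../Condition/Group "!auth-by-key,auth-by-pw"
		set \$cond/../../Settings/PermitRootLogin yes

		rm /files/etc/ssh/sshd_config/Banner
		rm /files/etc/ssh/sshd_config/ChallengeResponseAuthentication
		rm /files/etc/ssh/sshd_config/PermitRootLogin
		rm /files/etc/ssh/sshd_config/AuthenticationMethods

		ins Banner                          before /files/etc/ssh/sshd_config/Match[1]
		ins ChallengeResponseAuthentication before /files/etc/ssh/sshd_config/Match[1]
		ins PermitRootLogin                 before /files/etc/ssh/sshd_config/Match[1]
		ins AuthenticationMethods           before /files/etc/ssh/sshd_config/Match[1]

		set /files/etc/ssh/sshd_config/Banner /etc/issue.net
		set /files/etc/ssh/sshd_config/ChallengeResponseAuthentication no
		set /files/etc/ssh/sshd_config/PermitRootLogin forced-commands-only
		set /files/etc/ssh/sshd_config/AuthenticationMethods publickey,password


		rm  /files/etc/ssh/sshd_config/PasswordAuthentication
		rm  /files/etc/ssh/sshd_config/KexAlgorithms
		rm  /files/etc/ssh/sshd_config/Ciphers
		rm  /files/etc/ssh/sshd_config/MACs
		rm  /files/etc/ssh/sshd_config/PubkeyAcceptedKeyTypes

		ins PasswordAuthentication before /files/etc/ssh/sshd_config/Match[1]
		ins KexAlgorithms          before /files/etc/ssh/sshd_config/Match[1]
		ins Ciphers                before /files/etc/ssh/sshd_config/Match[1]
		ins MACs                   before /files/etc/ssh/sshd_config/Match[1]
		ins PubkeyAcceptedKeyTypes before /files/etc/ssh/sshd_config/Match[1]

		set /files/etc/ssh/sshd_config/PasswordAuthentication yes

		# dh-group14-sha1 is included for backwards compatibility with centos 5 (strongest supported kex)
		set /files/etc/ssh/sshd_config/KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
		set /files/etc/ssh/sshd_config/Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
		set /files/etc/ssh/sshd_config/MACs/1 hmac-sha2-512-etm@openssh.com
		set /files/etc/ssh/sshd_config/MACs/2 hmac-sha2-256-etm@openssh.com
		set /files/etc/ssh/sshd_config/MACs/3 umac-128-etm@openssh.com
		set /files/etc/ssh/sshd_config/MACs/4 hmac-sha2-512
		set /files/etc/ssh/sshd_config/MACs/5 hmac-sha2-256
		set /files/etc/ssh/sshd_config/MACs/6 umac-128@openssh.com
		# ripemd160 is included for backwards compatibility with centos 5 (strongest supported mac)
		set /files/etc/ssh/sshd_config/MACs/7 hmac-ripemd160
		set /files/etc/ssh/sshd_config/MACs/8 hmac-ripemd160@openssh.com

		set /files/etc/ssh/sshd_config/PubkeyAcceptedKeyTypes -ssh-dss,-ssh-dss-cert-v01@openssh.com

		rm  /files/etc/ssh/sshd_config/MaxAuthTries
		rm  /files/etc/ssh/sshd_config/IgnoreRhosts
		rm  /files/etc/ssh/sshd_config/PermitUserEnvironment
		rm  /files/etc/ssh/sshd_config/LoginGraceTime
		rm  /files/etc/ssh/sshd_config/ClientAliveInterval
		rm  /files/etc/ssh/sshd_config/ClientAliveCountMax
		rm  /files/etc/ssh/sshd_config/HostbasedAuthentication
		rm  /files/etc/ssh/sshd_config/LogLevel
		rm  /files/etc/ssh/sshd_config/PermitEmptyPasswords
		rm  /files/etc/ssh/sshd_config/X11Forwarding
		rm  /files/etc/ssh/sshd_config/Protocol
		rm  /files/etc/ssh/sshd_config/DenyUsers

		ins MaxAuthTries            before /files/etc/ssh/sshd_config/Match[1]
		ins IgnoreRhosts            before /files/etc/ssh/sshd_config/Match[1]
		ins PermitUserEnvironment   before /files/etc/ssh/sshd_config/Match[1]
		ins LoginGraceTime          before /files/etc/ssh/sshd_config/Match[1]
		ins ClientAliveInterval     before /files/etc/ssh/sshd_config/Match[1]
		ins ClientAliveCountMax     before /files/etc/ssh/sshd_config/Match[1]
		ins HostbasedAuthentication before /files/etc/ssh/sshd_config/Match[1]
		ins LogLevel                before /files/etc/ssh/sshd_config/Match[1]
		ins PermitEmptyPasswords    before /files/etc/ssh/sshd_config/Match[1]
		ins X11Forwarding           before /files/etc/ssh/sshd_config/Match[1]
		ins Protocol                before /files/etc/ssh/sshd_config/Match[1]
		ins DenyUsers               before /files/etc/ssh/sshd_config/Match[1]

		set /files/etc/ssh/sshd_config/MaxAuthTries            4
		set /files/etc/ssh/sshd_config/IgnoreRhosts            yes
		set /files/etc/ssh/sshd_config/PermitUserEnvironment   no
		set /files/etc/ssh/sshd_config/LoginGraceTime          60
		set /files/etc/ssh/sshd_config/ClientAliveInterval     900
		set /files/etc/ssh/sshd_config/ClientAliveCountMax     3
		set /files/etc/ssh/sshd_config/HostbasedAuthentication no
		set /files/etc/ssh/sshd_config/LogLevel                INFO
		set /files/etc/ssh/sshd_config/PermitEmptyPasswords    no
		set /files/etc/ssh/sshd_config/X11Forwarding           no
		set /files/etc/ssh/sshd_config/Protocol                2
		set /files/etc/ssh/sshd_config/DenyUsers/1             bin
		set /files/etc/ssh/sshd_config/DenyUsers/2             daemon
		set /files/etc/ssh/sshd_config/DenyUsers/3             lp
		set /files/etc/ssh/sshd_config/DenyUsers/4             sync
		set /files/etc/ssh/sshd_config/DenyUsers/5             shutdown
		set /files/etc/ssh/sshd_config/DenyUsers/6             halt
		set /files/etc/ssh/sshd_config/DenyUsers/7             mail
		set /files/etc/ssh/sshd_config/DenyUsers/8             games
		set /files/etc/ssh/sshd_config/DenyUsers/9             nobody
		set /files/etc/ssh/sshd_config/DenyUsers/10            nfsnobody
		set /files/etc/ssh/sshd_config/DenyUsers/11            named

		# CIS Password history controls
		set /files/etc/pam.d/system-auth/*[type="password"][control="sufficient"][module="pam_unix.so"]/argument[last()+1] 'remember=5'
		set /files/etc/pam.d/password-auth/*[type="password"][control="sufficient"][module="pam_unix.so"]/argument[last()+1] 'remember=5'


	EOD

	# INFRA-768: Modify pwquality.conf for better CIS benchmark compliance
	# We can't do this in the main AUGSCRIPT because we need a custom lens mapping.
	# augeas regexp() has to match the whole value (the '.*audit=.*' pattern used
	# for grub further down assumes the same), so the stale-comment cleanup is
	# anchored with .* on both sides; an unanchored 'minlen=14' never matched and
	# a fresh copy of the comment was inserted before minlen on every run.
	augtool --autosave --backup --noautoload >/dev/null <<-'EOD'
		set /augeas/load/Simplevars/lens "Simplevars.lns"
		set /augeas/load/Simplevars/incl "/etc/security/pwquality.conf"
		load

		set /files/etc/security/pwquality.conf/minlen 9
		set /files/etc/security/pwquality.conf/ucredit -1
		set /files/etc/security/pwquality.conf/lcredit -1
		set /files/etc/security/pwquality.conf/dcredit -1
		set /files/etc/security/pwquality.conf/ocredit -1

		rm /files/etc/security/pwquality.conf/#comment[.=~regexp('.*minlen=14.*')]
		ins #comment before /files/etc/security/pwquality.conf/minlen
		set /files/etc/security/pwquality.conf/#comment[following-sibling::minlen][last()] 'Set this to minlen=14 for CIS benchmark compliance'
	EOD


	# el7 sshd doesn't accept -keytype, so do that ourselves
	SSH_PUB_KEYTYPES=$(ssh -Q key | grep -v 'ssh-dss' | tr '\n' ',' | sed -re 's/,$//g')

	# Sanity threshold: only apply the list when ssh -Q reported at least six
	# key types (more than four separators)
	if [ -n "${SSH_PUB_KEYTYPES}" ] && [ "$(tr -dc ',' <<<"$SSH_PUB_KEYTYPES" | wc -c)" -gt 4 ]; then
		cat <<-EOD >>"$AUGSCRIPT"
			rm  /files/etc/ssh/sshd_config/PubkeyAcceptedKeyTypes
			ins PubkeyAcceptedKeyTypes before /files/etc/ssh/sshd_config/Match[1]
			set /files/etc/ssh/sshd_config/PubkeyAcceptedKeyTypes ${SSH_PUB_KEYTYPES}
		EOD
	fi
fi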

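# Disable (client) ssh roaming (CVE-2016-0777, CVE-2016-0778)
# NOTE(review): the first "set" addresses every Host node; augtool's set fails
# when a path matches more than one node, so this assumes at most one Host
# stanza exists in /etc/ssh/ssh_config — confirm on hosts with several.
cat <<-EOD >>"$AUGSCRIPT"
	set /files/etc/ssh/ssh_config/Host *
	set "/files/etc/ssh/ssh_config/Host[.='*']/UseRoaming" no
EOD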


#########################################
# Setup named?
#########################################
# NOTE: This will fail in kickstart
# Runs only when the cluster zones file is absent AND the kickstart config
# carries a clustersoa= line; the three tests are folded into one condition.
if [ ! -f /etc/named/cluster-zones.conf ] \
	&& [ -f /etc/sysconfig/ng-kickstart ] \
	&& grep -Pq '^clustersoa=' /etc/sysconfig/ng-kickstart; then
	/usr/libexec/ng-server-config/init-named-soa --from-ksconfig
fi

#########################################
# Apache config
#########################################

# Apache needs access to homedirs: set the boolean persistently (-P) unless
# getsebool already reports it as "on"
getsebool httpd_enable_homedirs | grep -Pq ' on$' || setsebool -P httpd_enable_homedirs 1

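# Disable welcome.conf: comment every line and stamp a header.  The guard
# (any line not already starting with '#') keeps this from running twice.
if grep -Pq '^[^#]' /etc/httpd/conf.d/welcome.conf; then
	sed -i -r \
	    -e 's/^/#/g' \
	    -e '1 s/^/##\n## This file disabled by ng-server-config\n##\n/g' \
	    /etc/httpd/conf.d/welcome.conf
fi

# Disable /icons/ alias
if grep -Pqi '^[ \t]*Alias[ \t]+/icons/[ \t]+' /etc/httpd/conf.d/autoindex.conf; then
	sed -i -r \
	    -e 's|^[ \t]*Alias[ \t]+/icons/[ \t]+|#\0|ig' \
	    /etc/httpd/conf.d/autoindex.conf
fi

# Disable ssl.conf's default VirtualHost (its Listen line is left in place).
# The guard tests the very thing the sed comments out: guarding on an
# uncommented "Listen" stayed true after the first run because Listen is never
# touched, so the "disabled by" header was prepended again on every run.
if grep -Pq '^[ \t]*<VirtualHost' /etc/httpd/conf.d/ssl.conf; then
	sed -i -r \
	    -e '/^[ \t]*<VirtualHost/,/^[ \t]*<\/VirtualHost/ s/^/#/g' \
	    -e '1 s/^/##\n## This file disabled by ng-server-config\n##\n/g' \
	    /etc/httpd/conf.d/ssl.conf
fi

# Make php.conf conditional on mod_php5.c (wrap the whole file in IfModule)
if ! grep -Pq 'IfModule' /etc/httpd/conf.d/php.conf; then
	sed  -i -r \
	     -e '1 s/^/<IfModule mod_php5.c>\n/g' \
	     -e '$ s/^.*$/\0\n<\/IfModule>/g' \
	    /etc/httpd/conf.d/php.conf
fi

# Disable the built-in mod_proxy, we're using our own build with unix socket support
if grep -Pq '^[^#]' /etc/httpd/conf.modules.d/00-proxy.conf; then
	sed -i -r \
	    -e 's/^/#/g' \
	    -e '1 s/^/##\n## This file disabled by ng-server-config\n##\n/g' \
	    /etc/httpd/conf.modules.d/00-proxy.conf
fi

# Disable extraneous modules we don't need (ignore any symlinked config though!)
# Include subdirectories (eg alternative mod_proxy), but exclude the mod_ocaproxy config.
# find hands the matching files straight to sed: no word-splitting of a
# "$(find ...)" expansion, and sed is not invoked at all when nothing matches
# (it used to be run with no file arguments in that case).
find /etc/httpd/conf.modules.d/ -type f -iname '*.conf' -not -iname '*-ocaproxy.conf' \
	-exec sed -i -r \
		-e 's/^[ \t]*LoadModule[ \t]+(dav(_.*?)?|lua|auth[nz]_(anon|dbd|dbm|socache|owner)|cache(_.*?)?)_module[ \t]/#\0/ig' \
		-e 's/^[ \t]*LoadModule[ \t]+(data|dbd|dumpio|echo|ext_filter|include|socache_(dbm|memcache)|substitute)_module[ \t]/#\0/ig' \
		-e 's/^[ \t]*LoadModule[ \t]+(suexec|userdir|apreq2?)_module[ \t]/#\0/ig' \
		-e 's/^[ \t]*LoadModule[ \t]+(lbmethod_.*?|proxy_(ajp|balancer|connect|express|fdpass|ftp|scgi))_module[ \t]/#\0/ig' \
		'{}' +

# Switch from prefork to event: comment the prefork LoadModule, uncomment the event one
if grep -Pq '^\s*LoadModule\s+mpm_prefork' /etc/httpd/conf.modules.d/00-mpm.conf; then
	sed -i -r \
		-e 's/^[ \t]*LoadModule[ \t]+mpm_prefork/#\0/' \
		-e 's/^[ \t]*#+[ \t]*(LoadModule[ \t]+mpm_event)/\1/' \
		/etc/httpd/conf.modules.d/00-mpm.conf
fi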


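# Create a self-signed last-resort fallback SSL certificate for the system default vhost
if [ ! -f /etc/pki/tls/certs/ng-fallback.crt ]; then
	# Find unique id for this host: DMI product UUID, then hostid(1), then a fixed marker
	HOSTID=
	[[ -z "$HOSTID" && -f /sys/class/dmi/id/product_uuid ]] && HOSTID=$(</sys/class/dmi/id/product_uuid)
	[[ -z "$HOSTID" ]] && command -v hostid >/dev/null      && HOSTID=$(hostid)
	[[ -z "$HOSTID"                                      ]] && HOSTID="unknown-host-id"

	# Cryptographically mask it
	HOSTUNIQ=$(/usr/libexec/ng-server-config/mk-auth-token "X509::HTTPS/machineid/${HOSTID}@self-signed" 16)

	# Now generate the private key.  The subshell umask makes the key file
	# 0600 from creation, so there is no window in which the default umask
	# leaves it world-readable before the chmod below.
	(umask 077; /usr/libexec/ng-server-config/mk-rsa-key "httpd::ng-fallback@${HOSTNAME}" 2048 >/etc/pki/tls/private/ng-fallback.key)
	chmod 0600 /etc/pki/tls/private/ng-fallback.key

	# And the TLS certificate: faketime pins its start date to the first of the
	# current month, validity is three years.  The serial is the first 64 bits
	# of SHA-512 over a host/vhost-specific string.
	BASEDATE=$(date '+%Y-%m-01 00:00:00')
	SERIAL=$(printf '%s' "httpd::ng-fallback@${HOSTNAME}/machine/${HOSTUNIQ}" | sha512sum | cut -c 1-16)
	env TZ=UTC faketime -f "${BASEDATE}" openssl req -new -x509 -utf8 -batch \
		-key /etc/pki/tls/private/ng-fallback.key \
		-subj "/C=AU/ST=New South Wales/O=Noggin Pty Ltd/OU=Noggin Server Autoconfig (${HOSTUNIQ})/CN=${HOSTNAME}" \
		-days $((3 * 365)) \
		-set_serial "0x${SERIAL}" \
		-outform PEM -out /etc/pki/tls/certs/ng-fallback.crt

	# Make sure we trust ourself.... (skipped when the hash could not be read,
	# which previously produced a dangling "/etc/pki/tls/certs/.0" link)
	SUBJHASH=$(openssl x509 -in /etc/pki/tls/certs/ng-fallback.crt -noout -subject_hash)
	if [ -n "$SUBJHASH" ] && [ ! -e "/etc/pki/tls/certs/$SUBJHASH.0" ]; then
		ln -s ng-fallback.crt "/etc/pki/tls/certs/$SUBJHASH.0"
	fi
fi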


#########################################
# PHP config
#########################################

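# Copy the system TZ to PHP
# Prefer the /etc/localtime symlink target (everything after the last
# zoneinfo[/posix]/ component); otherwise fall back to ZONE= from
# /etc/sysconfig/clock, which is sourced as shell and so must stay a plain
# KEY=VALUE file.  ZONE is not cleared first, so a value inherited from the
# environment is used as well.
if [ -L /etc/localtime ]; then
	ZONE=$(readlink /etc/localtime | sed -re 's|^.*/zoneinfo(/posix)?/(.*)$|\2|g')
elif [ -f /etc/sysconfig/clock ]; then
	source /etc/sysconfig/clock
fi
if [ -n "$ZONE" ]; then
	cat <<-EOD >>"$AUGSCRIPT"
		set /files/etc/php.d/zz-15-timezone.ini/.anon/date.timezone $ZONE
	EOD
fi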


# Disable the default php-fpm pool: prefix every line with ';' and stamp a
# header.  The grep guard (any line not already starting with ';') stops the
# sed from running twice; the -e order matters (prefix first, header second).
grep -Pq '^[^;]' /etc/php-fpm.d/www.conf \
	&& sed -i -r -e 's/^/;/g' -e '1 s/^/;;\n;; This file disabled by ng-server-config\n;;\n/g' /etc/php-fpm.d/www.conf

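############################################
# Postfix
############################################
cat <<-EOD >>"$AUGSCRIPT"
	set /files/etc/postfix/main.cf/inet_protocols ipv4
	set /files/etc/postfix/main.cf/mynetworks_style host
	set /files/etc/postfix/main.cf/smtpd_helo_restrictions 'permit_mynetworks, reject_invalid_helo_hostname'
	set /files/etc/postfix/main.cf/smtpd_sender_restrictions reject_unknown_sender_domain
	set /files/etc/postfix/main.cf/smtpd_data_restrictions 'reject_unauth_pipelining, permit'
	set /files/etc/postfix/main.cf/disable_vrfy_command yes
EOD

# Apply everything queued above in a single augtool run.  A non-zero exit is
# reported on stderr instead of being dropped silently; the queued script is
# removed either way so no stale temp file is left behind.
if ! augtool --autosave <"$AUGSCRIPT"; then
	printf 'ng-server-config: augtool reported errors while applying %s\n' "$AUGSCRIPT" >&2
fi

rm -f -- "$AUGSCRIPT"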

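# Configure the audit subsystem and auditd.
# --noautoload: only the three files mapped by the transform lines are parsed.
augtool --autosave --backup --noautoload >/dev/null <<'EOD'
	transform simplevars.lns incl /etc/audit/auditd.conf
	transform simplevars.lns incl /etc/audisp/plugins.d/syslog.conf
	transform shellvars_list.lns incl /etc/default/grub
	load

	# Configure auditd native log preservation
	set /files/etc/audit/auditd.conf/max_log_file 10
	set /files/etc/audit/auditd.conf/num_logs 25

	# Enable the auditd syslog plugin.  The path must match the transform above
	# (/etc/audisp/...); the earlier "audisd" spelling pointed at no loaded file,
	# so these two settings were never written out.
	set /files/etc/audisp/plugins.d/syslog.conf/active yes
	set /files/etc/audisp/plugins.d/syslog.conf/args   LOG_AUTHPRIV

	# Enable early boot audit (before auditd starts)
	set /files/etc/default/grub/GRUB_CMDLINE_LINUX/value[. =~ regexp('.*audit=.*','i')] 'audit=1'

	# Disable Transparent Hugepages, this is known to cause XFS corruption and system crashes on some AWS instance types
	set /files/etc/default/grub/GRUB_CMDLINE_LINUX/value[. =~ regexp('.*transparent_hugepage=.*','i')] 'transparent_hugepage=never'

EOD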

# Do we need to regenerate grub.cfg? Only when /etc/default/grub is newer
# than the generated file (the augtool run above may have just rewritten it).
if [ /etc/default/grub -nt /boot/grub2/grub.cfg ]; then
	grub2-mkconfig -o /boot/grub2/grub.cfg
fi



# INFRA-276: Modify the crond PAM stack to read environment variables (PATH) from our environment file
# What is augtool doing?:
# - Map only /etc/pam.d/crond with the pam lens (--noautoload) and load it
# - Remove our configuration (line) if it already exists, so re-runs don't duplicate it
# - AFTER the last entry in the file which has a type of "session",
#   insert a new node labelled 999 (the label doesn't actually affect ordering in the file)
# - Fill in type/control/module/argument on that node via the $entry variable
augtool --autosave --backup --noautoload >/dev/null <<'EOD'
        set /augeas/load/pam/lens "pam.lns"
        set /augeas/load/pam/incl "/etc/pam.d/crond"
        load
        rm /files/etc/pam.d/crond/*[type = 'session'][control='optional'][module='pam_env.so']

        ins 999 after /files/etc/pam.d/crond/*[type="session"][last()]
        defvar entry /files/etc/pam.d/crond/999
        set $entry/type 'session'
        set $entry/control 'optional'
        set $entry/module 'pam_env.so'
        set $entry/argument[1] 'envfile=/run/crond.env'
EOD


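# For any new drop-ins we may have added
systemctl daemon-reload

# Reload the audit subsystem
systemctl -q reload-or-try-restart auditd

# enable and (re)start services
systemctl -q --no-block reload-or-try-restart atd sshd
systemctl -q enable httpd psacct sysstat

# named-chroot should be used not named, make accidents harder
systemctl -q mask named
systemctl -q mask php-fpm

# Migrate php-fpm pools from sockets.target to php-fpm-pool.service
# (only when at least one pool socket link still points at the old unit)
systemctl -q enable php-fpm-pool.service
if [ -n "$(find /etc/systemd/system/sockets.target.wants -type l -lname /usr/lib/systemd/system/php-fpm-pool@.socket -print -quit)" ]; then
	find /etc/systemd/system/sockets.target.wants -type l -lname /usr/lib/systemd/system/php-fpm-pool@.socket -printf '%f\0' \
	  | xargs --null --no-run-if-empty systemctl -q reenable
	systemctl -q --no-block start php-fpm-pool.service
fi

# Enable mysqld log filter
systemctl -q enable mysqld-log-filter.service

# (Re)run service autotune: every executable autotune-* file in this script's
# own directory.  All three expansions are quoted so a path containing
# whitespace cannot be split into several find arguments.
find "$(dirname "$(readlink -f "$0")")" -name 'autotune-*' -type f -executable -exec '{}' ';'

# Reload any php-fpm worker pools in case the config has been updated
systemctl -q --no-block reload php-fpm-pool.service

# reload apache only if the config passes
apachectl configtest && systemctl -q --no-block reload httpd

# Kick mysqld config (via reconf-mysql) for any updates we may have made
# Currently disabled through systemctl reload due to permission issues
#mysqladmin ping && systemctl -q --no-block reload mysqld
/usr/libexec/ng-server-config/reconf-mysql --verbose --log-only --apply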

