OpenShift Container Platform 4 (OCP4), 3 master nodes and 3 worker nodes: network-services build script (DNS, HAProxy load balancer, HTTP server for the RHCOS image and ignition files) to be run as root on the networking host.
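#!/bin/bash
# Everything below writes under /etc and (re)starts system services, so refuse
# to run unprivileged instead of failing half-way through. The diagnostic goes
# to stderr so it is not mistaken for script output.
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" >&2
  exit 1
fi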
#############################
#
# OCP4 on Skytap Builder
#
#############################
# Version 1.1
# jbradshaw@skytap.com
#############################
# Boot ISO: https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.1/latest/
#############################
# Variables
#############################
# paths
haproxy_path="/etc/haproxy"
bind_path="/etc/bind"
dhcp_path="/etc/dhcp"
apache_path="/etc/apache2"
#############################
# env
server_user="networking"
#############################
# networking values
ip_networking="192.168.1.5"
ip_broadcast="192.168.1.255"
ip_gateway="192.168.1.254"
ip_range_lower="192.168.1.2"
ip_range_upper="192.168.1.250"
ip_subnet="192.168.1.0"
# servers
ip_bootstrap="192.168.1.96"
ip_master0="192.168.1.97"
ip_master1="192.168.1.98"
ip_master2="192.168.1.99"
ip_worker0="192.168.1.11"
ip_worker1="192.168.1.7"
ip_worker2="192.168.1.15"
if_nfs="192.168.1.1"
domain="skytap.ninja"
cluster="ocp4"
#############################
# files
oc_linux_version="4.1.6" #client
oci_linux_version="4.1.9" #installer
ocp_version="4.1"
ocp_version_long="4.1.0"
#############################
#DO NOT EDIT ANY FURTHER
#############################
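echo "This will configure your networking server to support an OCP4 installation"
# The pull secret is a registry credential. Read it with -s so it does not
# stay in the terminal scrollback, and with -r so backslashes in the JSON
# survive. It is still written into install-config.yaml and the ignition
# files later on, which is why those must not be world-reachable.
echo "Enter your Pull Secret, followed by [ENTER]:"
read -rs pullSecret
echo
echo "Download files? (yes or no)"
read -r downloadFiles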
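# Initialise
apt-get update
apt-get upgrade -y
apt-get autoremove -y
# get the client binaries (oc/kubectl) into /usr/local/bin
# The comparison must be on the variable's value: a bare word such as
# downloadFiles=="yes" inside [[ ]] is a non-empty string and is always true.
if [[ "${downloadFiles}" == "yes" ]]; then
  client_tgz="openshift-client-linux-${oc_linux_version}.tar.gz"
  # NOTE(review): only TLS protects this download; check the tarball against
  # the sha256sum.txt the mirror publishes beside it before trusting the
  # binaries it installs system-wide.
  wget "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${oc_linux_version}/${client_tgz}" || exit 1
  tar xvf "${client_tgz}"
  rm -f "${client_tgz}"
  rm -f README.md
  mv kubectl /usr/local/bin/
  mv oc /usr/local/bin/
fi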
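# haproxy installation
# TCP pass-through load balancer for the cluster: API (6443) and
# machine-config server (22623) go to bootstrap + masters, ingress (80/443)
# goes to the workers. TLS is never terminated here.
apt-get install haproxy -y || exit 1
config_haproxy="
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# Stats page: no authentication and bound on every interface. It exposes
# backend addresses and health, so port 9000 must stay firewalled to the
# lab network (or add 'stats auth <user>:<password>' here).
listen stats
bind :9000
mode http
stats enable
stats uri /
monitor-uri /healthz
# The bootstrap entries can be dropped once the bootstrap node is retired.
frontend openshift-api-server
bind *:6443
default_backend openshift-api-server
mode tcp
option tcplog
backend openshift-api-server
balance source
mode tcp
server bootstrap ${ip_bootstrap}:6443 check
server master0 ${ip_master0}:6443 check
server master1 ${ip_master1}:6443 check
server master2 ${ip_master2}:6443 check
# 22623 serves ignition to joining nodes; it is internal-only by design.
frontend machine-config-server
bind *:22623
default_backend machine-config-server
mode tcp
option tcplog
backend machine-config-server
balance source
mode tcp
server bootstrap ${ip_bootstrap}:22623 check
server master0 ${ip_master0}:22623 check
server master1 ${ip_master1}:22623 check
server master2 ${ip_master2}:22623 check
frontend ingress-http
bind *:80
default_backend ingress-http
mode tcp
option tcplog
backend ingress-http
balance source
mode tcp
server worker0 ${ip_worker0}:80 check
server worker1 ${ip_worker1}:80 check
server worker2 ${ip_worker2}:80 check
frontend ingress-https
bind *:443
default_backend ingress-https
mode tcp
option tcplog
backend ingress-https
balance source
mode tcp
server worker0 ${ip_worker0}:443 check
server worker1 ${ip_worker1}:443 check
server worker2 ${ip_worker2}:443 check
#---------------------------------------------------------------------"
printf '%s\n' "${config_haproxy}" > "${haproxy_path}/haproxy.cfg"
# Validate the generated file before touching the running service.
haproxy -c -f "${haproxy_path}/haproxy.cfg" || exit 1
# systemctl takes the verb first; 'systemctl haproxy enable' is rejected as
# an unknown verb and the unit is never enabled.
systemctl enable haproxy
systemctl restart haproxy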
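#############################
# bind #
#############################
# Authoritative DNS for the cluster records under ${domain}; recursive
# lookups are forwarded to 1.1.1.1 / 1.0.0.1 for the "trusted" ranges only.
apt-get install bind9 bind9utils bind9-doc dnsutils -y || exit 1
zone_file="/var/lib/bind/${domain}"
config_bind_local="zone \"${domain}\" {
type master;
file \"${zone_file}\";
};"
printf '%s\n' "${config_bind_local}" > "${bind_path}/named.conf.local"
# Zone data. Every record carries an explicit owner (@ for the apex): an
# owner-less record has to be indented, and a line that starts with "IN" at
# column 0 is parsed as a record for the name "IN".
config_bind_zone="\$TTL 1W
@ IN SOA ns1.${domain}. root (
2019070702 ; serial - bump whenever this file changes
3H ; refresh
30M ; retry
2W ; expire
1W ) ; negative-cache TTL
@ IN NS ns1.${domain}.
@ IN MX 10 smtp.${domain}.
;
ns1 IN A ${ip_networking}
smtp IN A ${ip_networking}
;
helper IN A ${ip_networking}
helper.${cluster} IN A ${ip_networking}
;
; api and api-int resolve to the haproxy on this host
api.${cluster} IN A ${ip_networking}
api-int.${cluster} IN A ${ip_networking}
;
; the ingress wildcard also goes through the load balancer
*.apps.${cluster} IN A ${ip_networking}
;
; bootstrap host
bootstrap.${cluster} IN A ${ip_bootstrap}
;
; master hosts
master0.${cluster} IN A ${ip_master0}
master1.${cluster} IN A ${ip_master1}
master2.${cluster} IN A ${ip_master2}
;
; worker hosts
worker0.${cluster} IN A ${ip_worker0}
worker1.${cluster} IN A ${ip_worker1}
worker2.${cluster} IN A ${ip_worker2}
;
; etcd runs on the masters, so the etcd names share their addresses
etcd-0.${cluster} IN A ${ip_master0}
etcd-1.${cluster} IN A ${ip_master1}
etcd-2.${cluster} IN A ${ip_master2}
;
; SRV records for etcd: targets are fully qualified, note the trailing dot
_etcd-server-ssl._tcp.${cluster} IN SRV 0 10 2380 etcd-0.${cluster}.${domain}.
_etcd-server-ssl._tcp.${cluster} IN SRV 0 10 2380 etcd-1.${cluster}.${domain}.
_etcd-server-ssl._tcp.${cluster} IN SRV 0 10 2380 etcd-2.${cluster}.${domain}.
;
;EOF"
printf '%s\n' "${config_bind_zone}" > "${zone_file}"
# allow-query is left at its default, so authoritative answers for the lab
# zone are served to anyone who can reach port 53; recursion is restricted.
config_bind_options="acl \"trusted\" {
10.254.0.0/16; # cluster (pod) network, matches install-config.yaml
192.168.0.0/16; # lab network
172.30.0.0/16; # service network, matches install-config.yaml
127.0.0.0/8; # allow networking server to resolve externals
};
options {
directory \"/var/cache/bind\";
recursion yes; # enables recursive queries
allow-recursion { trusted; }; # recursive queries only from the ranges above
#listen-on { ${ip_networking}; }; # left open: named answers on every IPv4 address
allow-transfer { none; }; # disable zone transfers by default
forwarders {
1.1.1.1;
1.0.0.1;
};
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};"
printf '%s\n' "${config_bind_options}" > "${bind_path}/named.conf.options"
# Check syntax and zone data before restarting so a template error does not
# take down DNS for the whole lab.
named-checkconf "${bind_path}/named.conf" || exit 1
named-checkzone "${domain}" "${zone_file}" || exit 1
service bind9 restart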
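#############################
# install webserver #
#############################
# Plain-HTTP server on :8000 that hands the RHCOS image and the ignition
# files to booting nodes. The ignition files embed cluster secrets (the pull
# secret among them), so this port must only be reachable from the cluster
# network.
apt install apache2 -y || exit 1
#service apache2 start
cd ~ || exit 1
# Quoted here-doc: nothing is expanded by bash, so the ${APACHE_*} variables
# stay literal for Apache and no quote escaping is needed.
cat > "${apache_path}/apache2.conf" <<'EOF'
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>
# No "Indexes": nodes fetch files by exact URL, and a directory listing would
# advertise the ignition files to anyone on the network. Access control is
# 2.4 "Require" only (Order/Allow would need mod_access_compat).
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
EOF
cat > "${apache_path}/sites-available/000-default.conf" <<'EOF'
<VirtualHost *:8000>
    ServerAdmin webmaster@localhost
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    DocumentRoot /var/www/html
</VirtualHost>
EOF
#Update port numbers
# Listen on 8000 only: haproxy owns 80 and 443 on this host, so the usual
# ssl/gnutls "Listen 443" stanzas are deliberately omitted (they would
# collide with haproxy the moment either module is enabled).
cat > "${apache_path}/ports.conf" <<'EOF'
Listen 8000
EOF
if [[ "${downloadFiles}" == "yes" ]]; then
  cd /var/www/html || exit 1
  rhcos_image="rhcos-${ocp_version_long}-x86_64-metal-bios.raw.gz"
  # NOTE(review): only TLS protects this download; check the image against
  # the sha256sum.txt the mirror publishes beside it before booting nodes.
  wget -O rhcos.gz "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/${ocp_version}/latest/${rhcos_image}" || exit 1 #rename to something simpler
fi
cd ~ || exit 1
systemctl enable apache2
systemctl start apache2
systemctl reload apache2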
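#############################
# prep ignition file #
#############################
# Passphrase-less deploy key for the core user on every node: the installer
# needs the public half, the private half stays in /root/id_rsa and is the
# SSH credential to the whole cluster. Treat this host accordingly.
cd ~ || exit 1
ssh-keygen -f ~/id_rsa -t rsa -b 4096 -N ''
sshkey_pub=$(<~/id_rsa.pub)
# install-config.yaml (indentation matters: list items and their keys must
# nest correctly). The cluster and service CIDRs are the ones the bind
# "trusted" ACL allows recursion for.
yaml="apiVersion: v1
baseDomain: ${domain}
compute:
- hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 3
metadata:
  name: ${cluster}
networking:
  clusterNetworks:
  - cidr: 10.254.0.0/16
    hostPrefix: 24
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  none: {}
pullSecret: '${pullSecret}'
sshKey: '${sshkey_pub}'"
mkdir -p ~/ocp4
cd ~/ocp4 || exit 1
# The file embeds the pull secret: create it 0600 rather than with the default
# umask, so no world-readable copy is left behind if the run stops here.
(umask 077 && printf '%s\n' "${yaml}" > install-config.yaml)
if [[ "${downloadFiles}" == "yes" ]]; then
  installer_tgz="openshift-install-linux-${oci_linux_version}.tar.gz"
  # NOTE(review): only TLS protects this download; check it against the
  # sha256sum.txt the mirror publishes beside it before running the installer.
  wget "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${oci_linux_version}/${installer_tgz}" || exit 1
  tar xvf "${installer_tgz}"
fi
# Stop here if the installer is missing or fails, instead of moving nothing
# and serving an empty directory.
./openshift-install create ignition-configs || exit 1
mv ./*.ign /var/www/html/
rm -f /var/www/html/index.html
#############################
# prep files for serving #
#############################
# The ignition files have to be readable by www-data; they are served
# unauthenticated, which is why port 8000 must be limited to the lab network.
chown -R "${server_user}:www-data" /var/www/html
chmod -R a+r /var/www/html
service apache2 restart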
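#############################
# tidy up #
#############################
# Re-enable SSH password logins on this host. This is a deliberate weakening
# for lab access; the host holds the cluster deploy key and the pull secret,
# so it should never be exposed beyond the lab network.
# NOTE(review): drop this step if key-based access to the host is available.
sed -i "/^[^#]*PasswordAuthentication[[:space:]]no/c\PasswordAuthentication yes" /etc/ssh/sshd_config
service sshd restart
#Configure firewall
# Ports only the cluster nodes need (ignition/RHCOS server, machine-config
# server, haproxy stats) are limited to the lab subnet; DNS, SSH, API and
# ingress stay open so the cluster is reachable from the operator's machine.
lab_net="${ip_subnet}/24"
ufw default deny incoming
ufw allow 53
ufw allow ssh
ufw allow 80
ufw allow 443
ufw allow 6443 #api
ufw allow from "${lab_net}" to any port 8000 proto tcp  #local webhost: serves ignition files
ufw allow from "${lab_net}" to any port 9000 proto tcp  #haproxy status: unauthenticated
ufw allow from "${lab_net}" to any port 22623 proto tcp #machine config server: internal only
# None of the rules above take effect until ufw is enabled; ssh is allowed
# first so enabling does not cut the current session.
ufw --force enable
echo "When finished, remove /usr/local/bin/oc and /usr/local/bin/kubectl"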