Merge pull request #93 from shahaan/master

Merging based on the conversation we've had.

buildKaraage3.x.yml

+---
+-
+  hosts: ldap-server
+  pre_tasks:
+    - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present
+      ignore_errors: yes
+    - service: name=network state=restarted
+      when: ansible_os_family == 'Redhat'
+  roles:
+   - etcHosts
+   - easy-rsa-CA
+   - easy-rsa-certificate
+   - ldapserver
+  sudo: true
+  vars:
+   - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+   - countryName: "AU"
+   - reginalName: "Victoria"
+   - cityName: "Melbourne"
+   - organizationName: "Monash University"
+   - emailAddress: "shahaan@gmail.com"
+   - organizationUnit: "defaultUnit"
+   - ldapDomain: "dc=monash,dc=edu,dc=au"
+   - ldapManager: "cn=Manager,dc=monash,dc=edu,dc=au"
+   - ldapBindDN: "cn=ldapuser,ou=users,dc=monash,dc=edu,dc=au"
+   - ldapUserBase: "ou=users,dc=monash,dc=edu,dc=au"
+   - ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
+   - ldapBase: "dc=monash,dc=edu,dc=au"
+   - ldapURI: "{% for host in groups['ldap-server'] %}ldaps://{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+   - smtp_smarthost: "{{ ansible_hostname }}"
+   - ldapManagerPassword: "imldap"
+   - ldapBindDNPassword: "imbinddn"
+   - domain: ""
+   - karaage_sql_password: "imkaraage"
+   - mysql_root_password: "immysql"
+   - x509_key_file: "/etc/ssl/private/server.key"
+   - x509_cert_file: "/etc/ssl/certs/server.crt"
+   - x509_cacert_file: "/etc/ssl/certs/ca.crt"
+   - x509_csr_args: ""
+   - x509_sign_args: "{{ x509_csr_args }}"
+   - x509_common_name: "{{ inventory_hostname }}"
+- 
+  hosts: karaage-server
+  pre_tasks:
+    - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present
+      ignore_errors: yes
+    - service: name=network state=restarted
+      when: ansible_os_family == 'Redhat'
+  roles:
+    - etcHosts
+    - easy-rsa-certificate
+    - karaage3.1.17
+  sudo: true
+  vars:
+   - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+   - countryName: "AU"
+   - reginalName: "Victoria"
+   - cityName: "Melbourne"
+   - organizationName: "Monash University"
+   - emailAddress: "shahaan@gmail.com"
+   - organizationUnit: "defaultUnit"
+   - ldapDomain: "dc=monash,dc=edu,dc=au"
+   - ldapManager: "cn=Manager,dc=monash,dc=edu,dc=au"
+   - ldapBindDN: "cn=ldapuser,ou=users,dc=monash,dc=edu,dc=au"
+   - ldapUserBase: "ou=users,dc=monash,dc=edu,dc=au"
+   - ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
+   - ldapBase: "dc=monash,dc=edu,dc=au"
+   - ldapURI: "{% for host in groups['ldap-server'] %}ldaps://{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+   - smtp_smarthost: "{{ ansible_hostname }}"
+   - ldapManagerPassword: "imldap"
+   - ldapBindDNPassword: "imbinddn"
+   - domain: ""
+   - karaage_sql_password: "imkaraage"
+   - mysql_root_password: "immysql"
+   - x509_key_file: "/etc/ssl/private/server.key"
+   - x509_cert_file: "/etc/ssl/certs/server.crt"
+   - x509_cacert_file: "/etc/ssl/certs/ca.crt"
+   - x509_csr_args: ""
+   - x509_sign_args: "{{ x509_csr_args }}"
+   - x509_common_name: "{{ inventory_hostname }}"

headNode.yaml

@@ -25,6 +25,7 @@ resources:
     flavor: m1.small
     image: { get_param: image_id }
     key_name: { get_param: key_name }
+    security_groups: [OpenVPN, NSF, default]
     metadata:
      ansible_host_group: headNode
      ansible_ssh_user: ec2-user

roles/OpenVPN-Client/vars/main.yml

+readme.txt
\ No newline at end of file

roles/OpenVPN-Server/vars/main.yml

+readme.txt
\ No newline at end of file

roles/easy-rsa-certificate/vars/main.yml

+readme.txt
\ No newline at end of file

roles/easy-rsa-common/defaults/main.yml

+readme.txt
\ No newline at end of file

roles/easy-rsa-common/tasks/installEasyRsa.yml → roles/easy-rsa-common/tasks/installEasyRsaSource.yml

---- 
-- 
-  name: "Installing easy-rsa"
-  yum: "name=easy-rsa state=latest"
-  sudo: True
-  when: ansible_os_family == 'RedHat'
-- 
-  name: "Installing easy-rsa"
-  apt: "name=openvpn state=present update_cache=yes"
-  sudo: True
-  when: ansible_os_family == 'Debian'
-- 
-  name: "Moving easy-rsa to /etc"
-  shell: "cp -rf /usr/share/easy-rsa /etc/"
-  args:
-    creates: /etc/easy-rsa
-  sudo: True
-  when: ansible_os_family == 'RedHat'
+---
+
+-
+ name: Download easy-rsa 2.2.2
+ get_url: url=https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz dest=/tmp/2.2.2.tar.gz
+-
+ name: Untar the source
+ shell: tar xvfz 2.2.2.tar.gz chdir=/tmp creates=/tmp/easy-rsa-2.2.2
 - 
   name: "Moving easy-rsa to /etc"
-  shell: "cp -rf /usr/share/doc/openvpn/examples/easy-rsa /etc/"
-  args:
-    creates: /etc/easy-rsa
+  shell: cp -rf /tmp/easy-rsa-2.2.2/easy-rsa /etc/ creates=/etc/easy-rsa
   sudo: True
-  when: ansible_os_family == 'Debian'
   register: installed
 
 - name: "Clean all"
@@ -31,3 +18,4 @@
     creates: "/etc/easy-rsa/2.0/keys/"
   when: installed|changed
   sudo: true
+ 

roles/easy-rsa-common/tasks/main.yml

 ---
 -
-  include: installEasyRsa.yml
+  include: installEasyRsaSource.yml
 -
   include: copyConfigurationFile.yml

roles/easy-rsa-common/tasks/yumList.yml

@@ -3,11 +3,14 @@
   name: "Install these yum packages"
   with_items:
     - gcc
-    - rsync
     - make
     - tcsh
     - bind-utils
-    - openssl-devel
-    - nfs-utils
   yum: "name={{ item }} state=present"
   sudo: true
+-
+  name: "Setting hostname"
+  shell: sysctl kernel.hostname={{ inventory_hostname }} 
+-
+  name: "Restarting Network"
+  service: name=network state=restarted

roles/etcHosts/files/makehosts.py

 #!/usr/bin/python
 import sys
 import json
+import socket
 filename = sys.argv[1]
-domain = sys.argv[2]
+try:
+ domain = sys.argv[2]
+except IndexError:
+ domain = None
 f=open(filename,'r')
 s=f.read()
 d=json.loads(s)
@@ -12,7 +16,10 @@ hosts={}
 for group in d['groups'].keys():
     i=0
     for h in d['groups'][group]:
-        hosts[h] = ['%s.%s %s'%(h, domain, h)]
+      if not domain:
+        hosts[h] = [h]
+      else:
+        hosts[h] = ['%s.%s %s'%(h,domain,h)]
 
 for h in hosts.keys():
     if d['hostvars'].has_key(h):

roles/karaage3.1.17/tasks/apache.yml

+---
+-
+ name: "Install Apache2"
+ apt: name=apache2 state=present
+-
+ name: "Templating default-ssl site"
+ template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data
+-
+ name: "Templating default site"
+ template: src=default.j2 dest=/etc/apache2/sites-available/000-default.conf owner=www-data group=www-data
+-
+ name: "Templating ssl configuration"
+ template: src=ssl.conf.j2 dest=/etc/apache2/mods-available/ssl.conf owner=www-data group=www-data
+-
+ name: "Enable ssl module"
+ apache2_module: state=present name=ssl
+
+-
+ name: "Enable default-ssl site"
+ shell: a2ensite default-ssl
+
+-
+ name: "Restarting Apache2"
+ service: name=apache2 state=restarted

roles/karaage3.1.17/tasks/karaage.yml

+---
+-
+ name: "Installing prerequisites"
+ apt: name={{ item }} update_cache=yes
+ with_items:
+  - libxml2-dev
+  - libxslt1-dev
+  - python-lxml
+  - libcrack2-dev
+  - csstidy
+  - ldap-utils
+  - python-cracklib
+  - git
+-
+ name: "Getting Karaage from Github"
+ git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7"
+-
+ name: "Installing Karaage Dependencies"
+ pip: name={{ item }} extra_args="--upgrade"
+ with_items:
+  - six
+  - MySQL-python
+  - mincss
+  - slimit
+  - ply
+-
+ name: "Restrict Django version to 1.7.8"
+ replace: dest=/root/karaage3.1.7/setup.py regexp="Django >= 1.7" replace="Django == 1.7.8"
+-
+ name: "Installing Karaage from source"
+ shell: python setup.py install 
+ args:
+  chdir: /root/karaage3.1.7
+  creates: /root/karaage3.1.7/build/bdist.linux-x86_64
+-
+ name: "Templating Karaage settings"
+ template: src=settings.py.j2 dest=/etc/karaage3/settings.py owner=root group=www-data mode=0640
+-
+ name: "Creating karaage3 in /var/log"
+ file: path=/var/log/karaage3 state=directory owner=www-data group=www-data mode=0755 
+-
+ name: "Creating karaage3 in /var/lib"
+ file: path=/var/lib/karaage3 state=directory owner=root group=www-data mode=0775
+-
+ name: "Change permissions for /var/www"
+ file: path=/var/www state=directory owner=root group=www-data mode=0775
+-
+ name: "enabling Karaage configuration"
+ shell: a2enconf karaage3-wsgi
+-
+ name: "Installing other packages"
+ apt: name={{ item }} update_cache=yes
+ with_items:
+  - python-kgusage
+  - karaage-cluster-tools
+  - karaage3-celery
+-
+ name: "Set Secret Key"
+ lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = 'imkaraage'" state=present
+-
+ name: " Create DB tables"
+ shell: kg-manage migrate 
+-
+ name: "Restarting Celery"
+ service: name=karaage3-celery state=restarted
+-
+ name: "Reloading apache"
+ service: name=apache2 state=reloaded

roles/karaage3.1.17/tasks/main.yml

+---
+ - include: prerequisites.yml
+ - include: apache.yml
+ - include: mysql.yml
+ - include: karaage.yml

roles/karaage3.1.17/tasks/mysql.yml

+---
+- 
+ name: "Installing MySQL"
+ apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present
+ with_items:
+  - python
+  - python-dev
+  - libmysqlclient-dev
+  - python-pip
+  - libapache2-mod-wsgi
+  - python-mysql.connector
+  - mysql-server
+  - python-mysqldb
+- 
+ name: "Starting MySQL"
+ service: name=mysql state=started enabled=true
+-
+ name: "Templating karaage.cnf"
+ template: src="karaage.cnf.j2" dest=/etc/mysql/conf.d/karaage.cnf owner=root group=root
+-
+ name: "Adding root"
+ sudo: true
+ mysql_user: name=root host="{{ item }}" password="{{ mysql_root_password }}" login_user=root login_password="{{ mysql_root_password }}" check_implicit_admin=yes priv="*.*:ALL,GRANT"
+ with_items:
+  - "{{ ansible_hostname }}"
+  - 127.0.0.1
+  - ::1
+  - localhost
+-
+ name: "Adding Karaage Database"
+ mysql_db: name=karaage state=present login_user=root login_password={{ mysql_root_password }} 
+-
+ name: "Giving priviliges to karaage user"
+ mysql_user: name=karaage password={{ karaage_sql_password }} login_user=root login_password={{ mysql_root_password }} priv=karaage.*:ALL state=present
+
+- 
+ name: "Starting MySQL"
+ service: name=mysql state=restarted

roles/karaage3.1.17/tasks/prerequisites.yml

+---
+-
+  name: "Installing prereq packages"
+  apt: name={{ item }} update_cache=yes
+  with_items:
+   - debian-keyring
+- 
+  apt_key: "url=http://code.vpac.org/debian/vpac-debian-key.gpg state=present"
+  name: "Installing the VPAC Debian Archive signing key"
+- 
+  apt_repository: "repo='deb     http://code.vpac.org/debian  jessie main' state=present"
+  name: "Adding VPAC repository in the source list"
+- 
+  apt_repository: "repo='deb-src http://code.vpac.org/debian  jessie main' state=present"
+  name: "Adding VPAC source repository"
+- 
+  apt: update_cache=yes
+  name: "Upgrading apt..."

roles/karaage3.1.17/templates/default-ssl.j2

+<IfModule mod_ssl.c>
+<VirtualHost _default_:443>
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+	<Directory "/usr/lib/cgi-bin">
+		AllowOverride None
+		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+		Order allow,deny
+		Allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	SSLCertificateFile    /etc/ssl/certs/server.crt
+	SSLCertificateKeyFile /etc/ssl/private/server.key
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convinience.
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	SSLCACertificatePath /etc/ssl/certs/
+	SSLCACertificateFile /etc/ssl/certs/ca.crt
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#   Access Control:
+	#   With SSLRequire you can do per-directory access control based
+	#   on arbitrary complex boolean expressions containing server
+	#   variable checks and other lookup directives.  The syntax is a
+	#   mixture between C and Perl.  See the mod_ssl documentation
+	#   for more details.
+	#<Location />
+	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+	#</Location>
+
+	#   SSL Engine Options:
+	#   Set various options for the SSL engine.
+	#   o FakeBasicAuth:
+	#     Translate the client X.509 into a Basic Authorisation.  This means that
+	#     the standard Auth/DBMAuth methods can be used for access control.  The
+	#     user name is the `one line' version of the client's X.509 certificate.
+	#     Note that no password is obtained from the user. Every entry in the user
+	#     file needs this password: `xxj31ZMTZzkVA'.
+	#   o ExportCertData:
+	#     This exports two additional environment variables: SSL_CLIENT_CERT and
+	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+	#     server (always existing) and the client (only existing when client
+	#     authentication is used). This can be used to import the certificates
+	#     into CGI scripts.
+	#   o StdEnvVars:
+	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+	#     Per default this exportation is switched off for performance reasons,
+	#     because the extraction step is an expensive operation and is usually
+	#     useless for serving static content. So one usually enables the
+	#     exportation for CGI and SSI requests only.
+	#   o StrictRequire:
+	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+	#     under a "Satisfy any" situation, i.e. when it applies access is denied
+	#     and no other module can change it.
+	#   o OptRenegotiate:
+	#     This enables optimized SSL connection renegotiation handling when SSL
+	#     directives are used in per-directory context.
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is send or allowed to received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-6]" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+</VirtualHost>
+</IfModule>

roles/karaage3.1.17/templates/default.j2

+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+		ServerName {{ ansible_nodename }}
+		Redirect permanent / https://{{ ansible_nodename }}/
+
+        DocumentRoot /var/www
+        <Directory />
+                Options FollowSymLinks
+                AllowOverride None
+        </Directory>
+        <Directory /var/www/>
+                Options Indexes FollowSymLinks MultiViews
+                AllowOverride None
+                Order allow,deny
+                allow from all
+        </Directory>
+		<Directory /etc/karaage3>
+                Options FollowSymLinks
+                AllowOverride None
+        </Directory>
+
+        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+        <Directory "/usr/lib/cgi-bin">
+                AllowOverride None
+                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+                Order allow,deny
+                Allow from all
+        </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+
+        # Possible values include: debug, info, notice, warn, error, crit,
+        # alert, emerg.
+        LogLevel warn
+
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>

roles/karaage3.1.17/templates/karaage.cnf.j2

+[mysqld]
+character_set_server=utf8
+default-storage-engine = innodb
+sql_mode = STRICT_ALL_TABLES
+
+[client]
+default-character-set = utf8

roles/karaage3.1.17/templates/settings.py.j2

+# -*- coding: utf-8 -*-
+
+# Globally defined Karaage settings
+# These settings will be used for karaage-admin and karaage-registration.
+
+# Some of these values have sensible defaults. Settings that don't have a
+# sensible default must be configured manually.
+
+# Other Django settings are also possible, this list is not a comprehensive
+# list of all settings.
+
+# Copyright 2010-2011, 2014-2015 VPAC
+# Copyright 2010-2011 The University of Melbourne
+#
+# Django settings
+#
+
+# A boolean that turns on/off debug mode.
+#
+# Never deploy a site into production with DEBUG turned on.
+#
+# Did you catch that? NEVER deploy a site into production with DEBUG turned on.
+#
+# One of the main features of debug mode is the display of detailed error
+# pages. If your app raises an exception when DEBUG is True, Django will
+# display a detailed traceback, including a lot of metadata about your
+# environment, such as all the currently defined Django settings (from
+# settings.py).
+#
+# default: DEBUG = False
+#
+# DEBUG = True
+
+# Implemented by Shahaan due to the django-pipeline bug
+PIPELINE_ENABLED = False
+STATICFILES_STORAGE = 'pipeline.storage.PipelineStorage'
+
+# FQDN host, used in default settings for :setting:`ALLOWED_HOSTS`,
+# :setting:`REGISTRATION_BASE_URL`, and :setting:`ADMIN_BASE_URL`.
+#
+# default: HTTP_HOST = FQDN hostname
+#
+HTTP_HOST = "{{ x509_common_name }}"
+
+# A list of strings representing the host/domain names that this Django site
+# can serve. This is a security measure to prevent an attacker from poisoning
+# caches and password reset emails with links to malicious hosts by submitting
+# requests with a fake HTTP Host header, which is possible even under many
+# seemingly-safe web server configurations.
+#
+# %(HOST) will be substituted with the HTTP_HOST setting.
+#
+# default: ALLOWED_HOSTS = ["%(HOST)s"]
+#
+# ALLOWED_HOSTS = ["www.example.org"]
+
+# Whether to use a secure cookie for the session cookie. If this is set to
+# True, the cookie will be marked as “secure,” which means browsers may ensure
+# that the cookie is only sent under an HTTPS connection.
+#
+# default: SESSION_COOKIE_SECURE = True
+#
+# SESSION_COOKIE_SECURE = False
+
+# A tuple that lists people who get code error notifications. When DEBUG=False
+# and a view raises an exception, Django will email these people with the full
+# exception information. Each member of the tuple should be a tuple of (Full
+# name, email address).
+ADMINS = (
+    # ('Your Name', 'your_email@domain.com'),
+)
+
+# A tuple in the same format as ADMINS that specifies who should get broken
+# link notifications when BrokenLinkEmailsMiddleware is enabled.
+MANAGERS = ADMINS
+
+# A dictionary containing the settings for all databases to be used with
+# Django. It is a nested dictionary whose contents maps database aliases to a
+# dictionary containing the options for an individual database.
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'karaage',
+        'USER': 'karaage',
+        'PASSWORD': 'imkaraage',
+        'HOST': 'localhost',
+        'PORT': '',
+        'ATOMIC_REQUESTS': True,
+    }
+}
+
+LDAP = {
+     'default': {
+          'ENGINE': 'tldap.backend.fake_transactions',
+          'URI': 'ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}/',
+          'USER': '{{ ldapManager }}',
+          'PASSWORD': '{{ ldapManagerPassword }}',
+          'REQUIRE_TLS': True,
+          'START_TLS': True,
+          'TLS_CA': '{{ x509_cacert_file }}',
+     }
+}
+
+MACHINE_CATEGORY_DATASTORES = {
+     'ldap': [
+          {
+                'DESCRIPTION': 'LDAP datastore',
+                'ENGINE': 'karaage.datastores.ldap.MachineCategoryDataStore',
+                'LDAP': 'default',
+                'ACCOUNT': 'karaage.datastores.ldap_schemas.openldap_account',
+                'GROUP': 'karaage.datastores.ldap_schemas.openldap_account_group',
+                'PRIMARY_GROUP': "institute",
+                'DEFAULT_PRIMARY_GROUP': "ldap",
+                'HOME_DIRECTORY': "/home/%(uid)s",
+                'LOCKED_SHELL': "/usr/local/sbin/locked",
+                'NUMBER_SCHEME': 'default',
+                'LDAP_ACCOUNT_BASE': 'ou=Accounts,dc=monash,dc=edu,dc=au',
+                'LDAP_GROUP_BASE': 'ou=Groups,dc=monash,dc=edu,dc=au',
+          },
+    ],
+     'dummy': [
+     ],
+}
+
+GLOBAL_DATASTORES = [
+      {
+            'DESCRIPTION': 'LDAP datastore',
+            'ENGINE': 'karaage.datastores.ldap.GlobalDataStore',
+            'LDAP': 'default',
+            'PERSON': 'karaage.datastores.ldap_schemas.openldap_person',
+            'GROUP': 'karaage.datastores.ldap_schemas.openldap_person_group',
+            'NUMBER_SCHEME': 'global',
+            'LDAP_PERSON_BASE': 'ou=People,dc=monash,dc=edu,dc=au',
+            'LDAP_GROUP_BASE': 'ou=People_Groups,dc=monash,dc=edu,dc=au',
+      },
+]
+# The email address that error messages come from, such as those sent to ADMINS
+# and MANAGERS.
+SERVER_EMAIL = 'karaage@example.org'
+
+# The host to use for sending email.
+EMAIL_HOST = 'localhost'
+
+# Subject-line prefix for email messages sent with django.core.mail.mail_admins
+# or django.core.mail.mail_managers. You’ll probably want to include the
+# trailing space.
+EMAIL_SUBJECT_PREFIX = '[Karaage] - '
+
+# Local time zone for this installation. Choices can be found here:
+# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
+# although not all choices may be available on all operating systems.
+# If running in a Windows environment this must be set to the same as your
+# system time zone.
+TIME_ZONE = 'Australia/Melbourne'
+
+# Language code for this installation. All choices can be found here:
+# http://www.i18nguy.com/unicode/language-identifiers.html
+LANGUAGE_CODE = 'en-au'
+
+# A secret key for a particular Django installation. This is used to provide
+# cryptographic signing, and should be set to a unique, unpredictable value.
+SECRET_KEY = ''
+
+# A data structure containing configuration information. The contents of this
+# data structure will be passed as the argument to the configuration method
+# described in LOGGING_CONFIG.
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'formatters': {
+        'verbose': {
+            'format': '%(levelname)s %(asctime)s '
+            '%(module)s %(process)d %(thread)d %(message)s'
+        },
+        'simple': {
+            'format': '%(levelname)s %(message)s'
+        },
+    },
+    'handlers': {
+        'mail_admins': {
+            'level': 'ERROR',
+            'class': 'django.utils.log.AdminEmailHandler'
+        },
+        'django_file': {
+            'level': 'WARNING',
+            'class': 'karaage.common.logging.FileHandler',
+            'filename': '/var/log/karaage3/django.log',
+            'formatter': 'verbose',
+            'owner': ['www-data', 'www-data'],
+        },
+        'karaage_file': {
+            'level': 'WARNING',
+            'class': 'karaage.common.logging.FileHandler',
+            'filename': '/var/log/karaage3/karaage.log',
+            'formatter': 'verbose',
+            'owner': ['www-data', 'www-data'],
+        },
+        # 'ldap_file': {
+        #     'level': 'DEBUG',
+        #     'class': 'karaage.common.logging.FileHandler',
+        #     'filename': '/var/log/karaage3/ldap.log',
+        #     'formatter': 'verbose',
+        #     'owner': ['www-data', 'www-data'],
+        # },
+        # 'mam_file': {
+        #     'level': 'DEBUG',
+        #     'class': 'karaage.common.logging.FileHandler',
+        #     'filename': '/var/log/karaage3/mam.log',
+        #     'formatter': 'verbose',
+        #     'owner': ['www-data', 'www-data'],
+        # },
+        # 'slurm_file': {
+        #     'level': 'DEBUG',
+        #     'class': 'karaage.common.logging.FileHandler',
+        #     'filename': '/var/log/karaage3/slurm.log',
+        #     'formatter': 'verbose',
+        #     'owner': ['www-data', 'www-data'],
+        # },
+    },
+    'loggers': {
+        '': {
+            'handlers': ['mail_admins'],
+            'level': 'ERROR',
+            'propagate': True,
+        },
+        'django': {
+            'handlers': ['django_file'],
+            'level': 'DEBUG',
+            'propagate': True,
+        },
+        'karaage': {
+            'handlers': ['karaage_file'],
+            'level': 'DEBUG',
+            'propagate': True,
+        },
+        # 'karaage.datastores.ldap': {
+        #     'handlers': ['ldap_file'],
+        #     'level': 'DEBUG',
+        #     'propagate': True,
+        # },
+        # 'karaage.datastores.mam': {
+        #     'handlers': ['mam_file'],
+        #     'level': 'DEBUG',
+        #     'propagate': True,
+        # },
+        # 'karaage.datastores.slurm': {
+        #     'handlers': ['slurm_file'],
+        #     'level': 'DEBUG',
+        #     'propagate': True,
+        # },
+    },
+}
+
+
+#
+# Karaage settings
+#
+
+# Users are advised to contact this address if having problems.
+# This is also used as the from address in outgoing emails.
+ACCOUNTS_EMAIL = 'accounts@example.com'
+
+# This organisation name, used in outgoing emails.
+ACCOUNTS_ORG_NAME = 'Example'
+
+# Registration base URL - Used in email templates
+# Uncomment to override default
+#
+# %(HOST) will be substituted with the HTTP_HOST setting.
+#
+# default: REGISTRATION_BASE_URL = 'https://%(HOST)s/users'
+#
+# REGISTRATION_BASE_URL = 'https://accounts.example.org/users'
+
+# Admin base URL - Used in email templates
+# Uncomment to override default
+#
+# %(HOST) will be substituted with the HTTP_HOST setting.
+#
+# default: ADMIN_BASE_URL = 'https://%(HOST)s/kgadmin'
+#
+# ADMIN_BASE_URL = 'https://accounts.example.org/kgadmin'
+
+# Is Shibboleth supported?
+#
+# default: SHIB_SUPPORTED = False
+#
+# SHIB_SUPPORTED = True
+
+# Path to AUP policy. Note that setting this will not disable the Karaage
+# default page, it might be better to replace the AUP with a file in
+# the templates directory ``karaage/common/aup-detail.html`` if required.
+#
+# default: Django template ``karaage/common/aup-detail.html``
+#
+# AUP_URL = "https://site.example.org/users/aup/"
+
+# Do we allow anonymous users to request accounts?
+#
+# default:  ALLOW_REGISTRATIONS = False
+#
+# ALLOW_REGISTRATIONS = True
+
+# Do we allow any logged in user to access all usage information?
+#
+# default: USAGE_IS_PUBLIC = True
+#
+# USAGE_IS_PUBLIC = False
+
+# Settings to restrict the valid list of email addresses we allow in
+# applications.  EMAIL_MATCH_TYPE can be "include" or "exclude".  If "include"
+# then the email address must match one of the RE entries in EMAIL_MATCH_LIST.
+# If "exclude" then then email address must not match of the the RE entries in
+# EMAIL_MATCH_LIST.
+#
+# default: allow any email address
+#
+# EMAIL_MATCH_TYPE="include"
+# EMAIL_MATCH_LIST=["@vpac.org$", "@v3.org.au$", "^tux@.*au$"]
+
+# List of Karaage plugins
+#
+# default: PLUGINS = []
+#
+PLUGINS = [
+     'karaage.plugins.kgapplications.plugin',
+     'karaage.plugins.kgsoftware.plugin',
+     'karaage.plugins.kgsoftware.applications.plugin',
+     'karaage.plugins.kgusage.plugin',
+ ]