33 files changed, 1649 insertions, 0 deletions
diff --git a/setup/configs/labels.yml b/setup/configs/labels.yml
new file mode 100644
index 0000000..1c5f19f
--- /dev/null
+++ b/setup/configs/labels.yml
@@ -0,0 +1,6 @@
+---
+ands_openshift_labels: 
+  region: "infra"
+  zone: "default"
+  master: "{{ ( 'masters' in group_names ) | ternary(1, 0) }}"
+  fat_storage: "{{ ( 'storage_nodes' in group_names ) | ternary(1, 0) }}"
diff --git a/setup/configs/openshift.yml b/setup/configs/openshift.yml
new file mode 100644
index 0000000..eb3af3e
--- /dev/null
+++ b/setup/configs/openshift.yml
@@ -0,0 +1,12 @@
+---
+ands_openshift_projects:
+    katrin: KArlsruhe TRItium Neutrino
+
+ands_openshift_users:
+  pdv: IPE Administation Account
+  katrin: KATRIN Project
+  csa: Suren A. Chilingaryan <csa@suren.me>
+
+ands_openshift_roles:
+  cluster-admin: csa, pdv
+  katrin/admin: katrin
diff --git a/setup/configs/secrets.yml b/setup/configs/secrets.yml
new file mode 100644
index 0000000..5005be0
--- /dev/null
+++ b/setup/configs/secrets.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+30383738386265633133306363326639656331333736303966633133333661383561373533303966
+6361396564626437656237663035616461656661316265610a306336373231616136393330616632
+39376265346133303332363235303635383239336463633234616261643161643639313732313536
+3264636131353136640a623238663037336261303063313564303665386561643030373064356536
+61633136393138656533336563346635656531376161376639656436343437326538366336643734
+35363464646131316366626234613737366633626166376339313832646239626265333637613261
+32353535356537323533373831396138326239643937623865613731373165393633626331623839
+66323039393136313431383264633731653965386261613336376263396531333862306562313337
+38346465613831613566353233346634373032663537353633643330363136343264
diff --git a/setup/configs/volumes.yml b/setup/configs/volumes.yml
new file mode 100644
index 0000000..2546f1c
--- /dev/null
+++ b/setup/configs/volumes.yml
@@ -0,0 +1,37 @@
+---
+ands_paths:
+  provision: /mnt/provision
+  openshift: /mnt/openshift
+  temporary: /mnt/temporary
+
+ands_heketi_domain:
+  servers: "storage_nodes"
+  volumes:
+    heketidbstorage: { type: "cfg" }    
+
+ands_storage_domains:
+  - servers: "ands_storage_servers"
+    clients: "ands_servers"
+    volumes:
+      provision: { type: "cfg", mount: "{{ ands_paths.provision }}" }
+  - servers: "storage_nodes"
+    clients: "nodes"
+    volumes: 
+      openshift: { type: "cfg", mount: "{{ ands_paths.openshift }}" }
+      temporary: { type: "tmp", mount: "{{ ands_paths.temporary }}" }
+#  - ovirt:
+#  - pdv:
+
+
+# Per project list (to distribute in multiple namespaces later)
+ands_openshift_volumes:
+  etc: { volume: "openshift", path: "/etc" }
+  src: { volume: "openshift", path: "/src" }
+  www: { volume: "openshift", path: "/www" }
+  log: { volume: "temporary", path: "/log", write: true}
+  tmp: { volume: "temporary", path: "/tmp", write: true}
+
+
+# Global list, we only take things from the volume of project
+ands_openshift_files:
+  - { osv: "etc", path: "apache2-kaas", state: "directory" }
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.d/README b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/README
new file mode 100644
index 0000000..f5e9661
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/README
@@ -0,0 +1,9 @@
+
+This directory holds configuration files for the Apache HTTP Server;
+any files in this directory which have the ".conf" extension will be
+processed as httpd configuration files.  The directory is used in
+addition to the directory /etc/httpd/conf.modules.d/, which contains
+configuration files necessary to load modules.
+
+Files are processed in alphabetical order.
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.d/autoindex.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/autoindex.conf
new file mode 100644
index 0000000..55f658e
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/autoindex.conf
@@ -0,0 +1,94 @@
+#
+# Directives controlling the display of server-generated directory listings.
+#
+# Required modules: mod_authz_core, mod_authz_host,
+#                   mod_autoindex, mod_alias
+#
+# To see the listing of a directory, the Options directive for the
+# directory must include "Indexes", and the directory must not contain
+# a file matching those listed in the DirectoryIndex directive.
+#
+
+#
+# IndexOptions: Controls the appearance of server-generated directory
+# listings.
+#
+IndexOptions FancyIndexing HTMLTable VersionSort
+
+# We include the /icons/ alias for FancyIndexed directory listings.  If
+# you do not use FancyIndexing, you may comment this out.
+#
+Alias /icons/ "/opt/rh/httpd24/root/usr/share/httpd/icons/"
+
+<Directory "/opt/rh/httpd24/root/usr/share/httpd/icons">
+    Options Indexes MultiViews FollowSymlinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+#
+# AddIcon* directives tell the server which icon to show for different
+# files or filename extensions.  These are only displayed for
+# FancyIndexed directories.
+#
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif /core
+AddIcon /icons/bomb.gif */core.*
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+#
+# DefaultIcon is which icon to show for files which do not have an icon
+# explicitly set.
+#
+DefaultIcon /icons/unknown.gif
+
+#
+# AddDescription allows you to place a short description after a file in
+# server-generated indexes.  These are only displayed for FancyIndexed
+# directories.
+# Format: AddDescription "description" filename
+#
+#AddDescription "GZIP compressed document" .gz
+#AddDescription "tar archive" .tar
+#AddDescription "GZIP compressed tar archive" .tgz
+
+#
+# ReadmeName is the name of the README file the server will look for by
+# default, and append to directory listings.
+#
+# HeaderName is the name of a file which should be prepended to
+# directory indexes. 
+ReadmeName README.html
+HeaderName HEADER.html
+
+#
+# IndexIgnore is a set of filenames which directory indexing should ignore
+# and not include in the listing.  Shell-style wildcarding is permitted.
+#
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.d/ssl.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/ssl.conf
new file mode 100644
index 0000000..a70324b
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/ssl.conf
@@ -0,0 +1,217 @@
+#
+# When we also provide SSL we have to listen to the 
+# the HTTPS port in addition.
+#
+Listen 0.0.0.0:8443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog builtin
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/opt/rh/httpd24/root/var/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:8443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:8443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog |/usr/bin/cat
+TransferLog |/usr/bin/cat
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect.  Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on 
+
+#   Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate.  If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase.  Note that a kill -HUP will prompt again.  A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is send or allowed to received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is send and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog |/usr/bin/cat \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>                                  
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.d/userdir.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/userdir.conf
new file mode 100644
index 0000000..b5d7a49
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/userdir.conf
@@ -0,0 +1,36 @@
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+#
+# The path to the end user account 'public_html' directory must be
+# accessible to the webserver userid.  This usually means that ~userid
+# must have permissions of 711, ~userid/public_html must have permissions
+# of 755, and documents contained therein must be world-readable.
+# Otherwise, the client will only receive a "403 Forbidden" message.
+#
+<IfModule mod_userdir.c>
+    #
+    # UserDir is disabled by default since it can confirm the presence
+    # of a username on the system (depending on home directory
+    # permissions).
+    #
+    UserDir disabled
+
+    #
+    # To enable requests to /~user/ to serve the user's public_html
+    # directory, remove the "UserDir disabled" line above, and uncomment
+    # the following line instead:
+    # 
+    #UserDir public_html
+</IfModule>
+
+#
+# Control access to UserDir directories.  The following is an example
+# for a site where these directories are restricted to read-only.
+#
+<Directory "/home/*/public_html">
+    AllowOverride FileInfo AuthConfig Limit Indexes
+    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+    Require method GET POST OPTIONS
+</Directory>
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.d/welcome.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/welcome.conf
new file mode 100644
index 0000000..34b4b72
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.d/welcome.conf
@@ -0,0 +1,18 @@
+# 
+# This configuration file enables the default "Welcome" page if there
+# is no default index page present for the root URL.  To disable the
+# Welcome page, comment out all the lines below. 
+#
+# NOTE: if this file is removed, it will be restored on upgrades.
+#
+<LocationMatch "^/+$">
+    Options -Indexes
+    ErrorDocument 403 /.noindex.html
+</LocationMatch>
+
+<Directory /opt/rh/httpd24/root/usr/share/httpd/noindex>
+    AllowOverride None
+    Require all granted
+</Directory>
+
+Alias /.noindex.html /opt/rh/httpd24/root/usr/share/httpd/noindex/index.html
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-base.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-base.conf
new file mode 100644
index 0000000..c109de6
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-base.conf
@@ -0,0 +1,67 @@
+#
+# This file loads most of the modules included with the Apache HTTP
+# Server itself.
+#
+
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule actions_module modules/mod_actions.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule allowmethods_module modules/mod_allowmethods.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule auth_digest_module modules/mod_auth_digest.so
+LoadModule authn_anon_module modules/mod_authn_anon.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authn_dbd_module modules/mod_authn_dbd.so
+LoadModule authn_dbm_module modules/mod_authn_dbm.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_socache_module modules/mod_authn_socache.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_dbd_module modules/mod_authz_dbd.so
+LoadModule authz_dbm_module modules/mod_authz_dbm.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_owner_module modules/mod_authz_owner.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule cache_module modules/mod_cache.so
+LoadModule cache_disk_module modules/mod_cache_disk.so
+LoadModule cache_socache_module modules/mod_cache_socache.so
+LoadModule data_module modules/mod_data.so
+LoadModule dbd_module modules/mod_dbd.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule dumpio_module modules/mod_dumpio.so
+LoadModule echo_module modules/mod_echo.so
+LoadModule env_module modules/mod_env.so
+LoadModule expires_module modules/mod_expires.so
+LoadModule ext_filter_module modules/mod_ext_filter.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule http2_module modules/mod_http2.so
+LoadModule include_module modules/mod_include.so
+LoadModule info_module modules/mod_info.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule logio_module modules/mod_logio.so
+LoadModule macro_module modules/mod_macro.so
+LoadModule mime_magic_module modules/mod_mime_magic.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule remoteip_module modules/mod_remoteip.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule request_module modules/mod_request.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+LoadModule socache_dbm_module modules/mod_socache_dbm.so
+LoadModule socache_memcache_module modules/mod_socache_memcache.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule status_module modules/mod_status.so
+LoadModule substitute_module modules/mod_substitute.so
+LoadModule suexec_module modules/mod_suexec.so
+LoadModule unique_id_module modules/mod_unique_id.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule userdir_module modules/mod_userdir.so
+LoadModule version_module modules/mod_version.so
+LoadModule vhost_alias_module modules/mod_vhost_alias.so
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-dav.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-dav.conf
new file mode 100644
index 0000000..e6af8de
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-dav.conf
@@ -0,0 +1,3 @@
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+LoadModule dav_lock_module modules/mod_dav_lock.so
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-lua.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-lua.conf
new file mode 100644
index 0000000..9e0d0db
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-lua.conf
@@ -0,0 +1 @@
+LoadModule lua_module modules/mod_lua.so
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-mpm.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-mpm.conf
new file mode 100644
index 0000000..7bfd1d4
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-mpm.conf
@@ -0,0 +1,19 @@
+# Select the MPM module which should be used by uncommenting exactly
+# one of the following LoadModule lines:
+
+# prefork MPM: Implements a non-threaded, pre-forking web server
+# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
+LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+
+# worker MPM: Multi-Processing Module implementing a hybrid
+# multi-threaded multi-process web server
+# See: http://httpd.apache.org/docs/2.4/mod/worker.html
+#
+#LoadModule mpm_worker_module modules/mod_mpm_worker.so
+
+# event MPM: A variant of the worker MPM with the goal of consuming
+# threads only for connections with active processing
+# See: http://httpd.apache.org/docs/2.4/mod/event.html
+#
+#LoadModule mpm_event_module modules/mod_mpm_event.so
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-optional.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-optional.conf
new file mode 100644
index 0000000..70bda5e
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-optional.conf
@@ -0,0 +1,20 @@
+#
+# This file lists modules included with the Apache HTTP Server
+# which are not enabled by default.
+# 
+
+#LoadModule asis_module modules/mod_asis.so
+#LoadModule buffer_module modules/mod_buffer.so
+#LoadModule file_cache_module modules/mod_file_cache.so
+#LoadModule watchdog_module modules/mod_watchdog.so
+#LoadModule heartbeat_module modules/mod_heartbeat.so
+#LoadModule heartmonitor_module modules/mod_heartmonitor.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule dialup_module modules/mod_dialup.so
+#LoadModule charset_lite_module modules/mod_charset_lite.so
+#LoadModule log_debug_module modules/mod_log_debug.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
+#LoadModule ratelimit_module modules/mod_ratelimit.so
+#LoadModule reflector_module modules/mod_reflector.so
+#LoadModule sed_module modules/mod_sed.so
+#LoadModule speling_module modules/mod_speling.so
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-proxy.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-proxy.conf
new file mode 100644
index 0000000..cc0bca0
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-proxy.conf
@@ -0,0 +1,16 @@
+# This file configures all the proxy modules:
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
+LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
+LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
+LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
+LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+LoadModule proxy_connect_module modules/mod_proxy_connect.so
+LoadModule proxy_express_module modules/mod_proxy_express.so
+LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
+LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
+LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-ssl.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-ssl.conf
new file mode 100644
index 0000000..53235cd
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-ssl.conf
@@ -0,0 +1 @@
+LoadModule ssl_module modules/mod_ssl.so
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-systemd.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-systemd.conf
new file mode 100644
index 0000000..b208c97
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/00-systemd.conf
@@ -0,0 +1,2 @@
+# This file configures systemd module:
+LoadModule systemd_module modules/mod_systemd.so
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/01-cgi.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/01-cgi.conf
new file mode 100644
index 0000000..5b8b936
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf.modules.d/01-cgi.conf
@@ -0,0 +1,14 @@
+# This configuration file loads a CGI module appropriate to the MPM
+# which has been configured in 00-mpm.conf.  mod_cgid should be used
+# with a threaded MPM; mod_cgi with the prefork MPM.
+
+<IfModule mpm_worker_module>
+   LoadModule cgid_module modules/mod_cgid.so
+</IfModule>
+<IfModule mpm_event_module>
+   LoadModule cgid_module modules/mod_cgid.so
+</IfModule>
+<IfModule mpm_prefork_module>
+   LoadModule cgi_module modules/mod_cgi.so
+</IfModule>
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf/httpd.conf b/setup/projects/katrin/files/etc/apache2-kaas/conf/httpd.conf
new file mode 100644
index 0000000..88fcb97
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf/httpd.conf
@@ -0,0 +1,353 @@
+#
+# This is the main Apache HTTP server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see 
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path.  If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
+# with ServerRoot set to '/www' will be interpreted by the
+# server as '/www/log/access_log', where as '/log/access_log' will be
+# interpreted as '/log/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path.  If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used.  If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "/opt/rh/httpd24/root/etc/httpd"
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to 
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 0.0.0.0:8080
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+Include conf.modules.d/*.conf
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.  
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User default
+Group root
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.  e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other 
+# <Directory> blocks below.
+#
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/opt/rh/httpd24/root/var/www/html"
+
+#
+# Relax access to content within /opt/rh/httpd24/root/var/www.
+#
+<Directory "/opt/rh/httpd24/root/var/www">
+    AllowOverride None
+    # Allow open access:
+    Require all granted
+</Directory>
+
+# Further relax access to the default document root:
+<Directory "/opt/rh/httpd24/root/var/www/html">
+    #
+    # Possible values for the Options directive are "None", "All",
+    # or any combination of:
+    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+    #
+    # Note that "MultiViews" must be named *explicitly* --- "Options All"
+    # doesn't give it to you.
+    #
+    # The Options directive is both complicated and important.  Please see
+    # http://httpd.apache.org/docs/2.4/mod/core.html#options
+    # for more information.
+    #
+    Options Indexes FollowSymLinks
+
+    #
+    # AllowOverride controls what directives may be placed in .htaccess files.
+    # It can be "All", "None", or any combination of the keywords:
+    #   Options FileInfo AuthConfig Limit
+    #
+    AllowOverride All
+
+    #
+    # Controls who can get stuff from this server.
+    #
+    Require all granted
+</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being 
+# viewed by Web clients. 
+#
+<Files ".ht*">
+    Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog |/usr/bin/cat
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+    #
+    # The following directives define some format nicknames for use with
+    # a CustomLog directive (see below).
+    #
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    #
+    # The location and format of the access logfile (Common Logfile Format).
+    # If you do not define any access logfiles within a <VirtualHost>
+    # container, they will be logged here.  Contrariwise, if you *do*
+    # define per-<VirtualHost> access logfiles, transactions will be
+    # logged therein and *not* in this file.
+    #
+    #CustomLog "logs/access_log" common
+
+    #
+    # If you prefer a logfile with access, agent, and referer information
+    # (Combined Logfile Format) you can use the following directive.
+    #
+    CustomLog |/usr/bin/cat combined
+</IfModule>
+
+<IfModule alias_module>
+    #
+    # Redirect: Allows you to tell clients about documents that used to 
+    # exist in your server's namespace, but do not anymore. The client 
+    # will make a new request for the document at its new location.
+    # Example:
+    # Redirect permanent /foo http://www.example.com/bar
+
+    #
+    # Alias: Maps web paths into filesystem paths and is used to
+    # access content that does not live under the DocumentRoot.
+    # Example:
+    # Alias /webpath /full/filesystem/path
+    #
+    # If you include a trailing / on /webpath then the server will
+    # require it to be present in the URL.  You will also likely
+    # need to provide a <Directory> section to allow access to
+    # the filesystem path.
+
+    #
+    # ScriptAlias: This controls which directories contain server scripts. 
+    # ScriptAliases are essentially the same as Aliases, except that
+    # documents in the target directory are treated as applications and
+    # run by the server when requested rather than as documents sent to the
+    # client.  The same rules about trailing "/" apply to ScriptAlias
+    # directives as to Alias.
+    #
+    ScriptAlias /cgi-bin/ "/opt/rh/httpd24/root/var/www/cgi-bin/"
+
+</IfModule>
+
+#
+# "/opt/rh/httpd24/root/var/www/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/opt/rh/httpd24/root/var/www/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule mime_module>
+    #
+    # TypesConfig points to the file containing the list of mappings from
+    # filename extension to MIME-type.
+    #
+    TypesConfig /etc/mime.types
+
+    #
+    # AddType allows you to add to or override the MIME configuration
+    # file specified in TypesConfig for specific file types.
+    #
+    #AddType application/x-gzip .tgz
+    #
+    # AddEncoding allows you to have certain browsers uncompress
+    # information on the fly. Note: Not all browsers support this.
+    #
+    #AddEncoding x-compress .Z
+    #AddEncoding x-gzip .gz .tgz
+    #
+    # If the AddEncoding directives above are commented-out, then you
+    # probably should define those extensions to indicate media types:
+    #
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    #
+    # AddHandler allows you to map certain file extensions to "handlers":
+    # actions unrelated to filetype. These can be either built into the server
+    # or added with the Action directive (see below)
+    #
+    # To use CGI scripts outside of ScriptAliased directories:
+    # (You will also need to add "ExecCGI" to the "Options" directive.)
+    #
+    #AddHandler cgi-script .cgi
+
+    # For type maps (negotiated resources):
+    #AddHandler type-map var
+
+    #
+    # Filters allow you to process content before it is sent to the client.
+    #
+    # To parse .shtml files for server-side includes (SSI):
+    # (You will also need to add "Includes" to the "Options" directive.)
+    #
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+#
+# Specify a default charset for all content served; this enables
+# interpretation of all content as UTF-8 by default.  To use the 
+# default browser choice (ISO-8859-1), or to allow the META tags
+# in HTML content to override this choice, comment out this
+# directive:
+#
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+    #
+    # The mod_mime_magic module allows the server to use various hints from the
+    # contents of the file itself to determine its type.  The MIMEMagicFile
+    # directive tells the module where the hint definitions are located.
+    #
+    MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it, 
+# memory-mapping or the sendfile syscall may be used to deliver
+# files.  This usually improves server performance, but must
+# be turned off when serving from networked-mounted 
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults if commented: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+EnableSendfile on
+
+# Supplemental configuration
+#
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/conf/magic b/setup/projects/katrin/files/etc/apache2-kaas/conf/magic
new file mode 100644
index 0000000..7c56119
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/conf/magic
@@ -0,0 +1,385 @@
+# Magic data for mod_mime_magic Apache module (originally for file(1) command)
+# The module is described in /manual/mod/mod_mime_magic.html
+#
+# The format is 4-5 columns:
+#    Column #1: byte number to begin checking from, ">" indicates continuation
+#    Column #2: type of data to match
+#    Column #3: contents of data to match
+#    Column #4: MIME type of result
+#    Column #5: MIME encoding of result (optional)
+
+#------------------------------------------------------------------------------
+# Localstuff:  file(1) magic for locally observed files
+# Add any locally observed files here.
+
+#------------------------------------------------------------------------------
+# end local stuff
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# Java
+
+0	short		0xcafe
+>2	short		0xbabe		application/java
+
+#------------------------------------------------------------------------------
+# audio:  file(1) magic for sound formats
+#
+# from Jan Nicolai Langfeldt <janl@ifi.uio.no>,
+#
+
+# Sun/NeXT audio data
+0	string		.snd
+>12	belong		1		audio/basic
+>12	belong		2		audio/basic
+>12	belong		3		audio/basic
+>12	belong		4		audio/basic
+>12	belong		5		audio/basic
+>12	belong		6		audio/basic
+>12	belong		7		audio/basic
+
+>12	belong		23		audio/x-adpcm
+
+# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format
+# that uses little-endian encoding and has a different magic number
+# (0x0064732E in little-endian encoding).
+0	lelong		0x0064732E	
+>12	lelong		1		audio/x-dec-basic
+>12	lelong		2		audio/x-dec-basic
+>12	lelong		3		audio/x-dec-basic
+>12	lelong		4		audio/x-dec-basic
+>12	lelong		5		audio/x-dec-basic
+>12	lelong		6		audio/x-dec-basic
+>12	lelong		7		audio/x-dec-basic
+#                                       compressed (G.721 ADPCM)
+>12	lelong		23		audio/x-dec-adpcm
+
+# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM"
+#					AIFF audio data
+8	string		AIFF		audio/x-aiff	
+#					AIFF-C audio data
+8	string		AIFC		audio/x-aiff	
+#					IFF/8SVX audio data
+8	string		8SVX		audio/x-aiff	
+
+# Creative Labs AUDIO stuff
+#					Standard MIDI data
+0	string	MThd			audio/unknown	
+#>9 	byte	>0			(format %d)
+#>11	byte	>1			using %d channels
+#					Creative Music (CMF) data
+0	string	CTMF			audio/unknown	
+#					SoundBlaster instrument data
+0	string	SBI			audio/unknown	
+#					Creative Labs voice data
+0	string	Creative\ Voice\ File	audio/unknown	
+## is this next line right?  it came this way...
+#>19	byte	0x1A
+#>23	byte	>0			- version %d
+#>22	byte	>0			\b.%d
+
+# [GRR 950115:  is this also Creative Labs?  Guessing that first line
+#  should be string instead of unknown-endian long...]
+#0	long		0x4e54524b	MultiTrack sound data
+#0	string		NTRK		MultiTrack sound data
+#>4	long		x		- version %ld
+
+# Microsoft WAVE format (*.wav)
+# [GRR 950115:  probably all of the shorts and longs should be leshort/lelong]
+#					Microsoft RIFF
+0	string		RIFF		audio/unknown
+#					- WAVE format
+>8	string		WAVE		audio/x-wav
+# MPEG audio.
+0   beshort&0xfff0  0xfff0  audio/mpeg
+# C64 SID Music files, from Linus Walleij <triad@df.lth.se>
+0   string      PSID        audio/prs.sid
+
+#------------------------------------------------------------------------------
+# c-lang:  file(1) magic for C programs or various scripts
+#
+
+# XPM icons (Greg Roelofs, newt@uchicago.edu)
+# ideally should go into "images", but entries below would tag XPM as C source
+0	string		/*\ XPM		image/x-xbm	7bit
+
+# this first will upset you if you're a PL/1 shop... (are there any left?)
+# in which case rm it; ascmagic will catch real C programs
+#					C or REXX program text
+0	string		/*		text/plain
+#					C++ program text
+0	string		//		text/plain
+
+#------------------------------------------------------------------------------
+# compress:  file(1) magic for pure-compression formats (no archives)
+#
+# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc.
+#
+# Formats for various forms of compressed data
+# Formats for "compress" proper have been moved into "compress.c",
+# because it tries to uncompress it to figure out what's inside.
+
+# standard unix compress
+0	string		\037\235	application/octet-stream	x-compress
+
+# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver)
+0       string          \037\213        application/octet-stream	x-gzip
+
+# According to gzip.h, this is the correct byte order for packed data.
+0	string		\037\036	application/octet-stream
+#
+# This magic number is byte-order-independent.
+#
+0	short		017437		application/octet-stream
+
+# XXX - why *two* entries for "compacted data", one of which is
+# byte-order independent, and one of which is byte-order dependent?
+#
+# compacted data
+0	short		0x1fff		application/octet-stream
+0	string		\377\037	application/octet-stream
+# huf output
+0	short		0145405		application/octet-stream
+
+# Squeeze and Crunch...
+# These numbers were gleaned from the Unix versions of the programs to
+# handle these formats.  Note that I can only uncrunch, not crunch, and
+# I didn't have a crunched file handy, so the crunch number is untested.
+#				Keith Waclena <keith@cerberus.uchicago.edu>
+#0	leshort		0x76FF		squeezed data (CP/M, DOS)
+#0	leshort		0x76FE		crunched data (CP/M, DOS)
+
+# Freeze
+#0	string		\037\237	Frozen file 2.1
+#0	string		\037\236	Frozen file 1.0 (or gzip 0.5)
+
+# lzh?
+#0	string		\037\240	LZH compressed data
+
+#------------------------------------------------------------------------------
+# frame:  file(1) magic for FrameMaker files
+#
+# This stuff came on a FrameMaker demo tape, most of which is
+# copyright, but this file is "published" as witness the following:
+#
+0	string		\<MakerFile	application/x-frame
+0	string		\<MIFFile	application/x-frame
+0	string		\<MakerDictionary	application/x-frame
+0	string		\<MakerScreenFon	application/x-frame
+0	string		\<MML		application/x-frame
+0	string		\<Book		application/x-frame
+0	string		\<Maker		application/x-frame
+
+#------------------------------------------------------------------------------
+# html:  file(1) magic for HTML (HyperText Markup Language) docs
+#
+# from Daniel Quinlan <quinlan@yggdrasil.com>
+# and Anna Shergold <anna@inext.co.uk>
+#
+0   string      \<!DOCTYPE\ HTML    text/html
+0   string      \<!doctype\ html    text/html
+0   string      \<HEAD      text/html
+0   string      \<head      text/html
+0   string      \<TITLE     text/html
+0   string      \<title     text/html
+0   string      \<html      text/html
+0   string      \<HTML      text/html
+0   string      \<!--       text/html
+0   string      \<h1        text/html
+0   string      \<H1        text/html
+
+# XML eXtensible Markup Language, from Linus Walleij <triad@df.lth.se>
+0   string      \<?xml      text/xml
+
+#------------------------------------------------------------------------------
+# images:  file(1) magic for image formats (see also "c-lang" for XPM bitmaps)
+#
+# originally from jef@helios.ee.lbl.gov (Jef Poskanzer),
+# additions by janl@ifi.uio.no as well as others. Jan also suggested
+# merging several one- and two-line files into here.
+#
+# XXX - byte order for GIF and TIFF fields?
+# [GRR:  TIFF allows both byte orders; GIF is probably little-endian]
+#
+
+# [GRR:  what the hell is this doing in here?]
+#0	string		xbtoa		btoa'd file
+
+# PBMPLUS
+#					PBM file
+0	string		P1		image/x-portable-bitmap	7bit
+#					PGM file
+0	string		P2		image/x-portable-greymap	7bit
+#					PPM file
+0	string		P3		image/x-portable-pixmap	7bit
+#					PBM "rawbits" file
+0	string		P4		image/x-portable-bitmap
+#					PGM "rawbits" file
+0	string		P5		image/x-portable-greymap
+#					PPM "rawbits" file
+0	string		P6		image/x-portable-pixmap
+
+# NIFF (Navy Interchange File Format, a modification of TIFF)
+# [GRR:  this *must* go before TIFF]
+0	string		IIN1		image/x-niff
+
+# TIFF and friends
+#					TIFF file, big-endian
+0	string		MM		image/tiff
+#					TIFF file, little-endian
+0	string		II		image/tiff
+
+# possible GIF replacements; none yet released!
+# (Greg Roelofs, newt@uchicago.edu)
+#
+# GRR 950115:  this was mine ("Zip GIF"):
+#					ZIF image (GIF+deflate alpha)
+0	string		GIF94z		image/unknown
+#
+# GRR 950115:  this is Jeremy Wohl's Free Graphics Format (better):
+#					FGF image (GIF+deflate beta)
+0	string		FGF95a		image/unknown
+#
+# GRR 950115:  this is Thomas Boutell's Portable Bitmap Format proposal
+# (best; not yet implemented):
+#					PBF image (deflate compression)
+0	string		PBF		image/unknown
+
+# GIF
+0	string		GIF		image/gif
+
+# JPEG images
+0	beshort		0xffd8		image/jpeg
+
+# PC bitmaps (OS/2, Windoze BMP files)  (Greg Roelofs, newt@uchicago.edu)
+0	string		BM		image/bmp
+#>14	byte		12		(OS/2 1.x format)
+#>14	byte		64		(OS/2 2.x format)
+#>14	byte		40		(Windows 3.x format)
+#0	string		IC		icon
+#0	string		PI		pointer
+#0	string		CI		color icon
+#0	string		CP		color pointer
+#0	string		BA		bitmap array
+
+0	string		\x89PNG		image/png
+0	string		FWS		application/x-shockwave-flash
+0	string		CWS		application/x-shockwave-flash
+
+#------------------------------------------------------------------------------
+# lisp:  file(1) magic for lisp programs
+#
+# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
+0	string	;;			text/plain	8bit
+# Emacs 18 - this is always correct, but not very magical.
+0	string	\012(			application/x-elc
+# Emacs 19
+0	string	;ELC\023\000\000\000	application/x-elc
+
+#------------------------------------------------------------------------------
+# mail.news:  file(1) magic for mail and news
+#
+# There are tests to ascmagic.c to cope with mail and news.
+0	string		Relay-Version: 	message/rfc822	7bit
+0	string		#!\ rnews	message/rfc822	7bit
+0	string		N#!\ rnews	message/rfc822	7bit
+0	string		Forward\ to 	message/rfc822	7bit
+0	string		Pipe\ to 	message/rfc822	7bit
+0	string		Return-Path:	message/rfc822	7bit
+0	string		Path:		message/news	8bit
+0	string		Xref:		message/news	8bit
+0	string		From:		message/rfc822	7bit
+0	string		Article 	message/news	8bit
+#------------------------------------------------------------------------------
+# msword: file(1) magic for MS Word files
+#
+# Contributor claims:
+# Reversed-engineered MS Word magic numbers
+#
+
+0	string		\376\067\0\043			application/msword
+0	string		\333\245-\0\0\0			application/msword
+
+# disable this one because it applies also to other
+# Office/OLE documents for which msword is not correct. See PR#2608.
+#0	string		\320\317\021\340\241\261	application/msword
+
+
+
+#------------------------------------------------------------------------------
+# printer:  file(1) magic for printer-formatted files
+#
+
+# PostScript
+0	string		%!		application/postscript
+0	string		\004%!		application/postscript
+
+# Acrobat
+# (due to clamen@cs.cmu.edu)
+0	string		%PDF-		application/pdf
+
+#------------------------------------------------------------------------------
+# sc:  file(1) magic for "sc" spreadsheet
+#
+38	string		Spreadsheet	application/x-sc
+
+#------------------------------------------------------------------------------
+# tex:  file(1) magic for TeX files
+#
+# XXX - needs byte-endian stuff (big-endian and little-endian DVI?)
+#
+# From <conklin@talisman.kaleida.com>
+
+# Although we may know the offset of certain text fields in TeX DVI
+# and font files, we can't use them reliably because they are not
+# zero terminated. [but we do anyway, christos]
+0	string		\367\002	application/x-dvi
+#0	string		\367\203	TeX generic font data
+#0	string		\367\131	TeX packed font data
+#0	string		\367\312	TeX virtual font data
+#0	string		This\ is\ TeX,	TeX transcript text	
+#0	string		This\ is\ METAFONT,	METAFONT transcript text
+
+# There is no way to detect TeX Font Metric (*.tfm) files without
+# breaking them apart and reading the data.  The following patterns
+# match most *.tfm files generated by METAFONT or afm2tfm.
+#2	string		\000\021	TeX font metric data
+#2	string		\000\022	TeX font metric data
+#>34	string		>\0		(%s)
+
+# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com)
+#0	string		\\input\ texinfo	Texinfo source text
+#0	string		This\ is\ Info\ file	GNU Info text
+
+# correct TeX magic for Linux (and maybe more)
+# from Peter Tobias (tobias@server.et-inf.fho-emden.de)
+#
+0	leshort		0x02f7		application/x-dvi
+
+# RTF - Rich Text Format
+0	string		{\\rtf		application/rtf
+
+#------------------------------------------------------------------------------
+# animation:  file(1) magic for animation/movie formats
+#
+# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8)
+#						MPEG file
+0	string		\000\000\001\263	video/mpeg
+#
+# The contributor claims:
+#   I couldn't find a real magic number for these, however, this
+#   -appears- to work.  Note that it might catch other files, too,
+#   so BE CAREFUL!
+#
+# Note that title and author appear in the two 20-byte chunks
+# at decimal offsets 2 and 22, respectively, but they are XOR'ed with
+# 255 (hex FF)! DL format SUCKS BIG ROCKS.
+#
+#						DL file version 1 , medium format (160x100, 4 images/screen)
+0	byte		1			video/unknown
+0	byte		2			video/unknown
+# Quicktime video, from Linus Walleij <triad@df.lth.se>
+# from Apple quicktime file format documentation.
+4   string      moov        video/quicktime
+4   string      mdat        video/quicktime
+
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/logs b/setup/projects/katrin/files/etc/apache2-kaas/logs
new file mode 120000
index 0000000..2a478fd
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/logs
@@ -0,0 +1 @@
+/var/log/httpd24
+\ No newline at end of file
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/modules b/setup/projects/katrin/files/etc/apache2-kaas/modules
new file mode 120000
index 0000000..a4c456b
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/modules
@@ -0,0 +1 @@
+/opt/rh/httpd24/root/usr/lib64/httpd/modules
+\ No newline at end of file
diff --git a/setup/projects/katrin/files/etc/apache2-kaas/run b/setup/projects/katrin/files/etc/apache2-kaas/run
new file mode 120000
index 0000000..c1a28cf
--- /dev/null
+++ b/setup/projects/katrin/files/etc/apache2-kaas/run
@@ -0,0 +1 @@
+/opt/rh/httpd24/root/var/run/httpd
+\ No newline at end of file
diff --git a/setup/projects/katrin/files/www/kaas/index.html b/setup/projects/katrin/files/www/kaas/index.html
new file mode 100644
index 0000000..906ee19
--- /dev/null
+++ b/setup/projects/katrin/files/www/kaas/index.html
@@ -0,0 +1 @@
+<html><body>KAAS</body></html>
diff --git a/setup/projects/katrin/keys/kaas.crt b/setup/projects/katrin/keys/kaas.crt
new file mode 100644
index 0000000..82ef723
--- /dev/null
+++ b/setup/projects/katrin/keys/kaas.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmTCCAoGgAwIBAgIJAOnpyunJRkjVMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV
+BAYTAkRFMQswCQYDVQQIDAJCVzESMBAGA1UEBwwJS2FybHNydWhlMQwwCgYDVQQK
+DANLSVQxDDAKBgNVBAsMA0lQRTEXMBUGA1UEAwwOa2F0cmluLmtpdC5lZHUwHhcN
+MTQxMjE5MDEwMTEyWhcNMjQxMjE2MDEwMTEyWjBjMQswCQYDVQQGEwJERTELMAkG
+A1UECAwCQlcxEjAQBgNVBAcMCUthcmxzcnVoZTEMMAoGA1UECgwDS0lUMQwwCgYD
+VQQLDANJUEUxFzAVBgNVBAMMDmthdHJpbi5raXQuZWR1MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAyJ9+nKbhK4AaVyVH/jmAxPFC/o2shejmFL9jIE4I
+ryrdnirepxcgvd2xcpTYeOb5TMKKFtJmqeW3jPOB3jAEyLzvuy1aYwd/DNx4A9VU
+GO2shdqjPMaBOk4KjsjZnt+8toWJeABYsJ4nATpbM0ijkX6RqQoRboiaKWlvo10n
+qMfGmQjMR+lC5uhF5hWhHwD+qPigEFGYis73dgFDhydfl4pzPXBySv4hM4zHvHHH
+DO0QipGIxwmMrw4U/y4snN1hDCPFDJN3WehK4lt7tD8Ea1VwikCLh2eZ+v94BQC3
+060hHIC4lEhtTaDsNXrGIwzqVP9TPuOVEOgEAjxyN12D0wIDAQABo1AwTjAdBgNV
+HQ4EFgQUGTmlNR3S73QucufU1P+8TehunFQwHwYDVR0jBBgwFoAUGTmlNR3S73Qu
+cufU1P+8TehunFQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAfwuL
+ayz7Mg1YzX3RUISmN0rJYFS9u57qaWkGK5LX5s/6T9Ppzjd3sPcFwryycumcNJ3x
+G9iIuTX1n1/uPdwdulgGRtsq3vl1zLgI/at0UIZJxnQPxr73n8o5o9W5FFVRsJTs
+WN2t7DurOQi0nLiIG+qmHHrRmFpSsgeegM720VCS9Wf434r0XZVMNl1ngIk4ppo6
+/ecuRTxpv+iOM4j/QqFwXNZQwjGv3o1UZELJ9RMDVY7zGyL/77cu6Iz6aLVy3QrE
+qMexD5/zZTnrKc4dWmuQSDqgMJeLdyebxZnYT8LLLr/QtUMmm1iLCw1MuY4tmPIp
+j5rXZ3Oda5tHYrnPsA==
+-----END CERTIFICATE-----
diff --git a/setup/projects/katrin/keys/kaas.key b/setup/projects/katrin/keys/kaas.key
new file mode 100644
index 0000000..3d766c8
--- /dev/null
+++ b/setup/projects/katrin/keys/kaas.key
@@ -0,0 +1,90 @@
+$ANSIBLE_VAULT;1.1;AES256
+38323634333239303134316164343132636432356331393634343164663065353733323732656339
+6363343738363234626565343665326365343366363166370a623263626134646332393231656566
+37366136353864366562633832316338353233653930333430383235643337623433393464613765
+3734626432316164300a656139383462653761306435346433346637616565393132396137376661
+64643835393132633831386638613764613164663036356233663861653138613465663434643161
+36333666323862636665396261333532313833393038326339343136363239356235313463333661
+61316664366437333064336531333538333734356238323561626163313031383833613233386438
+64616337323230626463643535393831666363373864393432633539323732393266356232636663
+63303263393337643831376537386666373737656364663162663164353961323264373462366636
+38346163396139636131323134613337613164623533353163616539643333623264336434333662
+33386538646239336639303230653335626434633131336135393831656666326130383034656664
+65313766623466663138333062343061393532353630363532656139373939643362613265626461
+31666166393433646135353936373836636435613432646435643264653338306532656361316537
+62316164393638356635633931316537326262343561663165643837396365653461356432666433
+32326262336164376663343363353134373563653933616531653936333265383762613534363832
+36393765383032383762383961623462306334323463353739663362363336343130633935383064
+35396531343032656335623239373565376633313665313132656162626535656133633063396131
+31333936623738653435633562623061393961343736323539373464303735376266353232393639
+61353661663934313333363935346164316664616632396434353436646437313861303763326430
+34363335653564373963376162393836353234306534306334666263633261366434663265333134
+63633431303530616637633731366539613538313839653864336436633230303730653935366661
+62303765383834663230303334373865346630643739363336366537343465346361313530643436
+35653533313565663638363432656239366261316261613437353933643365623766353838386430
+39386539636332373732356334656365646362336539623934353337623264663866323866323966
+62633932316136623866393461333866396333373934333461323533323866303533333737366261
+33383131303932663231646238343661363565613466333463303262343831653839323162613134
+64633465343932643465653934646533366266656437616337643537383932623238633230346462
+39396263393431663631383931303063666539336432663730623338366439343739316539663364
+38626233333561313836616634306437653662323265633832343632336633396634326364323531
+38633836343063653037623666396534303032366136333737663562633763323831663265343466
+65643361643436613533386139336238633032616235363035396532646637383338383639393861
+65346661616534313764313738363131336235333662353735333466656635393233336332616435
+39326338323436646337313935373535396165386338626563363863633139353038373434613466
+35613565313734346361643664366533666663396664326164396534303638333831666631323063
+33343032636331643464633237363561653236656663346232663465663936633335643765666435
+62306536313464363333656437313264323065663436373464356338623264313464623937313934
+32623234393163653732376663333263633031626335353033613937393661336338383463626534
+30373261663732373535643831626565666136336666396130636434373034316132353238656234
+37646133383164356566306665393432376561383435653463363239343136303133373433346231
+38623833643863633433306466376639633066623733333435316233326539303239666232616264
+62306436613931303032653734633737613066653235623930386261626565643436653632336639
+36313066663933366562366236633965323534336361646131383432393634646564306532656162
+39303430643534333338663962346266663532623064303133366662313661626139373236636664
+63326435623838613039386134303663323439373639616634633266353334653737666434383037
+34306638306264393434653630373661373564613935303766363039666333303161373533316134
+36343632626265306239656361383939353736343139373437373162303437623236666137633666
+62626364353164373237306330313464623363643466343439653465353938663831323634363634
+37386635396261306366376630326534613337356235613863313632326435356461353730343339
+34393636316333373435326236363238656332616333393663653465326434396262313466336365
+38336635363762313530616666666335653865376363623965333064366462373030333735333630
+62653965666630613061646265376130626263313032323038626430383233666563646639373339
+30313032393237623634666464383635396431393866303530383235633265313161383563363532
+66336261336638616335356262303436633765363336616535633734313037383136313635313366
+33303963383135343064613637353432666461353661643834376666386633663964663565386465
+39616634343835323362613362376662326463633139653163313437636238386430623234663936
+63623566393434303937343461366361363661653364626265366630333036623735323435306332
+35666265383130313438353965353239343135663937613362323530323734626234633037326135
+32336266373734623534353239373238333333626537666433636261653333626137653335656331
+30326563666664316537316633643661626239366536333134376662643735386634396430633132
+39636266656131363063343731643366376664623062656262396235663636386564346364373533
+63633961656539386630643639383162303661656134363334373166303233346263646335393535
+37373131633834316239326265326266386230383430653564663138636334323736313363303561
+32353932366637316433333538353032396339366538636261613963613865396231646437313339
+63376635656466346165626361336161333638366166356431336361343761613431303161626462
+36613266393633643333386238656161393337326637353464646264356139326466353763393465
+33383564323333313861336565323762386539303737306362613930646330653636396466303238
+38636365343234663436363334303439666366366462633537393362623133376430616136376235
+33616561353764643236636633633561633230303338613136343537353236316666376537393836
+35383336626662353562383034653532303663613033316534623832333633633737613266343665
+34393235623231336533613331643566303237623238663762393331373636623065643666393137
+61383264356564663165326266626263303363376634303238323861633533396137666163343162
+64636633333033373138313133346539333634373265396231653665323062396432383435393864
+32633763646230343639646637626434353336346265643439653863366335363935343934623334
+32636534366435383863353065393731613361343336633364303061303432366230393431393939
+33666632656135343263373934326262643936383337343137353434633434636535623835346439
+30653437376538373961306439343966343039303262396339343866313937383231616465336332
+64663434643466336665376462356561353266313730336435623832643230376434636536356163
+34613964343132356233623966316462643737613234373466643164353133303837653237306536
+62616661373466383232353861653734363562343337343333353763656562616535373536306461
+66303131616163623835363366653737643933383938383735353635646234613064316533346330
+63633732326434653939323534366637333932313637326536316430326338666263343163363735
+35333435353238396236316132393838663430313137346362313865386135646234346530346261
+63373062303637336662373763393239646133633933613066643263326130396134343332633464
+32613061383665666266353264653732663765353832656364396235313339626565656133653735
+63663230316533666462396436396465363333363862356330656565633466363439363338383339
+37386462623035393931313938653064376239393863643831633431333633373938363132333030
+61623539636430316431616162383963663061353164313735306365353965336233663239656336
+30346531383561356439323062333263646536646232643263353533653563653634633962343933
+36356164306132386530373437396263393461373036333938343763386664653462
diff --git a/setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl b/setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl
new file mode 100644
index 0000000..d155267
--- /dev/null
+++ b/setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl
@@ -0,0 +1,43 @@
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: v1
+defaultAddCapabilities: null
+fsGroup:
+  type: MustRunAs
+groups:
+- system:authenticated
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: restricted denies access to all host features and requires
+      pods to be run with a UID, and SELinux context that are allocated to the namespace.  This
+      is the most restrictive SCC.
+  creationTimestamp: null
+  name: katrin-restricted
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SYS_CHROOT
+- SETUID
+- SETGID
+runAsUser:
+  type: MustRunAsRange
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+volumes:
+- glusterfs
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
diff --git a/setup/projects/katrin/templates/katrin.yml.j2.bk b/setup/projects/katrin/templates/katrin.yml.j2.bk
new file mode 100644
index 0000000..5d032b3
--- /dev/null
+++ b/setup/projects/katrin/templates/katrin.yml.j2.bk
@@ -0,0 +1,135 @@
+---
+apiVersion: v1
+kind: Template
+metadata:
+  name: kaas
+  annotations:
+    descriptions: "KATRIN Routing Service"
+objects:
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: kaas
+    spec:
+      selector:
+        name: kaas
+      ports:
+        - name: http
+          port: 80
+          targetPort: 8080
+        - name: https
+          port: 443
+          targetPort: 8443
+  - apiVersion: v1
+    kind: Route
+    metadata:
+      name: kaas
+    spec:
+      host: {{ kaas_project_config.katrin_node }}
+      to:
+        kind: Service
+        name: kaas
+      port:
+        targetPort: http
+      tls:
+        termination: edge   
+        insecureEdgeTerminationPolicy: Allow
+        certificate: |-
+          -----BEGIN CERTIFICATE-----
+          MIIDmTCCAoGgAwIBAgIJAOnpyunJRkjVMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV
+          BAYTAkRFMQswCQYDVQQIDAJCVzESMBAGA1UEBwwJS2FybHNydWhlMQwwCgYDVQQK
+          DANLSVQxDDAKBgNVBAsMA0lQRTEXMBUGA1UEAwwOa2F0cmluLmtpdC5lZHUwHhcN
+          MTQxMjE5MDEwMTEyWhcNMjQxMjE2MDEwMTEyWjBjMQswCQYDVQQGEwJERTELMAkG
+          A1UECAwCQlcxEjAQBgNVBAcMCUthcmxzcnVoZTEMMAoGA1UECgwDS0lUMQwwCgYD
+          VQQLDANJUEUxFzAVBgNVBAMMDmthdHJpbi5raXQuZWR1MIIBIjANBgkqhkiG9w0B
+          AQEFAAOCAQ8AMIIBCgKCAQEAyJ9+nKbhK4AaVyVH/jmAxPFC/o2shejmFL9jIE4I
+          ryrdnirepxcgvd2xcpTYeOb5TMKKFtJmqeW3jPOB3jAEyLzvuy1aYwd/DNx4A9VU
+          GO2shdqjPMaBOk4KjsjZnt+8toWJeABYsJ4nATpbM0ijkX6RqQoRboiaKWlvo10n
+          qMfGmQjMR+lC5uhF5hWhHwD+qPigEFGYis73dgFDhydfl4pzPXBySv4hM4zHvHHH
+          DO0QipGIxwmMrw4U/y4snN1hDCPFDJN3WehK4lt7tD8Ea1VwikCLh2eZ+v94BQC3
+          060hHIC4lEhtTaDsNXrGIwzqVP9TPuOVEOgEAjxyN12D0wIDAQABo1AwTjAdBgNV
+          HQ4EFgQUGTmlNR3S73QucufU1P+8TehunFQwHwYDVR0jBBgwFoAUGTmlNR3S73Qu
+          cufU1P+8TehunFQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAfwuL
+          ayz7Mg1YzX3RUISmN0rJYFS9u57qaWkGK5LX5s/6T9Ppzjd3sPcFwryycumcNJ3x
+          G9iIuTX1n1/uPdwdulgGRtsq3vl1zLgI/at0UIZJxnQPxr73n8o5o9W5FFVRsJTs
+          WN2t7DurOQi0nLiIG+qmHHrRmFpSsgeegM720VCS9Wf434r0XZVMNl1ngIk4ppo6
+          /ecuRTxpv+iOM4j/QqFwXNZQwjGv3o1UZELJ9RMDVY7zGyL/77cu6Iz6aLVy3QrE
+          qMexD5/zZTnrKc4dWmuQSDqgMJeLdyebxZnYT8LLLr/QtUMmm1iLCw1MuY4tmPIp
+          j5rXZ3Oda5tHYrnPsA==
+          -----END CERTIFICATE-----
+        key: |-
+          -----BEGIN PRIVATE KEY-----
+          MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIn36cpuErgBpX
+          JUf+OYDE8UL+jayF6OYUv2MgTgivKt2eKt6nFyC93bFylNh45vlMwooW0map5beM
+          84HeMATIvO+7LVpjB38M3HgD1VQY7ayF2qM8xoE6TgqOyNme37y2hYl4AFiwnicB
+          OlszSKORfpGpChFuiJopaW+jXSeox8aZCMxH6ULm6EXmFaEfAP6o+KAQUZiKzvd2
+          AUOHJ1+XinM9cHJK/iEzjMe8cccM7RCKkYjHCYyvDhT/Liyc3WEMI8UMk3dZ6Eri
+          W3u0PwRrVXCKQIuHZ5n6/3gFALfTrSEcgLiUSG1NoOw1esYjDOpU/1M+45UQ6AQC
+          PHI3XYPTAgMBAAECggEAFFXubIyR2Gn0wY6a3I8RmWTnKIxNx4kTAVlg/95JDRBo
+          RGcOCJvUispU+UtTIfYvoPM7MhMDqwcI8vWf3Vi6s2pLVorDVbRl0XTriV/vVVOK
+          IEtILpnkcXeFpHGBdZQyOcIRbCOE2eo+A+bZZbpgMhhFRYAqwiyAi+APG90ObxIb
+          AqTEeTyztqyrKfnTdr50owL2KT7adS6XuSUNX681IJc+szbQ7piXN57Kdxd2PydM
+          JnSZAOBpQHkbiOEDUseeDjYRT23loeMIS7nWTwo1Y1LwsEKL5S7C0fKBfZV9xARw
+          TntGuM87HzbAk4535We8qW3t/5EqpzurgK7u9/PEEQKBgQDjy8CjDdobGK9+VUDg
+          iHbANbzEB4LrpVJiE+esr0iLXOoMdfTPwpd4XpbPPOjx/A9+6VfpdGt1EdZwLMpy
+          qryPW0iumsri3iPSVBS79mN6WmwYhNOcOTWlmbs4pEhubht9aNBi7rZ7QZgV3PLN
+          7YBZHzxfyxTcIBCAzzoF7zaUeQKBgQDhdneOijWAYx0AMKTBzJw52KO/gloTDl9M
+          mOhvUIuYxkUE/mDE5EqI6k9VkbAqUvlD3z2S7yNY+h2hldO+u3w8GPo+bTCMyNDB
+          0tQGCZnbKl8mfmItUlTyJ/MmNbanmYI2VmhDTMh6S8d8qKW9txXfDEXrzY2p7z/X
+          gRF3Ow9PqwKBgGw7CMHv+Ora5bbehr6n19QnNBLnhrqzh9r1niOb/JnKgaF+Ad0c
+          lZ8pQfog9ITUwAAKmixflha/bOVLQr0Mhh6Ovo/HGBKGfPqX3GoZ/NXLVISpx2j4
+          fZa63gthctCVHBaP0ELRLH6PgdURb4OMDmlJwAO7l6Om0HCDBQyAxavxAoGAZPUJ
+          QBh/MIgxGj6t5+HZKsXpPP3/m3zaC5CEtCOa/sP5b+0AI+odvgU9lRFxkuIon828
+          4qiWaWdGEW7nrAaD8N02YPG/xaq+X6wqKLHv5QWqKbB6AdVWGEDvTfLLYW0Js48p
+          jMk7FBgOsbFK1hK/hmsWfCpE/w0Ux0kSKxOVHZUCgYEA41rhW18+KdxJyQTZaQRV
+          0KQr8/30L116XYYTYrkILa6504nXMr7xSHuMxaPNl20b/sBz8a8VuKJt2CLZQ0Q3
+          oW3GAG2Fk+mvrauLriiJ2KgZkS5IJweJKHbIk1GQrucNArNojk9unrqN8wpa3Ywo
+          9GafqnfUGu+FVd1CKolicSA=
+          -----END PRIVATE KEY-----
+  - apiVersion: v1
+    kind: DeploymentConfig
+    metadata:
+      name: kaas
+    spec:
+      replicas: 1
+      selector:
+        name: kaas
+      template:
+        metadata:
+          name: kaas
+          labels:
+            name: kaas
+        strategy:
+          type: Rolling
+        triggers:
+          - type: ConfigChange
+        spec:
+          nodeSelector:
+            master: "1"
+          containers:
+            - name: kaas
+              image: centos/httpd-24-centos7
+              imagePullPolicy: Always
+              ports:
+                - containerPort: 8080
+                - containerPort: 8443
+              volumeMounts:
+                - name: config
+                  subPath: etc/apache2-kaas
+                  mountPath: /etc/httpd
+                - name: config
+                  subPath: log/apache2-kaas
+                  mountPath: /var/log/httpd24
+                - name: config
+                  subPath: htdocs/kaas
+                  mountPath: /opt/rh/httpd24/root/var/www/html
+              livenessProbe:
+                timeoutSeconds: 1
+                initialDelaySeconds: 3
+                httpGet: 
+                  path: /index.html
+                  port: 8080
+          volumes:
+            - name: config
+              persistentVolumeClaim: 
+                claimName: openshift
diff --git a/setup/projects/katrin/vars/globals.yml b/setup/projects/katrin/vars/globals.yml
new file mode 100644
index 0000000..50776ff
--- /dev/null
+++ b/setup/projects/katrin/vars/globals.yml
@@ -0,0 +1,2 @@
+#katrin_node: katrin.kit.edu
+katrin_node: "katrin.{{ openshift_master_default_subdomain }}"
diff --git a/setup/projects/katrin/vars/katrin.yml b/setup/projects/katrin/vars/katrin.yml
new file mode 100644
index 0000000..c825654
--- /dev/null
+++ b/setup/projects/katrin/vars/katrin.yml
@@ -0,0 +1,7 @@
+#katrin_openshift_volumes:
+#adei_openshift_volumes:
+
+#volumes: "{{ ands_openshift_volumes | combine (katrin_openshift_volumes, adei_openshift_volumes) }}"
+#files: "{{ ands_openshift_files | union([]) }}"
+#file_owner: katrin
+#file_group: katrin
+\ No newline at end of file
diff --git a/setup/projects/katrin/vars/pods.yml b/setup/projects/katrin/vars/pods.yml
new file mode 100644
index 0000000..3bfcfd7
--- /dev/null
+++ b/setup/projects/katrin/vars/pods.yml
@@ -0,0 +1,22 @@
+# First port is exposed
+pods:
+  kaas:
+    service: { host: "{{ katrin_node }}", ports: [ 80/8080, 443/8043 ] }
+    sched: { replicas: 1, selector: { master: 1 } }
+    selector: { master: 1 }
+    images:
+      - image: "centos/httpd-24-centos7"
+        mappings: 
+          - { name: "etc", path: "apache2-kaas", mount: "/etc/httpd24" }
+          - { name: "www", path: "kaas", mount: "/opt/rh/httpd24/root/var/www/html" }
+          - { name: "log", path: "apache2-kaas", mount: "/var/log/httpd24" }
+        probes:
+          - { port: 8080, path: '/index.html' }
+
+#oc:
+#  - template: "[0-3]*"
+#  - template: "[4-6]*"
+#  - resource: "route/apache" 
+#    oc: "expose svc/kaas --name apache --hostname=apache.{{ openshift_master_default_subdomain }}"
+#  - template: "*"
+  
+\ No newline at end of file
diff --git a/setup/users/htpasswd b/setup/users/htpasswd
new file mode 100644
index 0000000..cf0d67e
--- /dev/null
+++ b/setup/users/htpasswd
@@ -0,0 +1,3 @@
+pdv:$apr1$ACvj6uUa$Nm1Vq8hZq3RzTtaYpAHv01
+csa:$apr1$IqEwdnzy$UAdd8ZSFnXommBbj29w3c0
+katrin:$apr1$/hxgbxC4$/MxeHtIYvAJcIQFR5Jz0E0
diff --git a/setup/users/users.yml b/setup/users/users.yml
new file mode 120000
index 0000000..b201d8a
--- /dev/null
+++ b/setup/users/users.yml
@@ -0,0 +1 @@
+../configs/openshift.yml
+\ No newline at end of file