commit 39fbe6669b21249cb5fef41a6b36fe01801ab054
Author: Kazuhiro MUSASHI
Date: Sun Mar 3 16:50:49 2019 +0800
initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f55e725
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+vendor
+*.swp
+.bundle/
+./nodes/
diff --git a/.rubocop-todo.yml b/.rubocop-todo.yml
new file mode 100644
index 0000000..b7b73d5
--- /dev/null
+++ b/.rubocop-todo.yml
@@ -0,0 +1,14 @@
+MethodLength:
+ Enabled: false
+
+LineLength:
+ Enabled: false
+
+NumericLiterals:
+ Enabled: false
+
+AmbiguousRegexpLiteral:
+ Enabled: false
+
+AbcSize:
+ Enabled: false
diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000..e70f78b
--- /dev/null
+++ b/.rubocop.yml
@@ -0,0 +1,16 @@
+inherit_from: .rubocop-todo.yml
+
+AllCops:
+ Exclude:
+ - 'cookbooks/**/*'
+ - 'tmp/**/*'
+ - 'vendor/bundle/**/*'
+ - 'site-cookbooks/sensu-custom/files/default/tw.rb'
+ - 'images/**/*'
+
+Style/CommandLiteral:
+ EnforcedStyle: mixed
+ AllowInnerBackticks: true
+
+Style/PerlBackrefs:
+ Enabled: false
diff --git a/.ruby-version b/.ruby-version
new file mode 100644
index 0000000..005119b
--- /dev/null
+++ b/.ruby-version
@@ -0,0 +1 @@
+2.4.1
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..1c22f2d
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gem 'itamae'
+gem 'serverspec'
+
+gem 'itamae-plugin-resource-encrypted_remote_file'
+gem 'reversible_cryptography'
+
+gem 'rubocop'
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..6e4a4e3
--- /dev/null
+++ b/Gemfile.lock
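Review bot: `./nodes/` in .gitignore matches nothing, because gitignore patterns are compared against paths relative to the .gitignore file and a leading `./` is taken literally rather than normalised away; the nodes directory (presumably the per-host attribute files this itamae layout keeps there) is therefore not ignored and can be committed by accident. Use `nodes/` instead, or `/nodes/` to anchor it at the repository root. The other three patterns are fine.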
@@ -0,0 +1,81 @@
+GEM + remote: https://rubygems.org/ + specs: + ansi (1.5.0) + ast (2.4.0) + diff-lcs (1.3) + hashie (3.6.0) + itamae (1.10.1) + ansi + hashie + schash (~> 0.1.0) + specinfra (>= 2.64.0, < 3.0.0) + thor + itamae-plugin-resource-encrypted_remote_file (0.0.2) + itamae (>= 1.2) + reversible_cryptography + jaro_winkler (1.5.1) + multi_json (1.13.1) + net-scp (1.2.1) + net-ssh (>= 2.6.5) + net-ssh (5.0.2) + net-telnet (0.1.1) + parallel (1.12.1) + parser (2.5.3.0) + ast (~> 2.4.0) + powerpack (0.1.2) + rainbow (3.0.0) + reversible_cryptography (0.5.0) + thor + rspec (3.8.0) + rspec-core (~> 3.8.0) + rspec-expectations (~> 3.8.0) + rspec-mocks (~> 3.8.0) + rspec-core (3.8.0) + rspec-support (~> 3.8.0) + rspec-expectations (3.8.2) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.8.0) + rspec-its (1.2.0) + rspec-core (>= 3.0.0) + rspec-expectations (>= 3.0.0) + rspec-mocks (3.8.0) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.8.0) + rspec-support (3.8.0) + rubocop (0.61.1) + jaro_winkler (~> 1.5.1) + parallel (~> 1.10) + parser (>= 2.5, != 2.5.1.1) + powerpack (~> 0.1) + rainbow (>= 2.2.2, < 4.0) + ruby-progressbar (~> 1.7) + unicode-display_width (~> 1.4.0) + ruby-progressbar (1.10.0) + schash (0.1.2) + serverspec (2.41.3) + multi_json + rspec (~> 3.0) + rspec-its + specinfra (~> 2.72) + sfl (2.3) + specinfra (2.76.3) + net-scp + net-ssh (>= 2.7) + net-telnet (= 0.1.1) + sfl + thor (0.20.3) + unicode-display_width (1.4.0) + +PLATFORMS + ruby + +DEPENDENCIES + itamae + itamae-plugin-resource-encrypted_remote_file + reversible_cryptography + rubocop + serverspec + +BUNDLED WITH + 1.16.1
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..99233bd
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,3 @@
+#!/usr/bin/env rake
+
+Dir['tasks/**/*.rake'].each { |path| load path }
diff --git a/cookbooks/base/aws_ec2.rb b/cookbooks/base/aws_ec2.rb
new file mode 100644
index 0000000..6dea5fd
--- /dev/null
+++ b/cookbooks/base/aws_ec2.rb
@@ -0,0 +1,27 @@
+# Make swap file:
+[
+ 'dd if=/dev/zero of=/swap.img bs=1M count=2048 && chomod 600 /swap.img',
+ 'mkswap /swap.img'
+].each do |cmd|
+ execute cmd do
+ user 'root'
+
+ only_if 'test ! -f /swap.img -a `cat /proc/swaps | wc -l` -eq 1'
+ end
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+ action :edit
+
+ block do |content|
+ content << "/swap.img /dev/null swap defaults 0 2\n"
+ end
+
+ not_if 'grep swap.img /etc/fstab'
+end
+
+# Mount the swap file:
+execute 'swapon -ae' do
+ only_if 'test `cat /proc/swaps | wc -l` -eq 1'
+end
diff --git a/cookbooks/base/cron-apt.rb b/cookbooks/base/cron-apt.rb
new file mode 100644
index 0000000..9083ce4
--- /dev/null
+++ b/cookbooks/base/cron-apt.rb
@@ -0,0 +1,44 @@
+# Install `cron-apt`:
+package 'cron-apt'
+
+# From here, we are going to set up `cron-apt` to
+# install the important security updates every day.
+remote_file '/etc/cron-apt/config' do
+ user 'root'
+
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+remote_file '/etc/cron-apt/action.d/3-download' do
+ user 'root'
+
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
+ user 'root'
+
+ not_if 'test -e /etc/apt/security.sources.list'
+end
+
+file '/var/log/cron-apt/log' do
+ user 'root'
+
+ content 'foo\n'
+
+ owner 'root'
+ group 'root'
+ mode '666'
+
+ not_if 'test -e /var/log/cron-apt/log'
+end
+
+execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
+ user 'root'
+
+ not_if 'test -e /var/log/cron-apt/log'
+end
diff --git a/cookbooks/base/default.rb b/cookbooks/base/default.rb
new file mode 100644
index 0000000..97ad48e
--- /dev/null
+++ b/cookbooks/base/default.rb
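Review bot: `chomod 600 /swap.img` in the first command of cookbooks/base/aws_ec2.rb is a typo for `chmod`, so on a fresh host `dd` creates the image, the chained `chmod` fails as an unknown command, and the `execute` resource should fail the run; the swap file is then left with the default (world-readable) mode, and because `only_if 'test ! -f /swap.img ...'` sees the file on the next run, it is never corrected. Change the line to `'dd if=/dev/zero of=/swap.img bs=1M count=2048 && chmod 600 /swap.img',`. Swap can hold secrets paged out of process memory, so the 0600 mode is the part that matters here. The fstab line `/swap.img /dev/null swap defaults 0 2` also looks unusual: swap entries conventionally use `none` as the mount point and `0 0` for the dump/pass fields, which is worth confirming against fstab(5).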
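Review bot: `mode '666'` on `file '/var/log/cron-apt/log'` in cookbooks/base/cron-apt.rb makes the log of unattended security updates world-writable, so any local account can truncate or spoof it; cron-apt writes it as root, so `mode '644'` (or `'640'` with `group 'adm'`) is sufficient. `content 'foo\n'` is single-quoted, so the file is seeded with a literal backslash-n rather than a newline; `content "\n"` or an empty string is what the guard seems to intend. The `logrotate -f` execute below carries the same `not_if 'test -e /var/log/cron-apt/log'` guard, which is always true once the file resource above has run, so that step never executes — if a forced first rotation is the intent, it needs a different condition.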
@@ -0,0 +1,74 @@
+[
+ # only install amd64 package
+ # http://d.hatena.ne.jp/ritchey/20121229
+ 'dpkg --remove-architecture i386',
+
+ # Execute `apt update`
+ 'apt update',
+].each do |cmd|
+ execute cmd do
+ user 'root'
+
+ only_if 'dpkg --print-architecture | grep i386'
+ end
+end
+
+# Create /etc/sudoers.d/
+directory '/etc/sudoers.d/' do
+ owner 'root'
+ group 'root'
+ mode '750'
+end
+
+# motd configurations:
+remote_file '/etc/motd.tail' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+remote_file '/etc/update-motd.d/99-motd-update' do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+# Install the necessary packages:
+include_recipe './packages.rb'
+
+# Lang Setting:
+include_recipe './lang.rb'
+
+# `cron-apt` settings:
+include_recipe './cron-apt.rb'
+
+# `ufw` configurations:
+include_recipe './ufw.rb'
+
+# `sshd` configurations:
+include_recipe './ssh.rb'
+
+# `fortune` configurations:
+include_recipe './fortune.rb'
+
+# timezone configurations:
+include_recipe './timezone.rb'
+
+# ntp configurations:
+include_recipe './ntp.rb'
+
+# kernel configurations:
+include_recipe './kernel.rb'
+
+# Install mc command:
+include_recipe './mc.rb'
+
+# unnecessary configurations:
+if node['platform_version'].to_f == 16.04
+ include_recipe './unnecessary.rb'
+end
+
+# AWS EC2 Swap Setting:
+if node['is_ec2']
+ include_recipe './aws_ec2.rb'
+end
diff --git a/cookbooks/base/files/etc/cron-apt/action.d/3-download b/cookbooks/base/files/etc/cron-apt/action.d/3-download
new file mode 100644
index 0000000..93d2631
--- /dev/null
+++ b/cookbooks/base/files/etc/cron-apt/action.d/3-download
@@ -0,0 +1,2 @@
+autoclean -y
+upgrade -y -o APT::Get::Show-Upgraded=true
diff --git a/cookbooks/base/files/etc/cron-apt/config b/cookbooks/base/files/etc/cron-apt/config
new file mode 100644
index 0000000..8c21dc6
--- /dev/null
+++ b/cookbooks/base/files/etc/cron-apt/config
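Review bot: The guard `only_if 'dpkg --print-architecture | grep i386'` on the two `execute` resources at the top of cookbooks/base/default.rb tests the native architecture, which on the hosts the comment describes is amd64, so `dpkg --remove-architecture i386` and the following `apt update` are skipped even when i386 has been added as a foreign architecture; `dpkg --print-foreign-architectures` is the command that lists added architectures. Change the guard to `only_if 'dpkg --print-foreign-architectures | grep i386'`. Note also that `include_recipe './unnecessary.rb'` is gated on `node['platform_version']`, whereas ntp.rb, packages.rb, ssh.rb and timezone.rb in this commit shell out to parse /etc/os-release for the same release string; using the node attribute in all of them keeps the version check in one place.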
@@ -0,0 +1,11 @@
+# Configuration for cron-apt. For further information about the possible
+# configuration settings see the README file.
+
+SYSLOGON="always"
+DEBUG="verbose"
+
+MAILON=""
+
+APTCOMMAND=/usr/bin/apt
+
+OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list"
diff --git a/cookbooks/base/files/etc/motd.tail b/cookbooks/base/files/etc/motd.tail
new file mode 100644
index 0000000..746887f
--- /dev/null
+++ b/cookbooks/base/files/etc/motd.tail
@@ -0,0 +1,15 @@
+
+          
+          
+          
+                      
+                                  
+                                                          
+                                                                      
+                                                                                  
+                                                                                  
+                                                                                  
+                                                                                  
+                                                                      
+                                              
+
diff --git a/cookbooks/base/files/etc/ntp.conf b/cookbooks/base/files/etc/ntp.conf
new file mode 100644
index 0000000..cd75b19
--- /dev/null
+++ b/cookbooks/base/files/etc/ntp.conf
@@ -0,0 +1,66 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+pool 0.ubuntu.pool.ntp.org iburst
+pool 1.ubuntu.pool.ntp.org iburst
+pool 2.ubuntu.pool.ntp.org iburst
+pool 3.ubuntu.pool.ntp.org iburst
+
+# Use Ubuntu's ntp server as a fallback.
+pool ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+#Changes recquired to use pps synchonisation as explained in documentation:
+#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
+
+#server 127.127.8.1 mode 135 prefer # Meinberg GPS167 with PPS
+#fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware
+
+#server 127.127.22.1 # ATOM(PPS)
+#fudge 127.127.22.1 flag3 1 # enable PPS API
diff --git a/cookbooks/base/files/etc/ssh/sshd_config b/cookbooks/base/files/etc/ssh/sshd_config
new file mode 100644
index 0000000..6ed1d68
--- /dev/null
+++ b/cookbooks/base/files/etc/ssh/sshd_config
@@ -0,0 +1,91 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 10022
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Do not use DNS:
+UseDNS no
diff --git a/cookbooks/base/files/etc/ssh/sshd_config.1804 b/cookbooks/base/files/etc/ssh/sshd_config.1804
new file mode 100644
index 0000000..449ac09
--- /dev/null
+++ b/cookbooks/base/files/etc/ssh/sshd_config.1804
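Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` in cookbooks/base/files/etc/ssh/sshd_config keeps a DSA host key in service; DSA is limited to 1024-bit keys and OpenSSH stopped offering ssh-dss by default from 7.0, so drop that line, together with the protocol-1 leftovers `KeyRegenerationInterval 3600`, `ServerKeyBits 1024` and `RSAAuthentication yes`, which newer servers ignore with a deprecation warning. `X11Forwarding yes` is set both here and in sshd_config.1804 for what is otherwise a headless, key-only server (`PermitRootLogin no`, `PasswordAuthentication no`); unless X11 is actually used, `X11Forwarding no` removes a channel through which a compromised server can reach a connecting client's display. sshd_config.1804 also leaves `#UseDNS no` commented while this file sets it explicitly, so the two profiles differ on that point without an obvious reason.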
@@ -0,0 +1,122 @@
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 10022
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/cookbooks/base/files/etc/sysctl.d/90-vfs-cache-pressure.conf b/cookbooks/base/files/etc/sysctl.d/90-vfs-cache-pressure.conf
new file mode 100644
index 0000000..599fc1c
--- /dev/null
+++ b/cookbooks/base/files/etc/sysctl.d/90-vfs-cache-pressure.conf
@@ -0,0 +1,8 @@
+# `vfs_cache_pressure` configures how much the system will choose to cache inode
+# and dentry information over other data.
+#
+# Basically, this is access data about the filesystem.
+# This is generally very costly to look up and very frequently requested,
+# so it's an excellent thing for your system to cache.
+
+vm.vfs_cache_pressure = 50
diff --git a/cookbooks/base/files/etc/sysctl.d/90-vm-swappiness.conf b/cookbooks/base/files/etc/sysctl.d/90-vm-swappiness.conf
new file mode 100644
index 0000000..f50fd15
--- /dev/null
+++ b/cookbooks/base/files/etc/sysctl.d/90-vm-swappiness.conf
@@ -0,0 +1,9 @@
+# The swappiness parameter configures how often your system swaps data out of RAM to the swap space.
+# This is a value between 0 and 100 that represents a percentage.
+#
+# With values close to zero, the kernel will not swap data to the disk unless absolutely necessary.
+# Remember, interactions with the swap file are "expensive" in that they take a lot longer than
+# interactions with RAM and they can cause a significant reduction in performance.
+# Telling the system not to rely on the swap much will generally make your system faster.
+
+vm.swappiness = 10
diff --git a/cookbooks/base/files/etc/timezone b/cookbooks/base/files/etc/timezone
new file mode 100644
index 0000000..df777d1
--- /dev/null
+++ b/cookbooks/base/files/etc/timezone
@@ -0,0 +1 @@
+Asia/Tokyo
diff --git a/cookbooks/base/files/etc/update-motd.d/99-motd-update b/cookbooks/base/files/etc/update-motd.d/99-motd-update
new file mode 100644
index 0000000..0aaee6e
--- /dev/null
+++ b/cookbooks/base/files/etc/update-motd.d/99-motd-update
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo
+cat /etc/motd.tail
diff --git a/cookbooks/base/files/usr/share/git-core/templates/hooks/pre-commit b/cookbooks/base/files/usr/share/git-core/templates/hooks/pre-commit
new file mode 100644
index 0000000..db30ef6
--- /dev/null
+++ b/cookbooks/base/files/usr/share/git-core/templates/hooks/pre-commit
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# if the commit is first one, then pass
+
+if [ -z "$(git branch)" ]; then
+ exit 0
+fi
+
+# Otherwise, check if the branch is master, and if it is, fail.
+
+branch="$(git symbolic-ref HEAD 2>/dev/null)" || \
+ "$(git describe --contains --all HEAD)"
+
+if [ "${branch##refs/heads/}" = "master" ]; then
+ echo "Do not commit on the master branch!"
+ exit 1
+fi
diff --git a/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg b/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg
new file mode 100644
index 0000000..15a8694
--- /dev/null
+++ b/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ "$2" = "" ]; then
+ mv $1 $1.tmp
+
+ ID=`git branch | grep ^\* | awk '{print $2}' | cut -f 2 -d "/"`
+
+ cat < $1
+
+
+This commit refs/fixes #${ID}.
+# ^^^^^^^^^^
+EOF
+
+ cat $1.tmp >> $1
+fi
+
+exit 0
diff --git a/cookbooks/base/fortune.rb b/cookbooks/base/fortune.rb
new file mode 100644
index 0000000..92476bd
--- /dev/null
+++ b/cookbooks/base/fortune.rb
@@ -0,0 +1,21 @@
+# Install `fortune` package:
+package 'fortune' do
+ not_if 'test -e /usr/games/fortune'
+end
+
+URL='http://www.splitbrain.org/_media/projects/fortunes/fortune-starwars.tgz'
+TGZ='fortune-starwars.tgz'
+
+[
+ "wget #{URL} -O #{TGZ}",
+ "tar xf #{TGZ}",
+ 'cp fortune-starwars/starwars.dat /usr/share/games/fortunes/',
+ 'cp fortune-starwars/starwars /usr/share/games/fortunes/'
+].each do |cmd|
+ execute cmd do
+ user 'root'
+ cwd '/tmp/itamae_tmp/'
+
+ not_if 'test -e /usr/share/games/fortunes/starwars.dat'
+ end
+end
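Review bot: The fallback in `branch="$(git symbolic-ref HEAD 2>/dev/null)" || \ "$(git describe --contains --all HEAD)"` in the pre-commit hook never assigns `branch`: when `symbolic-ref` fails, the right-hand operand of `||` executes the output of `git describe` as a command instead of storing it, so the hook then compares an empty string with "master" and silently allows the commit. Move the alternation inside the substitution: `branch="$(git symbolic-ref HEAD 2>/dev/null || git describe --contains --all HEAD)"`. The rest of the hook is fine.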
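Review bot: `$1` is unquoted throughout the prepare-commit-msg hook (`mv $1 $1.tmp`, `cat $1.tmp >> $1`); git passes the path of the message file inside the repository's .git directory, so a checkout path containing whitespace breaks the hook. Quote them: `mv "$1" "$1.tmp"` and `cat "$1.tmp" >> "$1"`. The line shown as `cat < $1` reads as though a heredoc operator was lost in rendering (the lines down to `EOF` look like a heredoc body); if the committed file really contains `cat < $1`, the hook prints the message file and then tries to run the following lines as commands, which is worth checking against the file as committed. The `$1.tmp` copy is also never removed.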
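Review bot: `"wget #{URL} -O #{TGZ}"` in cookbooks/base/fortune.rb fetches the archive over plain `http://` and the next two steps extract it and copy the contents into /usr/share/games/fortunes as root with no integrity check, so anyone on the network path can substitute the archive. Use an https URL if the host offers one, and compare the download against a pinned digest before `tar xf`, e.g. an extra step `"echo '<EXPECTED_SHA256>  #{TGZ}' | sha256sum -c -"` between the download and the extraction (the digest value is a placeholder to be filled in from a trusted copy). With a digest in place the `not_if 'test -e .../starwars.dat'` guard also stops masking a bad first download.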
diff --git a/cookbooks/base/kernel.rb b/cookbooks/base/kernel.rb
new file mode 100644
index 0000000..2ce9e8e
--- /dev/null
+++ b/cookbooks/base/kernel.rb
@@ -0,0 +1,12 @@
+STORAGE = '/etc/sysctl.d'
+
+[
+ "#{STORAGE}/90-vm-swappiness.conf",
+ "#{STORAGE}/90-vfs-cache-pressure.conf"
+].each do |conf|
+ remote_file conf do
+ owner 'root'
+ group 'root'
+ mode '644'
+ end
+end
diff --git a/cookbooks/base/lang.rb b/cookbooks/base/lang.rb
new file mode 100644
index 0000000..b1e7217
--- /dev/null
+++ b/cookbooks/base/lang.rb
@@ -0,0 +1,20 @@
+# Language Settings:
+package 'language-pack-ja-base'
+
+execute 'locale-gen ja_JP.UTF-8' do
+ user 'root'
+
+ not_if 'locale -a | grep ja_JP.utf8'
+end
+
+execute 'dpkg-reconfigure --frontend=noninteractive locales' do
+ user 'root'
+
+ not_if 'locale -a | grep ja_JP.utf8'
+end
+
+execute 'update-locale LANG=ja_JP.UTF-8' do
+ user 'root'
+
+ not_if 'strings /etc/default/locale | grep ja_JP.UTF-8'
+end
diff --git a/cookbooks/base/mc.rb b/cookbooks/base/mc.rb
new file mode 100644
index 0000000..2b8d877
--- /dev/null
+++ b/cookbooks/base/mc.rb
@@ -0,0 +1,12 @@
+MC = 'https://dl.minio.io/client/mc/release/linux-amd64/mc'
+LOCATION = '/usr/local/bin/mc'
+
+execute "wget #{MC} -O #{LOCATION}" do
+ not_if "test -e #{LOCATION}"
+end
+
+file LOCATION do
+ mode '755'
+ user 'root'
+ group 'root'
+end
diff --git a/cookbooks/base/ntp.rb b/cookbooks/base/ntp.rb
new file mode 100644
index 0000000..aaf520d
--- /dev/null
+++ b/cookbooks/base/ntp.rb
@@ -0,0 +1,18 @@
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+ # do nothing
+else
+ package 'ntp'
+
+ remote_file '/etc/ntp.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[ntp]'
+ end
+
+ service 'ntp' do
+ action :nothing
+ end
+end
diff --git a/cookbooks/base/packages.rb b/cookbooks/base/packages.rb
new file mode 100644
index 0000000..333a531
--- /dev/null
+++ b/cookbooks/base/packages.rb
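Review bot: `execute "wget #{MC} -O #{LOCATION}"` in cookbooks/base/mc.rb writes whatever the floating `release/` URL serves straight into /usr/local/bin and the following `file` resource marks it 755, with no digest or signature check and no version pin, so every host ends up executing an unverified binary and a later run cannot tell a tampered file from the expected one. Download to a temporary path, verify a pinned SHA-256 (`echo '<EXPECTED_SHA256>  /tmp/mc' | sha256sum -c -`, digest to be filled in from the publisher's checksum for a specific release) and only then move it into `LOCATION`; a versioned release URL makes that check reproducible. Note also that `user 'root'` on the `file` resource selects the account itamae runs the resource as, not the file owner — the other recipes use `owner 'root'` for that — and that the `not_if "test -e #{LOCATION}"` guard means a partial download is never retried.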
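Review bot: `run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp` at the top of cookbooks/base/ntp.rb is repeated verbatim in packages.rb, ssh.rb and timezone.rb, while default.rb in the same commit reads `node['platform_version']` for the same decision; `case node['platform_version'] when '18.04'` in all four removes four shell-outs and the awkward nested quoting. The `# do nothing` branch for 18.04 presumably leaves time synchronisation to the service the image ships with (systemd-timesyncd on that release); a comment saying so would make the intent explicit to the next reader.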
@@ -0,0 +1,64 @@
+# Execute `apt update`:
+execute 'apt update'
+
+# Install the necessary packages:
+%w[build-essential zsh vim-nox debian-keyring screen curl dstat].each do |pkg|
+ package pkg
+end
+
+# Install the extra kernel:
+unless node['is_ec2']
+ case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+ when "18.04"
+ package 'linux-image-extra-virtual'
+ else
+ KERNEL = run_command("uname -r").stdout.chomp
+ package "linux-image-extra-#{KERNEL}"
+ end
+end
+
+### Here we are going to install git.
+# Constants:
+KEYSRV = 'hkp://keyserver.ubuntu.com:80'
+ID = 'E1DF1F24'
+
+GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push'
+PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push'
+
+# Retrieve the Ubuntu code:
+DIST = run_command('lsb_release -cs').stdout.chomp
+
+# Add the public key file to install `git`
+execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
+ not_if 'apt-key list | grep E1DF1F24'
+end
+
+# Deploy the `apt` sources:
+template '/etc/apt/sources.list.d/git.list' do
+ action :create
+ variables(distribution: DIST)
+end
+
+execute 'apt update' do
+ not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa'
+end
+
+execute 'apt install git -y' do
+ not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa'
+end
+
+execute "wget #{PREPUSH} -O #{GIT_PREPUSH}" do
+ not_if "test -e #{GIT_PREPUSH}"
+end
+
+[
+ '/usr/share/git-core/templates/hooks/pre-commit',
+ '/usr/share/git-core/templates/hooks/prepare-commit-msg',
+].each do |conf|
+ remote_file conf do
+ user 'root'
+ owner 'root'
+ group 'root'
+ mode '644'
+ end
+end
diff --git a/cookbooks/base/ssh.rb b/cookbooks/base/ssh.rb
new file mode 100644
index 0000000..728ff4d
--- /dev/null
+++ b/cookbooks/base/ssh.rb
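Review bot: `ID = 'E1DF1F24'` identifies the git PPA signing key by a 32-bit short key ID, and both `apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}` and the guard `not_if 'apt-key list | grep E1DF1F24'` match on that short ID; short IDs are cheap to collide, so a keyserver (reached here over unauthenticated hkp) can return a different key with the same suffix and it would be trusted for `apt install git`. Use the full 40-hex fingerprint for `--recv-keys` and for the guard. `execute "wget #{PREPUSH} -O #{GIT_PREPUSH}"` similarly installs a hook that runs on every `git push`; the gist URL is pinned to a revision, but nothing checks what was actually downloaded — ship it with the cookbook via `remote_file` like the pre-commit and prepare-commit-msg hooks just below, or verify a pinned SHA-256 before placing it.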
@@ -0,0 +1,35 @@
+# ToDo: `iptables` setting must be here:
+execute 'ufw allow 10022' do
+ user 'root'
+
+ not_if 'LANG=c ufw status | grep 10022'
+
+ notifies :run, 'execute[ufw reload-or-enable]'
+end
+
+# Deploy the `sshd` configuration file:
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+ remote_file '/etc/ssh/sshd_config' do
+ user 'root'
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ source 'files/etc/ssh/sshd_config.1804'
+ end
+else
+ remote_file '/etc/ssh/sshd_config' do
+ user 'root'
+ owner 'root'
+ group 'root'
+ mode '644'
+ end
+end
+
+
+# Apply the changes:
+execute 'systemctl reload ssh.service ' do
+ action :nothing
+ subscribes :run, 'remote_file[/etc/ssh/sshd_config]'
+end
diff --git a/cookbooks/base/templates/etc/apt/sources.list.d/git.list b/cookbooks/base/templates/etc/apt/sources.list.d/git.list
new file mode 100644
index 0000000..dbb2a29
--- /dev/null
+++ b/cookbooks/base/templates/etc/apt/sources.list.d/git.list
@@ -0,0 +1 @@
+deb "http://ppa.launchpad.net/git-core/ppa/ubuntu" <%= @distribution %> main
diff --git a/cookbooks/base/timezone.rb b/cookbooks/base/timezone.rb
new file mode 100644
index 0000000..2c76108
--- /dev/null
+++ b/cookbooks/base/timezone.rb
@@ -0,0 +1,23 @@
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+ execute 'timedatectl set-timezone Asia/Tokyo' do
+ not_if 'timedatectl | grep Tokyo'
+ end
+else
+ remote_file '/etc/timezone' do
+ user 'root'
+ owner 'root'
+ group 'root'
+ mode '644'
+ end
+
+ [
+ 'cp -f /usr/share/zoneinfo/Asia/Tokyo /etc/localtime'
+ ].each do |cmd|
+ execute cmd do
+ user 'root'
+
+ not_if 'diff /usr/share/zoneinfo/Asia/Tokyo /etc/localtime'
+ end
+ end
+end
diff --git a/cookbooks/base/ufw.rb b/cookbooks/base/ufw.rb
new file mode 100644
index 0000000..d9ecd41
--- /dev/null
+++ b/cookbooks/base/ufw.rb
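Review bot: `execute 'systemctl reload ssh.service '` in cookbooks/base/ssh.rb is fired by `subscribes :run, 'remote_file[/etc/ssh/sshd_config]'` with nothing validating the new file first, so a malformed sshd_config is applied to the only remote-access path unchecked and can leave sshd unable to accept new sessions; add `only_if 'sshd -t'` to that resource so a config error aborts the reload rather than the service. The guard `not_if 'LANG=c ufw status | grep 10022'` uses a lowercase `c` where ufw.rb spells the locale `LANG=C`, and a bare `grep 10022` also matches any rule containing that substring — `grep -w 10022` is closer to the intent. The trailing space in `'systemctl reload ssh.service '` becomes part of the resource name that any future `notifies` would have to reproduce exactly.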
@@ -0,0 +1,6 @@
+execute 'ufw reload-or-enable' do
+ user 'root'
+ command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
+
+ action :nothing
+end
diff --git a/cookbooks/base/unnecessary.rb b/cookbooks/base/unnecessary.rb
new file mode 100644
index 0000000..2132304
--- /dev/null
+++ b/cookbooks/base/unnecessary.rb
@@ -0,0 +1,5 @@
+%w( apparmor iscsid lxc lxcfs lxd-containers lxd open-iscsi ).each do |s|
+ service s do
+ action :disable
+ end
+end
diff --git a/cookbooks/blog/attributes.rb b/cookbooks/blog/attributes.rb
new file mode 100644
index 0000000..fd090ea
--- /dev/null
+++ b/cookbooks/blog/attributes.rb
@@ -0,0 +1,9 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+ 'blog' => {
+ 'FQDN' => 'blog.kazu634.com',
+ 'production' => true
+ }
+})
diff --git a/cookbooks/blog/default.rb b/cookbooks/blog/default.rb
new file mode 100644
index 0000000..d41bb85
--- /dev/null
+++ b/cookbooks/blog/default.rb
@@ -0,0 +1,6 @@
+include_recipe './attributes.rb'
+
+if node['blog']['production']
+ include_recipe './ssl.rb'
+ include_recipe './nginx.rb'
+end
diff --git a/cookbooks/blog/files/etc/cron.d/blog b/cookbooks/blog/files/etc/cron.d/blog
new file mode 100644
index 0000000..0418f45
--- /dev/null
+++ b/cookbooks/blog/files/etc/cron.d/blog
@@ -0,0 +1,2 @@
+@reboot webadm cp -pr /home/webadm/works/public/* /var/www/blog/
+12 3 * * * root openssl rand 48 > /etc/letsencrypt/live/blog.kazu634.com/ticket.key
diff --git a/cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem b/cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem
new file mode 100644
index 0000000..9507300
--- /dev/null
+++ b/cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem
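Review bot: `%w( apparmor iscsid lxc lxcfs lxd-containers lxd open-iscsi )` in cookbooks/base/unnecessary.rb disables `apparmor` together with the LXD and iSCSI services, but AppArmor is the mandatory-access-control layer that confines daemons shipping a profile (ntpd, installed by ntp.rb on pre-18.04 hosts, is one of them), so every 16.04 host loses that containment. Unless a specific profile is known to break something, take `apparmor` out of the list, or at least add a comment explaining why it is considered unnecessary. `action :disable` also only affects the next boot; a running instance keeps running until reboot, so `action [:stop, :disable]` is closer to what "unnecessary" means here.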
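Review bot: `12 3 * * * root openssl rand 48 > /etc/letsencrypt/live/blog.kazu634.com/ticket.key` in cookbooks/blog/files/etc/cron.d/blog rotates the TLS session-ticket key daily, but nginx only reads `ssl_session_ticket_key` when it starts or reloads, so without a reload the new key is never used and the in-memory key stays the same for the life of the process, which defeats the rotation. Append a reload and write the file with a restrictive mode, since anyone who can read the key can decrypt resumed sessions: `12 3 * * * root umask 077; openssl rand 48 > /etc/letsencrypt/live/blog.kazu634.com/ticket.key && systemctl reload nginx`. If sessions issued before the rotation should stay resumable, nginx supports listing a second key file that is only used for decryption.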
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAqY1i3j1m5Udr7eJxrsxBDK3NqsXJbPgfj2tdH+RlY8Bb7NuTPl9Z
+e5KtZ2UQlPcth9sSPgulg/V+g4GQhge8xACSl1joAenDpPF8BGyBcv/o9QwNpdzj
+yP9o4X/TQkDxGKTJItpfKMHdmBPYC8Sxv0NpPlkKT27kfwOpSRuj17ZWAl+AnOjS
+TjLzSq85/Ao7C0rgAhJRG38iZ36DXGWYtrA7n/F6wTlmelRwkNCGEypF79GWSU8P
+xCpVLTY6MIhDq5NBO3mzkeYyl0M1M8c7dwUAPAMCK43Fl6nfQbbbwSIxlxQy8WIq
+48s5TaJEp1hU2CXTgTa+cmm1JQziFBlwOZNAeAAIi6JcJRHCFhpUrTVirqPRIoUc
+c99xUs91aELi/nZggt0vrGd4kyQ6eB5pxB6kAJwNfP3URMjucttcukyhuu/jzDMd
+GNg1J75dAF606yunta8ZohecrabpkACQz9ZR+VOM0z4IGbI39M+EohFcxL7+8gSU
+VP537jDrlAjU2DtbE2Dr+dotg1LfIE4P5AGFIAPfKYE+YXJ85SNin7POMttw8TP2
+WlMVFAG159CBjPvGPuXqInBv6U5QHWxINSevHL6vdD12d7L9LjUHQQNaAborPe2Z
+rN7fPDbDib5vnxUBAayHgic8qw1/eqWIhAXyBGRG/EOuwKgr2DU5U3sCAQI=
+-----END DH PARAMETERS-----
diff --git a/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf b/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf
new file mode 100644
index 0000000..dda15cb
--- /dev/null
+++ b/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf
@@ -0,0 +1,2 @@
+check file nginx-blog with path /var/log/nginx/blog.access.log
+ if timestamp > 2 minutes for 5 cycles then exec "/bin/systemctl restart nginx"
diff --git a/cookbooks/blog/files/etc/nginx/sites-available/blog b/cookbooks/blog/files/etc/nginx/sites-available/blog
new file mode 100644
index 0000000..549d9b5
--- /dev/null
+++ b/cookbooks/blog/files/etc/nginx/sites-available/blog
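Review bot: `if timestamp > 2 minutes for 5 cycles then exec "/bin/systemctl restart nginx"` in blog-log.conf restarts nginx whenever the access log has not been written for five consecutive check cycles, i.e. whenever the site simply receives no traffic, and a restart does nothing to a log that is merely idle; a quiet site would be restarted over and over, each time dropping in-flight connections. A liveness check expresses the intent without that false positive — `check process nginx with pidfile <NGINX_PIDFILE>` plus an `if failed port 443 protocol https ... then restart` test (the pidfile path is a placeholder to match the host's nginx.conf). If the timestamp rule is kept, pair it with such a request test so it only fires when nginx is actually unresponsive.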
@@ -0,0 +1,90 @@
+server {
+ # allow access from localhost
+ listen 80 reuseport backlog=1024;
+ listen 443 ssl http2 backlog=1024;
+ server_name blog.kazu634.com;
+
+ ssl_certificate /etc/letsencrypt/live/blog.kazu634.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/blog.kazu634.com/privkey.pem;
+ ssl_dhparam /etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem;
+
+ ssl_session_cache shared:SSL:3m;
+ ssl_buffer_size 4k;
+ ssl_session_timeout 10m;
+
+ ssl_session_tickets on;
+ ssl_session_ticket_key /etc/letsencrypt/live/blog.kazu634.com/ticket.key;
+
+ ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA;
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.4.4 8.8.8.8 valid=300s;
+ resolver_timeout 10s;
+
+ # Enable HSTS (HTTP Strict Transport Security)
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+ root /var/www/blog;
+ index index.html index.htm;
+
+ access_log /var/log/nginx/blog.access.log ltsv;
+ error_log /var/log/nginx/blog.error.log;
+
+ location / {
+ gzip on;
+ gunzip on;
+ gzip_vary on;
+
+ # http2 server push:
+ http2_push_preload on;
+
+ http2_push /css/sanitize.css;
+ http2_push /css/responsive.css;
+ http2_push /css/highlight_monokai.css;
+ http2_push /css/theme.css;
+ http2_push /css/custom.css;
+ http2_push /images/profile.png;
+ http2_push /js/highlight.pack.js;
+
+ if (-e "/tmp/maintenance") {
+ return 503;
+ }
+
+ location /feed {
+ return 301 http://blog.kazu634.com/index.xml;
+ }
+
+ location /wp-content {
+ return 404;
+ }
+
+ location ~* \.css {
+ gzip_static always;
+
+ expires max;
+ }
+
+ location ~* \.js {
+ gzip_static always;
+
+ expires max;
+ }
+
+ location /images {
+ gzip_static always;
+
+ expires max;
+ }
+
+ location = /favicon.ico {
+ access_log off;
+ empty_gif;
+ expires max;
+ }
+
+ try_files $uri $uri/ /index.html;
+ }
+}
diff --git a/cookbooks/blog/nginx.rb b/cookbooks/blog/nginx.rb
new file mode 100644
index 0000000..19ab20c
--- /dev/null
+++ b/cookbooks/blog/nginx.rb
@@ -0,0 +1,63 @@
+# Deploy the nginx configuration file:
+remote_file '/etc/nginx/sites-available/blog' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+# Deploy cron tab configuration for nginx
+remote_file '/etc/cron.d/blog' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+# Create link:
+link '/etc/nginx/sites-enabled/blog' do
+ user 'root'
+ to '/etc/nginx/sites-available/blog'
+
+ notifies :restart, 'service[nginx]'
+end
+
+service 'nginx' do
+ action :nothing
+end
+
+# Create the nginx directory:
+directory '/var/www/blog' do
+ owner 'www-data'
+ group 'webadm'
+ mode '770'
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+ action :edit
+
+ block do |content|
+ content << "tmpfs /var/www/blog tmpfs size=250m,noatime 0 0\n"
+ end
+
+ not_if 'grep /var/www/blog /etc/fstab'
+
+ notifies :run, 'execute[fstab -a]'
+end
+
+execute 'mount -a' do
+ action :nothing
+end
+
+# Add monit configuration file for monitoring nginx logs:
+remote_file '/etc/monit/conf.d/blog-log.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :reload, 'service[monit]'
+end
+
+service 'monit' do
+ action :nothing
+end
+
diff --git a/cookbooks/blog/ssl.rb b/cookbooks/blog/ssl.rb
new file mode 100644
index 0000000..b57731b
--- /dev/null
+++ b/cookbooks/blog/ssl.rb
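Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` together with the static-RSA suites (`AES128-SHA`, `AES256-SHA`, …) and `DES-CBC3-SHA` at the tail of `ssl_ciphers` still admit TLS 1.0 handshakes with no forward secrecy and with 3DES, which sits oddly next to the `preload` HSTS header; `ssl_protocols TLSv1.2;` and an ECDHE-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` would match the stated posture. Since the current list contains no `DHE-` suite, the 4096-bit `ssl_dhparam` committed alongside is never exercised — harmless, but misleading as a hardening measure. `if (-e "/tmp/maintenance") { return 503; }` keys a site-wide outage on a file in the world-writable `/tmp`, so any local account can take the blog down; a root-owned flag such as `/etc/nginx/maintenance` removes that. The same server block answers plain HTTP on `listen 80` with the full content and `location /feed` redirects to `http://blog.kazu634.com/index.xml`, whereas HSTS preload submission expects HTTP to redirect to HTTPS and the feed redirect should be `https://`. Finally, `add_header` is emitted only on 2xx/3xx responses unless `always` is given, so the 503 and 404 branches above go out without the HSTS header; `add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;` closes that gap on nginx ≥ 1.7.5.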
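Review bot: The fstab edit notifies `execute[fstab -a]` but the only matching resource is named `mount -a`, so the notification targets a resource that does not exist and the tmpfs is never mounted on the run that adds the line (itamae either errors out or drops the notification, depending on version); it should read `notifies :run, 'execute[mount -a]'`. Once it does mount, the entry `size=250m,noatime` carries no `mode=`/`uid=`/`gid=`, so the mount hides the `770 www-data:webadm` directory created just above with a fresh tmpfs at tmpfs's default `1777 root:root` — a world-writable web root that nginx serves from. Spell the ownership out on the mount and drop capabilities the content never needs: `content << "tmpfs /var/www/blog tmpfs size=250m,noatime,nosuid,nodev,noexec,uid=www-data,gid=webadm,mode=0770 0 0\n"`. Because of `not_if 'grep /var/www/blog /etc/fstab'`, hosts that already have the old line will keep it, so the corrected entry has to be applied to them by hand.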
@@ -0,0 +1,16 @@
+[
+ 'rm -f /etc/nginx/sites-enabled/*',
+ 'ln -f -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance',
+ 'systemctl reload nginx',
+ "test -e /etc/letsencrypt/live/#{node['blog']['FQDN']}/cert.pem || certbot certonly --webroot -d #{node['blog']['FQDN']} --webroot-path /usr/share/nginx/html/ --email simoom634@yahoo.co.jp --agree-tos -n",
+ '/home/webadm/bin/nginx-config.sh',
+].each do |cmd|
+ execute cmd
+end
+
+remote_file "/etc/letsencrypt/live/#{node['blog']['FQDN']}/dhparams_4096.pem" do
+ owner 'root'
+ group 'root'
+end
+
+execute "openssl rand 48 > /etc/letsencrypt/live/#{node['blog']['FQDN']}/ticket.key"
diff --git a/cookbooks/consul-template/attributes.rb b/cookbooks/consul-template/attributes.rb
new file mode 100644
index 0000000..808ffaa
--- /dev/null
+++ b/cookbooks/consul-template/attributes.rb
@@ -0,0 +1,10 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+ 'consul-template' => {
+ 'base_binary_url' => 'https://releases.hashicorp.com/consul-template/',
+ 'arch' => node['kernel']['machine'] =~ /x86_64/ ? 'amd64' : '386',
+ 'tmp_path' => '/tmp/itamae_tmp/consul-template.zip'
+ }
+})
diff --git a/cookbooks/consul-template/default.rb b/cookbooks/consul-template/default.rb
new file mode 100644
index 0000000..69dfe7d
--- /dev/null
+++ b/cookbooks/consul-template/default.rb
@@ -0,0 +1,6 @@
+include_recipe './attributes.rb'
+
+include_recipe './prerequisites.rb'
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
diff --git a/cookbooks/consul-template/install.rb b/cookbooks/consul-template/install.rb
new file mode 100644
index 0000000..f938c32
--- /dev/null
+++ b/cookbooks/consul-template/install.rb
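Review bot: `'/home/webadm/bin/nginx-config.sh'` is executed by the converge, which runs as root, from a directory owned by the unprivileged `webadm` account, so anyone who can write to webadm's home (the `@reboot` cron added in this commit already runs as that user) can have root execute arbitrary code on the next run. Ship the script from this cookbook into a root-owned location instead — `remote_file '/usr/local/sbin/nginx-config.sh'` with `owner 'root'`, `mode '755'` — and call that path. The final `execute "openssl rand 48 > …/ticket.key"` has no guard, so every converge overwrites the live session-ticket key with a file created under the default umask; `execute "umask 077; openssl rand 48 > /etc/letsencrypt/live/#{node['blog']['FQDN']}/ticket.key" do not_if "test -s /etc/letsencrypt/live/#{node['blog']['FQDN']}/ticket.key" end` keeps it private and idempotent (nightly rotation is the cron's job). The first five commands likewise run unconditionally, so every converge wipes `sites-enabled` and puts the site into maintenance for the duration of the run; guarding them with `not_if` on the certificate's existence limits that to the bootstrap run.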
@@ -0,0 +1,47 @@
+# -------------------------------------------
+# Calculating the latest `consul-template` version:
+# -------------------------------------------
+download_url = ''
+
+begin
+ require 'net/http'
+
+ uri = URI.parse('https://releases.hashicorp.com/consul-template/')
+
+ Timeout.timeout(3) do
+ response = Net::HTTP.get_response(uri)
+
+ if response.body =~ /consul-template_(\d+\.\d+\.\d+)/
+ tag_version = $1
+ download_url = \
+ "#{node['consul-template']['base_binary_url']}#{tag_version}/consul-template_#{tag_version}_linux_#{node['consul-template']['arch']}.zip"
+ end
+ end
+rescue
+ # Abort the chef client process:
+ raise 'Cannot connect to https://releases.hashicorp.com/consul-template/'
+end
+
+# -------------------------------------------
+# Main Part
+# -------------------------------------------
+
+# Download:
+execute "wget #{download_url} -O #{node['consul-template']['tmp_path']}"
+
+# Unzip:
+execute "unzip -qo #{node['consul-template']['tmp_path']}" do
+ cwd '/opt/consul/bin/'
+end
+
+file '/opt/consul/bin/consul-template' do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+# Create link:
+link '/usr/local/bin/consul-template' do
+ user 'root'
+ to '/opt/consul/bin/consul-template'
+end
diff --git a/cookbooks/consul-template/prerequisites.rb b/cookbooks/consul-template/prerequisites.rb
new file mode 100644
index 0000000..ea061dd
--- /dev/null
+++ b/cookbooks/consul-template/prerequisites.rb
@@ -0,0 +1,14 @@
+# Ensure that `unzip` and `dnsmasq` are available:
+%w( unzip ).each do |p|
+ package p do
+ action :install
+ end
+end
+
+%w( /opt/consul/bin ).each do |d|
+ directory d do
+ owner 'root'
+ group 'root'
+ mode '755'
+ end
+end
diff --git a/cookbooks/consul-template/setup.rb b/cookbooks/consul-template/setup.rb
new file mode 100644
index 0000000..61dc148
--- /dev/null
+++ b/cookbooks/consul-template/setup.rb
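Review bot: The archive fetched by `execute "wget #{download_url} -O #{node['consul-template']['tmp_path']}"` is unpacked into `/opt/consul/bin/` as root without any integrity check, although HashiCorp publishes a `consul-template_<ver>_SHA256SUMS` (and a `.sig`) beside every release; combined with the predictable `/tmp/itamae_tmp/consul-template.zip` destination in the world-writable `/tmp`, a swapped or pre-placed file there, or anything substituted between the CDN and this host, becomes a root-owned binary on the PATH. Download into a root-owned staging directory, verify against the published checksums before unzipping (checking `SHA256SUMS.sig` against a pinned HashiCorp key would close the remaining gap), and consider pinning the version as an attribute rather than scraping whatever the index lists first, so upgrades are deliberate and reviewable. `tag_version = $1` is first assigned inside the `Timeout.timeout` block, so it is block-local and not usable later in the recipe unless declared beforehand the way `download_url` is. The bare `rescue` followed by `raise 'Cannot connect to …'` also discards the real exception; `rescue => e` with `raise "Cannot fetch the consul-template release index: #{e.message}"` keeps the cause in the run log.
```ruby
tag_version = nil   # assigned inside the Timeout block below, so declare it here
download_url = ''
# … unchanged: version discovery (Net::HTTP fetch and regexp match) …

zip_name = "consul-template_#{tag_version}_linux_#{node['consul-template']['arch']}.zip"
sums_url = "#{node['consul-template']['base_binary_url']}#{tag_version}/consul-template_#{tag_version}_SHA256SUMS"
dist_dir = '/opt/consul/dist'

# Root-owned staging area instead of the world-writable /tmp:
directory dist_dir do
  owner 'root'
  group 'root'
  mode '700'
end

# Download the archive and the published checksums; the run aborts on mismatch:
execute 'download and verify consul-template' do
  cwd dist_dir
  command "wget -q #{download_url} -O #{zip_name} && " \
          "wget -q #{sums_url} -O SHA256SUMS && " \
          "grep ' #{zip_name}$' SHA256SUMS | sha256sum -c -"
end

# Unzip:
execute "unzip -qo #{dist_dir}/#{zip_name}" do
  cwd '/opt/consul/bin/'
end
# … unchanged: file and link resources …
```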
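Review bot: The header comment `# Ensure that `unzip` and `dnsmasq` are available:` promises a `dnsmasq` install that the `%w( unzip )` list below does not perform; as far as this chunk shows, `cookbooks/consul/dnsmasq.rb` only manages dnsmasq's configuration, so the comment misleads the reader about where the package comes from. Suggest `# Ensure that `unzip` is available (needed to unpack the release archive):`, and if dnsmasq really is expected from this cookbook, add it to the list rather than to the comment.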
@@ -0,0 +1,9 @@
+# `consul-template`-related paths:
+%w( /etc/consul-template.d ).each do |d|
+ directory d do
+ owner 'root'
+ group 'root'
+
+ mode '755'
+ end
+end
diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb
new file mode 100644
index 0000000..2b259de
--- /dev/null
+++ b/cookbooks/consul/attributes.rb
@@ -0,0 +1,21 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+ cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v 127.0.0.1 | cut -d" " -f10'
+else
+ cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v 127.0.0.1 | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+end
+ipaddr = run_command(cmd).stdout.chomp
+
+node.reverse_merge!({
+ 'consul' => {
+ 'base_binary_url' => 'https://releases.hashicorp.com/consul/',
+ 'arch' => node['kernel']['machine'] =~ /x86_64/ ? 'amd64' : '386',
+ 'tmp_path' => '/tmp/itamae_tmp/consul.zip',
+ 'manager' => true,
+ 'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]',
+ 'ipaddr' => ipaddr
+ }
+})
diff --git a/cookbooks/consul/default.rb b/cookbooks/consul/default.rb
new file mode 100644
index 0000000..9d0f7ee
--- /dev/null
+++ b/cookbooks/consul/default.rb
@@ -0,0 +1,11 @@
+include_recipe './attributes.rb'
+
+include_recipe './prerequisites.rb'
+
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
+
+include_recipe './dnsmasq.rb'
+
+include_recipe './monitoring.rb'
diff --git a/cookbooks/consul/dnsmasq.rb b/cookbooks/consul/dnsmasq.rb
new file mode 100644
index 0000000..c8e48f5
--- /dev/null
+++ b/cookbooks/consul/dnsmasq.rb
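Review bot: `ipaddr` is derived by scraping `ifconfig` and, in the non-18.04 branch, by `tail -1`, which silently picks whichever non-loopback interface is listed last; on a host with more than one interface (the repo also carries an `aws_ec2` recipe, where a public address is common) this can hand consul a public bind/advertise address, and if `run_command` goes through a shell the `$2` inside `awk "{print $2;}"` is expanded to nothing, so that stage prints whole lines and only works by accident of the following `cut`s. Selecting the address that routes to the cluster makes the choice explicit and interface-independent, e.g. `cmd = 'ip -4 route get 192.168.10.110 | sed -n "s/.* src \([0-9.]*\).*/\1/p"'`, and the recipe should fail fast when the result is empty instead of passing `''` on. How `ipaddr` is consumed lives in `setup.rb`, outside this chunk, so the bind/advertise consequence is inferred from the attribute name.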
@@ -0,0 +1,47 @@
+%w(dnsmasq resolvconf systemd-resolved).each do |s|
+ service s do
+ action :nothing
+ end
+end
+
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+ remote_file '/etc/dnsmasq.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ source 'files/etc/dnsmasq.conf.1804'
+
+ notifies :reload, 'service[dnsmasq]'
+ end
+else
+ remote_file '/etc/dnsmasq.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ source 'files/etc/dnsmasq.conf.1804'
+
+ notifies :reload, 'service[dnsmasq]'
+ end
+end
+
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+ remote_file '/etc/systemd/resolved.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[systemd-resolved]'
+ end
+else
+ remote_file '/etc/resolvconf/resolv.conf.d/head' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[resolvconf]'
+ end
+end
diff --git a/cookbooks/consul/files/etc/consul.d/check-disk.json b/cookbooks/consul/files/etc/consul.d/check-disk.json
new file mode 100644
index 0000000..61093b4
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/check-disk.json
@@ -0,0 +1,9 @@
+{
+ "check": {
+ "id": "disk-capacity",
+ "name": "Check for Disk Capacity",
+ "args": ["/usr/lib/nagios/plugins/check_disk", "-w", "25%", "-c", "10%", "-p", "/"],
+ "interval": "3600s",
+ "timeout": "10s"
+ }
+}
diff --git a/cookbooks/consul/files/etc/consul.d/check-load.json b/cookbooks/consul/files/etc/consul.d/check-load.json
new file mode 100644
index 0000000..6dc0bc3
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/check-load.json
@@ -0,0 +1,9 @@
+{
+ "check": {
+ "id": "load-average",
+ "name": "Check for Load Average",
+ "args": ["/usr/lib/nagios/plugins/check_load", "-r", "--warning=1,1,1", "--critical=2,2,2"],
+ "interval": "60s",
+ "timeout": "10s"
+ }
+}
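Review bot: Both arms of the first `case` deploy `source 'files/etc/dnsmasq.conf.1804'`, so the version switch is a no-op and the `files/etc/dnsmasq.conf` added by this same commit is never referenced; as far as this chunk shows no `.1804` file is added at all, so the run would fail on a missing source on every release. Presumably the `else` arm should drop its `source` line so the default `files/etc/dnsmasq.conf` is used, with the `when "18.04"` arm keeping the `.1804` variant once that file exists. The configuration that does get deployed sets `strict-order` and `server=/consul/127.0.0.1#8600` but, in the portion visible here, leaves `#interface=`, `#listen-address=` and `#bind-interfaces` commented out, so dnsmasq answers on every interface and acts as an open forwarder for anything that can reach UDP/53 on the host; pinning it to loopback (`listen-address=127.0.0.1` plus `bind-interfaces`) belongs with this recipe. The `grep VERSION_ID /etc/os-release` probe is also run twice here and once more in `attributes.rb`; a single attribute (itamae exposes `node['platform_version']` from its host inventory, if that is available in this setup) would be less fragile.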
diff --git a/cookbooks/consul/files/etc/consul.d/check-memory.json b/cookbooks/consul/files/etc/consul.d/check-memory.json
new file mode 100644
index 0000000..c3ed76e
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/check-memory.json
@@ -0,0 +1,9 @@
+{
+ "check": {
+ "id": "memory",
+ "name": "Check for Memory",
+ "args": ["/usr/lib/nagios/plugins/check_memory"],
+ "interval": "60s",
+ "timeout": "10s"
+ }
+}
diff --git a/cookbooks/consul/files/etc/consul.d/check-reboot-required.json b/cookbooks/consul/files/etc/consul.d/check-reboot-required.json
new file mode 100644
index 0000000..55a514f
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/check-reboot-required.json
@@ -0,0 +1,9 @@
+{
+ "check": {
+ "id": "reboot-required",
+ "name": "Check for Reboot Required",
+ "args": ["/usr/lib/nagios/plugins/check_file", "/var/run/reboot-required"],
+ "interval": "86400s",
+ "timeout": "10s"
+ }
+}
diff --git a/cookbooks/consul/files/etc/consul.d/check-ssh.json b/cookbooks/consul/files/etc/consul.d/check-ssh.json
new file mode 100644
index 0000000..7479488
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/check-ssh.json
@@ -0,0 +1,9 @@
+{
+ "check": {
+ "id": "ssh",
+ "name": "SSH TCP on port 10022",
+ "tcp": "localhost:10022",
+ "interval": "10s",
+ "timeout": "1s"
+ }
+}
diff --git a/cookbooks/consul/files/etc/consul.d/check-swap.json b/cookbooks/consul/files/etc/consul.d/check-swap.json
new file mode 100644
index 0000000..c215677
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/check-swap.json
@@ -0,0 +1,9 @@
+{
+ "check": {
+ "id": "swap-capacity",
+ "name": "Check for Swap Capacity",
+ "args": ["/usr/lib/nagios/plugins/check_swap", "-a", "-w", "50%", "-c", "25%", "-n", "ok"],
+ "interval": "300s",
+ "timeout": "10s"
+ }
+}
diff --git a/cookbooks/consul/files/etc/consul.d/service-consul.json b/cookbooks/consul/files/etc/consul.d/service-consul.json
new file mode 100644
index 0000000..10e7840
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/service-consul.json
@@ -0,0 +1,6 @@
+{
+ "service": {
+ "name": "consul",
+ "port": 8600
+ }
+}
diff --git a/cookbooks/consul/files/etc/dnsmasq.conf b/cookbooks/consul/files/etc/dnsmasq.conf
new file mode 100644
index 0000000..b1e342a
--- /dev/null
+++ b/cookbooks/consul/files/etc/dnsmasq.conf
@@ -0,0 +1,667 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. 
+#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 +server=/consul/127.0.0.1#8600 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). 
+# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +#interface= +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface= + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. 
+# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. 
+#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC alogrithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overriden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissible to give name, address and MAC in any +# order. 
+ +# Always allocate the host with Ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with Ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with Ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two Ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the Infiniband interface with hardware address +# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the +# ip address 192.168.0.61. The client id is derived from the prefix +# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of +# hex digits of the hardware address. +#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. 
+#dhcp-host=judge + +# Never offer DHCP service to a machine whose Ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with Ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also the they [] around the IPv6 address are obilgatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. 
+#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set option 58 client renewal time (T1). Defaults to half of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T1:1m + +# Set option 59 rebinding time (T2). Defaults to 7/8 of the +# lease time if not specified. 
(RFC2132) +#dhcp-option=option:T2:2m + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. 
(A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. 
+#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. 
+#tftp-root=/var/ftpd + +# Do not abort if the tftp-root is unavailable +#tftp-no-fail + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fasion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. 
The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. 
+#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. 
Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
diff --git a/cookbooks/consul/files/etc/dnsmasq.conf.1804 b/cookbooks/consul/files/etc/dnsmasq.conf.1804
new file mode 100644
index 0000000..dc3d785
--- /dev/null
+++ b/cookbooks/consul/files/etc/dnsmasq.conf.1804
@@ -0,0 +1,666 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By default, dnsmasq will send queries to any of the upstream
+# servers it knows about and tries to favour servers to are known
+# to be up. Uncommenting this forces dnsmasq to try each query
+# with each server strictly in the order they appear in
+# /etc/resolv.conf
+strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+server=/consul/127.0.0.1#8600
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +#interface= +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface= + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. 
+# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. 
+#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC algorithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overridden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissible to give name, address and MAC in any +# order. 
+ +# Always allocate the host with Ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with Ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with Ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two Ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the InfiniBand interface with hardware address +# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the +# ip address 192.168.0.61. The client id is derived from the prefix +# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of +# hex digits of the hardware address. +#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. 
+#dhcp-host=judge + +# Never offer DHCP service to a machine whose Ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with Ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also that the [] around the IPv6 address are obligatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. 
+#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set option 58 client renewal time (T1). Defaults to half of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T1,1m + +# Set option 59 rebinding time (T2). Defaults to 7/8 of the +# lease time if not specified. 
(RFC2132) +#dhcp-option=option:T2,2m + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. 
(A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this if you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built-in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for iPXE. The idea is to send two different +# filenames, the first loads iPXE, and the second tells iPXE what to +# load. The dhcp-match sets the ipxe tag for requests from iPXE. +#dhcp-boot=undionly.kpxe +#dhcp-match=set:ipxe,175 # iPXE sends a 175 option. 
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php + +# Encapsulated options for iPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. 
+#tftp-root=/var/ftpd + +# Do not abort if the tftp-root is unavailable +#tftp-no-fail + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fashion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. 
The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. 
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records. These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are ,,,,
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name.
Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
diff --git a/cookbooks/consul/files/etc/monit/conf.d/consul.conf b/cookbooks/consul/files/etc/monit/conf.d/consul.conf
new file mode 100644
index 0000000..5a54067
--- /dev/null
+++ b/cookbooks/consul/files/etc/monit/conf.d/consul.conf
@@ -0,0 +1,10 @@
+check process consul
+ with pidfile /var/run/consul.pid
+ start program = "/usr/bin/supervisorctl start consul"
+ stop program = "/usr/bin/supervisorctl stop consul"
+
+ if failed
+ host localhost
+ port 8500
+ protocol HTTP
+ then restart
diff --git a/cookbooks/consul/files/etc/resolvconf/resolv.conf.d/head b/cookbooks/consul/files/etc/resolvconf/resolv.conf.d/head
new file mode 100644
index 0000000..ea210bc
--- /dev/null
+++ b/cookbooks/consul/files/etc/resolvconf/resolv.conf.d/head
@@ -0,0 +1,3 @@
+# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+nameserver localhost
diff --git a/cookbooks/consul/files/etc/supervisor/conf.d/consul.conf b/cookbooks/consul/files/etc/supervisor/conf.d/consul.conf
new file mode 100644
index 0000000..8e9d360
--- /dev/null
+++ b/cookbooks/consul/files/etc/supervisor/conf.d/consul.conf
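Review bot: `nameserver localhost` in the new resolv.conf.d/head is a hostname, but the `nameserver` directive takes an IP address (resolv.conf(5)); the glibc resolver skips an entry it cannot parse as an address, so this file most likely contributes no resolver at all and lookups fall through to whatever else ends up in resolv.conf. Write `nameserver 127.0.0.1` (plus `nameserver ::1` if IPv6 is in use), which is also what the resolved.conf in this commit uses for `DNS=`. Presumably the local listener is the dnsmasq installed by prerequisites.rb — worth confirming it is bound to 127.0.0.1.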
@@ -0,0 +1,9 @@
+[program:consul]
+command=/usr/local/bin/consul agent -pid-file /var/run/consul.pid -config-dir=/etc/consul.d
+stdout_logfile=/var/log/supervisor/consul.log
+environment=GOMAXPROC="2"
+redirect_stderr=true
+stdout_logfile_maxbytes=1MB
+stdout_logfile_backups=5
+autorestart=true
+stopsignal=TERM
diff --git a/cookbooks/consul/files/etc/systemd/resolved.conf b/cookbooks/consul/files/etc/systemd/resolved.conf
new file mode 100644
index 0000000..1368180
--- /dev/null
+++ b/cookbooks/consul/files/etc/systemd/resolved.conf
@@ -0,0 +1,22 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See resolved.conf(5) for details
+
+[Resolve]
+DNS=127.0.0.1
+#FallbackDNS=
+#Domains=
+#LLMNR=no
+#MulticastDNS=no
+#DNSSEC=no
+#Cache=yes
+#DNSStubListener=yes
diff --git a/cookbooks/consul/files/usr/lib/nagios/plugins/check_file b/cookbooks/consul/files/usr/lib/nagios/plugins/check_file
new file mode 100644
index 0000000..8622cee
--- /dev/null
+++ b/cookbooks/consul/files/usr/lib/nagios/plugins/check_file
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+TARGET=$1
+
+if [ -f ${TARGET} ]; then
+ exit 1
+fi
+
+exit 0
diff --git a/cookbooks/consul/install.rb b/cookbooks/consul/install.rb
new file mode 100644
index 0000000..5fe4fb2
--- /dev/null
+++ b/cookbooks/consul/install.rb
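Review bot: `environment=GOMAXPROC="2"` sets a variable the Go runtime does not read; the knob is `GOMAXPROCS`, so this line has no effect on how many OS threads consul uses. Either correct it to `environment=GOMAXPROCS="2"` or drop the line and let the runtime size itself to the available CPUs.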
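Review bot: `if [ -f ${TARGET} ]` leaves `${TARGET}` unquoted, so a path containing whitespace breaks the test, and when the script is invoked with no argument the expression collapses to `[ -f ]`, a one-argument test of the non-empty string `-f`, which is true — the check then reports exit 1 for a file that was never looked at. Quote the expansion and reject a missing argument: `TARGET="$1"`, `[ -n "${TARGET}" ] || exit 3`, `if [ -f "${TARGET}" ]; then`. Exit 3 is the conventional nagios "unknown" status, which consul also treats as a failing check rather than a passing one.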
@@ -0,0 +1,47 @@
+# -------------------------------------------
+# Calculating the latest `consul` version:
+# -------------------------------------------
+download_url = ''
+
+begin
+ require 'net/http'
+
+ uri = URI.parse('https://www.consul.io/downloads.html')
+
+ Timeout.timeout(3) do
+ response = Net::HTTP.get_response(uri)
+
+ if response.body =~ /consul_(\d+\.\d+\.\d+)/
+ tag_version = $1
+ download_url = \
+ "#{node['consul']['base_binary_url']}#{tag_version}/consul_#{tag_version}_linux_#{node['consul']['arch']}.zip"
+ end
+ end
+rescue
+ # Abort the chef client process:
+ raise 'Cannot connect to https://www.consul.io/downloads.html'
+end
+
+# -------------------------------------------
+# Main Part
+# -------------------------------------------
+
+# Download:
+execute "wget #{download_url} -O #{node['consul']['tmp_path']}"
+
+# Unzip:
+execute "unzip -qo #{node['consul']['tmp_path']}" do
+ cwd '/opt/consul/bin/'
+end
+
+file '/opt/consul/bin/consul' do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+# Create link:
+link '/usr/local/bin/consul' do
+ user 'root'
+ to '/opt/consul/bin/consul'
+end
diff --git a/cookbooks/consul/monitoring.rb b/cookbooks/consul/monitoring.rb
new file mode 100644
index 0000000..1724950
--- /dev/null
+++ b/cookbooks/consul/monitoring.rb
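Review bot: `download_url` keeps its initial `''` when the regex on the downloads page finds no match (a page redesign, a changed version format), and `execute "wget #{download_url} -O ..."` then runs as `wget  -O /path`, failing outside the `begin`/`rescue` with a much less obvious error than the one raised for a connection failure. Add a guard after the rescue block: `raise 'Could not determine the consul version' if download_url.empty?`. The zip is also installed with no integrity check: HashiCorp publishes a `*_SHA256SUMS` file (and a `.sig` for it) next to each release zip under the same base URL, so fetch it and run `sha256sum -c` on the download before the `unzip` step — as written, a tampered or truncated download becomes the root-owned `/usr/local/bin/consul`. The bare `execute "wget ..."` has no `not_if`, so it re-downloads on every converge; the `not_if "test -e #{TARGET}"` pattern used in monitoring.rb would fit here too.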
@@ -0,0 +1,41 @@
+package 'nagios-plugins' do
+ action :install
+
+ options '--no-install-recommends'
+end
+
+remote_file '/usr/lib/nagios/plugins/check_file' do
+ owner 'root'
+ group 'root'
+ mode '555'
+
+ notifies :restart, 'service[supervisor]'
+end
+
+# Deploy the check_memory script:
+package 'bc' do
+ action :install
+end
+
+URL = 'https://raw.githubusercontent.com/zwindler/check_mem_ng/master/check_mem_ng.sh'
+TARGET = '/usr/lib/nagios/plugins/check_memory'
+
+execute "wget #{URL} -O #{TARGET}" do
+ not_if "test -e #{TARGET}"
+end
+
+file TARGET do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+%w(disk load ssh swap reboot-required memory).each do |conf|
+ remote_file "/etc/consul.d/check-#{conf}.json" do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[supervisor]'
+ end
+end
diff --git a/cookbooks/consul/prerequisites.rb b/cookbooks/consul/prerequisites.rb
new file mode 100644
index 0000000..87f6d3f
--- /dev/null
+++ b/cookbooks/consul/prerequisites.rb
@@ -0,0 +1,14 @@
+# Ensure that `unzip` and `dnsmasq` are available:
+%w( unzip dnsmasq ).each do |p|
+ package p do
+ action :install
+ end
+end
+
+%w(/etc/consul.d /var/opt/consul /opt/consul/bin).each do |d|
+ directory d do
+ owner 'root'
+ group 'root'
+ mode '755'
+ end
+end
diff --git a/cookbooks/consul/setup.rb b/cookbooks/consul/setup.rb
new file mode 100644
index 0000000..3ba8fa7
--- /dev/null
+++ b/cookbooks/consul/setup.rb
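Review bot: `URL` points at the `master` branch of a third-party GitHub repository, and the script it fetches is installed mode 755 and run by consul's script checks, so every newly provisioned host executes whatever that branch contains at that moment, with no commit pin and no checksum. Pin the raw URL to a specific commit SHA and verify a recorded digest before the `file` resource (for example `only_if "echo '<sha256-of-reviewed-script>  #{TARGET}' | sha256sum -c"` on the `file` resource, with the placeholder replaced by the digest you reviewed), or vendor the script under `files/` and deploy it with `remote_file` the way `check_file` is deployed a few lines above. Separately, `URL` and `TARGET` are top-level constants and the same names are assigned again in digdag/install.rb and embulk/install.rb; if more than one of those recipes is loaded into the same run Ruby warns "already initialized constant" and the last assignment wins, so plain locals (`url`, `target`) are the safer choice.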
@@ -0,0 +1,49 @@
+remote_file '/etc/supervisor/conf.d/consul.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+template '/etc/consul.d/config.json' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ variables(manager: node['consul']['manager'],
+ manager_hosts: node['consul']['manager_hosts'],
+ ipaddr: node['consul']['ipaddr'],
+ )
+end
+
+remote_file '/etc/consul.d/service-consul.json' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ only_if '{ node["consul"]["manager"]}'
+end
+
+remote_file '/etc/monit/conf.d/consul.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[monit]'
+end
+
+execute 'Reload supervisor' do
+ user 'root'
+
+ command '/usr/bin/supervisorctl update'
+end
+
+# iptables settings here:
+%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp ).each do |port|
+ execute "ufw allow #{port}" do
+ user 'root'
+
+ not_if "LANG=c ufw status | grep #{port}"
+
+ notifies :run, 'execute[ufw reload-or-enable]'
+ end
+end
diff --git a/cookbooks/consul/templates/etc/consul.d/config.json.erb b/cookbooks/consul/templates/etc/consul.d/config.json.erb
new file mode 100644
index 0000000..f0baf2a
--- /dev/null
+++ b/cookbooks/consul/templates/etc/consul.d/config.json.erb
@@ -0,0 +1,23 @@
+{
+ "datacenter": "aws",
+ <% if @manager then%>
+ "bootstrap_expect": 3,
+ "addresses": {
+ "http": "0.0.0.0"
+ },
+ "ui": true,
+ <% end %>
+ "bind_addr": "<%= @ipaddr %>",
+ "disable_remote_exec": false,
+ "disable_update_check": true,
+ "leave_on_terminate": true,
+ "retry_interval": "30s",
+ "data_dir": "/var/opt/consul",
+ "log_level": "INFO",
+ "enable_syslog": false,
+ "enable_script_checks": true,
+ "rejoin_after_leave": true,
+ "retry_join": <%= @manager_hosts %>,
+ "encrypt": "LPKrNBQZnJIc8tJpViI4ug==",
+ "server": <%= @manager %>
+}
diff --git a/cookbooks/digdag/attributes.rb b/cookbooks/digdag/attributes.rb
new file mode 100644
index 0000000..045dad6
--- /dev/null
+++ b/cookbooks/digdag/attributes.rb
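Review bot: `only_if '{ node["consul"]["manager"]}'` passes a string, which itamae hands to the shell as a command rather than evaluating as Ruby; `{ node[...] }` is not a valid shell command, so the guard is always false and `/etc/consul.d/service-consul.json` is never deployed, even on managers. The intended form is a block: `only_if { node['consul']['manager'] }`. The ufw `not_if` uses `LANG=c` where `LANG=C` is presumably meant (digdag/setup.rb has the same typo), and I do not see `execute[ufw reload-or-enable]`, `service[supervisor]` or `service[monit]` defined anywhere in the consul cookbook files of this commit, so unless another recipe in the same run declares them the `notifies` targets will not resolve. `execute 'Reload supervisor'` also has no guard or `action :nothing`, so `supervisorctl update` runs on every converge.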
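Review bot: the gossip `encrypt` key is a literal in the template and is now part of the repository history, so it should be treated as disclosed: generate a fresh one with `consul keygen` and deliver it through the `encrypted_remote_file` + `ITAMAE_PASSWORD` mechanism this commit already uses for ssh material in embulk/setup.rb (or a template variable populated from it) instead of committing the value. On managers the HTTP API is bound to `0.0.0.0` while `enable_script_checks` is `true`, `disable_remote_exec` is `false`, and setup.rb opens 8500/tcp in ufw; with no ACLs that combination lets anyone who can reach the API register checks that execute commands on the host, so prefer `enable_local_script_checks` (script checks only from local config files and the CLI), keep the API on the loopback address unless the UI genuinely has to be remote, and turn on ACLs with a default-deny policy. `"retry_join": <%= @manager_hosts %>` relies on `Array#to_s` happening to look like JSON; `<%= @manager_hosts.to_json %>` is explicit and survives non-string elements.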
@@ -0,0 +1,12 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v 127.0.0.1 | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+ipaddr = run_command(cmd).stdout.chomp
+
+node.reverse_merge!({
+ 'digdag' => {
+ 'binary_url' => 'https://dl.digdag.io/digdag-latest',
+ 'install_path' => '/opt/digdag'
+ }
+})
diff --git a/cookbooks/digdag/default.rb b/cookbooks/digdag/default.rb
new file mode 100644
index 0000000..1a4f1e1
--- /dev/null
+++ b/cookbooks/digdag/default.rb
@@ -0,0 +1,10 @@
+include_recipe './attributes.rb'
+
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
+
+# AWS EC2 Swap Setting:
+if !node['is_ec2']
+ include_recipe './shared_dir.rb'
+end
diff --git a/cookbooks/digdag/files/etc/digdag/digdag.config b/cookbooks/digdag/files/etc/digdag/digdag.config
new file mode 100644
index 0000000..c7ba253
--- /dev/null
+++ b/cookbooks/digdag/files/etc/digdag/digdag.config
@@ -0,0 +1,6 @@
+database.type=postgresql
+database.user=postgres
+database.password=Holiday88
+database.host=192.168.10.200
+database.port=15432
+database.database=digdag
diff --git a/cookbooks/digdag/files/etc/digdag/digdag.sh b/cookbooks/digdag/files/etc/digdag/digdag.sh
new file mode 100644
index 0000000..3996956
--- /dev/null
+++ b/cookbooks/digdag/files/etc/digdag/digdag.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec /usr/local/bin/digdag server --config /etc/digdag/digdag.config
+
diff --git a/cookbooks/digdag/files/etc/supervisor/conf.d/digdag.conf b/cookbooks/digdag/files/etc/supervisor/conf.d/digdag.conf
new file mode 100644
index 0000000..eaf346d
--- /dev/null
+++ b/cookbooks/digdag/files/etc/supervisor/conf.d/digdag.conf
@@ -0,0 +1,7 @@
+[program:digdag]
+command=/etc/digdag/digdag.sh
+stdout_logfile=/var/log/supervisor/digdag.log
+redirect_stderr=true
+stdout_logfile_maxbytes=1MB
+stdout_logfile_backups=5
+autorestart=true
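Review bot: `ipaddr` is computed by shelling out to `ifconfig` and then never used — nothing else in this file reads it and the `node.reverse_merge!` hash does not reference it — so the pipeline is dead code that runs on every converge (embulk/attributes.rb carries the identical two lines). If it is meant to feed an attribute, note that `awk "{print $2;}"` sits inside a double-quoted shell string, so the shell expands `$2` (to empty) before awk sees it and awk prints the whole line; the awk program needs single quotes at the shell level. Otherwise delete both `cmd` and `ipaddr`.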
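Review bot: `database.password=Holiday88` is a database credential committed in clear text (the same string is used as the CIFS password in shared_dir.rb and docker/setup.rb), so it is now in git history and should be rotated. This commit already has an `encrypted_remote_file` + `ENV['ITAMAE_PASSWORD']` path for the ssh material under `files/root/.ssh` in embulk/setup.rb; ship digdag.config the same way, and deploy it with `mode '600'` owned by the account the digdag server runs as rather than the world-readable `mode '644'` used in digdag/setup.rb. Consider also a dedicated database role instead of `database.user=postgres`, which is the superuser.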
diff --git a/cookbooks/digdag/install.rb b/cookbooks/digdag/install.rb
new file mode 100644
index 0000000..f636e38
--- /dev/null
+++ b/cookbooks/digdag/install.rb
@@ -0,0 +1,33 @@
+# Create installation directory:
+directory node['digdag']['install_path'] do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+# Download and install:
+URL = "#{node['digdag']['binary_url']}"
+TARGET = "#{node['digdag']['install_path']}/digdag"
+
+execute "wget #{URL} -O #{TARGET}" do
+ not_if "test -e #{TARGET}"
+end
+
+file TARGET do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+# Create link:
+link '/usr/local/bin/digdag' do
+ user 'root'
+ to TARGET
+end
+
+# Install the Java Runtime:
+%w(nkf default-jre).each do |p|
+ package p do
+ action :install
+ end
+end
diff --git a/cookbooks/digdag/setup.rb b/cookbooks/digdag/setup.rb
new file mode 100644
index 0000000..a9abd6b
--- /dev/null
+++ b/cookbooks/digdag/setup.rb
@@ -0,0 +1,50 @@
+# Create directory for digdag:
+directory '/etc/digdag' do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+# Deploy the files:
+remote_file "/etc/digdag/digdag.sh" do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+remote_file "/etc/digdag/digdag.config" do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+# Firewall settings here:
+%w( 65432/tcp ).each do |p|
+ execute "ufw allow #{p}" do
+ user 'root'
+
+ not_if "LANG=c ufw status | grep #{p}"
+
+ notifies :run, 'execute[ufw reload-or-enable]'
+ end
+end
+
+execute 'ufw reload-or-enable' do
+ user 'root'
+ command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
+
+ action :nothing
+end
+
+# Deploy the config file for `supervisor`:
+remote_file '/etc/supervisor/conf.d/digdag.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[supervisor]'
+end
+
+service 'supervisor' do
+ action :nothing
+end
diff --git a/cookbooks/digdag/shared_dir.rb b/cookbooks/digdag/shared_dir.rb
new file mode 100644
index 0000000..9542530
--- /dev/null
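Review bot: `digdag-latest` is a moving target downloaded with no checksum, so each new host gets whichever build the CDN serves that day, and `not_if "test -e #{TARGET}"` then freezes that build forever — the fleet drifts, and a tampered or truncated download is installed mode 755 and linked as `/usr/local/bin/digdag`. Pin a version in attributes.rb (embulk/attributes.rb already pins `0.8.33`) and verify the download against a recorded digest before the `file` resource. `URL = "#{node['digdag']['binary_url']}"` is string interpolation of a single value; `URL = node['digdag']['binary_url']` says the same thing, and since `URL`/`TARGET` are also assigned as constants in consul/monitoring.rb and embulk/install.rb, plain locals avoid the "already initialized constant" warnings when several recipes run together.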
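Review bot: `remote_file "/etc/digdag/digdag.config"` is deployed with `mode '644'` although the file carries `database.password`, so every local account can read the database credential; use `mode '600'` owned by the account the server runs as (supervisor runs programs as root unless `user=` is set in digdag.conf, and this commit does not set it). Because the content is a secret it is also a candidate for `encrypted_remote_file` with `ENV['ITAMAE_PASSWORD']`, as embulk/setup.rb does for `/root/.ssh`. `LANG=c` in the ufw `not_if` presumably means `LANG=C`, as in the `ufw reload-or-enable` command below it.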
+++ b/cookbooks/digdag/shared_dir.rb
@@ -0,0 +1,34 @@
+package 'cifs-utils'
+
+%w(shared tmp img).each do |d|
+ directory "/mnt/#{d}/" do
+ owner 'root'
+ group 'root'
+ mode '777'
+ end
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+ action :edit
+
+ block do |content|
+ content << "//192.168.10.200/Shared/shared /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+ end
+
+ not_if 'grep shared /etc/fstab'
+end
+
+file '/etc/fstab' do
+ action :edit
+
+ block do |content|
+ content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+ end
+
+ not_if 'grep img /etc/fstab'
+end
+
+execute 'mount -a' do
+ not_if 'df -h | grep shared'
+end
diff --git a/cookbooks/docker/default.rb b/cookbooks/docker/default.rb
new file mode 100644
index 0000000..a1a8dc3
--- /dev/null
+++ b/cookbooks/docker/default.rb
@@ -0,0 +1,3 @@
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
diff --git a/cookbooks/docker/files/etc/cron.d/docker-housekeep b/cookbooks/docker/files/etc/cron.d/docker-housekeep
new file mode 100644
index 0000000..f1ab55d
--- /dev/null
+++ b/cookbooks/docker/files/etc/cron.d/docker-housekeep
@@ -0,0 +1,6 @@
+MAILTO=""
+
+DOCKER=/usr/bin/docker
+
+0 13 * * * root ${DOCKER} image prune -f
+0 23 * * * root ${DOCKER} container prune -f
diff --git a/cookbooks/docker/install.rb b/cookbooks/docker/install.rb
new file mode 100644
index 0000000..1425af5
--- /dev/null
+++ b/cookbooks/docker/install.rb
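Review bot: the `username=admin,password=Holiday88` mount options are appended to `/etc/fstab`, which is world-readable, and are committed here in clear text (docker/setup.rb adds two more entries with the same credential), so the share password is exposed to every local account and sits in git history. Put the credentials in a root-only file referenced with `credentials=/root/.smbcredentials` in the mount options, deploy that file with `encrypted_remote_file` and `mode '600'` as embulk/setup.rb does for the ssh keys, and rotate the password. `mode '777'` on the mount points together with `file_mode=0777,dir_mode=0777` makes the mounted data writable by everyone on the host; `uid=root,gid=root` with 0755/0644 is usually sufficient. The `not_if 'grep shared /etc/fstab'` and `'grep img /etc/fstab'` guards match those substrings anywhere in the file, so an unrelated line can silence the edit; grepping for the mount point, e.g. `grep -q ' /mnt/img '`, is more precise.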
@@ -0,0 +1,22 @@
+%w(apt-transport-https ca-certificates curl software-properties-common).each do |p|
+ package p do
+ action :install
+ end
+end
+
+execute 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -' do
+ not_if 'apt-key fingerprint 0EBFCD88 | grep 9DC8'
+end
+
+execute 'add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"' do
+ not_if 'which docker'
+end
+
+execute 'apt-get update' do
+ not_if 'which docker'
+end
+
+package 'docker-ce'
diff --git a/cookbooks/docker/setup.rb b/cookbooks/docker/setup.rb
new file mode 100644
index 0000000..121cff4
--- /dev/null
+++ b/cookbooks/docker/setup.rb
@@ -0,0 +1,37 @@
+# install `cifs-utils`
+package 'cifs-utils'
+
+directory '/mnt/backup/' do
+ owner 'root'
+ group 'root'
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+ action :edit
+
+ block do |content|
+ content << "//192.168.10.200/Shared/backup /mnt/backup cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+ end
+
+ not_if 'grep backup /etc/fstab'
+end
+
+file '/etc/fstab' do
+ action :edit
+
+ block do |content|
+ content << "//192.168.10.200/Shared/PXEBoot/www/ubuntu/apt-mirror /var/spool/apt-mirror cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+ end
+
+ not_if 'grep apt-mirror /etc/fstab'
+end
+
+execute 'mount -a'
+
+# Deploy the cron.d file:
+remote_file '/etc/cron.d/docker-housekeep' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
diff --git a/cookbooks/embulk/attributes.rb b/cookbooks/embulk/attributes.rb
new file mode 100644
index 0000000..8c533e9
--- /dev/null
+++ b/cookbooks/embulk/attributes.rb
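Review bot: `curl ... | sudo apt-key add -` imports Docker's key into apt's global trusted keyring, where it can sign packages for every repository on the host rather than only download.docker.com, and the `not_if 'apt-key fingerprint 0EBFCD88 | grep 9DC8'` only serves as a skip condition on later runs — it never checks the key before it is trusted. Save the key to a dedicated keyring instead, `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg`, check its fingerprint before installing it, and reference it from the repository line with `[arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg]` so only that source can use it. `sudo` inside an itamae `execute` is redundant when the run already has root and adds a dependency on sudo configuration when it does not.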
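Review bot: `execute 'mount -a'` has no guard here, unlike the `not_if 'df -h | grep shared'` on the same command in shared_dir.rb, so it re-runs on every converge; `not_if 'mountpoint -q /mnt/backup'` (or one check per mount) keeps it idempotent. `/var/spool/apt-mirror` is used as a mount point but no `directory` resource creates it in this recipe, so on a fresh host `mount -a` will presumably fail unless the apt-mirror package is installed earlier in the run.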
@@ -0,0 +1,14 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v 127.0.0.1 | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+ipaddr = run_command(cmd).stdout.chomp
+
+node.reverse_merge!({
+ 'embulk' => {
+ 'base_binary_url' => 'https://dl.bintray.com/embulk/maven/embulk-',
+ 'version' => '0.8.33',
+ 'extension' => '.jar',
+ 'install_path' => '/opt/embulk'
+ }
+})
diff --git a/cookbooks/embulk/default.rb b/cookbooks/embulk/default.rb
new file mode 100644
index 0000000..2f8afef
--- /dev/null
+++ b/cookbooks/embulk/default.rb
@@ -0,0 +1,5 @@
+include_recipe './attributes.rb'
+
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
diff --git a/cookbooks/embulk/files/root/.ssh/amazon.pem b/cookbooks/embulk/files/root/.ssh/amazon.pem
new file mode 100644
index 0000000..c97d437
--- /dev/null
+++ b/cookbooks/embulk/files/root/.ssh/amazon.pem
@@ -0,0 +1,38 @@ +md5:e0486d739e65e30fdde604d901bbe9ab:salt:42-187-238-208-244-207-139-173:aes-256-cfb:ACTalT4qSks0TrcXAr6EWg6lddGsfZqIM9dRSlXiFVhNso373y1C93N2YKGz +DBrWZ+EmISAuS6c9ZugiTzJHfF+i2VDJZxc/8iQ6MOZ5IRfcEQobjWcMUOhJ +Op4hf9gLgr1DlZRGoSs/VCS5b7LUs9xSXV3rpjTTV23oxfTmwAKvGPV+iMNs +xwt9JIE5qXX4Q0Zj4fXSzVJMX3nYKsnEZmCW73C9uCl7IrVap/ZR+5MWvY26 +uAtiBnrBa/vPAVcuHw+hWBEEs4iL+hpvWMYOb4ANy3dNKdg1j0nHsHtncQWr +4YNpTGaWxoi0z2lA6ersLrAy8DAyrsKiQZNasCmK/lRx3lACUi2Fl3pfsZcp +Go4HHvTXVoe+lyjT21TucRqYKZYGDXgKFhBECM4IkGPqFJHEafYvqKcVCW0d +hhxZsGecoIULnp9KI+rCtcm7RHTleWnRufK3Cg3m3X0zQjm5MkYkkJPvzv7i +7OwsnYPHs0RDtRMfCgMN55iKH/tQHvhf5X0lrEuT+i43nm8DziG4MdN/TOHG +44j2PQwI3tS/iRo4V5RFo1volqb/p7CZFo7G+jm9gljPJ9v2hFW5dVaXK44b +QWCCdxIV30ASAYQkpN3DYixNXxeseHd2mALKXAHkgdt0PIZFbsbMJd6zXVw7 +8yTa2agO1NKL62SFhorq4WTvwYi1jan88VVfCpS5SfMa44uu13LHtfYgXtG0 +6FiSeUZzOVSZKcUA7tSZVYXW4+BFM9kjFPgYjlCVtupfedBGrRaZGYZNdKjO +ZEkfUIsT7P1DMRxBrLm4hBhIbc0GZrCNAQH5ONpc+44Mi7QrSu+7KKpCJbCx +KRusMN/qbDrJSKI7L0z3xd0Gdfxbp3ZI9Lm/3WpQeiy58y1FzTl4Y53U6M6V +/mtYN5PZErAnJ1V1T0Uwu8L42sHV3dqzbFdKHxsSDVdKhygi9P/y7aAcXDFw +UV3C77J7j4iM3jGBYQ2p54a/bepHCa9VilGOZlWyV33Lqa6deiMrnsEvLlE7 +0b63U3TS/BYYZbBs9abG8QamgXwT5kgsjO21pSZE+mECTQ4oa0bUQ6hOgsaM +GwKdh7BPF6mXFcJUm5LrGXMbeht5YvGj9EZrCrudQnpnhj1jA/Dx5eVt0mKx +kDvqPiqfnHLlSRDQme7c0xnvuyDaL2wL6cgkpSStwNc21KH5G8Vbh/rQix/0 +PhR5UsAb1c53yWnmxVCmLMS75sBCqjXObWa+YVwfirZIjU0VmArlbd/Nq+0H +AMtJdTNBfiWV/eZqNksiw+zQ9LFa+YUuRCq3ylaU/ZMLoTpdRQRmYRb2X3KJ +H99hHeZfqw+Bky/v3xfs64+T8jYfgGzpPl5O2FR8GBv4k1chwYHceAGsdG2S +NkaHKk582AUnNNAaW629KmBGsRUgrVMge1iJuEtQjxAn/u7lC5UGZOXPtYts +o7AkxEFbpXhWQZhHU5UrLIwf7xLVP+DlrDqKbKZeV7vDrLeC58bCIyL4vI2g +ZcGtNxv8Q181nxzlU+fAqIsPor94K0nYnSM1sOKKkuPB8v2wQ5m44eyK6rWY +lxR9Jcua768j2B4QD3NQKIiS5mKx2aX3BhnBJDkXfOMrwttcgC/in4vkTnAW +5rVBwoU2TDGvNtvy+JxKs1V8rE/Y6qEXiRl8zz54lFJvKjtzbhdscbF5Kmt7 +FQMuKD2AeqjkRhUD2mbQwCaRQjGQ4hs8zTjbsLxJzBnRqtGuB0xUbj4tDNBy +7pzJk1Lwd+4cplaTc2GssVe3SP6iKq1cJ40cS159c81oPr+3otVcOQeoGRyJ 
+KQC8lR60XM6lXfvH3/eVhuxmS//5uvkElnyB7Ec8l8gjX2mEV7AUqN5EOaa0 +WHgW7j3TgwadXvVeQdwFSbrddwtfE9Bq4Cj6Egb9auNl8/Q4/sRHxhc+yGDA +ttl589yqc7VCh5n7UiTF2rXK963XGDwpgosC2d7P6bQM9TKSde+8rRUh9jZ9 +kSMdkdQ4+TL5+UCGT8jFJSBfwrk38vf9IJZzETSLW9ugNEVp/yAUZGXY/WRs +/7nyRBh23xpwH2oLaIK7gi9RgP6jqDW3K7g+Y7z5Or/Q46CYHLko18BhE7ow +rwqjTGbMBcNVUm33c9Bt5TAfHy1gjyL4Nioqdt+sE1uEisegjVZCWt2zddL2 +fRQQfTS7HTyo0upUn47SCqf5ACpW4UdL/rXnd+fA1V4oxNpWf3bx6InLWIXr +Ynxpos42aw== \ No newline at end of file diff --git a/cookbooks/embulk/files/root/.ssh/authorized_keys b/cookbooks/embulk/files/root/.ssh/authorized_keys new file mode 100644 index 0000000..5a5fd2d --- /dev/null +++ b/cookbooks/embulk/files/root/.ssh/authorized_keys 
@@ -0,0 +1,38 @@ +md5:b940e33c24842e81a2ac83c3a61a5605:salt:59-103-63-243-177-210-254-59:aes-256-cfb:+j+wg5NSjQMEEAZ3+HEseUoYHJ2KLGkk0ia6a6MOd78FikQFs7gWAQQys+vj +/aOx+7jYoZxZ+8DluR8fYSi8uwoIceE7uekfPOgXFkTfI868K8Cd95M1oyda +jxZe2Rc9GiXK+wmBbwciPv8xIQcpeQK262zU8eJiMxaIAojlZD7p/8vVTEwZ +8mM0+Y+NpQFASGsdMswpxeS5kdk986pvEOob0hjpxVxz0SCebjqdNxmZTivJ +mXGDCI1bshhJAVNLhtnS4mvNb4w5+9hyp0xElkYVVUSK/7PFow3OLjC7QwZw +HjHEKwAS5cPf0QibaPE6FvhYzTw19H90g2s2KkB/lrpNIOSZj0KpefDA41M9 +xtQKO/GmBrYFNZC3EFDUhJpavPxiiGzYpXEN2lUjjf3NMpRs4MoYH7fGgRma +93y3z8blLwGtSQMKJimNYdvLnxwGMiRyDyRQ7TCmLIVMR4wdrJBOP4zJ6K7h ++WvgePTUH28zyEqOpdcmr//izvkr6vvtoA6DPDhToKR7lCIduxowx5qdj63D +2RgbajRfbKNMh0s0XiAwM70b15y7SLkIejx2zuUnLCa9MHIfsN6jjFeyO1Zw +bMHq4ukA/3aQzz6OgGY8rLfIhEvEV/PjGOnjd/BQcb33ACSo9c3Ase2H/lGn +T7Q0hK78fadEDH/cM0VtYuBHTr8THZzIgsz8dfhfBU01+vxfa7nFNPwvlthD +UrcMF9V0gNi4wQHPx9hjNXX/iJmHVVau2QcV+m3wdBpgoG6vyp8guYc7el8o +YjxiJ2HHDwOIhW8WOa3LgKk2GIPjfa5yocB2HylWDvgG1OUWZ0A9CboQ57AB +WfLJso/OYyD3MZcAJnM/Oou30vlzmq/aNuh+Xz3ycITlYhQOSfmQ4OcqwRo3 +vJ9oZaH/uFacRUmHwhsuvldbdHgv97iIPXF0LwG3Cim8cOYfgjvdhFgLygtD +P8vMU8z7W0PODw4Sh5vJy3P+M/gSK6uDrPpdjiYGOtCInxC5N8HuFGpL6ZcX +jpuC8Hn0LxjVmRFP0Kdz9NTmd67kaiyifAOHTTNMR1rIl52zFT26R6u0hB+/ +h87EwDWSjsNt+7Z4lKgBRI6nM6aj6/JQlmN0cC9puUc6QczSxsHr7Mr48jf0 +HF2ejuA3PGBIFf/KgzQ5/LpQwKfyV08fuH1sgGcHMUcuT4jcs3ZuvMO9y9Wi +pq1WzO8+8MOnpePdsx2zN/8G4Ufy0GdLLV08y5RPugdk2wF6BYsl/erIkB1H +xlsbSetLWXxIl3wnnnMpRdJjrK3IkW/jlAlzDlyMuhXPcbdEfCfgU9oHpFIp +YYIebxUMM5H1XwDiUQlFBMlDTk848JiwBnXAtDR5pVxQK42dSKPz22d5jvLM +rYlFzraI9dkA0mOJoQQ+TM79k7EFdm1NiDIeC+Px9Ud2Iu/lBGlA2d38YPnS +JeDhe6NPiOjhsd6A6YFKkA3ZcJAJpqg0pJAc5lELMrB7ZT8rDM3W0rZft2Yb +vcWan8s71NW1LPrQMZwQw8FMGM8OysKtbPA5b9Q98qn/elCV7nP8yOTR19Jl ++kk73smvjnkGdslpXKt9RzhnE/cQPpShVVdmoTlLzwY/nNaHu9CV5DDPWpmw +ynWDKuFvpOT3ajnJOOkt/9BOQ55yG5DJL0EclxTfpBaq5CUfAQ0A3vba9isD +VfxPYSx5nhNkv2r1eDBpMiGdN8GgUW2BuSLzx7I65aEQMDk+c4z7nvxy5FFZ +2t0IfCjVSCyv1yb0k3ALRmzftQhnPJZhzkbNJ7PRoda+CgoPk5pwkLW46cSA 
+1KVm1HN53RIZuzAEnSW/EsKFmlK7OegV1n30O3cij+KNdUUmKldhIvg1W/RV +UVejeruRe53K954ucIHhojL5REwBHiMVGmRnVYaftUTTzEzcPe3t4NiMBgFS +agbXDv0X0EHJ5tzi6TuGpUChR6FHabsEbLHiCCk41TnPI6tpIadnr5gidTE+ +l1RF0OeEMWRO9mmgwSEwyD7hgPQgCgPDd0MIasTteDkAb94zqO2TP+j4df8x +YoHfwNMzf8A5wkYi18GGp8mQIpmNE5BJyxhsz6qdZcfTY1tNgye94ORlIseK +wGdadtpwTLWH7PZ+ryVlXYfng0N52QK2SzmjJnvdIatfoCI8/ri1i89K5bdU +PNid2Qov1nTeuvucUhcyEDhgIHBZ4Yu9DtaiDFUBlWMOqKcdmdOWQ1DFZzMi +POKsqyBc70v4fLqFoIgAezgVxhsDmn+elrg5x/E1fg== \ No newline at end of file diff --git a/cookbooks/embulk/files/root/.ssh/config b/cookbooks/embulk/files/root/.ssh/config new file mode 100644 index 0000000..53f7a25 --- /dev/null +++ b/cookbooks/embulk/files/root/.ssh/config @@ -0,0 +1,11 @@ +Host bitbucket.org + HostName bitbucket.org + IdentityFile ~/.ssh/id_rsa.bitbucket + Port 22 + User git + +Host github.com + HostName github.com + IdentityFile ~/.ssh/id_rsa.github + Port 22 + User git diff --git a/cookbooks/embulk/files/root/.ssh/id_rsa.chef b/cookbooks/embulk/files/root/.ssh/id_rsa.chef new file mode 100644 index 0000000..4025c97 --- /dev/null +++ b/cookbooks/embulk/files/root/.ssh/id_rsa.chef 
@@ -0,0 +1,38 @@ +md5:37086e711fa7bf46d618f23d91feaa4f:salt:182-65-33-210-46-24-105-147:aes-256-cfb:Mde5spOzswSrR4BZ86rsjXNjgMAN9FZOOH3jehSvQ9qWZk0WKqkOJgVUzTdZ +skdxEQBWTLhsZlIwK0t3rZxwnePeUq2jCvWitJhWLAh+eFu4xTgQrx2kQjFA +E8z4jJfzU77ZEUyGyre8BQncgHkMgVggs1ktbVBGkHGBaeM37HC35xEcxssM +yp5SwsoOSRledSWHqIxbzV4TMbUKs7KOfSwAAAq6Nxu5+83UQx1Dp4oOVsbz +c2NlX/BJnk3vD2Ls6JWldcT5yffrqHegb8323Kpyd5MvMEhYDDZDb4bmTM84 +f3fdnfpA4lCxca1czWqOVuLTx0MGc3dV3jjoMR89oZYXik/a4kWvYKU+0U84 +rfKttLefEK8GltMTPDaIsuiXA1HScPRQyBnj791yCeuVNBsT0jsxMZCxaKZm +ghnWnlhu1U+Rl3MP6kHkyCeBc1t+2zn1wcfB6y5QkMM9EujJCUPZuUjwWVzn +pZXYjwzP1am7a4MO5Ya5GysahMuFEsiKptMCvbybQQ8xvI9HX04/fALWtAl/ +7GMmTb3EwgUZdQGYr15eQLUKFiyO/xO+JQ/U1fVHG5EP06TxLKf2PZ7lekuO +zHjBc1lORRYX4i+mKzFWbbc4uSsZ6k9ive2cCB8ndY8kfOADxYuSIjPOsVGL +aT+PfPlbnKUZfmEo/sViSEokO5iE7zE8vbDtxDiQ23BlCSXzJJ15bPp/m/ii +sUE8whxjoeb+TxTGWT1eM0Ah/B836rs0UVZUMrbI2011AFX/LPS8Dwmoz+o0 +1VcIpqGxTVBNuuBl38IOHwLstyzP4t9yMvfOXvrqWcqwDforK+xplQxuHiUa +CSUlFeeCTMKqrslGOm34WYo5x5o0rZ3Chtnoota9PmVcY4k8n5OjK1RX4sUE +n0NkkRzBxducxYl5Z7Y5sFP0xrGY0VdLejYOsuL6u6CjWtAotJPMEv0MtOCb +rEqpAkFGNUxbKvo3ER0O+xjxZk53ghbiC9his+BNgV37fSNGw18ebvisSeHW +RYErU8AnSh5QgnQBlwfDBjoMp06yjMoq9C83ZWvQ/ltdVZcTDbmnATPlUXF2 +F9rHINtw3N5/9oyqvNRnQKByVlBBUKcaNuVOLumJYAHVlrbSDLXhh3SDpdf9 +Xee/S00HJQC71zOKjyr9vDy1ZmpB8PltMy/rM6iLApVPvRlKmso3qdID0lLC +SOjkEzZwtVXbcGzFdxBAN7j/GUG/VEo/1mSBXuJxfJdVEqSRYGTyA2gO8xF6 +R/MX0s+EZxa3eUesf3O/ZGkyfEUxjXBqiay0QD4eC4y83/da6YroPpSImRbF +tgoXcvo5GkQnLg8fYc6vBuOq2YvJtJECr/epuUJ7U24CuO9E0RJlQgYOO0jj +IUEpyN6AxSLvLnUw9g9YxdV+otVuFIuZXx7DbpY0r1eySj1w4b0FPyAHZgMo +o0m5QAa1NAZGr5n2P/pjAZGe3WS/ypAqjluNFC5SWazw2L4qIPW7wVpeUItj +stpvGzNdg/w9iXAalKhxE1zOe58mA13dOXgbBLPorQ2lL74C7PIhRhhz9Z46 +k98aSQxxs4ptZpXnCFmARjYThS4/4ueU2orqxMKTWMIRQ0I23ELmXuphS4dM +DSz995TrOqkzH9+6AB/a7SOg9aWc4Vycp2LYgsOpxONdmD620jfqLP9RSQ/R +WliRqGOtTMVkV0U9z1gCyc+F/uWQ57OhASLteIGwwm0HN79yatIrxuDFqNAv +Dof7bYHv5rkiPOF6CTBXkKxY/G7AzPgDL49AkMiu5xJV7Wil92DBAV+7MJRZ 
+Qu8Uzt3zdGOiJrF9gOoT8kdNQ6APAMv2cOoJ+qPsdJpN5mi+U+G3D+wDtQlE +67oqqQJXq47w2geNkV93Rx5NjFwOOCsbDYAbdgco+X630kq1Otnep0fjo/pE +fQzC+vFltcsG2Xq8215k7ubED8PsAC0hx3ZieqsaPvf70c6F4rIFHNJ4R4wx +CpdBD3rNRQJ0vwr3Dvfzq/DBMM6bhOt95nAVLvBT4WhTEMnBeMC+TtSUW+Fg +QzLHl5/1MWk+8X/lic/4186rGDyZByvupBPjL1aT1vPScSu5s/VieRLqFmc7 +u39sNWZRdONMKfF26HtDfHMbwqGO7y/U2Bmrqszk0VIn4zURN/wvSZlJOSrw +4+CM6P9GMcqWaY0d7MqT5WMsNGioazeEMJWNfIkuMcyk8CfjD7fLssxm0dC2 +bICNWzrocylXXw== \ No newline at end of file diff --git a/cookbooks/embulk/files/root/.ssh/id_rsa.github b/cookbooks/embulk/files/root/.ssh/id_rsa.github new file mode 100644 index 0000000..931b700 --- /dev/null +++ b/cookbooks/embulk/files/root/.ssh/id_rsa.github 
@@ -0,0 +1,38 @@ +md5:86b365bb51904196f7cd6a819f097d6b:salt:159-92-154-253-242-134-41-71:aes-256-cfb:7CGP5FXxiGhSHmsxtxQYoLnru7R1rTD1mfvI2ehjS2LfztoG+8fxJnB0oZ93 +z43QWkW8g7/36lT1iiCiKSbXkRpCLEimSNL9iDRfP+P9GrDNfnQzgreq0KCU +fCJCKo9bYrJOGrXeY9NS535kE21NlgmimDZbsaVicCsHPn4X71oxoK+neBtv +IMNEf2QKavJLvZpDtG5YHKcTF96WM+yEKS8KaiK2DLp9PDaDb7zI9wGHZd7Z +n0hwO4ZxMW+vFHg7EUMHV0MPBH4MLRbX5xX4m3enclcp9ulfkxzNMMSKSnfE +DVuJKdTr9vvEQO1tpye6NvNZAKepsaGOYUF6NxHAlKj7vhCq6U2KDEZ161oh +K65eg8YqirulQg9ekETzIc3ktHfPxUMTDNpnuBLcx//oOnYPWYnONg6EQDis +NjdeaSz+RT0BhRoNJgU5rQz0D2twYmMDLykz7sgS7Z6DHHAWTDYSU9xGdjbQ +CPQpF1XUOTWei28MBcpyrq3leZplKxwwUGOCL77Fy+aASTmdZhu1QPSDwPlC +FFuFBeJnihJUt8e9GhIX2Tx67o5b46X5A0AyLzzuWAgg+w7fgVBhBzoOqwFK +YvR0cR1k0xJ/UXMmKRTno4SUZ0ghw9tFPCg+ptXLQuwYkPTi9yZRMJGhEEWE +BD3kXYWSfa27kCr6AWca/6/7L+250CE//WSYvh/j3Jba++ZcWPfRj7TgT9oT +IjtS+YEa1EUCaJmC1zpNEWXES1u/WSMZSEIbEyUgb0lbSV4AKMBTxRwOhs8I +5jTZYqzGWnFTIIgoWvzoqRP5e/CdijzMCTpXO2SRM7OqiYjBO2p7p1GQQrnA +ttsaT0u9vYvpbaND+ThFSFpF0+d1/ueUgi7Fv59GmZz+MQamvdzFkji5wwF7 +mUfRBkrchV2P9NyRvUnkiyRtWOoPkIuGTWoWaQPErtc3/OzBVmgjsatv2Blk +rIejRL+n74zdElcLRI2fwQfpDmjYYVyb8GudC4L0HVdcAVOevp93NAtgu+jn +lNFsmB+JvkWuoaXm5JOOGtq7mYI1gtnF3Y/v+4HqvixBpE0+5HtPzVebzGoW +YkvISaLx5tXNzjQded4pIb+AhfttSc+BqUz94yQRaXz71mjciyr8Vrrjt8NR +Yxm2dM/kV09pm+fnH2QNXloVF6HfaozepmPSbQBnJ7QqbjeD18f0QIgXyPWJ +vuyCvkaFrehudPH1o4GppRQf7fcqS46vTwzVG5bksK86Y9AFvw/utQ267DV4 +JMJBGl+ZoaXKXGeCfe9L/a2OxrVMg0QJdAKpkby8Ht2Cq8OvIzEtFK/0O0lo +pBViOeX02d/crdSRgX9Kpw0swjhQHqqz97Ilf3EzbmSydGbzPKgseBdkZGlF +T9BticaM0Xvt99/BUhBz1r5g/60kqp53HtRzdpU3Enexa1gk1MOZUsJNrxGm +xdRNtMew2GYU/bbFrG4sJeLpM5aXXLg/q3Z0LxW4FIM2tzf84Y4hNtNhm8TD +jbAtSfg3+nXaUyXfybsZ98rPwIYVd+SmqVozxeHmOi/rn8wP/zjR5TeFHPbd +riYgVh7E0nVLCoiowVpvBX3x+kYbj2o6dC+ArQW+wj8pGP3N6FL4P8SUv9WC +eb/BmND02uTKinxIr32qZFprqtM0k8enTcU2tjsmOS2lnfgEnFaJlnMxds85 +pUon4qtwJgQg21w3SgHFaeCYqgSFrQVl8JXsMafB5rjD7bovL8j6BGxgpLI4 +0bgcr5W3yFlg4xMuXc7CDvO2+VR/a1YVFHFx2GCwwTfhJNRpmXNWTjlGG2EU 
+ZzZwWAOA/wLRvnE4wTnE9VIz8WgVw9eEth54k9SJ1vyc4e++SGrSvVe+qDF8 +BcyRiMi1Y8ukFtVaFMO6s7eRRuQL9hloDwC/k7M/g9u7JExpj+kYcN3i0FQM +z/9XI6K67OVDsNFxctHjr42urYIhcWtqDmF+G6Mz1+f/9cRBKntsXYBwCAd1 +JT/eo9FMemhDSFGwNGROrlzLAsyM0ylNyXagC1xlhPbw0We7gkpUI25dY3R8 +IV9dvmch/PE4swRicmZmc6IatulcO6+Z9FXg+PHwT7p7CqTD+kLsc8HmaUzW +HHht5B+UDIam/GLc/CdBnQiiq4x8i4hAl8HrdPFda7mOQ/mQwt9Uzs2RsJDD +Q7KsSAazeARw+QG5HUuRvDjcsdh9V9phXrC9cD/Ef9QEZEajpWgyx92tWAJ5 +BRM1EObviIL/v+OJbPo= \ No newline at end of file diff --git a/cookbooks/embulk/install.rb b/cookbooks/embulk/install.rb new file mode 100644 index 0000000..fc8c09b --- /dev/null +++ b/cookbooks/embulk/install.rb @@ -0,0 +1,30 @@ +# Create installation directory: +directory node['embulk']['install_path'] do + owner 'root' + group 'root' + mode '755' +end + +URL = "#{node['embulk']['base_binary_url']}#{node['embulk']['version']}#{node['embulk']['extension']}" +TARGET = "#{node['embulk']['install_path']}/embulk" + +# Download and install: +execute "wget #{URL} -O #{TARGET}" do + not_if "test -e #{TARGET}" +end + +file TARGET do + owner 'root' + group 'root' + mode '755' +end + +# Create link: +link '/usr/local/bin/embulk' do + user 'root' + to TARGET +end + +package 'default-jre' do + action :install +end diff --git a/cookbooks/embulk/setup.rb b/cookbooks/embulk/setup.rb new file mode 100644 index 0000000..61c3a5d --- /dev/null +++ b/cookbooks/embulk/setup.rb 
@@ -0,0 +1,41 @@
+directory '/root/.ssh' do
+ owner 'root'
+ group 'root'
+ mode '700'
+end
+
+# Deploy `~/.ssh/.ssh/authorized_keys`:
+encrypted_remote_file '/root/.ssh/authorized_keys' do
+ owner 'root'
+ group 'root'
+ mode '600'
+ source 'files/root/.ssh/authorized_keys'
+ password ENV['ITAMAE_PASSWORD']
+end
+
+# Deploy secret keys
+%w( id_rsa.github id_rsa.chef amazon.pem ).each do |conf|
+ encrypted_remote_file "/root/.ssh/#{conf}" do
+ owner 'root'
+ group 'root'
+ mode '600'
+ source "files/root/.ssh/#{conf}"
+ password ENV['ITAMAE_PASSWORD']
+ end
+end
+
+# Deploy .ssh/config:
+remote_file '/root/.ssh/config' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+
+%w(filter-column output-mysql).each do |p|
+ execute "embulk gem install embulk-#{p}" do
+ user 'root'
+
+ not_if "embulk gem list | grep #{p}"
+ end
+end
diff --git a/cookbooks/fluentd/attributes.rb b/cookbooks/fluentd/attributes.rb
new file mode 100644
index 0000000..df35d4f
--- /dev/null
+++ b/cookbooks/fluentd/attributes.rb
@@ -0,0 +1,11 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+ 'td-agent' => {
+ 'user' => 'td-agent',
+ 'group' => 'td-agent',
+ 'forward' => false,
+ 'role' => 'primary'
+ }
+})
diff --git a/cookbooks/fluentd/auth.rb b/cookbooks/fluentd/auth.rb
new file mode 100644
index 0000000..e69de29
diff --git a/cookbooks/fluentd/default.rb b/cookbooks/fluentd/default.rb
new file mode 100644
index 0000000..0cac0d9
--- /dev/null
+++ b/cookbooks/fluentd/default.rb
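Review bot: `password ENV['ITAMAE_PASSWORD']` evaluates to `nil` when the variable is not exported, and the failure then surfaces as a decryption error from inside the `encrypted_remote_file` resource, well after the run has started; `ENV.fetch('ITAMAE_PASSWORD')` fails at recipe load with a `KeyError` that names the missing variable. `embulk gem install embulk-#{p}` installs the newest plugin version from rubygems as root with no version pin, so hosts provisioned at different times end up with different plugin code; pass `-v` with a version kept in attributes.rb next to the embulk `version` already pinned there. The `not_if "embulk gem list | grep #{p}"` is a substring match; `grep -w "embulk-#{p}"` is tighter.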
@@ -0,0 +1,40 @@
+#####################################
+# Common Settings:
+#####################################
+
+include_recipe './attributes.rb'
+
+include_recipe './prerequisites.rb'
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
+
+#####################################
+# Manager Settings:
+#####################################
+
+if node['td-agent']['forward']
+ include_recipe './processor.rb'
+ include_recipe './syslog.rb'
+ include_recipe './slack.rb'
+end
+
+#####################################
+# monitoring Settings:
+#####################################
+
+include_recipe './nginx.rb'
+
+%w( aptitude auth cron-apt monit consul ).each do |c|
+ remote_file "/etc/td-agent/conf.d/forwarder_#{c}.conf" do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[td-agent]'
+ end
+end
+
+service 'td-agent' do
+ action :restart
+end
diff --git a/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf b/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf
new file mode 100644
index 0000000..c7760a3
--- /dev/null
+++ b/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf
@@ -0,0 +1,4 @@
+check process td-agent
+ with pidfile /var/run/td-agent/td-agent.pid
+ start program = "/etc/init.d/td-agent start"
+ stop program = "/etc/init.d/td-agent stop"
diff --git a/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf b/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf
new file mode 100644
index 0000000..929b7b8
--- /dev/null
+++ b/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf
@@ -0,0 +1,6 @@
+# - nofile - max number of open files
+
+root soft nofile 65536
+root hard nofile 65536
+* soft nofile 65536
+* hard nofile 65536
diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf
new file mode 100644
index 0000000..48eaad0
--- /dev/null
+++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf
@@ -0,0 +1,38 @@
+
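Review bot: The closing `service 'td-agent' do action :restart end` restarts the agent unconditionally on every converge, which makes the `notifies :restart, 'service[td-agent]'` on the `remote_file` resources above redundant and bounces a log forwarder (and whatever it has buffered) even when no config changed. Keeping the service up and letting the notifications drive restarts — `action [:enable, :start]` if nothing else starts it, or `action :nothing` if an included recipe already does — limits restarts to real configuration changes. The loop also deploys `forwarder_#{c}.conf` for `cron-apt` and `monit`, whose source files are not in the portion of this commit visible here; `remote_file` fails on a missing source, so it is worth confirming they are part of the same commit.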
diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf new file mode 100644 index 0000000..abda2a5 --- /dev/null +++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf @@ -0,0 +1,20 @@ + + @type tail + path /var/log/apt/history.log + pos_file /var/log/td-agent/aptitude.pos + format none + tag aptitude + + + + @type record_transformer + + hostname ${hostname} + message ${hostname}: ${record["message"]} + + + + + @type relabel + @label @forward + diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf new file mode 100644 index 0000000..257bae5 --- /dev/null +++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf @@ -0,0 +1,28 @@ + + @type tail + path /var/log/auth.log + pos_file /var/log/td-agent/auth.pos + format syslog + tag auth + + + + @type record_transformer + + message ${hostname}: ${record["message"]} + + + + + @type grep + + + key message + pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected) + + + + + @type relabel + @label @forward + diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf new file mode 100644 index 0000000..e8cd7cc --- /dev/null +++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf @@ -0,0 +1,30 @@ + + @type tail + path /var/log/supervisor/consul.log + pos_file /var/log/td-agent/consul.pos + format /^( (?
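Review bot: In forwarder_auth.conf the `@type grep` section keys on `message` with the pattern `(CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected)`, but the enclosing markup (`<regexp>` versus `<exclude>`) did not survive this rendering, so it is unclear whether these lines are kept or dropped. If it is an exclude block, `Accepted publickey`, `sudo` and `pam_unix` are exactly the authentication and privilege events a forwarder for `/var/log/auth.log` exists to ship, and dropping them alongside CRON noise silently blinds downstream detection; if it is a regexp block, a one-line comment such as `# only forward these auth events; everything else is dropped here` would spare the next reader the same question. The pattern is also unanchored, so short alternatives like `seat` match any message containing that substring.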
