initial commit

2019-03-03 16:50:49 +08:00 · 2019-03-03 16:50:49 +08:00 · 39fbe6669b
commit 39fbe6669b
221 changed files with 6774 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
+vendor
+*.swp
+.bundle/
+./nodes/
--- a/.rubocop-todo.yml
+++ b/.rubocop-todo.yml
@ -0,0 +1,14 @@
+MethodLength:
+  Enabled: false
+
+LineLength:
+  Enabled: false
+
+NumericLiterals:
+  Enabled: false
+
+AmbiguousRegexpLiteral:
+  Enabled: false
+
+AbcSize:
+  Enabled: false
--- a/.rubocop.yml
+++ b/.rubocop.yml
@ -0,0 +1,16 @@
+inherit_from: .rubocop-todo.yml
+
+AllCops:
+  Exclude:
+    - 'cookbooks/**/*'
+    - 'tmp/**/*'
+    - 'vendor/bundle/**/*'
+    - 'site-cookbooks/sensu-custom/files/default/tw.rb'
+    - 'images/**/*'
+
+Style/CommandLiteral:
+  EnforcedStyle: mixed
+  AllowInnerBackticks: true
+
+Style/PerlBackrefs:
+  Enabled: false
--- a/.ruby-version
+++ b/.ruby-version
@ -0,0 +1 @@
+2.4.1
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gem 'itamae'
+gem 'serverspec'
+
+gem 'itamae-plugin-resource-encrypted_remote_file'
+gem 'reversible_cryptography'
+
+gem 'rubocop'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -0,0 +1,81 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ansi (1.5.0)
+    ast (2.4.0)
+    diff-lcs (1.3)
+    hashie (3.6.0)
+    itamae (1.10.1)
+      ansi
+      hashie
+      schash (~> 0.1.0)
+      specinfra (>= 2.64.0, < 3.0.0)
+      thor
+    itamae-plugin-resource-encrypted_remote_file (0.0.2)
+      itamae (>= 1.2)
+      reversible_cryptography
+    jaro_winkler (1.5.1)
+    multi_json (1.13.1)
+    net-scp (1.2.1)
+      net-ssh (>= 2.6.5)
+    net-ssh (5.0.2)
+    net-telnet (0.1.1)
+    parallel (1.12.1)
+    parser (2.5.3.0)
+      ast (~> 2.4.0)
+    powerpack (0.1.2)
+    rainbow (3.0.0)
+    reversible_cryptography (0.5.0)
+      thor
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    rubocop (0.61.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.4.0)
+    ruby-progressbar (1.10.0)
+    schash (0.1.2)
+    serverspec (2.41.3)
+      multi_json
+      rspec (~> 3.0)
+      rspec-its
+      specinfra (~> 2.72)
+    sfl (2.3)
+    specinfra (2.76.3)
+      net-scp
+      net-ssh (>= 2.7)
+      net-telnet (= 0.1.1)
+      sfl
+    thor (0.20.3)
+    unicode-display_width (1.4.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  itamae
+  itamae-plugin-resource-encrypted_remote_file
+  reversible_cryptography
+  rubocop
+  serverspec
+
+BUNDLED WITH
+   1.16.1
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+#!/usr/bin/env rake
+
+Dir['tasks/**/*.rake'].each { |path| load path }
--- a/cookbooks/base/aws_ec2.rb
+++ b/cookbooks/base/aws_ec2.rb
@ -0,0 +1,27 @@
+# Make swap file:
+[
+  'dd if=/dev/zero of=/swap.img bs=1M count=2048 && chomod 600 /swap.img',
+  'mkswap /swap.img'
+].each do |cmd|
+  execute cmd do
+    user 'root'
+
+    only_if 'test ! -f /swap.img -a `cat /proc/swaps | wc -l` -eq 1'
+  end
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+  action :edit
+
+  block do |content|
+    content << "/swap.img /dev/null swap defaults 0 2\n"
+  end
+
+  not_if 'grep swap.img /etc/fstab'
+end
+
+# Mount the swap file:
+execute 'swapon -ae' do
+  only_if 'test `cat /proc/swaps | wc -l` -eq 1'
+end
--- a/cookbooks/base/cron-apt.rb
+++ b/cookbooks/base/cron-apt.rb
@ -0,0 +1,44 @@
+# Install `cron-apt`:
+package 'cron-apt'
+
+# From here, we are going to set up `cron-apt` to
+# install the important security updates every day.
+remote_file '/etc/cron-apt/config' do
+  user 'root'
+
+  owner 'root'
+  group 'root'
+  mode  '644'
+end
+
+remote_file '/etc/cron-apt/action.d/3-download' do
+  user 'root'
+
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
+execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
+  user 'root'
+
+  not_if 'test -e /etc/apt/security.sources.list'
+end
+
+file '/var/log/cron-apt/log' do
+  user 'root'
+
+  content 'foo\n'
+
+  owner 'root'
+  group 'root'
+  mode '666'
+
+  not_if 'test -e /var/log/cron-apt/log'
+end
+
+execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
+  user 'root'
+
+  not_if 'test -e /var/log/cron-apt/log'
+end
--- a/cookbooks/base/default.rb
+++ b/cookbooks/base/default.rb
@ -0,0 +1,74 @@
+[
+  # only install amd64 package
+  # http://d.hatena.ne.jp/ritchey/20121229
+  'dpkg --remove-architecture i386',
+
+  # Execute `apt update`
+  'apt update',
+].each do |cmd|
+  execute cmd do
+    user 'root'
+
+    only_if 'dpkg --print-architecture | grep i386'
+  end
+end
+
+# Create /etc/sudoers.d/
+directory '/etc/sudoers.d/' do
+  owner 'root'
+  group 'root'
+  mode '750'
+end
+
+# motd configurations:
+remote_file '/etc/motd.tail' do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
+remote_file '/etc/update-motd.d/99-motd-update' do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Install the necessary packages:
+include_recipe './packages.rb'
+
+# Lang Setting:
+include_recipe './lang.rb'
+
+# `cron-apt` settings:
+include_recipe './cron-apt.rb'
+
+# `ufw` configurations:
+include_recipe './ufw.rb'
+
+# `sshd` configurations:
+include_recipe './ssh.rb'
+
+# `fortune` configurations:
+include_recipe './fortune.rb'
+
+# timezone configurations:
+include_recipe './timezone.rb'
+
+# ntp configurations:
+include_recipe './ntp.rb'
+
+# kernel configurations:
+include_recipe './kernel.rb'
+
+# Install mc command:
+include_recipe './mc.rb'
+
+# unnecessary configurations:
+if node['platform_version'].to_f == 16.04
+  include_recipe './unnecessary.rb'
+end
+
+# AWS EC2 Swap Setting:
+if node['is_ec2']
+  include_recipe './aws_ec2.rb'
+end
--- a/cookbooks/base/files/etc/cron-apt/action.d/3-download
+++ b/cookbooks/base/files/etc/cron-apt/action.d/3-download
@ -0,0 +1,2 @@
+autoclean -y
+upgrade -y -o APT::Get::Show-Upgraded=true
--- a/cookbooks/base/files/etc/cron-apt/config
+++ b/cookbooks/base/files/etc/cron-apt/config
@ -0,0 +1,11 @@
+# Configuration for cron-apt. For further information about the possible
+# configuration settings see the README file.
+
+SYSLOGON="always"
+DEBUG="verbose"
+
+MAILON=""
+
+APTCOMMAND=/usr/bin/apt
+
+OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list"
--- a/cookbooks/base/files/etc/motd.tail
+++ b/cookbooks/base/files/etc/motd.tail
@ -0,0 +1,15 @@
+                                                                                                     
+              [104m [0m[104m [0m                                [101m [0m[101m [0m                                [47m [0m[47m [0m                 
+              [104m [0m[104m [0m                                [101m [0m[101m [0m                                [47m [0m[47m [0m                 
+              [104m [0m[104m [0m                                [101m [0m[101m [0m                                [47m [0m[47m [0m                 
+            [104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m                            [101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m                            [47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m               
+          [107m [0m[107m [0m[107m [0m[107m [0m[104m [0m[104m [0m[44m [0m[44m [0m[104m [0m[104m [0m                        [107m [0m[107m [0m[107m [0m[107m [0m[101m [0m[101m [0m[41m [0m[41m [0m[101m [0m[101m [0m                        [107m [0m[107m [0m[107m [0m[107m [0m[47m [0m[47m [0m[100m [0m[100m [0m[47m [0m[47m [0m             
+      [107m [0m[107m [0m[107m [0m[107m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[44m [0m[44m [0m[104m [0m[104m [0m[104m [0m[104m [0m                [107m [0m[107m [0m[107m [0m[107m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[41m [0m[41m [0m[101m [0m[101m [0m[101m [0m[101m [0m                [107m [0m[107m [0m[107m [0m[107m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[100m [0m[100m [0m[47m [0m[47m [0m[47m [0m[47m [0m         
+    [107m [0m[107m [0m[107m [0m[107m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[104m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[104m [0m[104m [0m            [107m [0m[107m [0m[107m [0m[107m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[101m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[101m [0m[101m [0m            [107m [0m[107m [0m[107m [0m[107m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[47m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[47m [0m[47m [0m       
+  [104m [0m[104m [0m[107m [0m[107m [0m[104m [0m[104m [0m[104m [0m[104m [0m[107m [0m[107m [0m[104m [0m[104m [0m[104m [0m[104m [0m[44m [0m[44m [0m[107m [0m[107m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[104m [0m[104m [0m        [101m [0m[101m [0m[107m [0m[107m [0m[101m [0m[101m [0m[101m [0m[101m [0m[107m [0m[107m [0m[101m [0m[101m [0m[101m [0m[101m [0m[41m [0m[41m [0m[107m [0m[107m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[101m [0m[101m [0m        [47m [0m[47m [0m[107m [0m[107m [0m[47m [0m[47m [0m[47m [0m[47m [0m[107m [0m[107m [0m[47m [0m[47m [0m[47m [0m[47m [0m[100m [0m[100m [0m[107m [0m[107m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[47m [0m[47m [0m     
+  [104m [0m[104m [0m[44m [0m[44m [0m[104m [0m[104m [0m[107m [0m[107m [0m[40m [0m[40m [0m[107m [0m[107m [0m[44m [0m[44m [0m[107m [0m[107m [0m[40m [0m[40m [0m[107m [0m[107m [0m[44m [0m[44m [0m[44m [0m[44m [0m[104m [0m[104m [0m        [101m [0m[101m [0m[41m [0m[41m [0m[101m [0m[101m [0m[107m [0m[107m [0m[40m [0m[40m [0m[107m [0m[107m [0m[41m [0m[41m [0m[107m [0m[107m [0m[40m [0m[40m [0m[107m [0m[107m [0m[41m [0m[41m [0m[41m [0m[41m [0m[101m [0m[101m [0m        [47m [0m[47m [0m[100m [0m[100m [0m[47m [0m[47m [0m[107m [0m[107m [0m[40m [0m[40m [0m[107m [0m[107m [0m[100m [0m[100m [0m[107m [0m[107m [0m[40m [0m[40m [0m[107m [0m[107m [0m[100m [0m[100m [0m[100m [0m[100m [0m[47m [0m[47m [0m     
+  [104m [0m[104m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[107m [0m[107m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[107m [0m[107m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m        [101m [0m[101m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[107m [0m[107m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[107m [0m[107m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m        [47m [0m[47m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[107m [0m[107m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[107m [0m[107m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m     
+  [104m [0m[104m [0m[44m [0m[44m [0m[44m [0m[44m [0m[41m [0m[41m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[41m [0m[41m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m        [101m [0m[101m [0m[41m [0m[41m [0m[41m [0m[41m [0m[100m [0m[100m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[100m [0m[100m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m        [47m [0m[47m [0m[100m [0m[100m [0m[100m [0m[100m [0m[41m [0m[41m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[41m [0m[41m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m     
+    [104m [0m[104m [0m[44m [0m[44m [0m[44m [0m[44m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m            [101m [0m[101m [0m[41m [0m[41m [0m[41m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m            [47m [0m[47m [0m[100m [0m[100m [0m[100m [0m[100m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m       
+        [44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m[44m [0m                    [41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m[41m [0m                    [100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m[100m [0m           
+                                                                                                     
--- a/cookbooks/base/files/etc/ntp.conf
+++ b/cookbooks/base/files/etc/ntp.conf
@ -0,0 +1,66 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+pool 0.ubuntu.pool.ntp.org iburst
+pool 1.ubuntu.pool.ntp.org iburst
+pool 2.ubuntu.pool.ntp.org iburst
+pool 3.ubuntu.pool.ntp.org iburst
+
+# Use Ubuntu's ntp server as a fallback.
+pool ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+#Changes recquired to use pps synchonisation as explained in documentation:
+#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
+
+#server 127.127.8.1 mode 135 prefer    # Meinberg GPS167 with PPS
+#fudge 127.127.8.1 time1 0.0042        # relative to PPS for my hardware
+
+#server 127.127.22.1                   # ATOM(PPS)
+#fudge 127.127.22.1 flag3 1            # enable PPS API
--- a/cookbooks/base/files/etc/ssh/sshd_config
+++ b/cookbooks/base/files/etc/ssh/sshd_config
@ -0,0 +1,91 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 10022
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Do not use DNS:
+UseDNS no
--- a/cookbooks/base/files/etc/ssh/sshd_config.1804
+++ b/cookbooks/base/files/etc/ssh/sshd_config.1804
@ -0,0 +1,122 @@
+#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 10022
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
--- a/cookbooks/base/files/etc/sysctl.d/90-vfs-cache-pressure.conf
+++ b/cookbooks/base/files/etc/sysctl.d/90-vfs-cache-pressure.conf
@ -0,0 +1,8 @@
+# `vfs_cache_pressure` configures how much the system will choose to cache inode
+# and dentry information over other data.
+#
+# Basically, this is access data about the filesystem.
+# This is generally very costly to look up and very frequently requested,
+# so it's an excellent thing for your system to cache.
+
+vm.vfs_cache_pressure = 50
--- a/cookbooks/base/files/etc/sysctl.d/90-vm-swappiness.conf
+++ b/cookbooks/base/files/etc/sysctl.d/90-vm-swappiness.conf
@ -0,0 +1,9 @@
+# The swappiness parameter configures how often your system swaps data out of RAM to the swap space.
+# This is a value between 0 and 100 that represents a percentage.
+#
+# With values close to zero, the kernel will not swap data to the disk unless absolutely necessary.
+# Remember, interactions with the swap file are "expensive" in that they take a lot longer than
+# interactions with RAM and they can cause a significant reduction in performance.
+# Telling the system not to rely on the swap much will generally make your system faster.
+
+vm.swappiness = 10
--- a/cookbooks/base/files/etc/timezone
+++ b/cookbooks/base/files/etc/timezone
@ -0,0 +1 @@
+Asia/Tokyo
--- a/cookbooks/base/files/etc/update-motd.d/99-motd-update
+++ b/cookbooks/base/files/etc/update-motd.d/99-motd-update
@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo
+cat /etc/motd.tail
--- a/cookbooks/base/files/usr/share/git-core/templates/hooks/pre-commit
+++ b/cookbooks/base/files/usr/share/git-core/templates/hooks/pre-commit
@ -0,0 +1,17 @@
+#!/bin/sh
+
+# if the commit is first one, then pass
+
+if [ -z "$(git branch)" ]; then
+  exit 0
+fi
+
+# Otherwise, check if the branch is master, and if it is, fail.
+
+branch="$(git symbolic-ref HEAD 2>/dev/null)" || \
+       "$(git describe --contains --all HEAD)"
+
+if [ "${branch##refs/heads/}" = "master" ]; then
+  echo "Do not commit on the master branch!"
+  exit 1
+fi
--- a/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg
+++ b/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg
@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ "$2" = "" ]; then
+  mv $1 $1.tmp
+
+  ID=`git branch | grep ^\* | awk '{print $2}' | cut -f 2 -d "/"`
+
+  cat <<EOF > $1
+
+
+This commit refs/fixes #${ID}.
+#           ^^^^^^^^^^
+EOF
+
+  cat $1.tmp >> $1
+fi
+
+exit 0
--- a/cookbooks/base/fortune.rb
+++ b/cookbooks/base/fortune.rb
@ -0,0 +1,21 @@
+# Install `fortune` package:
+package 'fortune' do
+  not_if 'test -e /usr/games/fortune'
+end
+
+URL='http://www.splitbrain.org/_media/projects/fortunes/fortune-starwars.tgz'
+TGZ='fortune-starwars.tgz'
+
+[
+  "wget #{URL} -O #{TGZ}",
+  "tar xf #{TGZ}",
+  'cp fortune-starwars/starwars.dat /usr/share/games/fortunes/',
+  'cp fortune-starwars/starwars /usr/share/games/fortunes/'
+].each do |cmd|
+  execute cmd do
+    user 'root'
+    cwd '/tmp/itamae_tmp/'
+
+    not_if 'test -e /usr/share/games/fortunes/starwars.dat'
+  end
+end
--- a/cookbooks/base/kernel.rb
+++ b/cookbooks/base/kernel.rb
@ -0,0 +1,12 @@
+STORAGE = '/etc/sysctl.d'
+
+[
+  "#{STORAGE}/90-vm-swappiness.conf",
+  "#{STORAGE}/90-vfs-cache-pressure.conf"
+].each do |conf|
+  remote_file conf do
+    owner 'root'
+    group 'root'
+    mode '644'
+  end
+end
--- a/cookbooks/base/lang.rb
+++ b/cookbooks/base/lang.rb
@ -0,0 +1,20 @@
+# Language Settings:
+package 'language-pack-ja-base'
+
+execute 'locale-gen ja_JP.UTF-8' do
+  user 'root'
+
+  not_if 'locale -a | grep ja_JP.utf8'
+end
+
+execute 'dpkg-reconfigure --frontend=noninteractive locales' do
+  user 'root'
+
+  not_if 'locale -a | grep ja_JP.utf8'
+end
+
+execute 'update-locale LANG=ja_JP.UTF-8' do
+  user 'root'
+
+  not_if 'strings /etc/default/locale | grep ja_JP.UTF-8'
+end
--- a/cookbooks/base/mc.rb
+++ b/cookbooks/base/mc.rb
@ -0,0 +1,12 @@
+MC = 'https://dl.minio.io/client/mc/release/linux-amd64/mc'
+LOCATION = '/usr/local/bin/mc'
+
+execute "wget #{MC} -O #{LOCATION}" do
+  not_if "test -e #{LOCATION}"
+end
+
+file LOCATION do
+  mode '755'
+  user 'root'
+  group 'root'
+end
--- a/cookbooks/base/ntp.rb
+++ b/cookbooks/base/ntp.rb
@ -0,0 +1,18 @@
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+  # do nothing
+else
+  package 'ntp'
+
+  remote_file '/etc/ntp.conf' do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    notifies :restart, 'service[ntp]'
+  end
+
+  service 'ntp' do
+    action :nothing
+  end
+end
--- a/cookbooks/base/packages.rb
+++ b/cookbooks/base/packages.rb
@ -0,0 +1,64 @@
+# Execute `apt update`:
+execute 'apt update'
+
+# Install the necessary packages:
+%w[build-essential zsh vim-nox debian-keyring screen curl dstat].each do |pkg|
+  package pkg
+end
+
+# Install the extra kernel:
+unless node['is_ec2']
+  case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+  when "18.04"
+    package 'linux-image-extra-virtual'
+  else
+    KERNEL = run_command("uname -r").stdout.chomp
+    package "linux-image-extra-#{KERNEL}"
+  end
+end
+
+### Here we are going to install git.
+# Constants:
+KEYSRV = 'hkp://keyserver.ubuntu.com:80'
+ID = 'E1DF1F24'
+
+GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push'
+PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push'
+
+# Retrieve the Ubuntu code:
+DIST = run_command('lsb_release -cs').stdout.chomp
+
+# Add the public key file to install `git`
+execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
+  not_if 'apt-key list | grep E1DF1F24'
+end
+
+# Deploy the `apt` sources:
+template '/etc/apt/sources.list.d/git.list' do
+  action :create
+  variables(distribution: DIST)
+end
+
+execute 'apt update' do
+  not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa'
+end
+
+execute 'apt install git -y' do
+  not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa'
+end
+
+execute "wget #{PREPUSH} -O #{GIT_PREPUSH}" do
+  not_if "test -e #{GIT_PREPUSH}"
+end
+
+[
+  '/usr/share/git-core/templates/hooks/pre-commit',
+  '/usr/share/git-core/templates/hooks/prepare-commit-msg',
+].each do |conf|
+  remote_file conf do
+    user 'root'
+    owner 'root'
+    group 'root'
+    mode '644'
+  end
+end
--- a/cookbooks/base/ssh.rb
+++ b/cookbooks/base/ssh.rb
@ -0,0 +1,35 @@
+# ToDo: `iptables` setting must be here:
+execute 'ufw allow 10022' do
+  user 'root'
+
+  not_if 'LANG=c ufw status | grep 10022'
+
+  notifies :run, 'execute[ufw reload-or-enable]'
+end
+
+# Deploy the `sshd` configuration file:
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+  remote_file '/etc/ssh/sshd_config' do
+    user 'root'
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    source 'files/etc/ssh/sshd_config.1804'
+  end
+else
+  remote_file '/etc/ssh/sshd_config' do
+    user 'root'
+    owner 'root'
+    group 'root'
+    mode '644'
+  end
+end
+
+
+# Apply the changes:
+execute 'systemctl reload ssh.service ' do
+  action :nothing
+  subscribes :run, 'remote_file[/etc/ssh/sshd_config]'
+end
--- a/cookbooks/base/templates/etc/apt/sources.list.d/git.list
+++ b/cookbooks/base/templates/etc/apt/sources.list.d/git.list
@ -0,0 +1 @@
+deb      "http://ppa.launchpad.net/git-core/ppa/ubuntu" <%= @distribution %> main
--- a/cookbooks/base/timezone.rb
+++ b/cookbooks/base/timezone.rb
@ -0,0 +1,23 @@
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+  execute 'timedatectl set-timezone Asia/Tokyo' do
+    not_if 'timedatectl | grep Tokyo'
+  end
+else
+  remote_file '/etc/timezone' do
+    user 'root'
+    owner 'root'
+    group 'root'
+    mode '644'
+  end
+
+  [
+    'cp -f /usr/share/zoneinfo/Asia/Tokyo /etc/localtime'
+  ].each do |cmd|
+    execute cmd do
+      user 'root'
+
+      not_if 'diff /usr/share/zoneinfo/Asia/Tokyo /etc/localtime'
+    end
+  end
+end
--- a/cookbooks/base/ufw.rb
+++ b/cookbooks/base/ufw.rb
@ -0,0 +1,6 @@
+execute 'ufw reload-or-enable' do
+  user 'root'
+  command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
+
+  action :nothing
+end
--- a/cookbooks/base/unnecessary.rb
+++ b/cookbooks/base/unnecessary.rb
@ -0,0 +1,5 @@
+%w( apparmor iscsid lxc lxcfs lxd-containers lxd open-iscsi ).each do |s|
+  service s do
+    action :disable
+  end
+end
--- a/cookbooks/blog/attributes.rb
+++ b/cookbooks/blog/attributes.rb
@ -0,0 +1,9 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+  'blog' => {
+    'FQDN' => 'blog.kazu634.com',
+    'production' => true
+  }
+})
--- a/cookbooks/blog/default.rb
+++ b/cookbooks/blog/default.rb
@ -0,0 +1,6 @@
+include_recipe './attributes.rb'
+
+if node['blog']['production']
+  include_recipe './ssl.rb'
+  include_recipe './nginx.rb'
+end
--- a/cookbooks/blog/files/etc/cron.d/blog
+++ b/cookbooks/blog/files/etc/cron.d/blog
@ -0,0 +1,2 @@
+@reboot webadm cp -pr /home/webadm/works/public/* /var/www/blog/
+12 3 * * * root openssl rand 48 > /etc/letsencrypt/live/blog.kazu634.com/ticket.key
--- a/cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem
+++ b/cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem
@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAqY1i3j1m5Udr7eJxrsxBDK3NqsXJbPgfj2tdH+RlY8Bb7NuTPl9Z
+e5KtZ2UQlPcth9sSPgulg/V+g4GQhge8xACSl1joAenDpPF8BGyBcv/o9QwNpdzj
+yP9o4X/TQkDxGKTJItpfKMHdmBPYC8Sxv0NpPlkKT27kfwOpSRuj17ZWAl+AnOjS
+TjLzSq85/Ao7C0rgAhJRG38iZ36DXGWYtrA7n/F6wTlmelRwkNCGEypF79GWSU8P
+xCpVLTY6MIhDq5NBO3mzkeYyl0M1M8c7dwUAPAMCK43Fl6nfQbbbwSIxlxQy8WIq
+48s5TaJEp1hU2CXTgTa+cmm1JQziFBlwOZNAeAAIi6JcJRHCFhpUrTVirqPRIoUc
+c99xUs91aELi/nZggt0vrGd4kyQ6eB5pxB6kAJwNfP3URMjucttcukyhuu/jzDMd
+GNg1J75dAF606yunta8ZohecrabpkACQz9ZR+VOM0z4IGbI39M+EohFcxL7+8gSU
+VP537jDrlAjU2DtbE2Dr+dotg1LfIE4P5AGFIAPfKYE+YXJ85SNin7POMttw8TP2
+WlMVFAG159CBjPvGPuXqInBv6U5QHWxINSevHL6vdD12d7L9LjUHQQNaAborPe2Z
+rN7fPDbDib5vnxUBAayHgic8qw1/eqWIhAXyBGRG/EOuwKgr2DU5U3sCAQI=
+-----END DH PARAMETERS-----
--- a/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf
+++ b/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf
@ -0,0 +1,2 @@
+check file nginx-blog with path /var/log/nginx/blog.access.log
+    if timestamp > 2 minutes for 5 cycles then exec "/bin/systemctl restart nginx"
--- a/cookbooks/blog/files/etc/nginx/sites-available/blog
+++ b/cookbooks/blog/files/etc/nginx/sites-available/blog
@ -0,0 +1,90 @@
+server {
+  # allow access from localhost
+  listen 80 reuseport backlog=1024;
+  listen 443 ssl http2 backlog=1024;
+  server_name blog.kazu634.com;
+
+  ssl_certificate /etc/letsencrypt/live/blog.kazu634.com/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/blog.kazu634.com/privkey.pem;
+  ssl_dhparam /etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem;
+
+  ssl_session_cache   shared:SSL:3m;
+  ssl_buffer_size     4k;
+  ssl_session_timeout 10m;
+
+  ssl_session_tickets on;
+  ssl_session_ticket_key /etc/letsencrypt/live/blog.kazu634.com/ticket.key;
+
+  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA;
+  ssl_prefer_server_ciphers on;
+
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  resolver 8.8.4.4 8.8.8.8 valid=300s;
+  resolver_timeout 10s;
+
+  # Enable HSTS (HTTP Strict Transport Security)
+  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+  root /var/www/blog;
+  index index.html index.htm;
+
+  access_log   /var/log/nginx/blog.access.log   ltsv;
+  error_log    /var/log/nginx/blog.error.log;
+
+  location / {
+    gzip on;
+    gunzip on;
+    gzip_vary on;
+
+    # http2 server push:
+    http2_push_preload on;
+
+    http2_push /css/sanitize.css;
+    http2_push /css/responsive.css;
+    http2_push /css/highlight_monokai.css;
+    http2_push /css/theme.css;
+    http2_push /css/custom.css;
+    http2_push /images/profile.png;
+    http2_push /js/highlight.pack.js;
+
+    if (-e "/tmp/maintenance") {
+      return 503;
+    }
+
+    location /feed {
+      return 301 http://blog.kazu634.com/index.xml;
+    }
+
+    location /wp-content {
+      return 404;
+    }
+
+    location ~* \.css {
+      gzip_static always;
+
+      expires max;
+    }
+
+    location ~* \.js {
+      gzip_static always;
+
+      expires max;
+    }
+
+    location /images {
+      gzip_static always;
+
+      expires max;
+    }
+
+    location = /favicon.ico {
+      access_log off;
+      empty_gif;
+      expires max;
+    }
+
+    try_files $uri $uri/ /index.html;
+  }
+}
--- a/cookbooks/blog/nginx.rb
+++ b/cookbooks/blog/nginx.rb
@ -0,0 +1,63 @@
+# Deploy the nginx configuration file:
+remote_file '/etc/nginx/sites-available/blog' do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
+# Deploy cron tab configuration for nginx
+remote_file '/etc/cron.d/blog' do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
+# Create link:
+link '/etc/nginx/sites-enabled/blog' do
+  user 'root'
+  to '/etc/nginx/sites-available/blog'
+
+  notifies :restart, 'service[nginx]'
+end
+
+service 'nginx' do
+  action :nothing
+end
+
+# Create the nginx directory:
+directory '/var/www/blog' do
+  owner 'www-data'
+  group 'webadm'
+  mode '770'
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+  action :edit
+
+  block do |content|
+    content << "tmpfs /var/www/blog tmpfs size=250m,noatime 0 0\n"
+  end
+
+  not_if 'grep /var/www/blog /etc/fstab'
+
+  notifies :run, 'execute[fstab -a]'
+end
+
+execute 'mount -a' do
+  action :nothing
+end
+
+# Add monit configuration file for monitoring nginx logs:
+remote_file '/etc/monit/conf.d/blog-log.conf' do
+  owner 'root'
+  group 'root'
+  mode '644'
+
+  notifies :reload, 'service[monit]'
+end
+
+service 'monit' do
+  action :nothing
+end
+
--- a/cookbooks/blog/ssl.rb
+++ b/cookbooks/blog/ssl.rb
@ -0,0 +1,16 @@
+[
+  'rm -f /etc/nginx/sites-enabled/*',
+  'ln -f -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance',
+  'systemctl reload nginx',
+  "test -e /etc/letsencrypt/live/#{node['blog']['FQDN']}/cert.pem || certbot certonly --webroot -d #{node['blog']['FQDN']} --webroot-path /usr/share/nginx/html/ --email simoom634@yahoo.co.jp --agree-tos -n",
+  '/home/webadm/bin/nginx-config.sh',
+].each do |cmd|
+  execute cmd
+end
+
+remote_file "/etc/letsencrypt/live/#{node['blog']['FQDN']}/dhparams_4096.pem" do
+  owner 'root'
+  group 'root'
+end
+
+execute "openssl rand 48 > /etc/letsencrypt/live/#{node['blog']['FQDN']}/ticket.key"
--- a/cookbooks/consul-template/attributes.rb
+++ b/cookbooks/consul-template/attributes.rb
@ -0,0 +1,10 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+  'consul-template' => {
+    'base_binary_url' => 'https://releases.hashicorp.com/consul-template/',
+    'arch' => node['kernel']['machine'] =~ /x86_64/ ? 'amd64' : '386',
+    'tmp_path' => '/tmp/itamae_tmp/consul-template.zip'
+  }
+})
--- a/cookbooks/consul-template/default.rb
+++ b/cookbooks/consul-template/default.rb
@ -0,0 +1,6 @@
+include_recipe './attributes.rb'
+
+include_recipe './prerequisites.rb'
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
--- a/cookbooks/consul-template/install.rb
+++ b/cookbooks/consul-template/install.rb
@ -0,0 +1,47 @@
+# -------------------------------------------
+# Calculating the latest `consul-template` version:
+# -------------------------------------------
+download_url = ''
+
+begin
+  require 'net/http'
+
+  uri = URI.parse('https://releases.hashicorp.com/consul-template/')
+
+  Timeout.timeout(3) do
+    response = Net::HTTP.get_response(uri)
+
+    if response.body =~ /consul-template_(\d+\.\d+\.\d+)/
+      tag_version = $1
+      download_url = \
+        "#{node['consul-template']['base_binary_url']}#{tag_version}/consul-template_#{tag_version}_linux_#{node['consul-template']['arch']}.zip"
+    end
+  end
+rescue
+  # Abort the chef client process:
+  raise 'Cannot connect to https://releases.hashicorp.com/consul-template/'
+end
+
+# -------------------------------------------
+# Main Part
+# -------------------------------------------
+
+# Download:
+execute "wget #{download_url} -O #{node['consul-template']['tmp_path']}"
+
+# Unzip:
+execute "unzip -qo #{node['consul-template']['tmp_path']}" do
+  cwd '/opt/consul/bin/'
+end
+
+file '/opt/consul/bin/consul-template' do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Create link:
+link '/usr/local/bin/consul-template' do
+  user 'root'
+  to '/opt/consul/bin/consul-template'
+end
--- a/cookbooks/consul-template/prerequisites.rb
+++ b/cookbooks/consul-template/prerequisites.rb
@ -0,0 +1,14 @@
+# Ensure that `unzip` and `dnsmasq` are available:
+%w( unzip ).each do |p|
+  package p do
+    action :install
+  end
+end
+
+%w( /opt/consul/bin ).each do |d|
+  directory d do
+    owner 'root'
+    group 'root'
+    mode '755'
+  end
+end
--- a/cookbooks/consul-template/setup.rb
+++ b/cookbooks/consul-template/setup.rb
@ -0,0 +1,9 @@
+# `consul-template`-related paths:
+%w( /etc/consul-template.d ).each do |d|
+  directory d do
+    owner 'root'
+    group 'root'
+
+    mode '755'
+  end
+end
--- a/cookbooks/consul/attributes.rb
+++ b/cookbooks/consul/attributes.rb
@ -0,0 +1,21 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+  cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v 127.0.0.1 | cut -d" " -f10'
+else
+  cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v 127.0.0.1 | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+end
+ipaddr = run_command(cmd).stdout.chomp
+
+node.reverse_merge!({
+  'consul' => {
+    'base_binary_url' => 'https://releases.hashicorp.com/consul/',
+    'arch' => node['kernel']['machine'] =~ /x86_64/ ? 'amd64' : '386',
+    'tmp_path' => '/tmp/itamae_tmp/consul.zip',
+    'manager' => true,
+    'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]',
+    'ipaddr' => ipaddr
+  }
+})
--- a/cookbooks/consul/default.rb
+++ b/cookbooks/consul/default.rb
@ -0,0 +1,11 @@
+include_recipe './attributes.rb'
+
+include_recipe './prerequisites.rb'
+
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
+
+include_recipe './dnsmasq.rb'
+
+include_recipe './monitoring.rb'
--- a/cookbooks/consul/dnsmasq.rb
+++ b/cookbooks/consul/dnsmasq.rb
@ -0,0 +1,47 @@
+%w(dnsmasq resolvconf systemd-resolved).each do |s|
+  service s do
+    action :nothing
+  end
+end
+
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+  remote_file '/etc/dnsmasq.conf' do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    source 'files/etc/dnsmasq.conf.1804'
+
+    notifies :reload, 'service[dnsmasq]'
+  end
+else
+  remote_file '/etc/dnsmasq.conf' do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    source 'files/etc/dnsmasq.conf.1804'
+
+    notifies :reload, 'service[dnsmasq]'
+  end
+end
+
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+  remote_file '/etc/systemd/resolved.conf' do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    notifies :restart, 'service[systemd-resolved]'
+  end
+else
+  remote_file '/etc/resolvconf/resolv.conf.d/head' do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    notifies :restart, 'service[resolvconf]'
+  end
+end
--- a/cookbooks/consul/files/etc/consul.d/check-disk.json
+++ b/cookbooks/consul/files/etc/consul.d/check-disk.json
@ -0,0 +1,9 @@
+{
+  "check": {
+    "id": "disk-capacity",
+    "name": "Check for Disk Capacity",
+    "args": ["/usr/lib/nagios/plugins/check_disk", "-w", "25%", "-c", "10%", "-p", "/"],
+    "interval": "3600s",
+    "timeout": "10s"
+  }
+}
--- a/cookbooks/consul/files/etc/consul.d/check-load.json
+++ b/cookbooks/consul/files/etc/consul.d/check-load.json
@ -0,0 +1,9 @@
+{
+  "check": {
+    "id": "load-average",
+    "name": "Check for Load Average",
+    "args": ["/usr/lib/nagios/plugins/check_load", "-r", "--warning=1,1,1", "--critical=2,2,2"],
+    "interval": "60s",
+    "timeout": "10s"
+  }
+}
--- a/cookbooks/consul/files/etc/consul.d/check-memory.json
+++ b/cookbooks/consul/files/etc/consul.d/check-memory.json
@ -0,0 +1,9 @@
+{
+  "check": {
+    "id": "memory",
+    "name": "Check for Memory",
+    "args": ["/usr/lib/nagios/plugins/check_memory"],
+    "interval": "60s",
+    "timeout": "10s"
+  }
+}
--- a/cookbooks/consul/files/etc/consul.d/check-reboot-required.json
+++ b/cookbooks/consul/files/etc/consul.d/check-reboot-required.json
@ -0,0 +1,9 @@
+{
+  "check": {
+    "id": "reboot-required",
+    "name": "Check for Reboot Required",
+    "args": ["/usr/lib/nagios/plugins/check_file", "/var/run/reboot-required"],
+    "interval": "86400s",
+    "timeout": "10s"
+  }
+}
--- a/cookbooks/consul/files/etc/consul.d/check-ssh.json
+++ b/cookbooks/consul/files/etc/consul.d/check-ssh.json
@ -0,0 +1,9 @@
+{
+  "check": {
+    "id": "ssh",
+    "name": "SSH TCP on port 10022",
+    "tcp": "localhost:10022",
+    "interval": "10s",
+    "timeout": "1s"
+  }
+}
--- a/cookbooks/consul/files/etc/consul.d/check-swap.json
+++ b/cookbooks/consul/files/etc/consul.d/check-swap.json
@ -0,0 +1,9 @@
+{
+  "check": {
+    "id": "swap-capacity",
+    "name": "Check for Swap Capacity",
+    "args": ["/usr/lib/nagios/plugins/check_swap", "-a", "-w", "50%", "-c", "25%", "-n", "ok"],
+    "interval": "300s",
+    "timeout": "10s"
+  }
+}
--- a/cookbooks/consul/files/etc/consul.d/service-consul.json
+++ b/cookbooks/consul/files/etc/consul.d/service-consul.json
@ -0,0 +1,6 @@
+{
+  "service": {
+    "name": "consul",
+    "port": 8600
+  }
+}
--- a/cookbooks/consul/files/etc/dnsmasq.conf
+++ b/cookbooks/consul/files/etc/dnsmasq.conf
@ -0,0 +1,667 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By  default,  dnsmasq  will  send queries to any of the upstream
+# servers it knows about and tries to favour servers to are  known
+# to  be  up.  Uncommenting this forces dnsmasq to try each query
+# with  each  server  strictly  in  the  order  they   appear   in
+# /etc/resolv.conf
+strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+server=/consul/127.0.0.1#8600
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=
+# Or you can specify which interface _not_ to listen on
+#except-interface=
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+#bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC alogrithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overriden by ra-stateless, ra-names, et al, the router
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the Infiniband interface with hardware address
+# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
+# ip address 192.168.0.61. The client id is derived from the prefix
+# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
+# hex digits of the hardware address.
+#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also the they [] around the IPv6 address are obilgatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Ask client to poll for option changes every six hours. (RFC4242)
+#dhcp-option=option6:information-refresh-time,6h
+
+# Set option 58 client renewal time (T1). Defaults to half of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T1:1m
+
+# Set option 59 rebinding time (T2). Defaults to 7/8 of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T2:2m
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0           # option ip-forwarding off
+#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+#dhcp-option=46,8           # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for Etherboot gPXE. The idea is to send two different
+# filenames, the first loads gPXE, and the second tells gPXE what to
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=tag:!gpxe,undionly.kpxe
+#dhcp-boot=mybootimage
+
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
+#dhcp-option=encap:175, 177, string   # bus-id
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Do not abort if the tftp-root is unavailable
+#tftp-no-fail
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=tag:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fasion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come from /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records.  These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
--- a/cookbooks/consul/files/etc/dnsmasq.conf.1804
+++ b/cookbooks/consul/files/etc/dnsmasq.conf.1804
@ -0,0 +1,666 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By  default,  dnsmasq  will  send queries to any of the upstream
+# servers it knows about and tries to favour servers to are  known
+# to  be  up.  Uncommenting this forces dnsmasq to try each query
+# with  each  server  strictly  in  the  order  they   appear   in
+# /etc/resolv.conf
+strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+server=/consul/127.0.0.1#8600
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=
+# Or you can specify which interface _not_ to listen on
+#except-interface=
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+#bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC algorithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overridden by ra-stateless, ra-names, et al, the router
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the InfiniBand interface with hardware address
+# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
+# ip address 192.168.0.61. The client id is derived from the prefix
+# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
+# hex digits of the hardware address.
+#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also that the [] around the IPv6 address are obligatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Ask client to poll for option changes every six hours. (RFC4242)
+#dhcp-option=option6:information-refresh-time,6h
+
+# Set option 58 client renewal time (T1). Defaults to half of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T1,1m
+
+# Set option 59 rebinding time (T2). Defaults to 7/8 of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T2,2m
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0           # option ip-forwarding off
+#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+#dhcp-option=46,8           # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this if you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built-in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for iPXE. The idea is to send two different
+# filenames, the first loads iPXE, and the second tells iPXE what to
+# load. The dhcp-match sets the ipxe tag for requests from iPXE.
+#dhcp-boot=undionly.kpxe
+#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
+
+# Encapsulated options for iPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
+#dhcp-option=encap:175, 177, string   # bus-id
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Do not abort if the tftp-root is unavailable
+#tftp-no-fail
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=tag:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fashion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come from /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records.  These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
--- a/cookbooks/consul/files/etc/monit/conf.d/consul.conf
+++ b/cookbooks/consul/files/etc/monit/conf.d/consul.conf
@ -0,0 +1,10 @@
+check process consul
+  with pidfile /var/run/consul.pid
+  start program = "/usr/bin/supervisorctl start consul"
+  stop program = "/usr/bin/supervisorctl stop consul"
+
+  if failed
+    host localhost
+    port 8500
+    protocol HTTP
+  then restart
--- a/cookbooks/consul/files/etc/resolvconf/resolv.conf.d/head
+++ b/cookbooks/consul/files/etc/resolvconf/resolv.conf.d/head
@ -0,0 +1,3 @@
+# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
+#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+nameserver localhost
--- a/cookbooks/consul/files/etc/supervisor/conf.d/consul.conf
+++ b/cookbooks/consul/files/etc/supervisor/conf.d/consul.conf
@ -0,0 +1,9 @@
+[program:consul]
+command=/usr/local/bin/consul agent -pid-file /var/run/consul.pid -config-dir=/etc/consul.d
+stdout_logfile=/var/log/supervisor/consul.log
+environment=GOMAXPROC="2"
+redirect_stderr=true
+stdout_logfile_maxbytes=1MB
+stdout_logfile_backups=5
+autorestart=true
+stopsignal=TERM
--- a/cookbooks/consul/files/etc/systemd/resolved.conf
+++ b/cookbooks/consul/files/etc/systemd/resolved.conf
@ -0,0 +1,22 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See resolved.conf(5) for details
+
+[Resolve]
+DNS=127.0.0.1
+#FallbackDNS=
+#Domains=
+#LLMNR=no
+#MulticastDNS=no
+#DNSSEC=no
+#Cache=yes
+#DNSStubListener=yes
--- a/cookbooks/consul/files/usr/lib/nagios/plugins/check_file
+++ b/cookbooks/consul/files/usr/lib/nagios/plugins/check_file
@ -0,0 +1,9 @@
+#!/bin/bash
+
+TARGET=$1
+
+if [ -f ${TARGET} ]; then
+  exit 1
+fi
+
+exit 0
--- a/cookbooks/consul/install.rb
+++ b/cookbooks/consul/install.rb
@ -0,0 +1,47 @@
+# -------------------------------------------
+# Calculating the latest `consul` version:
+# -------------------------------------------
+download_url = ''
+
+begin
+  require 'net/http'
+
+  uri = URI.parse('https://www.consul.io/downloads.html')
+
+  Timeout.timeout(3) do
+    response = Net::HTTP.get_response(uri)
+
+    if response.body =~ /consul_(\d+\.\d+\.\d+)/
+      tag_version = $1
+      download_url = \
+        "#{node['consul']['base_binary_url']}#{tag_version}/consul_#{tag_version}_linux_#{node['consul']['arch']}.zip"
+    end
+  end
+rescue
+  # Abort the chef client process:
+  raise 'Cannot connect to https://www.consul.io/downloads.html'
+end
+
+# -------------------------------------------
+# Main Part
+# -------------------------------------------
+
+# Download:
+execute "wget #{download_url} -O #{node['consul']['tmp_path']}"
+
+# Unzip:
+execute "unzip -qo #{node['consul']['tmp_path']}" do
+  cwd '/opt/consul/bin/'
+end
+
+file '/opt/consul/bin/consul' do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Create link:
+link '/usr/local/bin/consul' do
+  user 'root'
+  to '/opt/consul/bin/consul'
+end
--- a/cookbooks/consul/monitoring.rb
+++ b/cookbooks/consul/monitoring.rb
@ -0,0 +1,41 @@
+package 'nagios-plugins' do
+  action :install
+
+  options '--no-install-recommends'
+end
+
+remote_file '/usr/lib/nagios/plugins/check_file' do
+  owner 'root'
+  group 'root'
+  mode '555'
+
+  notifies :restart, 'service[supervisor]'
+end
+
+# Deploy the check_memory script:
+package 'bc' do
+  action :install
+end
+
+URL = 'https://raw.githubusercontent.com/zwindler/check_mem_ng/master/check_mem_ng.sh'
+TARGET = '/usr/lib/nagios/plugins/check_memory'
+
+execute "wget #{URL} -O #{TARGET}" do
+  not_if "test -e #{TARGET}"
+end
+
+file TARGET do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+%w(disk load ssh swap reboot-required memory).each do |conf|
+  remote_file "/etc/consul.d/check-#{conf}.json" do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    notifies :restart, 'service[supervisor]'
+  end
+end
--- a/cookbooks/consul/prerequisites.rb
+++ b/cookbooks/consul/prerequisites.rb
@ -0,0 +1,14 @@
+# Ensure that `unzip` and `dnsmasq` are available:
+%w( unzip dnsmasq ).each do |p|
+  package p do
+    action :install
+  end
+end
+
+%w(/etc/consul.d /var/opt/consul /opt/consul/bin).each do |d|
+  directory d do
+    owner 'root'
+    group 'root'
+    mode '755'
+  end
+end
--- a/cookbooks/consul/setup.rb
+++ b/cookbooks/consul/setup.rb
@ -0,0 +1,49 @@
+remote_file '/etc/supervisor/conf.d/consul.conf' do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
+template '/etc/consul.d/config.json' do
+  owner 'root'
+  group 'root'
+  mode '644'
+
+  variables(manager: node['consul']['manager'],
+            manager_hosts: node['consul']['manager_hosts'],
+            ipaddr: node['consul']['ipaddr'],
+           )
+end
+
+remote_file '/etc/consul.d/service-consul.json' do
+  owner 'root'
+  group 'root'
+  mode '644'
+
+  only_if '{ node["consul"]["manager"]}'
+end
+
+remote_file '/etc/monit/conf.d/consul.conf' do
+  owner 'root'
+  group 'root'
+  mode '644'
+
+  notifies :restart, 'service[monit]'
+end
+
+execute 'Reload supervisor' do
+  user 'root'
+
+  command '/usr/bin/supervisorctl update'
+end
+
+# iptables settings here:
+%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp ).each do |port|
+  execute "ufw allow #{port}" do
+    user 'root'
+
+    not_if "LANG=c ufw status | grep #{port}"
+
+    notifies :run, 'execute[ufw reload-or-enable]'
+  end
+end
--- a/cookbooks/consul/templates/etc/consul.d/config.json.erb
+++ b/cookbooks/consul/templates/etc/consul.d/config.json.erb
@ -0,0 +1,23 @@
+{
+  "datacenter": "aws",
+  <% if @manager then%>
+  "bootstrap_expect": 3,
+  "addresses": {
+    "http": "0.0.0.0"
+  },
+  "ui": true,
+  <% end %>
+  "bind_addr": "<%= @ipaddr %>",
+  "disable_remote_exec": false,
+  "disable_update_check": true,
+  "leave_on_terminate": true,
+  "retry_interval": "30s",
+  "data_dir": "/var/opt/consul",
+  "log_level": "INFO",
+  "enable_syslog": false,
+  "enable_script_checks": true,
+  "rejoin_after_leave": true,
+  "retry_join": <%= @manager_hosts %>,
+  "encrypt": "LPKrNBQZnJIc8tJpViI4ug==",
+  "server": <%= @manager %>
+}
--- a/cookbooks/digdag/attributes.rb
+++ b/cookbooks/digdag/attributes.rb
@ -0,0 +1,12 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v 127.0.0.1 | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+ipaddr = run_command(cmd).stdout.chomp
+
+node.reverse_merge!({
+  'digdag' => {
+    'binary_url' => 'https://dl.digdag.io/digdag-latest',
+    'install_path' => '/opt/digdag'
+  }
+})
--- a/cookbooks/digdag/default.rb
+++ b/cookbooks/digdag/default.rb
@ -0,0 +1,10 @@
+include_recipe './attributes.rb'
+
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
+
+# AWS EC2 Swap Setting:
+if !node['is_ec2']
+  include_recipe './shared_dir.rb'
+end
--- a/cookbooks/digdag/files/etc/digdag/digdag.config
+++ b/cookbooks/digdag/files/etc/digdag/digdag.config
@ -0,0 +1,6 @@
+database.type=postgresql
+database.user=postgres
+database.password=Holiday88
+database.host=192.168.10.200
+database.port=15432
+database.database=digdag
--- a/cookbooks/digdag/files/etc/digdag/digdag.sh
+++ b/cookbooks/digdag/files/etc/digdag/digdag.sh
@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec /usr/local/bin/digdag server --config /etc/digdag/digdag.config
+
--- a/cookbooks/digdag/files/etc/supervisor/conf.d/digdag.conf
+++ b/cookbooks/digdag/files/etc/supervisor/conf.d/digdag.conf
@ -0,0 +1,7 @@
+[program:digdag]
+command=/etc/digdag/digdag.sh
+stdout_logfile=/var/log/supervisor/digdag.log
+redirect_stderr=true
+stdout_logfile_maxbytes=1MB
+stdout_logfile_backups=5
+autorestart=true
--- a/cookbooks/digdag/install.rb
+++ b/cookbooks/digdag/install.rb
@ -0,0 +1,33 @@
+# Create installation directory:
+directory node['digdag']['install_path'] do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Download and install:
+URL = "#{node['digdag']['binary_url']}"
+TARGET = "#{node['digdag']['install_path']}/digdag"
+
+execute "wget #{URL} -O #{TARGET}" do
+  not_if "test -e #{TARGET}"
+end
+
+file TARGET do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Create link:
+link '/usr/local/bin/digdag' do
+  user 'root'
+  to TARGET
+end
+
+# Install the Java Runtime:
+%w(nkf default-jre).each do |p|
+  package p do
+    action :install
+  end
+end
--- a/cookbooks/digdag/setup.rb
+++ b/cookbooks/digdag/setup.rb
@ -0,0 +1,50 @@
+# Create directory for digdag:
+directory '/etc/digdag' do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Deploy the files:
+remote_file "/etc/digdag/digdag.sh" do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+remote_file "/etc/digdag/digdag.config" do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
+# Firewall settings here:
+%w( 65432/tcp ).each do |p|
+  execute "ufw allow #{p}" do
+    user 'root'
+
+    not_if "LANG=c ufw status | grep #{p}"
+
+    notifies :run, 'execute[ufw reload-or-enable]'
+  end
+end
+
+execute 'ufw reload-or-enable' do
+  user 'root'
+  command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
+
+  action :nothing
+end
+
+# Deploy the config file for `supervisor`:
+remote_file '/etc/supervisor/conf.d/digdag.conf' do
+  owner 'root'
+  group 'root'
+  mode '644'
+
+  notifies :restart, 'service[supervisor]'
+end
+
+service 'supervisor' do
+  action :nothing
+end
--- a/cookbooks/digdag/shared_dir.rb
+++ b/cookbooks/digdag/shared_dir.rb
@ -0,0 +1,34 @@
+package 'cifs-utils'
+
+%w(shared tmp img).each do |d|
+  directory "/mnt/#{d}/" do
+    owner 'root'
+    group 'root'
+    mode '777'
+  end
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+  action :edit
+
+  block do |content|
+    content << "//192.168.10.200/Shared/shared /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+  end
+
+  not_if 'grep shared /etc/fstab'
+end
+
+file '/etc/fstab' do
+  action :edit
+
+  block do |content|
+    content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+  end
+
+  not_if 'grep img /etc/fstab'
+end
+
+execute 'mount -a' do
+  not_if 'df -h | grep shared'
+end
--- a/cookbooks/docker/default.rb
+++ b/cookbooks/docker/default.rb
@ -0,0 +1,3 @@
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
--- a/cookbooks/docker/files/etc/cron.d/docker-housekeep
+++ b/cookbooks/docker/files/etc/cron.d/docker-housekeep
@ -0,0 +1,6 @@
+MAILTO=""
+
+DOCKER=/usr/bin/docker
+
+0 13 * * *    root ${DOCKER} image prune -f
+0 23 * * *    root ${DOCKER} container prune -f
--- a/cookbooks/docker/install.rb
+++ b/cookbooks/docker/install.rb
@ -0,0 +1,22 @@
+%w(apt-transport-https ca-certificates curl software-properties-common).each do |p|
+  package p do
+    action :install
+  end
+end
+
+execute 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -' do
+  not_if 'apt-key fingerprint 0EBFCD88 | grep 9DC8'
+end
+
+execute 'add-apt-repository \
+   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+   $(lsb_release -cs) \
+   stable"' do
+  not_if 'which docker'
+end
+
+execute 'apt-get update' do
+  not_if 'which docker'
+end
+
+package 'docker-ce'
--- a/cookbooks/docker/setup.rb
+++ b/cookbooks/docker/setup.rb
@ -0,0 +1,37 @@
+# install `cifs-utils`
+package 'cifs-utils'
+
+directory '/mnt/backup/' do
+  owner 'root'
+  group 'root'
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+  action :edit
+
+  block do |content|
+    content << "//192.168.10.200/Shared/backup /mnt/backup cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+  end
+
+  not_if 'grep backup /etc/fstab'
+end
+
+file '/etc/fstab' do
+  action :edit
+
+  block do |content|
+    content << "//192.168.10.200/Shared/PXEBoot/www/ubuntu/apt-mirror /var/spool/apt-mirror cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
+  end
+
+  not_if 'grep apt-mirror /etc/fstab'
+end
+
+execute 'mount -a'
+
+# Deploy the cron.d file:
+remote_file '/etc/cron.d/docker-housekeep' do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
--- a/cookbooks/embulk/attributes.rb
+++ b/cookbooks/embulk/attributes.rb
@ -0,0 +1,14 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v 127.0.0.1 | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+ipaddr = run_command(cmd).stdout.chomp
+
+node.reverse_merge!({
+  'embulk' => {
+    'base_binary_url' => 'https://dl.bintray.com/embulk/maven/embulk-',
+    'version' => '0.8.33',
+    'extension' => '.jar',
+    'install_path' => '/opt/embulk'
+  }
+})
--- a/cookbooks/embulk/default.rb
+++ b/cookbooks/embulk/default.rb
@ -0,0 +1,5 @@
+include_recipe './attributes.rb'
+
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
--- a/cookbooks/embulk/files/root/.ssh/amazon.pem
+++ b/cookbooks/embulk/files/root/.ssh/amazon.pem
@ -0,0 +1,38 @@
+md5:e0486d739e65e30fdde604d901bbe9ab:salt:42-187-238-208-244-207-139-173:aes-256-cfb:ACTalT4qSks0TrcXAr6EWg6lddGsfZqIM9dRSlXiFVhNso373y1C93N2YKGz
+DBrWZ+EmISAuS6c9ZugiTzJHfF+i2VDJZxc/8iQ6MOZ5IRfcEQobjWcMUOhJ
+Op4hf9gLgr1DlZRGoSs/VCS5b7LUs9xSXV3rpjTTV23oxfTmwAKvGPV+iMNs
+xwt9JIE5qXX4Q0Zj4fXSzVJMX3nYKsnEZmCW73C9uCl7IrVap/ZR+5MWvY26
+uAtiBnrBa/vPAVcuHw+hWBEEs4iL+hpvWMYOb4ANy3dNKdg1j0nHsHtncQWr
+4YNpTGaWxoi0z2lA6ersLrAy8DAyrsKiQZNasCmK/lRx3lACUi2Fl3pfsZcp
+Go4HHvTXVoe+lyjT21TucRqYKZYGDXgKFhBECM4IkGPqFJHEafYvqKcVCW0d
+hhxZsGecoIULnp9KI+rCtcm7RHTleWnRufK3Cg3m3X0zQjm5MkYkkJPvzv7i
+7OwsnYPHs0RDtRMfCgMN55iKH/tQHvhf5X0lrEuT+i43nm8DziG4MdN/TOHG
+44j2PQwI3tS/iRo4V5RFo1volqb/p7CZFo7G+jm9gljPJ9v2hFW5dVaXK44b
+QWCCdxIV30ASAYQkpN3DYixNXxeseHd2mALKXAHkgdt0PIZFbsbMJd6zXVw7
+8yTa2agO1NKL62SFhorq4WTvwYi1jan88VVfCpS5SfMa44uu13LHtfYgXtG0
+6FiSeUZzOVSZKcUA7tSZVYXW4+BFM9kjFPgYjlCVtupfedBGrRaZGYZNdKjO
+ZEkfUIsT7P1DMRxBrLm4hBhIbc0GZrCNAQH5ONpc+44Mi7QrSu+7KKpCJbCx
+KRusMN/qbDrJSKI7L0z3xd0Gdfxbp3ZI9Lm/3WpQeiy58y1FzTl4Y53U6M6V
+/mtYN5PZErAnJ1V1T0Uwu8L42sHV3dqzbFdKHxsSDVdKhygi9P/y7aAcXDFw
+UV3C77J7j4iM3jGBYQ2p54a/bepHCa9VilGOZlWyV33Lqa6deiMrnsEvLlE7
+0b63U3TS/BYYZbBs9abG8QamgXwT5kgsjO21pSZE+mECTQ4oa0bUQ6hOgsaM
+GwKdh7BPF6mXFcJUm5LrGXMbeht5YvGj9EZrCrudQnpnhj1jA/Dx5eVt0mKx
+kDvqPiqfnHLlSRDQme7c0xnvuyDaL2wL6cgkpSStwNc21KH5G8Vbh/rQix/0
+PhR5UsAb1c53yWnmxVCmLMS75sBCqjXObWa+YVwfirZIjU0VmArlbd/Nq+0H
+AMtJdTNBfiWV/eZqNksiw+zQ9LFa+YUuRCq3ylaU/ZMLoTpdRQRmYRb2X3KJ
+H99hHeZfqw+Bky/v3xfs64+T8jYfgGzpPl5O2FR8GBv4k1chwYHceAGsdG2S
+NkaHKk582AUnNNAaW629KmBGsRUgrVMge1iJuEtQjxAn/u7lC5UGZOXPtYts
+o7AkxEFbpXhWQZhHU5UrLIwf7xLVP+DlrDqKbKZeV7vDrLeC58bCIyL4vI2g
+ZcGtNxv8Q181nxzlU+fAqIsPor94K0nYnSM1sOKKkuPB8v2wQ5m44eyK6rWY
+lxR9Jcua768j2B4QD3NQKIiS5mKx2aX3BhnBJDkXfOMrwttcgC/in4vkTnAW
+5rVBwoU2TDGvNtvy+JxKs1V8rE/Y6qEXiRl8zz54lFJvKjtzbhdscbF5Kmt7
+FQMuKD2AeqjkRhUD2mbQwCaRQjGQ4hs8zTjbsLxJzBnRqtGuB0xUbj4tDNBy
+7pzJk1Lwd+4cplaTc2GssVe3SP6iKq1cJ40cS159c81oPr+3otVcOQeoGRyJ
+KQC8lR60XM6lXfvH3/eVhuxmS//5uvkElnyB7Ec8l8gjX2mEV7AUqN5EOaa0
+WHgW7j3TgwadXvVeQdwFSbrddwtfE9Bq4Cj6Egb9auNl8/Q4/sRHxhc+yGDA
+ttl589yqc7VCh5n7UiTF2rXK963XGDwpgosC2d7P6bQM9TKSde+8rRUh9jZ9
+kSMdkdQ4+TL5+UCGT8jFJSBfwrk38vf9IJZzETSLW9ugNEVp/yAUZGXY/WRs
+/7nyRBh23xpwH2oLaIK7gi9RgP6jqDW3K7g+Y7z5Or/Q46CYHLko18BhE7ow
+rwqjTGbMBcNVUm33c9Bt5TAfHy1gjyL4Nioqdt+sE1uEisegjVZCWt2zddL2
+fRQQfTS7HTyo0upUn47SCqf5ACpW4UdL/rXnd+fA1V4oxNpWf3bx6InLWIXr
+Ynxpos42aw==
--- a/cookbooks/embulk/files/root/.ssh/authorized_keys
+++ b/cookbooks/embulk/files/root/.ssh/authorized_keys
@ -0,0 +1,38 @@
+md5:b940e33c24842e81a2ac83c3a61a5605:salt:59-103-63-243-177-210-254-59:aes-256-cfb:+j+wg5NSjQMEEAZ3+HEseUoYHJ2KLGkk0ia6a6MOd78FikQFs7gWAQQys+vj
+/aOx+7jYoZxZ+8DluR8fYSi8uwoIceE7uekfPOgXFkTfI868K8Cd95M1oyda
+jxZe2Rc9GiXK+wmBbwciPv8xIQcpeQK262zU8eJiMxaIAojlZD7p/8vVTEwZ
+8mM0+Y+NpQFASGsdMswpxeS5kdk986pvEOob0hjpxVxz0SCebjqdNxmZTivJ
+mXGDCI1bshhJAVNLhtnS4mvNb4w5+9hyp0xElkYVVUSK/7PFow3OLjC7QwZw
+HjHEKwAS5cPf0QibaPE6FvhYzTw19H90g2s2KkB/lrpNIOSZj0KpefDA41M9
+xtQKO/GmBrYFNZC3EFDUhJpavPxiiGzYpXEN2lUjjf3NMpRs4MoYH7fGgRma
+93y3z8blLwGtSQMKJimNYdvLnxwGMiRyDyRQ7TCmLIVMR4wdrJBOP4zJ6K7h
+WvgePTUH28zyEqOpdcmr//izvkr6vvtoA6DPDhToKR7lCIduxowx5qdj63D
+2RgbajRfbKNMh0s0XiAwM70b15y7SLkIejx2zuUnLCa9MHIfsN6jjFeyO1Zw
+bMHq4ukA/3aQzz6OgGY8rLfIhEvEV/PjGOnjd/BQcb33ACSo9c3Ase2H/lGn
+T7Q0hK78fadEDH/cM0VtYuBHTr8THZzIgsz8dfhfBU01+vxfa7nFNPwvlthD
+UrcMF9V0gNi4wQHPx9hjNXX/iJmHVVau2QcV+m3wdBpgoG6vyp8guYc7el8o
+YjxiJ2HHDwOIhW8WOa3LgKk2GIPjfa5yocB2HylWDvgG1OUWZ0A9CboQ57AB
+WfLJso/OYyD3MZcAJnM/Oou30vlzmq/aNuh+Xz3ycITlYhQOSfmQ4OcqwRo3
+vJ9oZaH/uFacRUmHwhsuvldbdHgv97iIPXF0LwG3Cim8cOYfgjvdhFgLygtD
+P8vMU8z7W0PODw4Sh5vJy3P+M/gSK6uDrPpdjiYGOtCInxC5N8HuFGpL6ZcX
+jpuC8Hn0LxjVmRFP0Kdz9NTmd67kaiyifAOHTTNMR1rIl52zFT26R6u0hB+/
+h87EwDWSjsNt+7Z4lKgBRI6nM6aj6/JQlmN0cC9puUc6QczSxsHr7Mr48jf0
+HF2ejuA3PGBIFf/KgzQ5/LpQwKfyV08fuH1sgGcHMUcuT4jcs3ZuvMO9y9Wi
+pq1WzO8+8MOnpePdsx2zN/8G4Ufy0GdLLV08y5RPugdk2wF6BYsl/erIkB1H
+xlsbSetLWXxIl3wnnnMpRdJjrK3IkW/jlAlzDlyMuhXPcbdEfCfgU9oHpFIp
+YYIebxUMM5H1XwDiUQlFBMlDTk848JiwBnXAtDR5pVxQK42dSKPz22d5jvLM
+rYlFzraI9dkA0mOJoQQ+TM79k7EFdm1NiDIeC+Px9Ud2Iu/lBGlA2d38YPnS
+JeDhe6NPiOjhsd6A6YFKkA3ZcJAJpqg0pJAc5lELMrB7ZT8rDM3W0rZft2Yb
+vcWan8s71NW1LPrQMZwQw8FMGM8OysKtbPA5b9Q98qn/elCV7nP8yOTR19Jl
+kk73smvjnkGdslpXKt9RzhnE/cQPpShVVdmoTlLzwY/nNaHu9CV5DDPWpmw
+ynWDKuFvpOT3ajnJOOkt/9BOQ55yG5DJL0EclxTfpBaq5CUfAQ0A3vba9isD
+VfxPYSx5nhNkv2r1eDBpMiGdN8GgUW2BuSLzx7I65aEQMDk+c4z7nvxy5FFZ
+2t0IfCjVSCyv1yb0k3ALRmzftQhnPJZhzkbNJ7PRoda+CgoPk5pwkLW46cSA
+1KVm1HN53RIZuzAEnSW/EsKFmlK7OegV1n30O3cij+KNdUUmKldhIvg1W/RV
+UVejeruRe53K954ucIHhojL5REwBHiMVGmRnVYaftUTTzEzcPe3t4NiMBgFS
+agbXDv0X0EHJ5tzi6TuGpUChR6FHabsEbLHiCCk41TnPI6tpIadnr5gidTE+
+l1RF0OeEMWRO9mmgwSEwyD7hgPQgCgPDd0MIasTteDkAb94zqO2TP+j4df8x
+YoHfwNMzf8A5wkYi18GGp8mQIpmNE5BJyxhsz6qdZcfTY1tNgye94ORlIseK
+wGdadtpwTLWH7PZ+ryVlXYfng0N52QK2SzmjJnvdIatfoCI8/ri1i89K5bdU
+PNid2Qov1nTeuvucUhcyEDhgIHBZ4Yu9DtaiDFUBlWMOqKcdmdOWQ1DFZzMi
+POKsqyBc70v4fLqFoIgAezgVxhsDmn+elrg5x/E1fg==
--- a/cookbooks/embulk/files/root/.ssh/config
+++ b/cookbooks/embulk/files/root/.ssh/config
@ -0,0 +1,11 @@
+Host bitbucket.org
+    HostName bitbucket.org
+    IdentityFile ~/.ssh/id_rsa.bitbucket
+    Port 22
+    User git
+
+Host github.com
+    HostName github.com
+    IdentityFile ~/.ssh/id_rsa.github
+    Port 22
+    User git
--- a/cookbooks/embulk/files/root/.ssh/id_rsa.chef
+++ b/cookbooks/embulk/files/root/.ssh/id_rsa.chef
@ -0,0 +1,38 @@
+md5:37086e711fa7bf46d618f23d91feaa4f:salt:182-65-33-210-46-24-105-147:aes-256-cfb:Mde5spOzswSrR4BZ86rsjXNjgMAN9FZOOH3jehSvQ9qWZk0WKqkOJgVUzTdZ
+skdxEQBWTLhsZlIwK0t3rZxwnePeUq2jCvWitJhWLAh+eFu4xTgQrx2kQjFA
+E8z4jJfzU77ZEUyGyre8BQncgHkMgVggs1ktbVBGkHGBaeM37HC35xEcxssM
+yp5SwsoOSRledSWHqIxbzV4TMbUKs7KOfSwAAAq6Nxu5+83UQx1Dp4oOVsbz
+c2NlX/BJnk3vD2Ls6JWldcT5yffrqHegb8323Kpyd5MvMEhYDDZDb4bmTM84
+f3fdnfpA4lCxca1czWqOVuLTx0MGc3dV3jjoMR89oZYXik/a4kWvYKU+0U84
+rfKttLefEK8GltMTPDaIsuiXA1HScPRQyBnj791yCeuVNBsT0jsxMZCxaKZm
+ghnWnlhu1U+Rl3MP6kHkyCeBc1t+2zn1wcfB6y5QkMM9EujJCUPZuUjwWVzn
+pZXYjwzP1am7a4MO5Ya5GysahMuFEsiKptMCvbybQQ8xvI9HX04/fALWtAl/
+7GMmTb3EwgUZdQGYr15eQLUKFiyO/xO+JQ/U1fVHG5EP06TxLKf2PZ7lekuO
+zHjBc1lORRYX4i+mKzFWbbc4uSsZ6k9ive2cCB8ndY8kfOADxYuSIjPOsVGL
+aT+PfPlbnKUZfmEo/sViSEokO5iE7zE8vbDtxDiQ23BlCSXzJJ15bPp/m/ii
+sUE8whxjoeb+TxTGWT1eM0Ah/B836rs0UVZUMrbI2011AFX/LPS8Dwmoz+o0
+1VcIpqGxTVBNuuBl38IOHwLstyzP4t9yMvfOXvrqWcqwDforK+xplQxuHiUa
+CSUlFeeCTMKqrslGOm34WYo5x5o0rZ3Chtnoota9PmVcY4k8n5OjK1RX4sUE
+n0NkkRzBxducxYl5Z7Y5sFP0xrGY0VdLejYOsuL6u6CjWtAotJPMEv0MtOCb
+rEqpAkFGNUxbKvo3ER0O+xjxZk53ghbiC9his+BNgV37fSNGw18ebvisSeHW
+RYErU8AnSh5QgnQBlwfDBjoMp06yjMoq9C83ZWvQ/ltdVZcTDbmnATPlUXF2
+F9rHINtw3N5/9oyqvNRnQKByVlBBUKcaNuVOLumJYAHVlrbSDLXhh3SDpdf9
+Xee/S00HJQC71zOKjyr9vDy1ZmpB8PltMy/rM6iLApVPvRlKmso3qdID0lLC
+SOjkEzZwtVXbcGzFdxBAN7j/GUG/VEo/1mSBXuJxfJdVEqSRYGTyA2gO8xF6
+R/MX0s+EZxa3eUesf3O/ZGkyfEUxjXBqiay0QD4eC4y83/da6YroPpSImRbF
+tgoXcvo5GkQnLg8fYc6vBuOq2YvJtJECr/epuUJ7U24CuO9E0RJlQgYOO0jj
+IUEpyN6AxSLvLnUw9g9YxdV+otVuFIuZXx7DbpY0r1eySj1w4b0FPyAHZgMo
+o0m5QAa1NAZGr5n2P/pjAZGe3WS/ypAqjluNFC5SWazw2L4qIPW7wVpeUItj
+stpvGzNdg/w9iXAalKhxE1zOe58mA13dOXgbBLPorQ2lL74C7PIhRhhz9Z46
+k98aSQxxs4ptZpXnCFmARjYThS4/4ueU2orqxMKTWMIRQ0I23ELmXuphS4dM
+DSz995TrOqkzH9+6AB/a7SOg9aWc4Vycp2LYgsOpxONdmD620jfqLP9RSQ/R
+WliRqGOtTMVkV0U9z1gCyc+F/uWQ57OhASLteIGwwm0HN79yatIrxuDFqNAv
+Dof7bYHv5rkiPOF6CTBXkKxY/G7AzPgDL49AkMiu5xJV7Wil92DBAV+7MJRZ
+Qu8Uzt3zdGOiJrF9gOoT8kdNQ6APAMv2cOoJ+qPsdJpN5mi+U+G3D+wDtQlE
+67oqqQJXq47w2geNkV93Rx5NjFwOOCsbDYAbdgco+X630kq1Otnep0fjo/pE
+fQzC+vFltcsG2Xq8215k7ubED8PsAC0hx3ZieqsaPvf70c6F4rIFHNJ4R4wx
+CpdBD3rNRQJ0vwr3Dvfzq/DBMM6bhOt95nAVLvBT4WhTEMnBeMC+TtSUW+Fg
+QzLHl5/1MWk+8X/lic/4186rGDyZByvupBPjL1aT1vPScSu5s/VieRLqFmc7
+u39sNWZRdONMKfF26HtDfHMbwqGO7y/U2Bmrqszk0VIn4zURN/wvSZlJOSrw
+4+CM6P9GMcqWaY0d7MqT5WMsNGioazeEMJWNfIkuMcyk8CfjD7fLssxm0dC2
+bICNWzrocylXXw==
--- a/cookbooks/embulk/files/root/.ssh/id_rsa.github
+++ b/cookbooks/embulk/files/root/.ssh/id_rsa.github
@ -0,0 +1,38 @@
+md5:86b365bb51904196f7cd6a819f097d6b:salt:159-92-154-253-242-134-41-71:aes-256-cfb:7CGP5FXxiGhSHmsxtxQYoLnru7R1rTD1mfvI2ehjS2LfztoG+8fxJnB0oZ93
+z43QWkW8g7/36lT1iiCiKSbXkRpCLEimSNL9iDRfP+P9GrDNfnQzgreq0KCU
+fCJCKo9bYrJOGrXeY9NS535kE21NlgmimDZbsaVicCsHPn4X71oxoK+neBtv
+IMNEf2QKavJLvZpDtG5YHKcTF96WM+yEKS8KaiK2DLp9PDaDb7zI9wGHZd7Z
+n0hwO4ZxMW+vFHg7EUMHV0MPBH4MLRbX5xX4m3enclcp9ulfkxzNMMSKSnfE
+DVuJKdTr9vvEQO1tpye6NvNZAKepsaGOYUF6NxHAlKj7vhCq6U2KDEZ161oh
+K65eg8YqirulQg9ekETzIc3ktHfPxUMTDNpnuBLcx//oOnYPWYnONg6EQDis
+NjdeaSz+RT0BhRoNJgU5rQz0D2twYmMDLykz7sgS7Z6DHHAWTDYSU9xGdjbQ
+CPQpF1XUOTWei28MBcpyrq3leZplKxwwUGOCL77Fy+aASTmdZhu1QPSDwPlC
+FFuFBeJnihJUt8e9GhIX2Tx67o5b46X5A0AyLzzuWAgg+w7fgVBhBzoOqwFK
+YvR0cR1k0xJ/UXMmKRTno4SUZ0ghw9tFPCg+ptXLQuwYkPTi9yZRMJGhEEWE
+BD3kXYWSfa27kCr6AWca/6/7L+250CE//WSYvh/j3Jba++ZcWPfRj7TgT9oT
+IjtS+YEa1EUCaJmC1zpNEWXES1u/WSMZSEIbEyUgb0lbSV4AKMBTxRwOhs8I
+5jTZYqzGWnFTIIgoWvzoqRP5e/CdijzMCTpXO2SRM7OqiYjBO2p7p1GQQrnA
+ttsaT0u9vYvpbaND+ThFSFpF0+d1/ueUgi7Fv59GmZz+MQamvdzFkji5wwF7
+mUfRBkrchV2P9NyRvUnkiyRtWOoPkIuGTWoWaQPErtc3/OzBVmgjsatv2Blk
+rIejRL+n74zdElcLRI2fwQfpDmjYYVyb8GudC4L0HVdcAVOevp93NAtgu+jn
+lNFsmB+JvkWuoaXm5JOOGtq7mYI1gtnF3Y/v+4HqvixBpE0+5HtPzVebzGoW
+YkvISaLx5tXNzjQded4pIb+AhfttSc+BqUz94yQRaXz71mjciyr8Vrrjt8NR
+Yxm2dM/kV09pm+fnH2QNXloVF6HfaozepmPSbQBnJ7QqbjeD18f0QIgXyPWJ
+vuyCvkaFrehudPH1o4GppRQf7fcqS46vTwzVG5bksK86Y9AFvw/utQ267DV4
+JMJBGl+ZoaXKXGeCfe9L/a2OxrVMg0QJdAKpkby8Ht2Cq8OvIzEtFK/0O0lo
+pBViOeX02d/crdSRgX9Kpw0swjhQHqqz97Ilf3EzbmSydGbzPKgseBdkZGlF
+T9BticaM0Xvt99/BUhBz1r5g/60kqp53HtRzdpU3Enexa1gk1MOZUsJNrxGm
+xdRNtMew2GYU/bbFrG4sJeLpM5aXXLg/q3Z0LxW4FIM2tzf84Y4hNtNhm8TD
+jbAtSfg3+nXaUyXfybsZ98rPwIYVd+SmqVozxeHmOi/rn8wP/zjR5TeFHPbd
+riYgVh7E0nVLCoiowVpvBX3x+kYbj2o6dC+ArQW+wj8pGP3N6FL4P8SUv9WC
+eb/BmND02uTKinxIr32qZFprqtM0k8enTcU2tjsmOS2lnfgEnFaJlnMxds85
+pUon4qtwJgQg21w3SgHFaeCYqgSFrQVl8JXsMafB5rjD7bovL8j6BGxgpLI4
+0bgcr5W3yFlg4xMuXc7CDvO2+VR/a1YVFHFx2GCwwTfhJNRpmXNWTjlGG2EU
+ZzZwWAOA/wLRvnE4wTnE9VIz8WgVw9eEth54k9SJ1vyc4e++SGrSvVe+qDF8
+BcyRiMi1Y8ukFtVaFMO6s7eRRuQL9hloDwC/k7M/g9u7JExpj+kYcN3i0FQM
+z/9XI6K67OVDsNFxctHjr42urYIhcWtqDmF+G6Mz1+f/9cRBKntsXYBwCAd1
+JT/eo9FMemhDSFGwNGROrlzLAsyM0ylNyXagC1xlhPbw0We7gkpUI25dY3R8
+IV9dvmch/PE4swRicmZmc6IatulcO6+Z9FXg+PHwT7p7CqTD+kLsc8HmaUzW
+HHht5B+UDIam/GLc/CdBnQiiq4x8i4hAl8HrdPFda7mOQ/mQwt9Uzs2RsJDD
+Q7KsSAazeARw+QG5HUuRvDjcsdh9V9phXrC9cD/Ef9QEZEajpWgyx92tWAJ5
+BRM1EObviIL/v+OJbPo=
--- a/cookbooks/embulk/install.rb
+++ b/cookbooks/embulk/install.rb
@ -0,0 +1,30 @@
+# Create installation directory:
+directory node['embulk']['install_path'] do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+URL = "#{node['embulk']['base_binary_url']}#{node['embulk']['version']}#{node['embulk']['extension']}"
+TARGET = "#{node['embulk']['install_path']}/embulk"
+
+# Download and install:
+execute "wget #{URL} -O #{TARGET}" do
+  not_if "test -e #{TARGET}"
+end
+
+file TARGET do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Create link:
+link '/usr/local/bin/embulk' do
+  user 'root'
+  to TARGET
+end
+
+package 'default-jre' do
+  action :install
+end
--- a/cookbooks/embulk/setup.rb
+++ b/cookbooks/embulk/setup.rb
@ -0,0 +1,41 @@
+directory '/root/.ssh' do
+  owner 'root'
+  group 'root'
+  mode '700'
+end
+
+# Deploy `~/.ssh/.ssh/authorized_keys`:
+encrypted_remote_file '/root/.ssh/authorized_keys' do
+  owner 'root'
+  group 'root'
+  mode '600'
+  source   'files/root/.ssh/authorized_keys'
+  password ENV['ITAMAE_PASSWORD']
+end
+
+# Deploy secret keys
+%w( id_rsa.github id_rsa.chef amazon.pem ).each do |conf|
+  encrypted_remote_file "/root/.ssh/#{conf}" do
+    owner 'root'
+    group 'root'
+    mode '600'
+    source   "files/root/.ssh/#{conf}"
+    password ENV['ITAMAE_PASSWORD']
+  end
+end
+
+# Deploy .ssh/config:
+remote_file '/root/.ssh/config' do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
+
+%w(filter-column output-mysql).each do |p|
+  execute "embulk gem install embulk-#{p}" do
+    user 'root'
+
+    not_if "embulk gem list | grep #{p}"
+  end
+end
--- a/cookbooks/fluentd/attributes.rb
+++ b/cookbooks/fluentd/attributes.rb
@ -0,0 +1,11 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+  'td-agent' => {
+    'user' => 'td-agent',
+    'group' => 'td-agent',
+    'forward' => false,
+    'role' => 'primary'
+  }
+})
--- a/cookbooks/fluentd/auth.rb
+++ b/cookbooks/fluentd/auth.rb
--- a/cookbooks/fluentd/default.rb
+++ b/cookbooks/fluentd/default.rb
@ -0,0 +1,40 @@
+#####################################
+# Common Settings:
+#####################################
+
+include_recipe './attributes.rb'
+
+include_recipe './prerequisites.rb'
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
+
+#####################################
+# Manager Settings:
+#####################################
+
+if node['td-agent']['forward']
+  include_recipe './processor.rb'
+  include_recipe './syslog.rb'
+  include_recipe './slack.rb'
+end
+
+#####################################
+# monitoring Settings:
+#####################################
+
+include_recipe './nginx.rb'
+
+%w( aptitude auth cron-apt monit consul ).each do |c|
+  remote_file "/etc/td-agent/conf.d/forwarder_#{c}.conf" do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    notifies :restart, 'service[td-agent]'
+  end
+end
+
+service 'td-agent' do
+  action :restart
+end
--- a/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf
+++ b/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf
@ -0,0 +1,4 @@
+check process td-agent
+    with pidfile /var/run/td-agent/td-agent.pid
+    start program = "/etc/init.d/td-agent start"
+    stop program = "/etc/init.d/td-agent stop"
--- a/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf
+++ b/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf
@ -0,0 +1,6 @@
+# - nofile - max number of open files
+
+root soft nofile 65536
+root hard nofile 65536
+* soft nofile 65536
+* hard nofile 65536
--- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf
+++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf
@ -0,0 +1,38 @@
+<label @forward>
+  <match **>
+    @type copy
+
+    <store>
+      @type forward
+      send_timeout 60s
+      recover_wait 10s
+      transport tcp
+      heartbeat_interval 1s
+      phi_threshold 16
+      hard_timeout 60s
+
+      buffer_type file
+      buffer_path /var/log/td-agent/buffer/forward*.buffer
+
+      <server>
+        name primary.td-agent.service.consul
+        host primary.td-agent.service.consul
+        port 24224
+        weight 60
+      </server>
+
+      <server>
+        name backup.td-agent.service.consul
+        host backup.td-agent.service.consul
+        port 24224
+        weight 60
+        standby
+      </server>
+    </store>
+
+    <store>
+      @type file
+      path /tmp/forward.log
+    </store>
+  </match>
+</label>
--- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf
+++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf
@ -0,0 +1,20 @@
+<source>
+  @type tail
+  path /var/log/apt/history.log
+  pos_file /var/log/td-agent/aptitude.pos
+  format none
+  tag aptitude
+</source>
+
+<filter aptitude>
+  @type record_transformer
+  <record>
+    hostname ${hostname}
+    message ${hostname}: ${record["message"]}
+  </record>
+</filter>
+
+<match aptitude>
+  @type relabel
+  @label @forward
+</match>
--- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf
+++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf
@ -0,0 +1,28 @@
+<source>
+  @type tail
+  path /var/log/auth.log
+  pos_file /var/log/td-agent/auth.pos
+  format syslog
+  tag auth
+</source>
+
+<filter auth>
+  @type record_transformer
+  <record>
+    message ${hostname}: ${record["message"]}
+  </record>
+</filter>
+
+<filter auth>
+  @type grep
+
+  <exclude>
+    key message
+    pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected)
+  </exclude>
+</filter>
+
+<match auth>
+  @type relabel
+  @label @forward
+</match>
--- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf
+++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf
@ -0,0 +1,30 @@
+<source>
+  @type tail
+  path /var/log/supervisor/consul.log
+  pos_file /var/log/td-agent/consul.pos
+  format /^(    (?<time>[0-9/]+ [0-9:]+) (?<message>.*$)|(?<message>.*))/
+  time_format %Y/%m/%d %H:%M:%S
+  time_key time
+  tag consul
+</source>
+
+<filter consul>
+  @type record_transformer
+  <record>
+    message ${hostname}: ${record["message"]}
+  </record>
+</filter>
+
+<filter consul>
+  @type grep
+
+  <exclude>
+    key message
+    pattern (raft|memberlist|serf|Synced|Adding|Removing|consul\.fsm: snapshot created|session shutdown|context deadline exceeded|last request still outstanding|INFO|server health)
+  </exclude>
+</filter>
+
+<match consul>
+  @type relabel
+  @label @forward
+</match>
--- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_cron-apt.conf
+++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_cron-apt.conf
@ -0,0 +1,29 @@
+<source>
+  @type tail
+  path /var/log/cron-apt/log
+  pos_file /var/log/td-agent/cron-apt.pos
+  format none
+  tag cron_apt
+</source>
+
+<filter cron_apt>
+  @type grep
+
+  <regexp>
+    key message
+    pattern (^CRON-APT RUN|not upgraded\.)
+  </regexp>
+</filter>
+
+<filter cron_apt>
+  @type record_transformer
+  <record>
+    hostname ${hostname}
+    message ${hostname}: ${record["message"]}
+  </record>
+</filter>
+
+<match cron_apt>
+  @type relabel
+  @label @forward
+</match>
--- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_monit.conf
+++ b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_monit.conf
@ -0,0 +1,20 @@
+<source>
+  @type tail
+  path /var/log/monit.log
+  pos_file /var/log/td-agent/monit.pos
+  format none
+  tag monit
+</source>
+
+<filter monit>
+  @type record_transformer
+  <record>
+    hostname ${hostname}
+    message ${hostname}: ${record["message"]}
+  </record>
+</filter>
+
+<match monit>
+  @type relabel
+  @label @forward
+</match>
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`deb "http://ppa.launchpad.net/git-core/ppa/ubuntu" <%= @distribution %> main`