diff --git a/cookbooks/base/cron-apt.rb b/cookbooks/base/cron-apt.rb deleted file mode 100644 index 9083ce4..0000000 --- a/cookbooks/base/cron-apt.rb +++ /dev/null @@ -1,44 +0,0 @@ -# Install `cron-apt`: -package 'cron-apt' - -# From here, we are going to set up `cron-apt` to -# install the important security updates every day. -remote_file '/etc/cron-apt/config' do - user 'root' - - owner 'root' - group 'root' - mode '644' -end - -remote_file '/etc/cron-apt/action.d/3-download' do - user 'root' - - owner 'root' - group 'root' - mode '644' -end - -execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do - user 'root' - - not_if 'test -e /etc/apt/security.sources.list' -end - -file '/var/log/cron-apt/log' do - user 'root' - - content 'foo\n' - - owner 'root' - group 'root' - mode '666' - - not_if 'test -e /var/log/cron-apt/log' -end - -execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do - user 'root' - - not_if 'test -e /var/log/cron-apt/log' -end diff --git a/cookbooks/base/default.rb b/cookbooks/base/default.rb index 97ad48e..caa17e2 100644 --- a/cookbooks/base/default.rb +++ b/cookbooks/base/default.rb @@ -39,8 +39,8 @@ include_recipe './packages.rb' # Lang Setting: include_recipe './lang.rb' -# `cron-apt` settings: -include_recipe './cron-apt.rb' +# `unattended-upgrade` settings: +include_recipe './unattended-upgrade.rb' # `ufw` configurations: include_recipe './ufw.rb' @@ -54,17 +54,18 @@ include_recipe './fortune.rb' # timezone configurations: include_recipe './timezone.rb' -# ntp configurations: -include_recipe './ntp.rb' - # kernel configurations: include_recipe './kernel.rb' # Install mc command: include_recipe './mc.rb' -# unnecessary configurations: +# recipes for Ubuntu 16.04 if node['platform_version'].to_f == 16.04 + # ntp configurations + include_recipe './ntp.rb' + + # misc recipe include_recipe './unnecessary.rb' end diff --git a/cookbooks/base/files/etc/apt/apt.conf.d/20auto-upgrades b/cookbooks/base/files/etc/apt/apt.conf.d/20auto-upgrades new file mode 100644 index 0000000..8d6d7c8 --- /dev/null +++ b/cookbooks/base/files/etc/apt/apt.conf.d/20auto-upgrades @@ -0,0 +1,2 @@ +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; diff --git a/cookbooks/base/files/etc/apt/apt.conf.d/50unattended-upgrades b/cookbooks/base/files/etc/apt/apt.conf.d/50unattended-upgrades new file mode 100644 index 0000000..d31a4d2 --- /dev/null +++ b/cookbooks/base/files/etc/apt/apt.conf.d/50unattended-upgrades @@ -0,0 +1,131 @@ +// Automatically upgrade packages from these (origin:archive) pairs +// +// Note that in Ubuntu security updates may pull in new dependencies +// from non-security sources (e.g. chromium). By allowing the release +// pocket these get automatically pulled in. +Unattended-Upgrade::Allowed-Origins { + "${distro_id}:${distro_codename}"; + "${distro_id}:${distro_codename}-security"; + // Extended Security Maintenance; doesn't necessarily exist for + // every release and this system may not have it installed, but if + // available, the policy for updates is such that unattended-upgrades + // should also install from here by default. + "${distro_id}ESMApps:${distro_codename}-apps-security"; + "${distro_id}ESM:${distro_codename}-infra-security"; +// "${distro_id}:${distro_codename}-updates"; +// "${distro_id}:${distro_codename}-proposed"; +// "${distro_id}:${distro_codename}-backports"; +}; + +// Python regular expressions, matching packages to exclude from upgrading +Unattended-Upgrade::Package-Blacklist { + // The following matches all packages starting with linux- +// "linux-"; + + // Use $ to explicitely define the end of a package name. Without + // the $, "libc6" would match all of them. +// "libc6$"; +// "libc6-dev$"; +// "libc6-i686$"; + + // Special characters need escaping +// "libstdc\+\+6$"; + + // The following matches packages like xen-system-amd64, xen-utils-4.1, + // xenstore-utils and libxenstore3.0 +// "(lib)?xen(store)?"; + + // For more information about Python regular expressions, see + // https://docs.python.org/3/howto/regex.html +}; + +// This option controls whether the development release of Ubuntu will be +// upgraded automatically. Valid values are "true", "false", and "auto". +Unattended-Upgrade::DevRelease "auto"; + +// This option allows you to control if on a unclean dpkg exit +// unattended-upgrades will automatically run +// dpkg --force-confold --configure -a +// The default is true, to ensure updates keep getting installed +//Unattended-Upgrade::AutoFixInterruptedDpkg "true"; + +// Split the upgrade into the smallest possible chunks so that +// they can be interrupted with SIGTERM. This makes the upgrade +// a bit slower but it has the benefit that shutdown while a upgrade +// is running is possible (with a small delay) +//Unattended-Upgrade::MinimalSteps "true"; + +// Install all updates when the machine is shutting down +// instead of doing it in the background while the machine is running. +// This will (obviously) make shutdown slower. +// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. +// This allows more time for unattended-upgrades to shut down gracefully +// or even install a few packages in InstallOnShutdown mode, but is still a +// big step back from the 30 minutes allowed for InstallOnShutdown previously. +// Users enabling InstallOnShutdown mode are advised to increase +// InhibitDelayMaxSec even further, possibly to 30 minutes. +//Unattended-Upgrade::InstallOnShutdown "false"; + +// Send email to this address for problems or packages upgrades +// If empty or unset then no email is sent, make sure that you +// have a working mail setup on your system. A package that provides +// 'mailx' must be installed. E.g. "user@example.com" +//Unattended-Upgrade::Mail ""; + +// Set this value to one of: +// "always", "only-on-error" or "on-change" +// If this is not set, then any legacy MailOnlyOnError (boolean) value +// is used to chose between "only-on-error" and "on-change" +//Unattended-Upgrade::MailReport "on-change"; + +// Remove unused automatically installed kernel-related packages +// (kernel images, kernel headers and kernel version locked tools). +Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; + +// Do automatic removal of newly unused dependencies after the upgrade +Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; + +// Do automatic removal of unused packages after the upgrade +// (equivalent to apt-get autoremove) +Unattended-Upgrade::Remove-Unused-Dependencies "true"; + +// Automatically reboot *WITHOUT CONFIRMATION* if +// the file /var/run/reboot-required is found after the upgrade +Unattended-Upgrade::Automatic-Reboot "false"; + +// Automatically reboot even if there are users currently logged in +// when Unattended-Upgrade::Automatic-Reboot is set to true +//Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; + +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +//Unattended-Upgrade::Automatic-Reboot-Time "02:00"; + +// Use apt bandwidth limit feature, this example limits the download +// speed to 70kb/sec +//Acquire::http::Dl-Limit "70"; + +// Enable logging to syslog. Default is False +// Unattended-Upgrade::SyslogEnable "false"; + +// Specify syslog facility. Default is daemon +// Unattended-Upgrade::SyslogFacility "daemon"; + +// Download and install upgrades only on AC power +// (i.e. skip or gracefully stop updates on battery) +// Unattended-Upgrade::OnlyOnACPower "true"; + +// Download and install upgrades only on non-metered connection +// (i.e. skip or gracefully stop updates on a metered connection) +// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; + +// Verbose logging +// Unattended-Upgrade::Verbose "false"; + +// Print debugging information both in unattended-upgrades and +// in unattended-upgrade-shutdown +// Unattended-Upgrade::Debug "false"; + +// Allow package downgrade if Pin-Priority exceeds 1000 +// Unattended-Upgrade::Allow-downgrade "false"; diff --git a/cookbooks/base/files/etc/ssh/sshd_config.2004 b/cookbooks/base/files/etc/ssh/sshd_config.2004 new file mode 100644 index 0000000..04c850d --- /dev/null +++ b/cookbooks/base/files/etc/ssh/sshd_config.2004 @@ -0,0 +1,124 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Include /etc/ssh/sshd_config.d/*.conf + +Port 10022 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin no +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server +#PasswordAuthentication yes diff --git a/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg b/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg deleted file mode 100644 index 15a8694..0000000 --- a/cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -if [ "$2" = "" ]; then - mv $1 $1.tmp - - ID=`git branch | grep ^\* | awk '{print $2}' | cut -f 2 -d "/"` - - cat < $1 - - -This commit refs/fixes #${ID}. -# ^^^^^^^^^^ -EOF - - cat $1.tmp >> $1 -fi - -exit 0 diff --git a/cookbooks/base/ntp.rb b/cookbooks/base/ntp.rb index aaf520d..be36310 100644 --- a/cookbooks/base/ntp.rb +++ b/cookbooks/base/ntp.rb @@ -1,18 +1,13 @@ -case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp -when "18.04" - # do nothing -else - package 'ntp' +package 'ntp' - remote_file '/etc/ntp.conf' do - owner 'root' - group 'root' - mode '644' +remote_file '/etc/ntp.conf' do + owner 'root' + group 'root' + mode '644' - notifies :restart, 'service[ntp]' - end - - service 'ntp' do - action :nothing - end + notifies :restart, 'service[ntp]' +end + +service 'ntp' do + action :nothing end diff --git a/cookbooks/base/packages.rb b/cookbooks/base/packages.rb index 06df598..65e835c 100644 --- a/cookbooks/base/packages.rb +++ b/cookbooks/base/packages.rb @@ -9,11 +9,12 @@ end # Install the extra kernel: unless node['is_ec2'] case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp - when "18.04" - package 'linux-image-extra-virtual' - else + when "16.04" KERNEL = run_command("uname -r").stdout.chomp package "linux-image-extra-#{KERNEL}" + + when "18.04" + package 'linux-image-extra-virtual' end end @@ -53,7 +54,6 @@ end [ '/usr/share/git-core/templates/hooks/pre-commit', - '/usr/share/git-core/templates/hooks/prepare-commit-msg', ].each do |conf| remote_file conf do user 'root' diff --git a/cookbooks/base/ssh.rb b/cookbooks/base/ssh.rb index 728ff4d..947c023 100644 --- a/cookbooks/base/ssh.rb +++ b/cookbooks/base/ssh.rb @@ -9,6 +9,16 @@ end # Deploy the `sshd` configuration file: case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp +when "20.04" + remote_file '/etc/ssh/sshd_config' do + user 'root' + owner 'root' + group 'root' + mode '644' + + source 'files/etc/ssh/sshd_config.2004' + end + when "18.04" remote_file '/etc/ssh/sshd_config' do user 'root' diff --git a/cookbooks/base/timezone.rb b/cookbooks/base/timezone.rb index 2c76108..2d7f899 100644 --- a/cookbooks/base/timezone.rb +++ b/cookbooks/base/timezone.rb @@ -1,5 +1,5 @@ case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp -when "18.04" +when "18.04", "20.04" execute 'timedatectl set-timezone Asia/Tokyo' do not_if 'timedatectl | grep Tokyo' end diff --git a/cookbooks/base/unattended-upgrade.rb b/cookbooks/base/unattended-upgrade.rb new file mode 100644 index 0000000..4ab6b59 --- /dev/null +++ b/cookbooks/base/unattended-upgrade.rb @@ -0,0 +1,56 @@ +case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp +when "18.04" + # Install `cron-apt`: + package 'cron-apt' + + # From here, we are going to set up `cron-apt` to + # install the important security updates every day. + remote_file '/etc/cron-apt/config' do + user 'root' + + owner 'root' + group 'root' + mode '644' + end + + remote_file '/etc/cron-apt/action.d/3-download' do + user 'root' + + owner 'root' + group 'root' + mode '644' + end + + execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do + user 'root' + + not_if 'test -e /etc/apt/security.sources.list' + end + + file '/var/log/cron-apt/log' do + user 'root' + + content 'foo\n' + + owner 'root' + group 'root' + mode '666' + + not_if 'test -e /var/log/cron-apt/log' + end + + execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do + user 'root' + + not_if 'test -e /var/log/cron-apt/log' + end + +when '20.04' + %w(20auto-upgrades 50unattended-upgrades).each do |conf| + remote_file "/etc/apt/apt.conf.d/#{conf}" do + owner 'root' + group 'root' + mode '644' + end + end +end diff --git a/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf b/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf deleted file mode 100644 index dda15cb..0000000 --- a/cookbooks/blog/files/etc/monit/conf.d/blog-log.conf +++ /dev/null @@ -1,2 +0,0 @@ -check file nginx-blog with path /var/log/nginx/blog.access.log - if timestamp > 2 minutes for 5 cycles then exec "/bin/systemctl restart nginx" diff --git a/cookbooks/blog/nginx.rb b/cookbooks/blog/nginx.rb index 4e06e22..b68ef52 100644 --- a/cookbooks/blog/nginx.rb +++ b/cookbooks/blog/nginx.rb @@ -30,19 +30,6 @@ remote_file '/etc/cron.d/blog' do mode '644' end -# Add monit configuration file for monitoring nginx logs: -remote_file '/etc/monit/conf.d/blog-log.conf' do - owner 'root' - group 'root' - mode '644' - - notifies :reload, 'service[monit]' -end - -service 'monit' do - action :nothing -end - # Create storage directory for blog data directory '/home/webadm/works/public' do owner 'webadm' diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb index a2627d1..f964ce6 100644 --- a/cookbooks/consul/attributes.rb +++ b/cookbooks/consul/attributes.rb @@ -2,13 +2,20 @@ # Specifying the default settings: # ------------------------------------------- case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp +when "20.04" + cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' + when "18.04" cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10' + else cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1' end ipaddr = run_command(cmd).stdout.chomp +cmd = 'grep nameserver /run/systemd/resolve/resolv.conf | grep -v 8.8.8.8 | grep -v 127.0.0.1 | perl -pe "s/nameserver //g" | perl -pe "s/\n/ /g"' +dns = run_command(cmd).stdout.chomp + node.reverse_merge!({ 'consul' => { 'base_binary_url' => 'https://releases.hashicorp.com/consul/', @@ -16,6 +23,7 @@ node.reverse_merge!({ 'tmp_path' => '/tmp/itamae_tmp/consul.zip', 'manager' => true, 'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]', - 'ipaddr' => ipaddr + 'ipaddr' => ipaddr, + 'dns' => dns } }) diff --git a/cookbooks/consul/dnsmasq.rb b/cookbooks/consul/dnsmasq.rb index c8e48f5..a0c2c3f 100644 --- a/cookbooks/consul/dnsmasq.rb +++ b/cookbooks/consul/dnsmasq.rb @@ -5,29 +5,27 @@ end case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp -when "18.04" +when "20.04" + template '/etc/systemd/resolved.conf' do + owner 'root' + group 'root' + mode '644' + + variables(dns: node['consul']['dns']) + + notifies :restart, 'service[systemd-resolved]', :immediately + end + remote_file '/etc/dnsmasq.conf' do owner 'root' group 'root' mode '644' - source 'files/etc/dnsmasq.conf.1804' + source 'files/etc/dnsmasq.conf.2004' - notifies :reload, 'service[dnsmasq]' + notifies :restart, 'service[dnsmasq]', :immediately end -else - remote_file '/etc/dnsmasq.conf' do - owner 'root' - group 'root' - mode '644' - source 'files/etc/dnsmasq.conf.1804' - - notifies :reload, 'service[dnsmasq]' - end -end - -case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp when "18.04" remote_file '/etc/systemd/resolved.conf' do owner 'root' @@ -36,7 +34,18 @@ when "18.04" notifies :restart, 'service[systemd-resolved]' end -else + + remote_file '/etc/dnsmasq.conf' do + owner 'root' + group 'root' + mode '644' + + source 'files/etc/dnsmasq.conf.1804' + + notifies :reload, 'service[dnsmasq]' + end + +when '16.04' remote_file '/etc/resolvconf/resolv.conf.d/head' do owner 'root' group 'root' @@ -44,4 +53,15 @@ else notifies :restart, 'service[resolvconf]' end + + remote_file '/etc/dnsmasq.conf' do + owner 'root' + group 'root' + mode '644' + + source 'files/etc/dnsmasq.conf.1804' + + notifies :reload, 'service[dnsmasq]' + end end + diff --git a/cookbooks/consul/files/etc/dnsmasq.conf.2004 b/cookbooks/consul/files/etc/dnsmasq.conf.2004 new file mode 100644 index 0000000..213bdaf --- /dev/null +++ b/cookbooks/consul/files/etc/dnsmasq.conf.2004 @@ -0,0 +1,679 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +resolv-file=/run/systemd/resolve/resolv.conf + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +server=/consul/127.0.0.1#8600 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +#interface= +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface= + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC algorithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overridden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissible to give name, address and MAC in any +# order. + +# Always allocate the host with Ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with Ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with Ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two Ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the InfiniBand interface with hardware address +# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the +# ip address 192.168.0.61. The client id is derived from the prefix +# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of +# hex digits of the hardware address. +#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose Ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with Ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also that the [] around the IPv6 address are obligatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set option 58 client renewal time (T1). Defaults to half of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T1,1m + +# Set option 59 rebinding time (T2). Defaults to 7/8 of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T2,2m + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this if you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built-in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for iPXE. The idea is to send two different +# filenames, the first loads iPXE, and the second tells iPXE what to +# load. The dhcp-match sets the ipxe tag for requests from iPXE. +#dhcp-boot=undionly.kpxe +#dhcp-match=set:ipxe,175 # iPXE sends a 175 option. +#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php + +# Encapsulated options for iPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. +#tftp-root=/var/ftpd + +# Do not abort if the tftp-root is unavailable +#tftp-no-fail + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fashion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039. +# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit +# option with a DHCPACK including a Rapid Commit option and fully committed address +# and configuration information. This must only be enabled if either the server is +# the only server for the subnet, or multiple servers are present and they each +# commit a binding for all clients. +#dhcp-rapid-commit + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d + +# Include all the files in a directory except those ending in .bak +#conf-dir=/etc/dnsmasq.d,.bak + +# Include all files in a directory which end in .conf +#conf-dir=/etc/dnsmasq.d/,*.conf + +# If a DHCP client claims that its name is "wpad", ignore that. +# This fixes a security hole. see CERT Vulnerability VU#598349 +#dhcp-name-match=set:wpad-ignore,wpad +#dhcp-ignore-names=tag:wpad-ignore diff --git a/cookbooks/consul/files/etc/monit/conf.d/consul.conf b/cookbooks/consul/files/etc/monit/conf.d/consul.conf deleted file mode 100644 index 5a54067..0000000 --- a/cookbooks/consul/files/etc/monit/conf.d/consul.conf +++ /dev/null @@ -1,10 +0,0 @@ -check process consul - with pidfile /var/run/consul.pid - start program = "/usr/bin/supervisorctl start consul" - stop program = "/usr/bin/supervisorctl stop consul" - - if failed - host localhost - port 8500 - protocol HTTP - then restart diff --git a/cookbooks/consul/setup.rb b/cookbooks/consul/setup.rb index 3ba8fa7..9654250 100644 --- a/cookbooks/consul/setup.rb +++ b/cookbooks/consul/setup.rb @@ -13,6 +13,8 @@ template '/etc/consul.d/config.json' do manager_hosts: node['consul']['manager_hosts'], ipaddr: node['consul']['ipaddr'], ) + + notifies :restart, 'service[supervisor]' end remote_file '/etc/consul.d/service-consul.json' do @@ -23,14 +25,6 @@ remote_file '/etc/consul.d/service-consul.json' do only_if '{ node["consul"]["manager"]}' end -remote_file '/etc/monit/conf.d/consul.conf' do - owner 'root' - group 'root' - mode '644' - - notifies :restart, 'service[monit]' -end - execute 'Reload supervisor' do user 'root' diff --git a/cookbooks/consul/templates/etc/systemd/resolved.conf.erb b/cookbooks/consul/templates/etc/systemd/resolved.conf.erb new file mode 100644 index 0000000..9a0d79d --- /dev/null +++ b/cookbooks/consul/templates/etc/systemd/resolved.conf.erb @@ -0,0 +1,24 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. +# +# Entries in this file show the compile time defaults. +# You can change settings by editing this file. +# Defaults can be restored by simply deleting this file. +# +# See resolved.conf(5) for details + +[Resolve] +DNS=127.0.0.1 <%= @dns %> 8.8.8.8 +#FallbackDNS= +#Domains= +#LLMNR=no +#MulticastDNS=no +#DNSSEC=no +#DNSOverTLS=no +#Cache=yes +DNSStubListener=no +#ReadEtcHosts=yes diff --git a/cookbooks/digdag/shared_dir.rb b/cookbooks/digdag/shared_dir.rb index 9542530..b843326 100644 --- a/cookbooks/digdag/shared_dir.rb +++ b/cookbooks/digdag/shared_dir.rb @@ -8,12 +8,18 @@ package 'cifs-utils' end end +directory '/var/spool/apt-mirror' do + owner 'root' + group 'root' + mode '777' +end + # Add the fstab entry: file '/etc/fstab' do action :edit block do |content| - content << "//192.168.10.200/Shared/shared /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n" + content << "//192.168.10.200/Shared/AppData /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n" end not_if 'grep shared /etc/fstab' @@ -23,12 +29,32 @@ file '/etc/fstab' do action :edit block do |content| - content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n" + content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n" end not_if 'grep img /etc/fstab' end +file '/etc/fstab' do + action :edit + + block do |content| + content << "//192.168.10.200/Shared/AppData /mnt/backup cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n" + end + + not_if 'grep backup /etc/fstab' +end + +file '/etc/fstab' do + action :edit + + block do |content| + content << "//192.168.10.200/Shared/PXEBoot/www/ubuntu/apt-mirror /var/spool/apt-mirror cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n" + end + + not_if 'grep apt-mirror /etc/fstab' +end + execute 'mount -a' do not_if 'df -h | grep shared' end diff --git a/cookbooks/fluentd/attributes.rb b/cookbooks/fluentd/attributes.rb deleted file mode 100644 index df35d4f..0000000 --- a/cookbooks/fluentd/attributes.rb +++ /dev/null @@ -1,11 +0,0 @@ -# ------------------------------------------- -# Specifying the default settings: -# ------------------------------------------- -node.reverse_merge!({ - 'td-agent' => { - 'user' => 'td-agent', - 'group' => 'td-agent', - 'forward' => false, - 'role' => 'primary' - } -}) diff --git a/cookbooks/fluentd/auth.rb b/cookbooks/fluentd/auth.rb deleted file mode 100644 index e69de29..0000000 diff --git a/cookbooks/fluentd/default.rb b/cookbooks/fluentd/default.rb deleted file mode 100644 index 0cac0d9..0000000 --- a/cookbooks/fluentd/default.rb +++ /dev/null @@ -1,40 +0,0 @@ -##################################### -# Common Settings: -##################################### - -include_recipe './attributes.rb' - -include_recipe './prerequisites.rb' -include_recipe './install.rb' - -include_recipe './setup.rb' - -##################################### -# Manager Settings: -##################################### - -if node['td-agent']['forward'] - include_recipe './processor.rb' - include_recipe './syslog.rb' - include_recipe './slack.rb' -end - -##################################### -# monitoring Settings: -##################################### - -include_recipe './nginx.rb' - -%w( aptitude auth cron-apt monit consul ).each do |c| - remote_file "/etc/td-agent/conf.d/forwarder_#{c}.conf" do - owner 'root' - group 'root' - mode '644' - - notifies :restart, 'service[td-agent]' - end -end - -service 'td-agent' do - action :restart -end diff --git a/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf b/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf deleted file mode 100644 index c7760a3..0000000 --- a/cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf +++ /dev/null @@ -1,4 +0,0 @@ -check process td-agent - with pidfile /var/run/td-agent/td-agent.pid - start program = "/etc/init.d/td-agent start" - stop program = "/etc/init.d/td-agent stop" diff --git a/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf b/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf deleted file mode 100644 index 929b7b8..0000000 --- a/cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf +++ /dev/null @@ -1,6 +0,0 @@ -# - nofile - max number of open files - -root soft nofile 65536 -root hard nofile 65536 -* soft nofile 65536 -* hard nofile 65536 diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf deleted file mode 100644 index 48eaad0..0000000 --- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf +++ /dev/null @@ -1,38 +0,0 @@ - diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf deleted file mode 100644 index abda2a5..0000000 --- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf +++ /dev/null @@ -1,20 +0,0 @@ - - @type tail - path /var/log/apt/history.log - pos_file /var/log/td-agent/aptitude.pos - format none - tag aptitude - - - - @type record_transformer - - hostname ${hostname} - message ${hostname}: ${record["message"]} - - - - - @type relabel - @label @forward - diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf deleted file mode 100644 index 257bae5..0000000 --- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf +++ /dev/null @@ -1,28 +0,0 @@ - - @type tail - path /var/log/auth.log - pos_file /var/log/td-agent/auth.pos - format syslog - tag auth - - - - @type record_transformer - - message ${hostname}: ${record["message"]} - - - - - @type grep - - - key message - pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected) - - - - - @type relabel - @label @forward - diff --git a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf b/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf deleted file mode 100644 index e8cd7cc..0000000 --- a/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf +++ /dev/null @@ -1,30 +0,0 @@ - - @type tail - path /var/log/supervisor/consul.log - pos_file /var/log/td-agent/consul.pos - format /^( (?