Merge branch 'ubuntu2004-support' of kazu634/itamae into master

This commit is contained in:
Kazuhiro MUSASHI 2020-10-13 21:21:52 +09:00 committed by Gitea
commit 5b5fb26630
61 changed files with 1134 additions and 1625 deletions

View File

@ -1,44 +0,0 @@
# Install `cron-apt`:
package 'cron-apt'
# From here, we are going to set up `cron-apt` to
# install the important security updates every day.
remote_file '/etc/cron-apt/config' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
remote_file '/etc/cron-apt/action.d/3-download' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
user 'root'
not_if 'test -e /etc/apt/security.sources.list'
end
file '/var/log/cron-apt/log' do
user 'root'
content 'foo\n'
owner 'root'
group 'root'
mode '666'
not_if 'test -e /var/log/cron-apt/log'
end
execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
user 'root'
not_if 'test -e /var/log/cron-apt/log'
end

View File

@ -39,8 +39,8 @@ include_recipe './packages.rb'
# Lang Setting: # Lang Setting:
include_recipe './lang.rb' include_recipe './lang.rb'
# `cron-apt` settings: # `unattended-upgrade` settings:
include_recipe './cron-apt.rb' include_recipe './unattended-upgrade.rb'
# `ufw` configurations: # `ufw` configurations:
include_recipe './ufw.rb' include_recipe './ufw.rb'
@ -54,17 +54,18 @@ include_recipe './fortune.rb'
# timezone configurations: # timezone configurations:
include_recipe './timezone.rb' include_recipe './timezone.rb'
# ntp configurations:
include_recipe './ntp.rb'
# kernel configurations: # kernel configurations:
include_recipe './kernel.rb' include_recipe './kernel.rb'
# Install mc command: # Install mc command:
include_recipe './mc.rb' include_recipe './mc.rb'
# unnecessary configurations: # recipes for Ubuntu 16.04
if node['platform_version'].to_f == 16.04 if node['platform_version'].to_f == 16.04
# ntp configurations
include_recipe './ntp.rb'
# misc recipe
include_recipe './unnecessary.rb' include_recipe './unnecessary.rb'
end end

View File

@ -0,0 +1,2 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

View File

@ -0,0 +1,131 @@
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

View File

@ -0,0 +1,124 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 10022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#PasswordAuthentication yes

View File

@ -1,18 +0,0 @@
#!/bin/sh
if [ "$2" = "" ]; then
mv $1 $1.tmp
ID=`git branch | grep ^\* | awk '{print $2}' | cut -f 2 -d "/"`
cat <<EOF > $1
This commit refs/fixes #${ID}.
# ^^^^^^^^^^
EOF
cat $1.tmp >> $1
fi
exit 0

View File

@ -1,7 +1,3 @@
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04"
# do nothing
else
package 'ntp' package 'ntp'
remote_file '/etc/ntp.conf' do remote_file '/etc/ntp.conf' do
@ -15,4 +11,3 @@ else
service 'ntp' do service 'ntp' do
action :nothing action :nothing
end end
end

View File

@ -9,11 +9,12 @@ end
# Install the extra kernel: # Install the extra kernel:
unless node['is_ec2'] unless node['is_ec2']
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "16.04"
package 'linux-image-extra-virtual'
else
KERNEL = run_command("uname -r").stdout.chomp KERNEL = run_command("uname -r").stdout.chomp
package "linux-image-extra-#{KERNEL}" package "linux-image-extra-#{KERNEL}"
when "18.04"
package 'linux-image-extra-virtual'
end end
end end
@ -53,7 +54,6 @@ end
[ [
'/usr/share/git-core/templates/hooks/pre-commit', '/usr/share/git-core/templates/hooks/pre-commit',
'/usr/share/git-core/templates/hooks/prepare-commit-msg',
].each do |conf| ].each do |conf|
remote_file conf do remote_file conf do
user 'root' user 'root'

View File

@ -9,6 +9,16 @@ end
# Deploy the `sshd` configuration file: # Deploy the `sshd` configuration file:
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04"
remote_file '/etc/ssh/sshd_config' do
user 'root'
owner 'root'
group 'root'
mode '644'
source 'files/etc/ssh/sshd_config.2004'
end
when "18.04" when "18.04"
remote_file '/etc/ssh/sshd_config' do remote_file '/etc/ssh/sshd_config' do
user 'root' user 'root'

View File

@ -1,5 +1,5 @@
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "18.04", "20.04"
execute 'timedatectl set-timezone Asia/Tokyo' do execute 'timedatectl set-timezone Asia/Tokyo' do
not_if 'timedatectl | grep Tokyo' not_if 'timedatectl | grep Tokyo'
end end

View File

@ -0,0 +1,56 @@
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04"
# Install `cron-apt`:
package 'cron-apt'
# From here, we are going to set up `cron-apt` to
# install the important security updates every day.
remote_file '/etc/cron-apt/config' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
remote_file '/etc/cron-apt/action.d/3-download' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
user 'root'
not_if 'test -e /etc/apt/security.sources.list'
end
file '/var/log/cron-apt/log' do
user 'root'
content 'foo\n'
owner 'root'
group 'root'
mode '666'
not_if 'test -e /var/log/cron-apt/log'
end
execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
user 'root'
not_if 'test -e /var/log/cron-apt/log'
end
when '20.04'
%w(20auto-upgrades 50unattended-upgrades).each do |conf|
remote_file "/etc/apt/apt.conf.d/#{conf}" do
owner 'root'
group 'root'
mode '644'
end
end
end

View File

@ -1,2 +0,0 @@
check file nginx-blog with path /var/log/nginx/blog.access.log
if timestamp > 2 minutes for 5 cycles then exec "/bin/systemctl restart nginx"

View File

@ -30,19 +30,6 @@ remote_file '/etc/cron.d/blog' do
mode '644' mode '644'
end end
# Add monit configuration file for monitoring nginx logs:
remote_file '/etc/monit/conf.d/blog-log.conf' do
owner 'root'
group 'root'
mode '644'
notifies :reload, 'service[monit]'
end
service 'monit' do
action :nothing
end
# Create storage directory for blog data # Create storage directory for blog data
directory '/home/webadm/works/public' do directory '/home/webadm/works/public' do
owner 'webadm' owner 'webadm'

View File

@ -2,13 +2,20 @@
# Specifying the default settings: # Specifying the default settings:
# ------------------------------------------- # -------------------------------------------
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04"
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
when "18.04" when "18.04"
cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10' cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10'
else else
cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1' cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
end end
ipaddr = run_command(cmd).stdout.chomp ipaddr = run_command(cmd).stdout.chomp
cmd = 'grep nameserver /run/systemd/resolve/resolv.conf | grep -v 8.8.8.8 | grep -v 127.0.0.1 | perl -pe "s/nameserver //g" | perl -pe "s/\n/ /g"'
dns = run_command(cmd).stdout.chomp
node.reverse_merge!({ node.reverse_merge!({
'consul' => { 'consul' => {
'base_binary_url' => 'https://releases.hashicorp.com/consul/', 'base_binary_url' => 'https://releases.hashicorp.com/consul/',
@ -16,6 +23,7 @@ node.reverse_merge!({
'tmp_path' => '/tmp/itamae_tmp/consul.zip', 'tmp_path' => '/tmp/itamae_tmp/consul.zip',
'manager' => true, 'manager' => true,
'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]', 'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]',
'ipaddr' => ipaddr 'ipaddr' => ipaddr,
'dns' => dns
} }
}) })

View File

@ -5,29 +5,27 @@
end end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "20.04"
template '/etc/systemd/resolved.conf' do
owner 'root'
group 'root'
mode '644'
variables(dns: node['consul']['dns'])
notifies :restart, 'service[systemd-resolved]', :immediately
end
remote_file '/etc/dnsmasq.conf' do remote_file '/etc/dnsmasq.conf' do
owner 'root' owner 'root'
group 'root' group 'root'
mode '644' mode '644'
source 'files/etc/dnsmasq.conf.1804' source 'files/etc/dnsmasq.conf.2004'
notifies :reload, 'service[dnsmasq]' notifies :restart, 'service[dnsmasq]', :immediately
end
else
remote_file '/etc/dnsmasq.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/dnsmasq.conf.1804'
notifies :reload, 'service[dnsmasq]'
end
end end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "18.04"
remote_file '/etc/systemd/resolved.conf' do remote_file '/etc/systemd/resolved.conf' do
owner 'root' owner 'root'
@ -36,7 +34,18 @@ when "18.04"
notifies :restart, 'service[systemd-resolved]' notifies :restart, 'service[systemd-resolved]'
end end
else
remote_file '/etc/dnsmasq.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/dnsmasq.conf.1804'
notifies :reload, 'service[dnsmasq]'
end
when '16.04'
remote_file '/etc/resolvconf/resolv.conf.d/head' do remote_file '/etc/resolvconf/resolv.conf.d/head' do
owner 'root' owner 'root'
group 'root' group 'root'
@ -44,4 +53,15 @@ else
notifies :restart, 'service[resolvconf]' notifies :restart, 'service[resolvconf]'
end end
remote_file '/etc/dnsmasq.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/dnsmasq.conf.1804'
notifies :reload, 'service[dnsmasq]'
end end
end

View File

@ -0,0 +1,679 @@
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
resolv-file=/run/systemd/resolve/resolv.conf
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
server=/consul/127.0.0.1#8600
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
#enable-ra
# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any
# order.
# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60
# Always give the InfiniBand interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60
# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge
# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore
# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*
# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red
# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red
# Give a fixed IPv6 address and name to client with
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also that the [] around the IPv6 address are obligatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known
# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux
# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts
# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers
# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Common options can be given to dnsmasq by name:
# run "dnsmasq --help dhcp" to get a list.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4
# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4
# Override the default route supplied by dnsmasq and send no default
# route at all. Note that this only works for the options sent by
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set option 58 client renewal time (T1). Defaults to half of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T1,1m
# Set option 59 rebinding time (T2). Defaults to 7/8 of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T2,2m
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this if you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built-in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for iPXE. The idea is to send two different
# filenames, the first loads iPXE, and the second tells iPXE what to
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
#dhcp-boot=undionly.kpxe
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
# Encapsulated options for iPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Do not abort if the tftp-root is unavailable
#tftp-no-fail
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fashion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
# option with a DHCPACK including a Rapid Commit option and fully committed address
# and configuration information. This must only be enabled if either the server is
# the only server for the subnet, or multiple servers are present and they each
# commit a binding for all clients.
#dhcp-rapid-commit
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

View File

@ -1,10 +0,0 @@
check process consul
with pidfile /var/run/consul.pid
start program = "/usr/bin/supervisorctl start consul"
stop program = "/usr/bin/supervisorctl stop consul"
if failed
host localhost
port 8500
protocol HTTP
then restart

View File

@ -13,6 +13,8 @@ template '/etc/consul.d/config.json' do
manager_hosts: node['consul']['manager_hosts'], manager_hosts: node['consul']['manager_hosts'],
ipaddr: node['consul']['ipaddr'], ipaddr: node['consul']['ipaddr'],
) )
notifies :restart, 'service[supervisor]'
end end
remote_file '/etc/consul.d/service-consul.json' do remote_file '/etc/consul.d/service-consul.json' do
@ -23,14 +25,6 @@ remote_file '/etc/consul.d/service-consul.json' do
only_if '{ node["consul"]["manager"]}' only_if '{ node["consul"]["manager"]}'
end end
remote_file '/etc/monit/conf.d/consul.conf' do
owner 'root'
group 'root'
mode '644'
notifies :restart, 'service[monit]'
end
execute 'Reload supervisor' do execute 'Reload supervisor' do
user 'root' user 'root'

View File

@ -0,0 +1,24 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
DNS=127.0.0.1 <%= @dns %> 8.8.8.8
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=yes
DNSStubListener=no
#ReadEtcHosts=yes

View File

@ -8,12 +8,18 @@ package 'cifs-utils'
end end
end end
directory '/var/spool/apt-mirror' do
owner 'root'
group 'root'
mode '777'
end
# Add the fstab entry: # Add the fstab entry:
file '/etc/fstab' do file '/etc/fstab' do
action :edit action :edit
block do |content| block do |content|
content << "//192.168.10.200/Shared/shared /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n" content << "//192.168.10.200/Shared/AppData /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end end
not_if 'grep shared /etc/fstab' not_if 'grep shared /etc/fstab'
@ -23,12 +29,32 @@ file '/etc/fstab' do
action :edit action :edit
block do |content| block do |content|
content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n" content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end end
not_if 'grep img /etc/fstab' not_if 'grep img /etc/fstab'
end end
file '/etc/fstab' do
action :edit
block do |content|
content << "//192.168.10.200/Shared/AppData /mnt/backup cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end
not_if 'grep backup /etc/fstab'
end
file '/etc/fstab' do
action :edit
block do |content|
content << "//192.168.10.200/Shared/PXEBoot/www/ubuntu/apt-mirror /var/spool/apt-mirror cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end
not_if 'grep apt-mirror /etc/fstab'
end
execute 'mount -a' do execute 'mount -a' do
not_if 'df -h | grep shared' not_if 'df -h | grep shared'
end end

View File

@ -1,11 +0,0 @@
# -------------------------------------------
# Specifying the default settings:
# -------------------------------------------
node.reverse_merge!({
'td-agent' => {
'user' => 'td-agent',
'group' => 'td-agent',
'forward' => false,
'role' => 'primary'
}
})

View File

@ -1,40 +0,0 @@
#####################################
# Common Settings:
#####################################
include_recipe './attributes.rb'
include_recipe './prerequisites.rb'
include_recipe './install.rb'
include_recipe './setup.rb'
#####################################
# Manager Settings:
#####################################
if node['td-agent']['forward']
include_recipe './processor.rb'
include_recipe './syslog.rb'
include_recipe './slack.rb'
end
#####################################
# monitoring Settings:
#####################################
include_recipe './nginx.rb'
%w( aptitude auth cron-apt monit consul ).each do |c|
remote_file "/etc/td-agent/conf.d/forwarder_#{c}.conf" do
owner 'root'
group 'root'
mode '644'
notifies :restart, 'service[td-agent]'
end
end
service 'td-agent' do
action :restart
end

View File

@ -1,4 +0,0 @@
check process td-agent
with pidfile /var/run/td-agent/td-agent.pid
start program = "/etc/init.d/td-agent start"
stop program = "/etc/init.d/td-agent stop"

View File

@ -1,6 +0,0 @@
# - nofile - max number of open files
root soft nofile 65536
root hard nofile 65536
* soft nofile 65536
* hard nofile 65536

View File

@ -1,38 +0,0 @@
<label @forward>
<match **>
@type copy
<store>
@type forward
send_timeout 60s
recover_wait 10s
transport tcp
heartbeat_interval 1s
phi_threshold 16
hard_timeout 60s
buffer_type file
buffer_path /var/log/td-agent/buffer/forward*.buffer
<server>
name primary.td-agent.service.consul
host primary.td-agent.service.consul
port 24224
weight 60
</server>
<server>
name backup.td-agent.service.consul
host backup.td-agent.service.consul
port 24224
weight 60
standby
</server>
</store>
<store>
@type file
path /tmp/forward.log
</store>
</match>
</label>

View File

@ -1,20 +0,0 @@
<source>
@type tail
path /var/log/apt/history.log
pos_file /var/log/td-agent/aptitude.pos
format none
tag aptitude
</source>
<filter aptitude>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match aptitude>
@type relabel
@label @forward
</match>

View File

@ -1,28 +0,0 @@
<source>
@type tail
path /var/log/auth.log
pos_file /var/log/td-agent/auth.pos
format syslog
tag auth
</source>
<filter auth>
@type record_transformer
<record>
message ${hostname}: ${record["message"]}
</record>
</filter>
<filter auth>
@type grep
<exclude>
key message
pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected)
</exclude>
</filter>
<match auth>
@type relabel
@label @forward
</match>

View File

@ -1,30 +0,0 @@
<source>
@type tail
path /var/log/supervisor/consul.log
pos_file /var/log/td-agent/consul.pos
format /^( (?<time>[0-9/]+ [0-9:]+) (?<message>.*$)|(?<message>.*))/
time_format %Y/%m/%d %H:%M:%S
time_key time
tag consul
</source>
<filter consul>
@type record_transformer
<record>
message ${hostname}: ${record["message"]}
</record>
</filter>
<filter consul>
@type grep
<exclude>
key message
pattern (raft|memberlist|serf|Synced|Adding|Removing|consul\.fsm: snapshot created|session shutdown|context deadline exceeded|last request still outstanding|INFO|server health)
</exclude>
</filter>
<match consul>
@type relabel
@label @forward
</match>

View File

@ -1,29 +0,0 @@
<source>
@type tail
path /var/log/cron-apt/log
pos_file /var/log/td-agent/cron-apt.pos
format none
tag cron_apt
</source>
<filter cron_apt>
@type grep
<regexp>
key message
pattern (^CRON-APT RUN|not upgraded\.)
</regexp>
</filter>
<filter cron_apt>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match cron_apt>
@type relabel
@label @forward
</match>

View File

@ -1,20 +0,0 @@
<source>
@type tail
path /var/log/monit.log
pos_file /var/log/td-agent/monit.pos
format none
tag monit
</source>
<filter monit>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match monit>
@type relabel
@label @forward
</match>

View File

@ -1,21 +0,0 @@
<source>
@type tail
path /var/log/nginx/*access.log
pos_file /var/log/td-agent/nginx_logs.pos
format ltsv
time_format %d/%b/%Y:%H:%M:%S %z
time_key time
tag nginx
</source>
<filter nginx>
@type record_transformer
<record>
hostname ${hostname}
</record>
</filter>
<match nginx>
@type relabel
@label @forward
</match>

View File

@ -1,29 +0,0 @@
<source>
@type tail
path /var/log/td-agent/td-agent.log
pos_file /var/log/td-agent/td-agent.pos
format none
tag td_agent
</source>
<filter td_agent>
@type grep
<exclude>
key message
pattern (openvpn|will be ignored|section <buffer> is not used)
</exclude>
</filter>
<filter td_agent>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match td_agent>
@type relabel
@label @forward
</match>

View File

@ -1,146 +0,0 @@
<label @forward>
<match consul>
@type relabel
@label @consul_branch
</match>
<match nginx>
@type relabel
@label @s3_upload
</match>
<match **>
@type relabel
@label @process
</match>
</label>
<label @received>
<match consul>
@type relabel
@label @consul_branch
</match>
<match nginx>
@type relabel
@label @s3_upload
</match>
<match **>
@type copy
<store>
@type relabel
@label @process
</store>
<store>
@type file
path /tmp/received.log
</store>
</match>
</label>
<label @process>
<match auth>
@type relabel
@label @good
</match>
<filter aptitude>
@type grep
<regexp>
key message
pattern (Commandline|Error|Install|Remove|Upgrade)
</regexp>
</filter>
<match aptitude>
@type copy
<store>
@type relabel
@label @good
</store>
<store>
@type file
path /tmp/aptitude.log
</store>
</match>
<filter monit>
@type grep
<exclude>
key message
pattern (error|ERROR)
</exclude>
</filter>
<match monit>
@type relabel
@label @danger
</match>
<match cron_apt>
@type copy
<store>
@type relabel
@label @good
</store>
<store>
@type file
path /tmp/cron-apt.log
</store>
</match>
<match consul>
@type relabel
@label @danger
</match>
<filter td_agent>
@type grep
<exclude>
key message
pattern (\[info\]|parameter '.*' in|suppressed same stacktrace|loop\.rb|in_tail\.rb| 0(6|7):25|from ASCII-8BIT to UTF-8|of buffered_slack plugin)
</exclude>
<regexp>
key message
pattern \[(warn|error)\]
</regexp>
</filter>
<match td_agent>
@type relabel
@label @danger
</match>
<filter app.**>
@type record_transformer
<record>
message ${record["log"]}
</record>
</filter>
<match app.**>
@type relabel
@label @apps
</match>
<match random.**>
@type relabel
@label @random
</match>
<match apt-mirror.**>
@type relabel
@label @good
</match>
</label>

View File

@ -1,39 +0,0 @@
######################
# Receive nginx logs #
######################
<label @consul_branch>
<match consul>
@type copy
<store>
@type rewrite_tag_filter
<rule>
key message
pattern (\[WARN\]|left, deregistering|removing server monitor)
tag consul.danger
</rule>
</store>
<store>
@type rewrite_tag_filter
<rule>
key message
pattern (\[INFO\])
tag consul.good
</rule>
</store>
</match>
<match consul.danger>
@type relabel
@label @danger
</match>
<match consul.good>
@type relabel
@label @good
</match>
</label>

View File

@ -1,15 +0,0 @@
md5:57588c890f0ef6e8f8a9de3f2336df7c:salt:128-16-245-219-49-150-248-21:aes-256-cfb:y/5qRG08epYJHUpPCrY46RkH9mYeg0PPxe6b8Vus43Ph7TOSJOey/LrOZjJ7
iTYfOte4QbTH/P+wjm/8RldxRRSJ3spha/2MuIVQpliC+5KnT9nmC1rLP8+y
nbJstGpeGUuRIjzZtMvI1Kvb+j2BEOPCeiTAD2yXwPsMbaODoG5mzYgcSgBV
TDvtbG6I0KYDiLbTZw7crusQltx45uvq1zcK+g5UMb7oaqClyJA5VLsWRbeT
tiaFXQLYy2oXIvQmw65ccFixLIxVERxGrx/x4uGhR/saQIZMonymG6z3Riy3
vejNLQNIfaxZYb0llLTtzt13jsft+5Z766Y8Umoiws+bUF7igLw3CI47pb6y
PEwCvhKxk+RG5dtPQysRy1sSPrOTBzVf6+0/Em2BaKRBubRNEDpjI/1+aN5L
t5c4qYX3lP3v2bjwF1iQO5qEv3R46ytblZmyaoSPYGsWyzZBNn841QBZ1oi7
IlyYsnTFEQ5InVTygCd+04/L3tOoxShvsbxJZ/jYqSBaAo9UdhnYU9wo+8ob
Oz2sjarXIJyzqs4a68/YizNRdke7dEFblnYsLZUAtWQBnjo4cwGug8nZGaKr
L2M5IT3NWfVHRCf1sbkQspsjGtb3fM/F62VH8OU85vTXvR+SWSTYJzpSvcCH
73HqgOD1H0jzwanZi8SvVs7zA3Fr6HgJ4FYbwaB/109BVjnzhcmDm0RkXGQY
nqRsvlxEj6NnSGlGQgLvYgT1KLCTYFrZNlNZRzO71B32jc/KxZnwFRcxgrcb
/mAsz/TxLdxSjmuCAssfL/YY2uh5fPgL0XC31RdVJ9mdUpHQmtTAfAjYyilJ
J/fQOY6ZRDqq1Vfq53wuLrZJdxztWNK8DJguZJ5gdqy/l4ggPnCvDFwI

View File

@ -1,5 +0,0 @@
<source>
@type forward
port 24224
@label @received
</source>

View File

@ -1,38 +0,0 @@
# For ESXi syslog Monitoring:
<source>
@type syslog
port 1514
bind 0.0.0.0
protocol_type tcp
format none
tag system.esxi
</source>
<filter system.esxi.**>
@type grep
<exclude>
key message
pattern (iscsid|LikewiseGetDomainJoinInfo|hostd|DictionaryLoad|addVob|backup\.sh|libsmart|\[context\]|Hostd|vmauthd|Rhttpproxy|requested fast path state update| above TEMPERATURE threshold)
</exclude>
</filter>
<match system.esxi.**.{debug,info}>
@type null
</match>
<match system.esxi.**.{notice,warn,err,crit,alert,emerg}>
@type copy
<store>
@type file
path /tmp/syslog_esxi.log
time_slice_format %Y%m%d
time_slice_wait 1m
</store>
<store>
@type relabel
@label @danger
</store>
</match>

View File

@ -1,41 +0,0 @@
# For synology syslog Monitoring:
<source>
@type syslog
port 5141
bind 0.0.0.0
protocol_type tcp
message_format auto
tag system.synology
</source>
<filter system.synology.**>
@type grep
<exclude>
key message
pattern (accessed the shared folder)
</exclude>
</filter>
<filter system.synology.**>
@type record_transformer
<record>
message ${record["host"]}: ${record["message"]}
</record>
</filter>
<match system.synology.**>
@type copy
<store>
@type file
path /tmp/syslog_synology.log
time_slice_format %Y%m%d
time_slice_wait 1m
</store>
<store>
@type relabel
@label @good
</store>
</match>

View File

@ -1,45 +0,0 @@
# For vyos syslog Monitoring:
<source>
@type syslog
port 5140
bind 0.0.0.0
protocol_type tcp
message_format auto
tag system.vyos
</source>
<filter system.vyos.**>
@type grep
<exclude>
key message
pattern (suspect value|Port3 Link|duplicate on LAN|can't get program name from|call user-defined scripts or executables|FRAG TTL expired|Port4 Link|Overriding mtu|Overriding mru|IPv6 Control Protoco)
</exclude>
</filter>
<filter system.vyos.**>
@type record_transformer
<record>
message ${record["host"]}: ${record["message"]}
</record>
</filter>
<match system.vyos.**.{debug,info,notice}>
@type null
</match>
<match system.vyos.**.{warn,err,crit,alert,emerg}>
@type copy
<store>
@type file
path /tmp/syslog_vyos.log
time_slice_format %Y%m%d
time_slice_wait 1m
</store>
<store>
@type relabel
@label @danger
</store>
</match>

View File

@ -1,44 +0,0 @@
md5:4d7c92818f78f0384855b1006b60eb0f:salt:101-24-185-121-164-238-97-103:aes-256-cfb:e61qKgTSpyfqU8V+iEk9dDk3DI7Y9QiykJgDwEG0Qn/fquFM/6YhP/+FvQxV
BVcIDU1zMtX0TVjq3HBSVLW1fEh0tFLCRRG5lCwj5wpmFa+NeAY4Db4XxjPB
q0VbsAv9PI9ptDGylrNvBhAJpB/2A6xJ2h5Lh7026Dv5qi1bdvvAnyxNmbRa
UwkKvb9e+ptPk3gjQath/eX9qbR4fiX9LG9URnIkwhvlpYhRUqk94BL04toK
pLQEvtk4RdDKHylpdbKmWj2JCFeKb28JNq0AE7CrAi8zXevUoI6jXP+pipA5
GdW7BMEpjc8e6O2dy7kd/qWLKMvbEbzj0I1EC5ut1e1gAVzKGjPnwVVWGxaP
Hl3K3Vmj59kWU57Zgzmh7WYemt2AnTW6jQcCe5fP7gzIfD4KXYM18rStThOE
LXOCyuOFI5/EyGaX1lyWmw6Ic45rnr9iHaYDVqq0Q0aifIsLWxaQlD2AI4+7
uaU4Qa+QsSHLCmvhZ/ysKTfp9gKUZEQql/FCtKLjvmTAv8cN20W+c6KbZNI9
CrGpDLAY4oIsi0qSLsNqddC6D31dssMLDBC/ZdMdZmpwo32qeRvoca2GYBD9
voTiiEEbUP1+ZVhwndIaVMI3tIKc29Ixlo3W6vF4rL5AXyWSmW6OdcdOwgRI
FddW89z+LV4HB0L1HNIsWcR8eS/6OzJ3hKB6qFjz77+6X4lna4MX5nW4hnJI
dhUK8HzmF2NlP5UnnIPPF0Mznhrnrde6GZxRVkunZrnp9q9r63bJB9okfQSm
q/UBDbCUrJo81kRvtfv5+kLB1QppxWQljqzF65tnCbvvWe0KiNztyeP4yjds
hTx4vsTdKZGI0eTc7H1IiVgxS8OS7Z1nmd1seho4IsyFobI75E1Si96EgdEQ
IOXF2A6aqYJCqPbLaULih1jrrM70m/xENx2mykLwsZDzDs7nPelwze0fLLt/
qPxkFaqfElqkc4R8OaXAWVoEl4vZWosYvhrwu9g5JX00RPzS6wEFl3pywwjJ
rzQqGkG9fJu5KFRg/PFW19Jc75kuKsV7Glf12lq4mWqfvuc6PrH/ISok2G3/
LBuRp/MD+dyrFb+uKDua9cCjGF/d0FZ83vOEPTM607BN3GNuucBAA+u3BMKF
8zjL58Af01aSUrnGJ9IESbUOt4Fz9Isep/P4rVh6RkOcJMRvbuXgPCYN5xFv
qsf/fBmauim9lmQXg2QomnSBrguv/OgqKxoVwDHVPFqPlwkLPhoA2pN/xoId
y4g7BbsPaySGKNfcNG/xzFWM058oSgnxmqq2Jvgb3+mXk+EylRrdKVh8FLhh
s1sl04u8I4DiftOGcU0vg1dTmdAKSo8TcDROeQOYknkyT9SE9vUaEOeOvLRD
dOJi+S6BFfSE8kuWocL4Amvg8SKMgchvXGOXg44w0GJ1OFPNT4QDlm5PloWD
KXS+LBw6kL+617/cIclt1yPdxd0tOhr00moeDYT95Eso+AnvQLswSIRGLXA+
2E537p1+fYZqsfrG+FDDo/I6JWTzY3NMnDlo4GWpC/8vHom9effVwa6eHAWd
5Wg6d/9m2PQzJhLusBombcf+og+0EPxYgm/F2BL9jdljyOi2Fd2FNJKNA58V
Ol1fnIyvN4tQvUVQVTQHS15lTsMC7FGu5sgUY6O1YQTXu+0J2nuL9RRsJHDR
zBkRUE7+I/kdgVirgzVZrNGmJd6nVed4f6in0OKk1ITheWHdCXTQqP7nHliL
ZG/RZmAVK1djE1EtbnNdIZ3QmsIJdy879kUJn77koKfh7ds1QQxnBBQuMNFA
ab79jiMZYlKepZGyb3H/iz5hXo6LtIjNXU1tQOkMp7eni4niWTV8TKL7Kmso
1+4qVH5h/cjxjjl1hV4eQ3uNT5+LDEszX4bQgTF1La/PGHSgxisBxxU35OXq
0+wgkBjnTtfR1pNmGlzBkknrfCvasde7E37IzhAKFLsxlUPZT7W11UIDDiNr
6vZmAo5c5jnp8qhdEgE4FgQxH9s9d+ZtEbA7TCaiD/caO3TNmZiFohd9oDaT
i+FM1eHXfs9HfOCLfPe9QNCoXOuKV71qfVf2rRTg2mBV3yx7MN+jAQML2qkW
y2Th/sCYh8JzvsgBOZnBZ8gVZadYhnyQg5c7rNucqy6lw4ioS2GyUKrdPnR7
vq5OqBpFvbIKm+RaPkMV464fjdZJeJlQwa1ip466rfiipART3j9yZQH8Txkr
NACKgjzqnWiMvOe3CibdQsfN86qZpuC66xfTtbvgm1VGJlzWvMMzpRBdSWv5
u+KMl6rkqJ2hFnrAYJp1j/IQnY/SMN0LxZYQRWmQwYzqNBl5CEjJLNE/wW+8
//qdXor1TRe7zePzn40GJQ8U9AScbYgQU8xkeDfAapdh7XUj0NvFMN80jADJ
PimRBX/LgpToKts+XWWU6CiDLYDnsnLD72SB5hwZkWMo6tOMjC+dWKgZBcGH
zisf7rGgY/X4VO40i+uMB+HcoRHHSQBVoApIQt2Ozl6Zeaqm28M8/jVmpgUm
7BxL/JR0gLvYCSU4BEPFngPauLli0IPvZcEJ0vLW20vtOf+QtwaL0lzMz3fr
YaiKkOcdd19P4GSy1LpKkSdapT95EIaQMbnzvg0aRivdO4s4GXihPS3b8A==

View File

@ -1 +0,0 @@
@include conf.d/*.conf

View File

@ -1,57 +0,0 @@
# Load the APT key:
execute 'curl https://packages.treasuredata.com/GPG-KEY-td-agent | apt-key add -' do
not_if 'apt-key list | grep Treasure'
end
# Deploy the APT source:
CMD = 'grep DISTRIB_CODENAME /etc/lsb-release | cut -f 2 -d "="'
DIST = run_command(CMD).stdout.chomp
template '/etc/apt/sources.list.d/treasure-data.list' do
owner 'root'
group 'root'
mode '644'
variables(platform: node['platform'], dist: DIST)
end
execute 'apt update' do
action :run
not_if 'which td-agent'
end
# Install
package 'td-agent' do
action :install
end
# Overwrite the conf:
remote_file '/etc/td-agent/td-agent.conf' do
owner node['td-agent']['user']
group node['td-agent']['group']
mode '644'
end
# Create /etc/td-agent/conf.d:
directory '/etc/td-agent/conf.d' do
owner node['td-agent']['user']
group node['td-agent']['group']
mode '755'
end
# Deploy /etc/hosts file:
HOSTNAME = run_command('uname -n').stdout.chomp
template '/etc/hosts' do
owner 'root'
group 'root'
mode '644'
variables(HOSTNAME: HOSTNAME)
end
# Enable and start:
service 'td-agent' do
action :enable
end

View File

@ -1,22 +0,0 @@
# Manager setting:
if node['td-agent']['forward']
gem_package 'fluent-plugin-s3' do
action :upgrade
gem_binary '/usr/sbin/td-agent-gem'
end
encrypted_remote_file '/etc/td-agent/conf.d/processor_nginx.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/td-agent/conf.d/processor_nginx.conf'
password ENV['ITAMAE_PASSWORD']
end
end
# Agent setting:
remote_file '/etc/td-agent/conf.d/forwarder_nginx.conf' do
owner 'root'
group 'root'
mode '644'
end

View File

@ -1,5 +0,0 @@
remote_file '/etc/security/limits.d/90-nfile.conf' do
owner 'root'
group 'root'
mode '644'
end

View File

@ -1,7 +0,0 @@
%w( processor.conf processor_consul.conf ).each do |f|
remote_file "/etc/td-agent/conf.d/#{f}" do
owner 'root'
group 'root'
mode '644'
end
end

View File

@ -1,73 +0,0 @@
########################################################
# Common Configuration
########################################################
# Monit configuration for `td-agent`:
remote_file '/etc/monit/conf.d/td-agent.conf' do
owner 'root'
group 'root'
mode '644'
# notifies :restart, 'service[monit]'
end
# add `td-agent` user to `adm` group:
execute 'usermod -aG adm td-agent' do
not_if 'id td-agent | grep adm'
end
# Deploy the `td-agent` configuration file for monitoring `td-agent` logs:
remote_file '/etc/td-agent/conf.d/forwarder_td-agent.conf' do
owner 'root'
group 'root'
mode '644'
end
########################################################
# Agent Configuration:
########################################################
unless node['td-agent']['forward']
remote_file '/etc/td-agent/conf.d/forwarder.conf' do
owner 'root'
group 'root'
mode '644'
end
end
########################################################
# Manager Configuration:
########################################################
if node['td-agent']['forward']
remote_file '/etc/td-agent/conf.d/receiver.conf' do
owner 'root'
group 'root'
mode '644'
end
template '/etc/consul.d/service-td-agent.json' do
owner 'root'
group 'root'
mode '644'
variables(role: node['td-agent']['role'])
notifies :restart, 'service[supervisor]'
end
%w( 24224/tcp 24224/udp ).each do |p|
execute "ufw allow #{p}" do
user 'root'
not_if "LANG=c ufw status | grep #{p}"
notifies :run, 'execute[ufw reload-or-enable]'
end
end
execute 'ufw reload-or-enable' do
user 'root'
command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
action :nothing
end
end

View File

@ -1,12 +0,0 @@
gem_package 'fluent-plugin-slack' do
action :upgrade
gem_binary '/usr/sbin/td-agent-gem'
end
encrypted_remote_file '/etc/td-agent/conf.d/watcher.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/td-agent/conf.d/watcher.conf'
password ENV['ITAMAE_PASSWORD']
end

View File

@ -1,15 +0,0 @@
%w( esxi synology vyos ).each do |c|
remote_file "/etc/td-agent/conf.d/syslog_#{c}.conf" do
owner 'root'
group 'root'
mode '644'
end
end
%w( 1514/tcp 5140/tcp 5141/tcp ).each do |p|
execute "ufw allow #{p}" do
user 'root'
not_if "LANG=c ufw status | grep #{p}"
end
end

View File

@ -1 +0,0 @@
deb http://packages.treasuredata.com/3/<%= @platform %>/<%= @dist %>/ <%= @dist %> contrib

View File

@ -1,7 +0,0 @@
{
"service": {
"name": "td-agent",
"tags": ["<%= @role %>"],
"port": 24224
}
}

View File

@ -1,11 +0,0 @@
127.0.0.1 localhost
127.0.1.1 <%= @HOSTNAME %>
192.168.10.110 primary.td-agent.service.consul
192.168.10.115 backup.td-agent.service.consul
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

View File

@ -1,39 +0,0 @@
package 'monit'
service 'monit' do
action :disable
end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04"
# do nothing
else
remote_file '/etc/monit/monitrc' do
owner 'root'
group 'root'
mode '600'
notifies :reload, 'service[monit]'
end
end
remote_file '/etc/default/monit' do
owner 'root'
group 'root'
mode '644'
notifies :run, 'execute[systemctl daemon-reload]'
end
remote_file '/lib/systemd/system/monit.service' do
owner 'root'
group 'root'
mode '644'
notifies :run, 'execute[systemctl daemon-reload]'
end
execute 'systemctl daemon-reload' do
action :nothing
command '/etc/init.d/monit stop && systemctl daemon-reload && systemctl enable monit && systemctl start monit'
end

View File

@ -1,10 +0,0 @@
# /etc/default/monit
# Defaults for monit initscript. This file is sourced by
# /bin/sh from /etc/init.d/monit.
# Set START to yes to start the monit
START=yes
# Options to pass to monit
MONIT_OPTS=-I

View File

@ -1,248 +0,0 @@
###############################################################################
## Monit control file
###############################################################################
##
## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
## Below you will find examples of some frequently used statements. For
## information about the control file and a complete list of statements and
## options, please have a look in the Monit manual.
##
##
###############################################################################
## Global section
###############################################################################
##
## Start Monit in the background (run as a daemon):
#
set daemon 60 # check services at 2-minute intervals
with start delay 240 # optional: delay the first check by 4-minutes (by
# # default Monit check immediately after Monit start)
#
#
## Set syslog logging with the 'daemon' facility. If the FACILITY option is
## omitted, Monit will use 'user' facility by default. If you want to log to
## a standalone log file instead, specify the full path to the log file
#
# set logfile syslog facility log_daemon
set logfile /var/log/monit.log
#
#
## Set the location of the Monit id file which stores the unique id for the
## Monit instance. The id is generated and stored on first Monit start. By
## default the file is placed in $HOME/.monit.id.
#
# set idfile /var/.monit.id
set idfile /var/lib/monit/id
#
## Set the location of the Monit state file which saves monitoring states
## on each cycle. By default the file is placed in $HOME/.monit.state. If
## the state file is stored on a persistent filesystem, Monit will recover
## the monitoring state across reboots. If it is on temporary filesystem, the
## state will be lost on reboot which may be convenient in some situations.
#
set statefile /var/lib/monit/state
#
## Set the list of mail servers for alert delivery. Multiple servers may be
## specified using a comma separator. If the first mail server fails, Monit
# will use the second mail server in the list and so on. By default Monit uses
# port 25 - it is possible to override this with the PORT option.
#
# set mailserver mail.bar.baz, # primary mailserver
# backup.bar.baz port 10025, # backup mailserver on port 10025
# localhost # fallback relay
#
#
## By default Monit will drop alert events if no mail servers are available.
## If you want to keep the alerts for later delivery retry, you can use the
## EVENTQUEUE statement. The base directory where undelivered alerts will be
## stored is specified by the BASEDIR option. You can limit the maximal queue
## size using the SLOTS option (if omitted, the queue is limited by space
## available in the back end filesystem).
#
set eventqueue
basedir /var/lib/monit/events # set the base directory where events will be stored
slots 100 # optionally limit the queue size
#
#
## Send status and events to M/Monit (for more informations about M/Monit
## see http://mmonit.com/). By default Monit registers credentials with
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
## have to register Monit credentials manually in M/Monit. It is possible to
## disable credential registration using the commented out option below.
## Though, if safety is a concern we recommend instead using https when
## communicating with M/Monit and send credentials encrypted.
#
# set mmonit http://monit:monit@192.168.1.10:8080/collector
# # and register without credentials # Don't register credentials
#
#
## Monit by default uses the following format for alerts if the the mail-format
## statement is missing::
## --8<--
## set mail-format {
## from: monit@$HOST
## subject: monit alert -- $EVENT $SERVICE
## message: $EVENT Service $SERVICE
## Date: $DATE
## Action: $ACTION
## Host: $HOST
## Description: $DESCRIPTION
##
## Your faithful employee,
## Monit
## }
## --8<--
##
## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded at runtime. For example, to override the sender, use:
#
# set mail-format { from: monit@foo.bar }
#
#
## You can set alert recipients whom will receive alerts if/when a
## service defined in this file has errors. Alerts may be restricted on
## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar # receive all alerts
# set alert manager@foo.bar only on { timeout } # receive just service-
# # timeout alert
#
#
## Monit has an embedded web server which can be used to view status of
## services monitored and manage services from a web interface. See the
## Monit Wiki if you want to enable SSL for the web server.
#
# set httpd port 2812 and
# use address localhost # only accept connection from localhost
# allow localhost # allow localhost to connect to the server and
# allow admin:monit # require user 'admin' with password 'monit'
# allow @monit # allow users of group 'monit' to connect (rw)
# allow @users readonly # allow users of group 'users' to connect readonly
#
###############################################################################
## Services
###############################################################################
##
## Check general system resources such as load average, cpu and memory
## usage. Each test specifies a resource, conditions and the action to be
## performed should a test fail.
#
# check system myhost.mydomain.tld
# if loadavg (1min) > 4 then alert
# if loadavg (5min) > 2 then alert
# if memory usage > 75% then alert
# if swap usage > 25% then alert
# if cpu usage (user) > 70% then alert
# if cpu usage (system) > 30% then alert
# if cpu usage (wait) > 20% then alert
#
#
## Check if a file exists, checksum, permissions, uid and gid. In addition
## to alert recipients in the global section, customized alert can be sent to
## additional recipients by specifying a local alert handler. The service may
## be grouped using the GROUP option. More than one group can be specified by
## repeating the 'group name' statement.
#
# check file apache_bin with path /usr/local/apache/bin/httpd
# if failed checksum and
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
# if failed permission 755 then unmonitor
# if failed uid root then unmonitor
# if failed gid root then unmonitor
# alert security@foo.bar on {
# checksum, permission, uid, gid, unmonitor
# } with the mail-format { subject: Alarm! }
# group server
#
#
## Check that a process is running, in this case Apache, and that it respond
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
## and number of children. If the process is not running, Monit will restart
## it by default. In case the service is restarted very often and the
## problem remains, it is possible to disable monitoring using the TIMEOUT
## statement. This service depends on another service (apache_bin) which
## is defined above.
#
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
# stop program = "/etc/init.d/httpd stop"
# if cpu > 60% for 2 cycles then alert
# if cpu > 80% for 5 cycles then restart
# if totalmem > 200.0 MB for 5 cycles then restart
# if children > 250 then restart
# if loadavg(5min) greater than 10 for 8 cycles then stop
# if failed host www.tildeslash.com port 80 protocol http
# and request "/somefile.html"
# then restart
# if failed port 443 type tcpssl protocol http
# with timeout 15 seconds
# then restart
# if 3 restarts within 5 cycles then timeout
# depends on apache_bin
# group server
#
#
## Check filesystem permissions, uid, gid, space and inode usage. Other services,
## such as databases, may depend on this resource and an automatically graceful
## stop may be cascaded to them before the filesystem will become full and data
## lost.
#
# check filesystem datafs with path /dev/sdb1
# start program = "/bin/mount /data"
# stop program = "/bin/umount /data"
# if failed permission 660 then unmonitor
# if failed uid root then unmonitor
# if failed gid disk then unmonitor
# if space usage > 80% for 5 times within 15 cycles then alert
# if space usage > 99% then stop
# if inode usage > 30000 then alert
# if inode usage > 99% then stop
# group server
#
#
## Check a file's timestamp. In this example, we test if a file is older
## than 15 minutes and assume something is wrong if its not updated. Also,
## if the file size exceed a given limit, execute a script
#
# check file database with path /data/mydatabase.db
# if failed permission 700 then alert
# if failed uid data then alert
# if failed gid data then alert
# if timestamp > 15 minutes then alert
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
#
#
## Check directory permission, uid and gid. An event is triggered if the
## directory does not belong to the user with uid 0 and gid 0. In addition,
## the permissions have to match the octal description of 755 (see chmod(1)).
#
# check directory bin with path /bin
# if failed permission 755 then unmonitor
# if failed uid 0 then unmonitor
# if failed gid 0 then unmonitor
#
#
## Check a remote host availability by issuing a ping test and check the
## content of a response from a web server. Up to three pings are sent and
## connection to a port and an application level network check is performed.
#
# check host myserver with address 192.168.1.1
# if failed icmp type echo count 3 with timeout 3 seconds then alert
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
# if failed url http://user:password@www.foo.bar:8080/?querystring
# and content == 'action="j_security_check"'
# then alert
#
#
###############################################################################
## Includes
###############################################################################
##
## It is possible to include additional configuration parts from other files or
## directories.
#
include /etc/monit/conf.d/*.conf
#

View File

@ -1,308 +0,0 @@
###############################################################################
## Monit control file
###############################################################################
##
## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
## Below you will find examples of some frequently used statements. For
## information about the control file and a complete list of statements and
## options, please have a look in the Monit manual.
##
##
###############################################################################
## Global section
###############################################################################
##
## Start Monit in the background (run as a daemon):
#
set daemon 120 # check services at 2-minute intervals
# with start delay 240 # optional: delay the first check by 4-minutes (by
# # default Monit check immediately after Monit start)
#
#
## Set syslog logging. If you want to log to a standalone log file instead,
## specify the full path to the log file
#
set log /var/log/monit.log
#
#
## Set the location of the Monit lock file which stores the process id of the
## running Monit instance. By default this file is stored in $HOME/.monit.pid
#
# set pidfile /var/run/monit.pid
#
## Set the location of the Monit id file which stores the unique id for the
## Monit instance. The id is generated and stored on first Monit start. By
## default the file is placed in $HOME/.monit.id.
#
# set idfile /var/.monit.id
set idfile /var/lib/monit/id
#
## Set the location of the Monit state file which saves monitoring states
## on each cycle. By default the file is placed in $HOME/.monit.state. If
## the state file is stored on a persistent filesystem, Monit will recover
## the monitoring state across reboots. If it is on temporary filesystem, the
## state will be lost on reboot which may be convenient in some situations.
#
set statefile /var/lib/monit/state
#
#
## Set limits for various tests. The following example shows the default values:
##
# set limits {
# programOutput: 512 B, # check program's output truncate limit
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
# fileContentBuffer: 512 B, # limit for file content test
# httpContentBuffer: 1 MB, # limit for HTTP content test
# networkTimeout: 5 seconds # timeout for network I/O
# programTimeout: 300 seconds # timeout for check program
# stopTimeout: 30 seconds # timeout for service stop
# startTimeout: 30 seconds # timeout for service start
# restartTimeout: 30 seconds # timeout for service restart
# }
## Set global SSL options (just most common options showed, see manual for
## full list).
#
# set ssl {
# verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
# selfsigned : allow # allow self signed SSL certificates (reject by default)
# }
#
#
## Set the list of mail servers for alert delivery. Multiple servers may be
## specified using a comma separator. If the first mail server fails, Monit
# will use the second mail server in the list and so on. By default Monit uses
# port 25 - it is possible to override this with the PORT option.
#
# set mailserver mail.bar.baz, # primary mailserver
# backup.bar.baz port 10025, # backup mailserver on port 10025
# localhost # fallback relay
#
#
## By default Monit will drop alert events if no mail servers are available.
## If you want to keep the alerts for later delivery retry, you can use the
## EVENTQUEUE statement. The base directory where undelivered alerts will be
## stored is specified by the BASEDIR option. You can limit the queue size
## by using the SLOTS option (if omitted, the queue is limited by space
## available in the back end filesystem).
#
set eventqueue
basedir /var/lib/monit/events # set the base directory where events will be stored
slots 100 # optionally limit the queue size
#
#
## Send status and events to M/Monit (for more informations about M/Monit
## see https://mmonit.com/). By default Monit registers credentials with
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
## have to register Monit credentials manually in M/Monit. It is possible to
## disable credential registration using the commented out option below.
## Though, if safety is a concern we recommend instead using https when
## communicating with M/Monit and send credentials encrypted. The password
## should be URL encoded if it contains URL-significant characters like
## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
## adding the timeout option.
#
# set mmonit http://monit:monit@192.168.1.10:8080/collector
# # with timeout 30 seconds # Default timeout is 5 seconds
# # and register without credentials # Don't register credentials
#
#
## Monit by default uses the following format for alerts if the mail-format
## statement is missing::
## --8<--
## set mail-format {
## from: Monit <monit@$HOST>
## subject: monit alert -- $EVENT $SERVICE
## message: $EVENT Service $SERVICE
## Date: $DATE
## Action: $ACTION
## Host: $HOST
## Description: $DESCRIPTION
##
## Your faithful employee,
## Monit
## }
## --8<--
##
## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded at runtime. For example, to override the sender, use:
#
# set mail-format { from: monit@foo.bar }
#
#
## You can set alert recipients whom will receive alerts if/when a
## service defined in this file has errors. Alerts may be restricted on
## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar # receive all alerts
#
## Do not alert when Monit starts, stops or performs a user initiated action.
## This filter is recommended to avoid getting alerts for trivial cases.
#
# set alert your-name@your.domain not on { instance, action }
#
#
## Monit has an embedded HTTP interface which can be used to view status of
## services monitored and manage services from a web interface. The HTTP
## interface is also required if you want to issue Monit commands from the
## command line, such as 'monit status' or 'monit restart service' The reason
## for this is that the Monit client uses the HTTP interface to send these
## commands to a running Monit daemon. See the Monit Wiki if you want to
## enable SSL for the HTTP interface.
#
# set httpd port 2812 and
# use address localhost # only accept connection from localhost
# allow localhost # allow localhost to connect to the server and
# allow admin:monit # require user 'admin' with password 'monit'
# #with ssl { # enable SSL/TLS and set path to server certificate
# # pemfile: /etc/ssl/certs/monit.pem
# #}
###############################################################################
## Services
###############################################################################
##
## Check general system resources such as load average, cpu and memory
## usage. Each test specifies a resource, conditions and the action to be
## performed should a test fail.
#
# check system $HOST
# if loadavg (1min) > 4 then alert
# if loadavg (5min) > 2 then alert
# if cpu usage > 95% for 10 cycles then alert
# if memory usage > 75% then alert
# if swap usage > 25% then alert
#
#
## Check if a file exists, checksum, permissions, uid and gid. In addition
## to alert recipients in the global section, customized alert can be sent to
## additional recipients by specifying a local alert handler. The service may
## be grouped using the GROUP option. More than one group can be specified by
## repeating the 'group name' statement.
#
# check file apache_bin with path /usr/local/apache/bin/httpd
# if failed checksum and
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
# if failed permission 755 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "root" then unmonitor
# alert security@foo.bar on {
# checksum, permission, uid, gid, unmonitor
# } with the mail-format { subject: Alarm! }
# group server
#
#
## Check that a process is running, in this case Apache, and that it respond
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
## and number of children. If the process is not running, Monit will restart
## it by default. In case the service is restarted very often and the
## problem remains, it is possible to disable monitoring using the TIMEOUT
## statement. This service depends on another service (apache_bin) which
## is defined above.
#
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
# stop program = "/etc/init.d/httpd stop"
# if cpu > 60% for 2 cycles then alert
# if cpu > 80% for 5 cycles then restart
# if totalmem > 200.0 MB for 5 cycles then restart
# if children > 250 then restart
# if loadavg(5min) greater than 10 for 8 cycles then stop
# if disk read > 500 kb/s for 10 cycles then alert
# if disk write > 500 kb/s for 10 cycles then alert
# if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
# if failed port 443 protocol https with timeout 15 seconds then restart
# if 3 restarts within 5 cycles then unmonitor
# depends on apache_bin
# group server
#
#
## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
## Other services, such as databases, may depend on this resource and an automatically
## graceful stop may be cascaded to them before the filesystem will become full and data
## lost.
#
# check filesystem datafs with path /dev/sdb1
# start program = "/bin/mount /data"
# stop program = "/bin/umount /data"
# if failed permission 660 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "disk" then unmonitor
# if space usage > 80% for 5 times within 15 cycles then alert
# if space usage > 99% then stop
# if inode usage > 30000 then alert
# if inode usage > 99% then stop
# if read rate > 1 MB/s for 5 cycles then alert
# if read rate > 500 operations/s for 5 cycles then alert
# if write rate > 1 MB/s for 5 cycles then alert
# if write rate > 500 operations/s for 5 cycles then alert
# if service time > 10 milliseconds for 3 times within 5 cycles then alert
# group server
#
#
## Check a file's timestamp. In this example, we test if a file is older
## than 15 minutes and assume something is wrong if its not updated. Also,
## if the file size exceed a given limit, execute a script
#
# check file database with path /data/mydatabase.db
# if failed permission 700 then alert
# if failed uid "data" then alert
# if failed gid "data" then alert
# if timestamp > 15 minutes then alert
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
#
#
## Check directory permission, uid and gid. An event is triggered if the
## directory does not belong to the user with uid 0 and gid 0. In addition,
## the permissions have to match the octal description of 755 (see chmod(1)).
#
# check directory bin with path /bin
# if failed permission 755 then unmonitor
# if failed uid 0 then unmonitor
# if failed gid 0 then unmonitor
#
#
## Check a remote host availability by issuing a ping test and check the
## content of a response from a web server. Up to three pings are sent and
## connection to a port and an application level network check is performed.
#
# check host myserver with address 192.168.1.1
# if failed ping then alert
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
# if failed port 80 protocol http
# and request /some/path with content = "a string"
# then alert
#
#
## Check a network link status (up/down), link capacity changes, saturation
## and bandwidth usage.
#
# check network public with interface eth0
# if failed link then alert
# if changed link then alert
# if saturation > 90% then alert
# if download > 10 MB/s then alert
# if total uploaded > 1 GB in last hour then alert
#
#
## Check custom program status output.
#
# check program myscript with path /usr/local/bin/myscript.sh
# if status != 0 then alert
#
#
###############################################################################
## Includes
###############################################################################
##
## It is possible to include additional configuration parts from other files or
## directories.
#
include /etc/monit/conf.d/*
include /etc/monit/conf-enabled/*
#

View File

@ -1,10 +0,0 @@
[Service]
Type=simple
KillMode=process
ExecStart=/etc/init.d/monit start
ExecStop=/etc/init.d/monit stop
ExecReload=/etc/init.d/monit reload
Restart=always
[Install]
WantedBy=multi-user.target

View File

@ -3,6 +3,6 @@
# ------------------------------------------- # -------------------------------------------
node.reverse_merge!({ node.reverse_merge!({
'nginx' => { 'nginx' => {
'version' => '1.17.5' 'version' => '1.19.3'
} }
}) })

View File

@ -4,12 +4,12 @@ include_recipe './attributes.rb'
# Kernel Parameters: # Kernel Parameters:
include_recipe './kernel.rb' include_recipe './kernel.rb'
# Install Let's Encrypt:
include_recipe './lego.rb'
# Prerequisites for Building nginx: # Prerequisites for Building nginx:
include_recipe './webadm.rb' include_recipe './webadm.rb'
# Install Let's Encrypt:
include_recipe './lego.rb'
# Build nginx: # Build nginx:
include_recipe './build.rb' include_recipe './build.rb'

View File

@ -13,12 +13,14 @@ remote_file '/etc/sudoers.d/webadm' do
mode '440' mode '440'
end end
# Create `.ssh` directory: # Create directories:
directory '/home/webadm/.ssh' do %w(/home/webadm/.ssh /home/webadm/repo).each do |d|
directory d do
owner 'webadm' owner 'webadm'
group 'webadm' group 'webadm'
mode '700' mode '700'
end end
end
# Deploy `~/.ssh/.ssh/authorized_keys`: # Deploy `~/.ssh/.ssh/authorized_keys`:
encrypted_remote_file '/home/webadm/.ssh/authorized_keys' do encrypted_remote_file '/home/webadm/.ssh/authorized_keys' do

View File

@ -1,7 +1,6 @@
include_recipe '../cookbooks/base/default.rb' include_recipe '../cookbooks/base/default.rb'
include_recipe '../cookbooks/kazu634/default.rb' include_recipe '../cookbooks/kazu634/default.rb'
include_recipe '../cookbooks/supervisor/default.rb' include_recipe '../cookbooks/supervisor/default.rb'
include_recipe '../cookbooks/monit/default.rb'
include_recipe '../cookbooks/consul/default.rb' include_recipe '../cookbooks/consul/default.rb'
include_recipe '../cookbooks/fzf/default.rb' include_recipe '../cookbooks/fzf/default.rb'
include_recipe '../cookbooks/promtail/default.rb' include_recipe '../cookbooks/promtail/default.rb'