kazu634
/
itamae
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'ubuntu2004-support' of kazu634/itamae into master

This commit is contained in:
Kazuhiro MUSASHI 2020-10-13 21:21:52 +09:00 committed by Gitea
parent 979323acc6 018890d7e1
commit 5b5fb26630
61 changed files with 1134 additions and 1625 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
cookbooks/base/cron-apt.rb
View File

@ -1,44 +0,0 @@
# Install `cron-apt`:
package 'cron-apt'
# From here, we are going to set up `cron-apt` to
# install the important security updates every day.
remote_file '/etc/cron-apt/config' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
remote_file '/etc/cron-apt/action.d/3-download' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
user 'root'
not_if 'test -e /etc/apt/security.sources.list'
end
file '/var/log/cron-apt/log' do
user 'root'
content 'foo\n'
owner 'root'
group 'root'
mode '666'
not_if 'test -e /var/log/cron-apt/log'
end
execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
user 'root'
not_if 'test -e /var/log/cron-apt/log'
end

13
cookbooks/base/default.rb
View File

@ -39,8 +39,8 @@ include_recipe './packages.rb'
# Lang Setting: # Lang Setting:
include_recipe './lang.rb' include_recipe './lang.rb'
# `cron-apt` settings: # `unattended-upgrade` settings:
include_recipe './cron-apt.rb' include_recipe './unattended-upgrade.rb'
# `ufw` configurations: # `ufw` configurations:
include_recipe './ufw.rb' include_recipe './ufw.rb'
@ -54,17 +54,18 @@ include_recipe './fortune.rb'
# timezone configurations: # timezone configurations:
include_recipe './timezone.rb' include_recipe './timezone.rb'
# ntp configurations:
include_recipe './ntp.rb'
# kernel configurations: # kernel configurations:
include_recipe './kernel.rb' include_recipe './kernel.rb'
# Install mc command: # Install mc command:
include_recipe './mc.rb' include_recipe './mc.rb'
# unnecessary configurations: # recipes for Ubuntu 16.04
if node['platform_version'].to_f == 16.04 if node['platform_version'].to_f == 16.04
# ntp configurations
include_recipe './ntp.rb'
# misc recipe
include_recipe './unnecessary.rb' include_recipe './unnecessary.rb'
end end

2
cookbooks/base/files/etc/apt/apt.conf.d/20auto-upgrades Normal file
View File

@ -0,0 +1,2 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

131
cookbooks/base/files/etc/apt/apt.conf.d/50unattended-upgrades Normal file
View File

@ -0,0 +1,131 @@
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

124
cookbooks/base/files/etc/ssh/sshd_config.2004 Normal file
View File

@ -0,0 +1,124 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 10022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#PasswordAuthentication yes

18
cookbooks/base/files/usr/share/git-core/templates/hooks/prepare-commit-msg
View File

@ -1,18 +0,0 @@
#!/bin/sh
if [ "$2" = "" ]; then
mv $1 $1.tmp
ID=`git branch | grep ^\* | awk '{print $2}' | cut -f 2 -d "/"`
cat <<EOF > $1
This commit refs/fixes #${ID}.
# ^^^^^^^^^^
EOF
cat $1.tmp >> $1
fi
exit 0

5
cookbooks/base/ntp.rb
View File

@ -1,7 +1,3 @@
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04"
# do nothing
else
package 'ntp' package 'ntp'
remote_file '/etc/ntp.conf' do remote_file '/etc/ntp.conf' do
@ -15,4 +11,3 @@ else
service 'ntp' do service 'ntp' do
action :nothing action :nothing
end end
end

8
cookbooks/base/packages.rb
View File

@ -9,11 +9,12 @@ end
# Install the extra kernel: # Install the extra kernel:
unless node['is_ec2'] unless node['is_ec2']
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "16.04"
package 'linux-image-extra-virtual'
else
KERNEL = run_command("uname -r").stdout.chomp KERNEL = run_command("uname -r").stdout.chomp
package "linux-image-extra-#{KERNEL}" package "linux-image-extra-#{KERNEL}"
when "18.04"
package 'linux-image-extra-virtual'
end end
end end
@ -53,7 +54,6 @@ end
[ [
'/usr/share/git-core/templates/hooks/pre-commit', '/usr/share/git-core/templates/hooks/pre-commit',
'/usr/share/git-core/templates/hooks/prepare-commit-msg',
].each do |conf| ].each do |conf|
remote_file conf do remote_file conf do
user 'root' user 'root'

10
cookbooks/base/ssh.rb
View File

@ -9,6 +9,16 @@ end
# Deploy the `sshd` configuration file: # Deploy the `sshd` configuration file:
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04"
remote_file '/etc/ssh/sshd_config' do
user 'root'
owner 'root'
group 'root'
mode '644'
source 'files/etc/ssh/sshd_config.2004'
end
when "18.04" when "18.04"
remote_file '/etc/ssh/sshd_config' do remote_file '/etc/ssh/sshd_config' do
user 'root' user 'root'

2
cookbooks/base/timezone.rb
View File

@ -1,5 +1,5 @@
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "18.04", "20.04"
execute 'timedatectl set-timezone Asia/Tokyo' do execute 'timedatectl set-timezone Asia/Tokyo' do
not_if 'timedatectl | grep Tokyo' not_if 'timedatectl | grep Tokyo'
end end

56
cookbooks/base/unattended-upgrade.rb Normal file
View File

@ -0,0 +1,56 @@
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04"
# Install `cron-apt`:
package 'cron-apt'
# From here, we are going to set up `cron-apt` to
# install the important security updates every day.
remote_file '/etc/cron-apt/config' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
remote_file '/etc/cron-apt/action.d/3-download' do
user 'root'
owner 'root'
group 'root'
mode '644'
end
execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
user 'root'
not_if 'test -e /etc/apt/security.sources.list'
end
file '/var/log/cron-apt/log' do
user 'root'
content 'foo\n'
owner 'root'
group 'root'
mode '666'
not_if 'test -e /var/log/cron-apt/log'
end
execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
user 'root'
not_if 'test -e /var/log/cron-apt/log'
end
when '20.04'
%w(20auto-upgrades 50unattended-upgrades).each do |conf|
remote_file "/etc/apt/apt.conf.d/#{conf}" do
owner 'root'
group 'root'
mode '644'
end
end
end

2
cookbooks/blog/files/etc/monit/conf.d/blog-log.conf
View File

@ -1,2 +0,0 @@
check file nginx-blog with path /var/log/nginx/blog.access.log
if timestamp > 2 minutes for 5 cycles then exec "/bin/systemctl restart nginx"

13
cookbooks/blog/nginx.rb
View File

@ -30,19 +30,6 @@ remote_file '/etc/cron.d/blog' do
mode '644' mode '644'
end end
# Add monit configuration file for monitoring nginx logs:
remote_file '/etc/monit/conf.d/blog-log.conf' do
owner 'root'
group 'root'
mode '644'
notifies :reload, 'service[monit]'
end
service 'monit' do
action :nothing
end
# Create storage directory for blog data # Create storage directory for blog data
directory '/home/webadm/works/public' do directory '/home/webadm/works/public' do
owner 'webadm' owner 'webadm'

10
cookbooks/consul/attributes.rb
View File

@ -2,13 +2,20 @@
# Specifying the default settings: # Specifying the default settings:
# ------------------------------------------- # -------------------------------------------
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04"
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
when "18.04" when "18.04"
cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10' cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10'
else else
cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1' cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
end end
ipaddr = run_command(cmd).stdout.chomp ipaddr = run_command(cmd).stdout.chomp
cmd = 'grep nameserver /run/systemd/resolve/resolv.conf | grep -v 8.8.8.8 | grep -v 127.0.0.1 | perl -pe "s/nameserver //g" | perl -pe "s/\n/ /g"'
dns = run_command(cmd).stdout.chomp
node.reverse_merge!({ node.reverse_merge!({
'consul' => { 'consul' => {
'base_binary_url' => 'https://releases.hashicorp.com/consul/', 'base_binary_url' => 'https://releases.hashicorp.com/consul/',
@ -16,6 +23,7 @@ node.reverse_merge!({
'tmp_path' => '/tmp/itamae_tmp/consul.zip', 'tmp_path' => '/tmp/itamae_tmp/consul.zip',
'manager' => true, 'manager' => true,
'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]', 'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]',
'ipaddr' => ipaddr 'ipaddr' => ipaddr,
'dns' => dns
} }
}) })

52
cookbooks/consul/dnsmasq.rb
View File

@ -5,29 +5,27 @@
end end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "20.04"
template '/etc/systemd/resolved.conf' do
owner 'root'
group 'root'
mode '644'
variables(dns: node['consul']['dns'])
notifies :restart, 'service[systemd-resolved]', :immediately
end
remote_file '/etc/dnsmasq.conf' do remote_file '/etc/dnsmasq.conf' do
owner 'root' owner 'root'
group 'root' group 'root'
mode '644' mode '644'
source 'files/etc/dnsmasq.conf.1804' source 'files/etc/dnsmasq.conf.2004'
notifies :reload, 'service[dnsmasq]' notifies :restart, 'service[dnsmasq]', :immediately
end
else
remote_file '/etc/dnsmasq.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/dnsmasq.conf.1804'
notifies :reload, 'service[dnsmasq]'
end
end end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04" when "18.04"
remote_file '/etc/systemd/resolved.conf' do remote_file '/etc/systemd/resolved.conf' do
owner 'root' owner 'root'
@ -36,7 +34,18 @@ when "18.04"
notifies :restart, 'service[systemd-resolved]' notifies :restart, 'service[systemd-resolved]'
end end
else
remote_file '/etc/dnsmasq.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/dnsmasq.conf.1804'
notifies :reload, 'service[dnsmasq]'
end
when '16.04'
remote_file '/etc/resolvconf/resolv.conf.d/head' do remote_file '/etc/resolvconf/resolv.conf.d/head' do
owner 'root' owner 'root'
group 'root' group 'root'
@ -44,4 +53,15 @@ else
notifies :restart, 'service[resolvconf]' notifies :restart, 'service[resolvconf]'
end end
remote_file '/etc/dnsmasq.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/dnsmasq.conf.1804'
notifies :reload, 'service[dnsmasq]'
end end
end

679
cookbooks/consul/files/etc/dnsmasq.conf.2004 Normal file
View File

@ -0,0 +1,679 @@
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
resolv-file=/run/systemd/resolve/resolv.conf
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
server=/consul/127.0.0.1#8600
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
#enable-ra
# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any
# order.
# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60
# Always give the InfiniBand interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60
# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge
# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore
# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*
# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red
# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red
# Give a fixed IPv6 address and name to client with
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also that the [] around the IPv6 address are obligatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known
# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux
# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts
# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers
# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Common options can be given to dnsmasq by name:
# run "dnsmasq --help dhcp" to get a list.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4
# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4
# Override the default route supplied by dnsmasq and send no default
# route at all. Note that this only works for the options sent by
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set option 58 client renewal time (T1). Defaults to half of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T1,1m
# Set option 59 rebinding time (T2). Defaults to 7/8 of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T2,2m
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this if you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built-in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for iPXE. The idea is to send two different
# filenames, the first loads iPXE, and the second tells iPXE what to
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
#dhcp-boot=undionly.kpxe
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
# Encapsulated options for iPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Do not abort if the tftp-root is unavailable
#tftp-no-fail
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fashion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
# option with a DHCPACK including a Rapid Commit option and fully committed address
# and configuration information. This must only be enabled if either the server is
# the only server for the subnet, or multiple servers are present and they each
# commit a binding for all clients.
#dhcp-rapid-commit
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

10
cookbooks/consul/files/etc/monit/conf.d/consul.conf
View File

@ -1,10 +0,0 @@
check process consul
with pidfile /var/run/consul.pid
start program = "/usr/bin/supervisorctl start consul"
stop program = "/usr/bin/supervisorctl stop consul"
if failed
host localhost
port 8500
protocol HTTP
then restart

10
cookbooks/consul/setup.rb
View File

@ -13,6 +13,8 @@ template '/etc/consul.d/config.json' do
manager_hosts: node['consul']['manager_hosts'], manager_hosts: node['consul']['manager_hosts'],
ipaddr: node['consul']['ipaddr'], ipaddr: node['consul']['ipaddr'],
) )
notifies :restart, 'service[supervisor]'
end end
remote_file '/etc/consul.d/service-consul.json' do remote_file '/etc/consul.d/service-consul.json' do
@ -23,14 +25,6 @@ remote_file '/etc/consul.d/service-consul.json' do
only_if '{ node["consul"]["manager"]}' only_if '{ node["consul"]["manager"]}'
end end
remote_file '/etc/monit/conf.d/consul.conf' do
owner 'root'
group 'root'
mode '644'
notifies :restart, 'service[monit]'
end
execute 'Reload supervisor' do execute 'Reload supervisor' do
user 'root' user 'root'

24
cookbooks/consul/templates/etc/systemd/resolved.conf.erb Normal file
View File

@ -0,0 +1,24 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
DNS=127.0.0.1 <%= @dns %> 8.8.8.8
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=yes
DNSStubListener=no
#ReadEtcHosts=yes

30
cookbooks/digdag/shared_dir.rb
View File

@ -8,12 +8,18 @@ package 'cifs-utils'
end end
end end
directory '/var/spool/apt-mirror' do
owner 'root'
group 'root'
mode '777'
end
# Add the fstab entry: # Add the fstab entry:
file '/etc/fstab' do file '/etc/fstab' do
action :edit action :edit
block do |content| block do |content|
content << "//192.168.10.200/Shared/shared /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n" content << "//192.168.10.200/Shared/AppData /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end end
not_if 'grep shared /etc/fstab' not_if 'grep shared /etc/fstab'
@ -23,12 +29,32 @@ file '/etc/fstab' do
action :edit action :edit
block do |content| block do |content|
content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n" content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end end
not_if 'grep img /etc/fstab' not_if 'grep img /etc/fstab'
end end
file '/etc/fstab' do
action :edit
block do |content|
content << "//192.168.10.200/Shared/AppData /mnt/backup cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end
not_if 'grep backup /etc/fstab'
end
file '/etc/fstab' do
action :edit
block do |content|
content << "//192.168.10.200/Shared/PXEBoot/www/ubuntu/apt-mirror /var/spool/apt-mirror cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
end
not_if 'grep apt-mirror /etc/fstab'
end
execute 'mount -a' do execute 'mount -a' do
not_if 'df -h | grep shared' not_if 'df -h | grep shared'
end end

11
cookbooks/fluentd/attributes.rb
View File

@ -1,11 +0,0 @@
# -------------------------------------------
# Specifying the default settings:
# -------------------------------------------
node.reverse_merge!({
'td-agent' => {
'user' => 'td-agent',
'group' => 'td-agent',
'forward' => false,
'role' => 'primary'
}
})

0
cookbooks/fluentd/auth.rb
View File

40
cookbooks/fluentd/default.rb
View File

@ -1,40 +0,0 @@
#####################################
# Common Settings:
#####################################
include_recipe './attributes.rb'
include_recipe './prerequisites.rb'
include_recipe './install.rb'
include_recipe './setup.rb'
#####################################
# Manager Settings:
#####################################
if node['td-agent']['forward']
include_recipe './processor.rb'
include_recipe './syslog.rb'
include_recipe './slack.rb'
end
#####################################
# monitoring Settings:
#####################################
include_recipe './nginx.rb'
%w( aptitude auth cron-apt monit consul ).each do |c|
remote_file "/etc/td-agent/conf.d/forwarder_#{c}.conf" do
owner 'root'
group 'root'
mode '644'
notifies :restart, 'service[td-agent]'
end
end
service 'td-agent' do
action :restart
end

4
cookbooks/fluentd/files/etc/monit/conf.d/td-agent.conf
View File

@ -1,4 +0,0 @@
check process td-agent
with pidfile /var/run/td-agent/td-agent.pid
start program = "/etc/init.d/td-agent start"
stop program = "/etc/init.d/td-agent stop"

6
cookbooks/fluentd/files/etc/security/limits.d/90-nfile.conf
View File

@ -1,6 +0,0 @@
# - nofile - max number of open files
root soft nofile 65536
root hard nofile 65536
* soft nofile 65536
* hard nofile 65536

38
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder.conf
View File

@ -1,38 +0,0 @@
<label @forward>
<match **>
@type copy
<store>
@type forward
send_timeout 60s
recover_wait 10s
transport tcp
heartbeat_interval 1s
phi_threshold 16
hard_timeout 60s
buffer_type file
buffer_path /var/log/td-agent/buffer/forward*.buffer
<server>
name primary.td-agent.service.consul
host primary.td-agent.service.consul
port 24224
weight 60
</server>
<server>
name backup.td-agent.service.consul
host backup.td-agent.service.consul
port 24224
weight 60
standby
</server>
</store>
<store>
@type file
path /tmp/forward.log
</store>
</match>
</label>

20
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_aptitude.conf
View File

@ -1,20 +0,0 @@
<source>
@type tail
path /var/log/apt/history.log
pos_file /var/log/td-agent/aptitude.pos
format none
tag aptitude
</source>
<filter aptitude>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match aptitude>
@type relabel
@label @forward
</match>

28
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf
View File

@ -1,28 +0,0 @@
<source>
@type tail
path /var/log/auth.log
pos_file /var/log/td-agent/auth.pos
format syslog
tag auth
</source>
<filter auth>
@type record_transformer
<record>
message ${hostname}: ${record["message"]}
</record>
</filter>
<filter auth>
@type grep
<exclude>
key message
pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected)
</exclude>
</filter>
<match auth>
@type relabel
@label @forward
</match>

30
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_consul.conf
View File

@ -1,30 +0,0 @@
<source>
@type tail
path /var/log/supervisor/consul.log
pos_file /var/log/td-agent/consul.pos
format /^( (?<time>[0-9/]+ [0-9:]+) (?<message>.*$)|(?<message>.*))/
time_format %Y/%m/%d %H:%M:%S
time_key time
tag consul
</source>
<filter consul>
@type record_transformer
<record>
message ${hostname}: ${record["message"]}
</record>
</filter>
<filter consul>
@type grep
<exclude>
key message
pattern (raft|memberlist|serf|Synced|Adding|Removing|consul\.fsm: snapshot created|session shutdown|context deadline exceeded|last request still outstanding|INFO|server health)
</exclude>
</filter>
<match consul>
@type relabel
@label @forward
</match>

29
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_cron-apt.conf
View File

@ -1,29 +0,0 @@
<source>
@type tail
path /var/log/cron-apt/log
pos_file /var/log/td-agent/cron-apt.pos
format none
tag cron_apt
</source>
<filter cron_apt>
@type grep
<regexp>
key message
pattern (^CRON-APT RUN|not upgraded\.)
</regexp>
</filter>
<filter cron_apt>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match cron_apt>
@type relabel
@label @forward
</match>

20
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_monit.conf
View File

@ -1,20 +0,0 @@
<source>
@type tail
path /var/log/monit.log
pos_file /var/log/td-agent/monit.pos
format none
tag monit
</source>
<filter monit>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match monit>
@type relabel
@label @forward
</match>

21
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_nginx.conf
View File

@ -1,21 +0,0 @@
<source>
@type tail
path /var/log/nginx/*access.log
pos_file /var/log/td-agent/nginx_logs.pos
format ltsv
time_format %d/%b/%Y:%H:%M:%S %z
time_key time
tag nginx
</source>
<filter nginx>
@type record_transformer
<record>
hostname ${hostname}
</record>
</filter>
<match nginx>
@type relabel
@label @forward
</match>

29
cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_td-agent.conf
View File

@ -1,29 +0,0 @@
<source>
@type tail
path /var/log/td-agent/td-agent.log
pos_file /var/log/td-agent/td-agent.pos
format none
tag td_agent
</source>
<filter td_agent>
@type grep
<exclude>
key message
pattern (openvpn|will be ignored|section <buffer> is not used)
</exclude>
</filter>
<filter td_agent>
@type record_transformer
<record>
hostname ${hostname}
message ${hostname}: ${record["message"]}
</record>
</filter>
<match td_agent>
@type relabel
@label @forward
</match>

146
cookbooks/fluentd/files/etc/td-agent/conf.d/processor.conf
View File

@ -1,146 +0,0 @@
<label @forward>
<match consul>
@type relabel
@label @consul_branch
</match>
<match nginx>
@type relabel
@label @s3_upload
</match>
<match **>
@type relabel
@label @process
</match>
</label>
<label @received>
<match consul>
@type relabel
@label @consul_branch
</match>
<match nginx>
@type relabel
@label @s3_upload
</match>
<match **>
@type copy
<store>
@type relabel
@label @process
</store>
<store>
@type file
path /tmp/received.log
</store>
</match>
</label>
<label @process>
<match auth>
@type relabel
@label @good
</match>
<filter aptitude>
@type grep
<regexp>
key message
pattern (Commandline|Error|Install|Remove|Upgrade)
</regexp>
</filter>
<match aptitude>
@type copy
<store>
@type relabel
@label @good
</store>
<store>
@type file
path /tmp/aptitude.log
</store>
</match>
<filter monit>
@type grep
<exclude>
key message
pattern (error|ERROR)
</exclude>
</filter>
<match monit>
@type relabel
@label @danger
</match>
<match cron_apt>
@type copy
<store>
@type relabel
@label @good
</store>
<store>
@type file
path /tmp/cron-apt.log
</store>
</match>
<match consul>
@type relabel
@label @danger
</match>
<filter td_agent>
@type grep
<exclude>
key message
pattern (\[info\]|parameter '.*' in|suppressed same stacktrace|loop\.rb|in_tail\.rb| 0(6|7):25|from ASCII-8BIT to UTF-8|of buffered_slack plugin)
</exclude>
<regexp>
key message
pattern \[(warn|error)\]
</regexp>
</filter>
<match td_agent>
@type relabel
@label @danger
</match>
<filter app.**>
@type record_transformer
<record>
message ${record["log"]}
</record>
</filter>
<match app.**>
@type relabel
@label @apps
</match>
<match random.**>
@type relabel
@label @random
</match>
<match apt-mirror.**>
@type relabel
@label @good
</match>
</label>

39
cookbooks/fluentd/files/etc/td-agent/conf.d/processor_consul.conf
View File

@ -1,39 +0,0 @@
######################
# Receive nginx logs #
######################
<label @consul_branch>
<match consul>
@type copy
<store>
@type rewrite_tag_filter
<rule>
key message
pattern (\[WARN\]|left, deregistering|removing server monitor)
tag consul.danger
</rule>
</store>
<store>
@type rewrite_tag_filter
<rule>
key message
pattern (\[INFO\])
tag consul.good
</rule>
</store>
</match>
<match consul.danger>
@type relabel
@label @danger
</match>
<match consul.good>
@type relabel
@label @good
</match>
</label>

15
cookbooks/fluentd/files/etc/td-agent/conf.d/processor_nginx.conf
View File

@ -1,15 +0,0 @@
md5:57588c890f0ef6e8f8a9de3f2336df7c:salt:128-16-245-219-49-150-248-21:aes-256-cfb:y/5qRG08epYJHUpPCrY46RkH9mYeg0PPxe6b8Vus43Ph7TOSJOey/LrOZjJ7
iTYfOte4QbTH/P+wjm/8RldxRRSJ3spha/2MuIVQpliC+5KnT9nmC1rLP8+y
nbJstGpeGUuRIjzZtMvI1Kvb+j2BEOPCeiTAD2yXwPsMbaODoG5mzYgcSgBV
TDvtbG6I0KYDiLbTZw7crusQltx45uvq1zcK+g5UMb7oaqClyJA5VLsWRbeT
tiaFXQLYy2oXIvQmw65ccFixLIxVERxGrx/x4uGhR/saQIZMonymG6z3Riy3
vejNLQNIfaxZYb0llLTtzt13jsft+5Z766Y8Umoiws+bUF7igLw3CI47pb6y
PEwCvhKxk+RG5dtPQysRy1sSPrOTBzVf6+0/Em2BaKRBubRNEDpjI/1+aN5L
t5c4qYX3lP3v2bjwF1iQO5qEv3R46ytblZmyaoSPYGsWyzZBNn841QBZ1oi7
IlyYsnTFEQ5InVTygCd+04/L3tOoxShvsbxJZ/jYqSBaAo9UdhnYU9wo+8ob
Oz2sjarXIJyzqs4a68/YizNRdke7dEFblnYsLZUAtWQBnjo4cwGug8nZGaKr
L2M5IT3NWfVHRCf1sbkQspsjGtb3fM/F62VH8OU85vTXvR+SWSTYJzpSvcCH
73HqgOD1H0jzwanZi8SvVs7zA3Fr6HgJ4FYbwaB/109BVjnzhcmDm0RkXGQY
nqRsvlxEj6NnSGlGQgLvYgT1KLCTYFrZNlNZRzO71B32jc/KxZnwFRcxgrcb
/mAsz/TxLdxSjmuCAssfL/YY2uh5fPgL0XC31RdVJ9mdUpHQmtTAfAjYyilJ
J/fQOY6ZRDqq1Vfq53wuLrZJdxztWNK8DJguZJ5gdqy/l4ggPnCvDFwI

5
cookbooks/fluentd/files/etc/td-agent/conf.d/receiver.conf
View File

@ -1,5 +0,0 @@
<source>
@type forward
port 24224
@label @received
</source>

38
cookbooks/fluentd/files/etc/td-agent/conf.d/syslog_esxi.conf
View File

@ -1,38 +0,0 @@
# For ESXi syslog Monitoring:
<source>
@type syslog
port 1514
bind 0.0.0.0
protocol_type tcp
format none
tag system.esxi
</source>
<filter system.esxi.**>
@type grep
<exclude>
key message
pattern (iscsid|LikewiseGetDomainJoinInfo|hostd|DictionaryLoad|addVob|backup\.sh|libsmart|\[context\]|Hostd|vmauthd|Rhttpproxy|requested fast path state update| above TEMPERATURE threshold)
</exclude>
</filter>
<match system.esxi.**.{debug,info}>
@type null
</match>
<match system.esxi.**.{notice,warn,err,crit,alert,emerg}>
@type copy
<store>
@type file
path /tmp/syslog_esxi.log
time_slice_format %Y%m%d
time_slice_wait 1m
</store>
<store>
@type relabel
@label @danger
</store>
</match>

41
cookbooks/fluentd/files/etc/td-agent/conf.d/syslog_synology.conf
View File

@ -1,41 +0,0 @@
# For synology syslog Monitoring:
<source>
@type syslog
port 5141
bind 0.0.0.0
protocol_type tcp
message_format auto
tag system.synology
</source>
<filter system.synology.**>
@type grep
<exclude>
key message
pattern (accessed the shared folder)
</exclude>
</filter>
<filter system.synology.**>
@type record_transformer
<record>
message ${record["host"]}: ${record["message"]}
</record>
</filter>
<match system.synology.**>
@type copy
<store>
@type file
path /tmp/syslog_synology.log
time_slice_format %Y%m%d
time_slice_wait 1m
</store>
<store>
@type relabel
@label @good
</store>
</match>

45
cookbooks/fluentd/files/etc/td-agent/conf.d/syslog_vyos.conf
View File

@ -1,45 +0,0 @@
# For vyos syslog Monitoring:
<source>
@type syslog
port 5140
bind 0.0.0.0
protocol_type tcp
message_format auto
tag system.vyos
</source>
<filter system.vyos.**>
@type grep
<exclude>
key message
pattern (suspect value|Port3 Link|duplicate on LAN|can't get program name from|call user-defined scripts or executables|FRAG TTL expired|Port4 Link|Overriding mtu|Overriding mru|IPv6 Control Protoco)
</exclude>
</filter>
<filter system.vyos.**>
@type record_transformer
<record>
message ${record["host"]}: ${record["message"]}
</record>
</filter>
<match system.vyos.**.{debug,info,notice}>
@type null
</match>
<match system.vyos.**.{warn,err,crit,alert,emerg}>
@type copy
<store>
@type file
path /tmp/syslog_vyos.log
time_slice_format %Y%m%d
time_slice_wait 1m
</store>
<store>
@type relabel
@label @danger
</store>
</match>

44
cookbooks/fluentd/files/etc/td-agent/conf.d/watcher.conf
View File

@ -1,44 +0,0 @@
md5:4d7c92818f78f0384855b1006b60eb0f:salt:101-24-185-121-164-238-97-103:aes-256-cfb:e61qKgTSpyfqU8V+iEk9dDk3DI7Y9QiykJgDwEG0Qn/fquFM/6YhP/+FvQxV
BVcIDU1zMtX0TVjq3HBSVLW1fEh0tFLCRRG5lCwj5wpmFa+NeAY4Db4XxjPB
q0VbsAv9PI9ptDGylrNvBhAJpB/2A6xJ2h5Lh7026Dv5qi1bdvvAnyxNmbRa
UwkKvb9e+ptPk3gjQath/eX9qbR4fiX9LG9URnIkwhvlpYhRUqk94BL04toK
pLQEvtk4RdDKHylpdbKmWj2JCFeKb28JNq0AE7CrAi8zXevUoI6jXP+pipA5
GdW7BMEpjc8e6O2dy7kd/qWLKMvbEbzj0I1EC5ut1e1gAVzKGjPnwVVWGxaP
Hl3K3Vmj59kWU57Zgzmh7WYemt2AnTW6jQcCe5fP7gzIfD4KXYM18rStThOE
LXOCyuOFI5/EyGaX1lyWmw6Ic45rnr9iHaYDVqq0Q0aifIsLWxaQlD2AI4+7
uaU4Qa+QsSHLCmvhZ/ysKTfp9gKUZEQql/FCtKLjvmTAv8cN20W+c6KbZNI9
CrGpDLAY4oIsi0qSLsNqddC6D31dssMLDBC/ZdMdZmpwo32qeRvoca2GYBD9
voTiiEEbUP1+ZVhwndIaVMI3tIKc29Ixlo3W6vF4rL5AXyWSmW6OdcdOwgRI
FddW89z+LV4HB0L1HNIsWcR8eS/6OzJ3hKB6qFjz77+6X4lna4MX5nW4hnJI
dhUK8HzmF2NlP5UnnIPPF0Mznhrnrde6GZxRVkunZrnp9q9r63bJB9okfQSm
q/UBDbCUrJo81kRvtfv5+kLB1QppxWQljqzF65tnCbvvWe0KiNztyeP4yjds
hTx4vsTdKZGI0eTc7H1IiVgxS8OS7Z1nmd1seho4IsyFobI75E1Si96EgdEQ
IOXF2A6aqYJCqPbLaULih1jrrM70m/xENx2mykLwsZDzDs7nPelwze0fLLt/
qPxkFaqfElqkc4R8OaXAWVoEl4vZWosYvhrwu9g5JX00RPzS6wEFl3pywwjJ
rzQqGkG9fJu5KFRg/PFW19Jc75kuKsV7Glf12lq4mWqfvuc6PrH/ISok2G3/
LBuRp/MD+dyrFb+uKDua9cCjGF/d0FZ83vOEPTM607BN3GNuucBAA+u3BMKF
8zjL58Af01aSUrnGJ9IESbUOt4Fz9Isep/P4rVh6RkOcJMRvbuXgPCYN5xFv
qsf/fBmauim9lmQXg2QomnSBrguv/OgqKxoVwDHVPFqPlwkLPhoA2pN/xoId
y4g7BbsPaySGKNfcNG/xzFWM058oSgnxmqq2Jvgb3+mXk+EylRrdKVh8FLhh
s1sl04u8I4DiftOGcU0vg1dTmdAKSo8TcDROeQOYknkyT9SE9vUaEOeOvLRD
dOJi+S6BFfSE8kuWocL4Amvg8SKMgchvXGOXg44w0GJ1OFPNT4QDlm5PloWD
KXS+LBw6kL+617/cIclt1yPdxd0tOhr00moeDYT95Eso+AnvQLswSIRGLXA+
2E537p1+fYZqsfrG+FDDo/I6JWTzY3NMnDlo4GWpC/8vHom9effVwa6eHAWd
5Wg6d/9m2PQzJhLusBombcf+og+0EPxYgm/F2BL9jdljyOi2Fd2FNJKNA58V
Ol1fnIyvN4tQvUVQVTQHS15lTsMC7FGu5sgUY6O1YQTXu+0J2nuL9RRsJHDR
zBkRUE7+I/kdgVirgzVZrNGmJd6nVed4f6in0OKk1ITheWHdCXTQqP7nHliL
ZG/RZmAVK1djE1EtbnNdIZ3QmsIJdy879kUJn77koKfh7ds1QQxnBBQuMNFA
ab79jiMZYlKepZGyb3H/iz5hXo6LtIjNXU1tQOkMp7eni4niWTV8TKL7Kmso
1+4qVH5h/cjxjjl1hV4eQ3uNT5+LDEszX4bQgTF1La/PGHSgxisBxxU35OXq
0+wgkBjnTtfR1pNmGlzBkknrfCvasde7E37IzhAKFLsxlUPZT7W11UIDDiNr
6vZmAo5c5jnp8qhdEgE4FgQxH9s9d+ZtEbA7TCaiD/caO3TNmZiFohd9oDaT
i+FM1eHXfs9HfOCLfPe9QNCoXOuKV71qfVf2rRTg2mBV3yx7MN+jAQML2qkW
y2Th/sCYh8JzvsgBOZnBZ8gVZadYhnyQg5c7rNucqy6lw4ioS2GyUKrdPnR7
vq5OqBpFvbIKm+RaPkMV464fjdZJeJlQwa1ip466rfiipART3j9yZQH8Txkr
NACKgjzqnWiMvOe3CibdQsfN86qZpuC66xfTtbvgm1VGJlzWvMMzpRBdSWv5
u+KMl6rkqJ2hFnrAYJp1j/IQnY/SMN0LxZYQRWmQwYzqNBl5CEjJLNE/wW+8
//qdXor1TRe7zePzn40GJQ8U9AScbYgQU8xkeDfAapdh7XUj0NvFMN80jADJ
PimRBX/LgpToKts+XWWU6CiDLYDnsnLD72SB5hwZkWMo6tOMjC+dWKgZBcGH
zisf7rGgY/X4VO40i+uMB+HcoRHHSQBVoApIQt2Ozl6Zeaqm28M8/jVmpgUm
7BxL/JR0gLvYCSU4BEPFngPauLli0IPvZcEJ0vLW20vtOf+QtwaL0lzMz3fr
YaiKkOcdd19P4GSy1LpKkSdapT95EIaQMbnzvg0aRivdO4s4GXihPS3b8A==

1
cookbooks/fluentd/files/etc/td-agent/td-agent.conf
View File

@ -1 +0,0 @@
@include conf.d/*.conf

57
cookbooks/fluentd/install.rb
View File

@ -1,57 +0,0 @@
# Load the APT key:
execute 'curl https://packages.treasuredata.com/GPG-KEY-td-agent | apt-key add -' do
not_if 'apt-key list | grep Treasure'
end
# Deploy the APT source:
CMD = 'grep DISTRIB_CODENAME /etc/lsb-release | cut -f 2 -d "="'
DIST = run_command(CMD).stdout.chomp
template '/etc/apt/sources.list.d/treasure-data.list' do
owner 'root'
group 'root'
mode '644'
variables(platform: node['platform'], dist: DIST)
end
execute 'apt update' do
action :run
not_if 'which td-agent'
end
# Install
package 'td-agent' do
action :install
end
# Overwrite the conf:
remote_file '/etc/td-agent/td-agent.conf' do
owner node['td-agent']['user']
group node['td-agent']['group']
mode '644'
end
# Create /etc/td-agent/conf.d:
directory '/etc/td-agent/conf.d' do
owner node['td-agent']['user']
group node['td-agent']['group']
mode '755'
end
# Deploy /etc/hosts file:
HOSTNAME = run_command('uname -n').stdout.chomp
template '/etc/hosts' do
owner 'root'
group 'root'
mode '644'
variables(HOSTNAME: HOSTNAME)
end
# Enable and start:
service 'td-agent' do
action :enable
end

22
cookbooks/fluentd/nginx.rb
View File

@ -1,22 +0,0 @@
# Manager setting:
if node['td-agent']['forward']
gem_package 'fluent-plugin-s3' do
action :upgrade
gem_binary '/usr/sbin/td-agent-gem'
end
encrypted_remote_file '/etc/td-agent/conf.d/processor_nginx.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/td-agent/conf.d/processor_nginx.conf'
password ENV['ITAMAE_PASSWORD']
end
end
# Agent setting:
remote_file '/etc/td-agent/conf.d/forwarder_nginx.conf' do
owner 'root'
group 'root'
mode '644'
end

5
cookbooks/fluentd/prerequisites.rb
View File

@ -1,5 +0,0 @@
remote_file '/etc/security/limits.d/90-nfile.conf' do
owner 'root'
group 'root'
mode '644'
end

7
cookbooks/fluentd/processor.rb
View File

@ -1,7 +0,0 @@
%w( processor.conf processor_consul.conf ).each do |f|
remote_file "/etc/td-agent/conf.d/#{f}" do
owner 'root'
group 'root'
mode '644'
end
end

73
cookbooks/fluentd/setup.rb
View File

@ -1,73 +0,0 @@
########################################################
# Common Configuration
########################################################
# Monit configuration for `td-agent`:
remote_file '/etc/monit/conf.d/td-agent.conf' do
owner 'root'
group 'root'
mode '644'
# notifies :restart, 'service[monit]'
end
# add `td-agent` user to `adm` group:
execute 'usermod -aG adm td-agent' do
not_if 'id td-agent | grep adm'
end
# Deploy the `td-agent` configuration file for monitoring `td-agent` logs:
remote_file '/etc/td-agent/conf.d/forwarder_td-agent.conf' do
owner 'root'
group 'root'
mode '644'
end
########################################################
# Agent Configuration:
########################################################
unless node['td-agent']['forward']
remote_file '/etc/td-agent/conf.d/forwarder.conf' do
owner 'root'
group 'root'
mode '644'
end
end
########################################################
# Manager Configuration:
########################################################
if node['td-agent']['forward']
remote_file '/etc/td-agent/conf.d/receiver.conf' do
owner 'root'
group 'root'
mode '644'
end
template '/etc/consul.d/service-td-agent.json' do
owner 'root'
group 'root'
mode '644'
variables(role: node['td-agent']['role'])
notifies :restart, 'service[supervisor]'
end
%w( 24224/tcp 24224/udp ).each do |p|
execute "ufw allow #{p}" do
user 'root'
not_if "LANG=c ufw status | grep #{p}"
notifies :run, 'execute[ufw reload-or-enable]'
end
end
execute 'ufw reload-or-enable' do
user 'root'
command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
action :nothing
end
end

12
cookbooks/fluentd/slack.rb
View File

@ -1,12 +0,0 @@
gem_package 'fluent-plugin-slack' do
action :upgrade
gem_binary '/usr/sbin/td-agent-gem'
end
encrypted_remote_file '/etc/td-agent/conf.d/watcher.conf' do
owner 'root'
group 'root'
mode '644'
source 'files/etc/td-agent/conf.d/watcher.conf'
password ENV['ITAMAE_PASSWORD']
end

15
cookbooks/fluentd/syslog.rb
View File

@ -1,15 +0,0 @@
%w( esxi synology vyos ).each do |c|
remote_file "/etc/td-agent/conf.d/syslog_#{c}.conf" do
owner 'root'
group 'root'
mode '644'
end
end
%w( 1514/tcp 5140/tcp 5141/tcp ).each do |p|
execute "ufw allow #{p}" do
user 'root'
not_if "LANG=c ufw status | grep #{p}"
end
end

1
cookbooks/fluentd/templates/etc/apt/sources.list.d/treasure-data.list.erb
View File

@ -1 +0,0 @@
deb http://packages.treasuredata.com/3/<%= @platform %>/<%= @dist %>/ <%= @dist %> contrib

7
cookbooks/fluentd/templates/etc/consul.d/service-td-agent.json.erb
View File

@ -1,7 +0,0 @@
{
"service": {
"name": "td-agent",
"tags": ["<%= @role %>"],
"port": 24224
}
}

11
cookbooks/fluentd/templates/etc/hosts.erb
View File

@ -1,11 +0,0 @@
127.0.0.1 localhost
127.0.1.1 <%= @HOSTNAME %>
192.168.10.110 primary.td-agent.service.consul
192.168.10.115 backup.td-agent.service.consul
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

39
cookbooks/monit/default.rb
View File

@ -1,39 +0,0 @@
package 'monit'
service 'monit' do
action :disable
end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "18.04"
# do nothing
else
remote_file '/etc/monit/monitrc' do
owner 'root'
group 'root'
mode '600'
notifies :reload, 'service[monit]'
end
end
remote_file '/etc/default/monit' do
owner 'root'
group 'root'
mode '644'
notifies :run, 'execute[systemctl daemon-reload]'
end
remote_file '/lib/systemd/system/monit.service' do
owner 'root'
group 'root'
mode '644'
notifies :run, 'execute[systemctl daemon-reload]'
end
execute 'systemctl daemon-reload' do
action :nothing
command '/etc/init.d/monit stop && systemctl daemon-reload && systemctl enable monit && systemctl start monit'
end

10
cookbooks/monit/files/etc/default/monit
View File

@ -1,10 +0,0 @@
# /etc/default/monit
# Defaults for monit initscript. This file is sourced by
# /bin/sh from /etc/init.d/monit.
# Set START to yes to start the monit
START=yes
# Options to pass to monit
MONIT_OPTS=-I

248
cookbooks/monit/files/etc/monit/monitrc
View File

@ -1,248 +0,0 @@
###############################################################################
## Monit control file
###############################################################################
##
## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
## Below you will find examples of some frequently used statements. For
## information about the control file and a complete list of statements and
## options, please have a look in the Monit manual.
##
##
###############################################################################
## Global section
###############################################################################
##
## Start Monit in the background (run as a daemon):
#
set daemon 60 # check services at 2-minute intervals
with start delay 240 # optional: delay the first check by 4-minutes (by
# # default Monit check immediately after Monit start)
#
#
## Set syslog logging with the 'daemon' facility. If the FACILITY option is
## omitted, Monit will use 'user' facility by default. If you want to log to
## a standalone log file instead, specify the full path to the log file
#
# set logfile syslog facility log_daemon
set logfile /var/log/monit.log
#
#
## Set the location of the Monit id file which stores the unique id for the
## Monit instance. The id is generated and stored on first Monit start. By
## default the file is placed in $HOME/.monit.id.
#
# set idfile /var/.monit.id
set idfile /var/lib/monit/id
#
## Set the location of the Monit state file which saves monitoring states
## on each cycle. By default the file is placed in $HOME/.monit.state. If
## the state file is stored on a persistent filesystem, Monit will recover
## the monitoring state across reboots. If it is on temporary filesystem, the
## state will be lost on reboot which may be convenient in some situations.
#
set statefile /var/lib/monit/state
#
## Set the list of mail servers for alert delivery. Multiple servers may be
## specified using a comma separator. If the first mail server fails, Monit
# will use the second mail server in the list and so on. By default Monit uses
# port 25 - it is possible to override this with the PORT option.
#
# set mailserver mail.bar.baz, # primary mailserver
# backup.bar.baz port 10025, # backup mailserver on port 10025
# localhost # fallback relay
#
#
## By default Monit will drop alert events if no mail servers are available.
## If you want to keep the alerts for later delivery retry, you can use the
## EVENTQUEUE statement. The base directory where undelivered alerts will be
## stored is specified by the BASEDIR option. You can limit the maximal queue
## size using the SLOTS option (if omitted, the queue is limited by space
## available in the back end filesystem).
#
set eventqueue
basedir /var/lib/monit/events # set the base directory where events will be stored
slots 100 # optionally limit the queue size
#
#
## Send status and events to M/Monit (for more informations about M/Monit
## see http://mmonit.com/). By default Monit registers credentials with
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
## have to register Monit credentials manually in M/Monit. It is possible to
## disable credential registration using the commented out option below.
## Though, if safety is a concern we recommend instead using https when
## communicating with M/Monit and send credentials encrypted.
#
# set mmonit http://monit:monit@192.168.1.10:8080/collector
# # and register without credentials # Don't register credentials
#
#
## Monit by default uses the following format for alerts if the the mail-format
## statement is missing::
## --8<--
## set mail-format {
## from: monit@$HOST
## subject: monit alert -- $EVENT $SERVICE
## message: $EVENT Service $SERVICE
## Date: $DATE
## Action: $ACTION
## Host: $HOST
## Description: $DESCRIPTION
##
## Your faithful employee,
## Monit
## }
## --8<--
##
## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded at runtime. For example, to override the sender, use:
#
# set mail-format { from: monit@foo.bar }
#
#
## You can set alert recipients whom will receive alerts if/when a
## service defined in this file has errors. Alerts may be restricted on
## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar # receive all alerts
# set alert manager@foo.bar only on { timeout } # receive just service-
# # timeout alert
#
#
## Monit has an embedded web server which can be used to view status of
## services monitored and manage services from a web interface. See the
## Monit Wiki if you want to enable SSL for the web server.
#
# set httpd port 2812 and
# use address localhost # only accept connection from localhost
# allow localhost # allow localhost to connect to the server and
# allow admin:monit # require user 'admin' with password 'monit'
# allow @monit # allow users of group 'monit' to connect (rw)
# allow @users readonly # allow users of group 'users' to connect readonly
#
###############################################################################
## Services
###############################################################################
##
## Check general system resources such as load average, cpu and memory
## usage. Each test specifies a resource, conditions and the action to be
## performed should a test fail.
#
# check system myhost.mydomain.tld
# if loadavg (1min) > 4 then alert
# if loadavg (5min) > 2 then alert
# if memory usage > 75% then alert
# if swap usage > 25% then alert
# if cpu usage (user) > 70% then alert
# if cpu usage (system) > 30% then alert
# if cpu usage (wait) > 20% then alert
#
#
## Check if a file exists, checksum, permissions, uid and gid. In addition
## to alert recipients in the global section, customized alert can be sent to
## additional recipients by specifying a local alert handler. The service may
## be grouped using the GROUP option. More than one group can be specified by
## repeating the 'group name' statement.
#
# check file apache_bin with path /usr/local/apache/bin/httpd
# if failed checksum and
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
# if failed permission 755 then unmonitor
# if failed uid root then unmonitor
# if failed gid root then unmonitor
# alert security@foo.bar on {
# checksum, permission, uid, gid, unmonitor
# } with the mail-format { subject: Alarm! }
# group server
#
#
## Check that a process is running, in this case Apache, and that it respond
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
## and number of children. If the process is not running, Monit will restart
## it by default. In case the service is restarted very often and the
## problem remains, it is possible to disable monitoring using the TIMEOUT
## statement. This service depends on another service (apache_bin) which
## is defined above.
#
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
# stop program = "/etc/init.d/httpd stop"
# if cpu > 60% for 2 cycles then alert
# if cpu > 80% for 5 cycles then restart
# if totalmem > 200.0 MB for 5 cycles then restart
# if children > 250 then restart
# if loadavg(5min) greater than 10 for 8 cycles then stop
# if failed host www.tildeslash.com port 80 protocol http
# and request "/somefile.html"
# then restart
# if failed port 443 type tcpssl protocol http
# with timeout 15 seconds
# then restart
# if 3 restarts within 5 cycles then timeout
# depends on apache_bin
# group server
#
#
## Check filesystem permissions, uid, gid, space and inode usage. Other services,
## such as databases, may depend on this resource and an automatically graceful
## stop may be cascaded to them before the filesystem will become full and data
## lost.
#
# check filesystem datafs with path /dev/sdb1
# start program = "/bin/mount /data"
# stop program = "/bin/umount /data"
# if failed permission 660 then unmonitor
# if failed uid root then unmonitor
# if failed gid disk then unmonitor
# if space usage > 80% for 5 times within 15 cycles then alert
# if space usage > 99% then stop
# if inode usage > 30000 then alert
# if inode usage > 99% then stop
# group server
#
#
## Check a file's timestamp. In this example, we test if a file is older
## than 15 minutes and assume something is wrong if its not updated. Also,
## if the file size exceed a given limit, execute a script
#
# check file database with path /data/mydatabase.db
# if failed permission 700 then alert
# if failed uid data then alert
# if failed gid data then alert
# if timestamp > 15 minutes then alert
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
#
#
## Check directory permission, uid and gid. An event is triggered if the
## directory does not belong to the user with uid 0 and gid 0. In addition,
## the permissions have to match the octal description of 755 (see chmod(1)).
#
# check directory bin with path /bin
# if failed permission 755 then unmonitor
# if failed uid 0 then unmonitor
# if failed gid 0 then unmonitor
#
#
## Check a remote host availability by issuing a ping test and check the
## content of a response from a web server. Up to three pings are sent and
## connection to a port and an application level network check is performed.
#
# check host myserver with address 192.168.1.1
# if failed icmp type echo count 3 with timeout 3 seconds then alert
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
# if failed url http://user:password@www.foo.bar:8080/?querystring
# and content == 'action="j_security_check"'
# then alert
#
#
###############################################################################
## Includes
###############################################################################
##
## It is possible to include additional configuration parts from other files or
## directories.
#
include /etc/monit/conf.d/*.conf
#

308
cookbooks/monit/files/etc/monit/monitrc.1804
View File

@ -1,308 +0,0 @@
###############################################################################
## Monit control file
###############################################################################
##
## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
## Below you will find examples of some frequently used statements. For
## information about the control file and a complete list of statements and
## options, please have a look in the Monit manual.
##
##
###############################################################################
## Global section
###############################################################################
##
## Start Monit in the background (run as a daemon):
#
set daemon 120 # check services at 2-minute intervals
# with start delay 240 # optional: delay the first check by 4-minutes (by
# # default Monit check immediately after Monit start)
#
#
## Set syslog logging. If you want to log to a standalone log file instead,
## specify the full path to the log file
#
set log /var/log/monit.log
#
#
## Set the location of the Monit lock file which stores the process id of the
## running Monit instance. By default this file is stored in $HOME/.monit.pid
#
# set pidfile /var/run/monit.pid
#
## Set the location of the Monit id file which stores the unique id for the
## Monit instance. The id is generated and stored on first Monit start. By
## default the file is placed in $HOME/.monit.id.
#
# set idfile /var/.monit.id
set idfile /var/lib/monit/id
#
## Set the location of the Monit state file which saves monitoring states
## on each cycle. By default the file is placed in $HOME/.monit.state. If
## the state file is stored on a persistent filesystem, Monit will recover
## the monitoring state across reboots. If it is on temporary filesystem, the
## state will be lost on reboot which may be convenient in some situations.
#
set statefile /var/lib/monit/state
#
#
## Set limits for various tests. The following example shows the default values:
##
# set limits {
# programOutput: 512 B, # check program's output truncate limit
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
# fileContentBuffer: 512 B, # limit for file content test
# httpContentBuffer: 1 MB, # limit for HTTP content test
# networkTimeout: 5 seconds # timeout for network I/O
# programTimeout: 300 seconds # timeout for check program
# stopTimeout: 30 seconds # timeout for service stop
# startTimeout: 30 seconds # timeout for service start
# restartTimeout: 30 seconds # timeout for service restart
# }
## Set global SSL options (just most common options showed, see manual for
## full list).
#
# set ssl {
# verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
# selfsigned : allow # allow self signed SSL certificates (reject by default)
# }
#
#
## Set the list of mail servers for alert delivery. Multiple servers may be
## specified using a comma separator. If the first mail server fails, Monit
# will use the second mail server in the list and so on. By default Monit uses
# port 25 - it is possible to override this with the PORT option.
#
# set mailserver mail.bar.baz, # primary mailserver
# backup.bar.baz port 10025, # backup mailserver on port 10025
# localhost # fallback relay
#
#
## By default Monit will drop alert events if no mail servers are available.
## If you want to keep the alerts for later delivery retry, you can use the
## EVENTQUEUE statement. The base directory where undelivered alerts will be
## stored is specified by the BASEDIR option. You can limit the queue size
## by using the SLOTS option (if omitted, the queue is limited by space
## available in the back end filesystem).
#
set eventqueue
basedir /var/lib/monit/events # set the base directory where events will be stored
slots 100 # optionally limit the queue size
#
#
## Send status and events to M/Monit (for more informations about M/Monit
## see https://mmonit.com/). By default Monit registers credentials with
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
## have to register Monit credentials manually in M/Monit. It is possible to
## disable credential registration using the commented out option below.
## Though, if safety is a concern we recommend instead using https when
## communicating with M/Monit and send credentials encrypted. The password
## should be URL encoded if it contains URL-significant characters like
## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
## adding the timeout option.
#
# set mmonit http://monit:monit@192.168.1.10:8080/collector
# # with timeout 30 seconds # Default timeout is 5 seconds
# # and register without credentials # Don't register credentials
#
#
## Monit by default uses the following format for alerts if the mail-format
## statement is missing::
## --8<--
## set mail-format {
## from: Monit <monit@$HOST>
## subject: monit alert -- $EVENT $SERVICE
## message: $EVENT Service $SERVICE
## Date: $DATE
## Action: $ACTION
## Host: $HOST
## Description: $DESCRIPTION
##
## Your faithful employee,
## Monit
## }
## --8<--
##
## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded at runtime. For example, to override the sender, use:
#
# set mail-format { from: monit@foo.bar }
#
#
## You can set alert recipients whom will receive alerts if/when a
## service defined in this file has errors. Alerts may be restricted on
## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar # receive all alerts
#
## Do not alert when Monit starts, stops or performs a user initiated action.
## This filter is recommended to avoid getting alerts for trivial cases.
#
# set alert your-name@your.domain not on { instance, action }
#
#
## Monit has an embedded HTTP interface which can be used to view status of
## services monitored and manage services from a web interface. The HTTP
## interface is also required if you want to issue Monit commands from the
## command line, such as 'monit status' or 'monit restart service' The reason
## for this is that the Monit client uses the HTTP interface to send these
## commands to a running Monit daemon. See the Monit Wiki if you want to
## enable SSL for the HTTP interface.
#
# set httpd port 2812 and
# use address localhost # only accept connection from localhost
# allow localhost # allow localhost to connect to the server and
# allow admin:monit # require user 'admin' with password 'monit'
# #with ssl { # enable SSL/TLS and set path to server certificate
# # pemfile: /etc/ssl/certs/monit.pem
# #}
###############################################################################
## Services
###############################################################################
##
## Check general system resources such as load average, cpu and memory
## usage. Each test specifies a resource, conditions and the action to be
## performed should a test fail.
#
# check system $HOST
# if loadavg (1min) > 4 then alert
# if loadavg (5min) > 2 then alert
# if cpu usage > 95% for 10 cycles then alert
# if memory usage > 75% then alert
# if swap usage > 25% then alert
#
#
## Check if a file exists, checksum, permissions, uid and gid. In addition
## to alert recipients in the global section, customized alert can be sent to
## additional recipients by specifying a local alert handler. The service may
## be grouped using the GROUP option. More than one group can be specified by
## repeating the 'group name' statement.
#
# check file apache_bin with path /usr/local/apache/bin/httpd
# if failed checksum and
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
# if failed permission 755 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "root" then unmonitor
# alert security@foo.bar on {
# checksum, permission, uid, gid, unmonitor
# } with the mail-format { subject: Alarm! }
# group server
#
#
## Check that a process is running, in this case Apache, and that it respond
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
## and number of children. If the process is not running, Monit will restart
## it by default. In case the service is restarted very often and the
## problem remains, it is possible to disable monitoring using the TIMEOUT
## statement. This service depends on another service (apache_bin) which
## is defined above.
#
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
# stop program = "/etc/init.d/httpd stop"
# if cpu > 60% for 2 cycles then alert
# if cpu > 80% for 5 cycles then restart
# if totalmem > 200.0 MB for 5 cycles then restart
# if children > 250 then restart
# if loadavg(5min) greater than 10 for 8 cycles then stop
# if disk read > 500 kb/s for 10 cycles then alert
# if disk write > 500 kb/s for 10 cycles then alert
# if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
# if failed port 443 protocol https with timeout 15 seconds then restart
# if 3 restarts within 5 cycles then unmonitor
# depends on apache_bin
# group server
#
#
## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
## Other services, such as databases, may depend on this resource and an automatically
## graceful stop may be cascaded to them before the filesystem will become full and data
## lost.
#
# check filesystem datafs with path /dev/sdb1
# start program = "/bin/mount /data"
# stop program = "/bin/umount /data"
# if failed permission 660 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "disk" then unmonitor
# if space usage > 80% for 5 times within 15 cycles then alert
# if space usage > 99% then stop
# if inode usage > 30000 then alert
# if inode usage > 99% then stop
# if read rate > 1 MB/s for 5 cycles then alert
# if read rate > 500 operations/s for 5 cycles then alert
# if write rate > 1 MB/s for 5 cycles then alert
# if write rate > 500 operations/s for 5 cycles then alert
# if service time > 10 milliseconds for 3 times within 5 cycles then alert
# group server
#
#
## Check a file's timestamp. In this example, we test if a file is older
## than 15 minutes and assume something is wrong if its not updated. Also,
## if the file size exceed a given limit, execute a script
#
# check file database with path /data/mydatabase.db
# if failed permission 700 then alert
# if failed uid "data" then alert
# if failed gid "data" then alert
# if timestamp > 15 minutes then alert
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
#
#
## Check directory permission, uid and gid. An event is triggered if the
## directory does not belong to the user with uid 0 and gid 0. In addition,
## the permissions have to match the octal description of 755 (see chmod(1)).
#
# check directory bin with path /bin
# if failed permission 755 then unmonitor
# if failed uid 0 then unmonitor
# if failed gid 0 then unmonitor
#
#
## Check a remote host availability by issuing a ping test and check the
## content of a response from a web server. Up to three pings are sent and
## connection to a port and an application level network check is performed.
#
# check host myserver with address 192.168.1.1
# if failed ping then alert
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
# if failed port 80 protocol http
# and request /some/path with content = "a string"
# then alert
#
#
## Check a network link status (up/down), link capacity changes, saturation
## and bandwidth usage.
#
# check network public with interface eth0
# if failed link then alert
# if changed link then alert
# if saturation > 90% then alert
# if download > 10 MB/s then alert
# if total uploaded > 1 GB in last hour then alert
#
#
## Check custom program status output.
#
# check program myscript with path /usr/local/bin/myscript.sh
# if status != 0 then alert
#
#
###############################################################################
## Includes
###############################################################################
##
## It is possible to include additional configuration parts from other files or
## directories.
#
include /etc/monit/conf.d/*
include /etc/monit/conf-enabled/*
#

10
cookbooks/monit/files/lib/systemd/system/monit.service
View File

@ -1,10 +0,0 @@
[Service]
Type=simple
KillMode=process
ExecStart=/etc/init.d/monit start
ExecStop=/etc/init.d/monit stop
ExecReload=/etc/init.d/monit reload
Restart=always
[Install]
WantedBy=multi-user.target

2
cookbooks/nginx/attributes.rb
View File

@ -3,6 +3,6 @@
# ------------------------------------------- # -------------------------------------------
node.reverse_merge!({ node.reverse_merge!({
'nginx' => { 'nginx' => {
'version' => '1.17.5' 'version' => '1.19.3'
} }
}) })

6
cookbooks/nginx/default.rb
View File

@ -4,12 +4,12 @@ include_recipe './attributes.rb'
# Kernel Parameters: # Kernel Parameters:
include_recipe './kernel.rb' include_recipe './kernel.rb'
# Install Let's Encrypt:
include_recipe './lego.rb'
# Prerequisites for Building nginx: # Prerequisites for Building nginx:
include_recipe './webadm.rb' include_recipe './webadm.rb'
# Install Let's Encrypt:
include_recipe './lego.rb'
# Build nginx: # Build nginx:
include_recipe './build.rb' include_recipe './build.rb'

6
cookbooks/nginx/webadm.rb
View File

@ -13,12 +13,14 @@ remote_file '/etc/sudoers.d/webadm' do
mode '440' mode '440'
end end
# Create `.ssh` directory: # Create directories:
directory '/home/webadm/.ssh' do %w(/home/webadm/.ssh /home/webadm/repo).each do |d|
directory d do
owner 'webadm' owner 'webadm'
group 'webadm' group 'webadm'
mode '700' mode '700'
end end
end
# Deploy `~/.ssh/.ssh/authorized_keys`: # Deploy `~/.ssh/.ssh/authorized_keys`:
encrypted_remote_file '/home/webadm/.ssh/authorized_keys' do encrypted_remote_file '/home/webadm/.ssh/authorized_keys' do

1
roles/base.rb
View File

@ -1,7 +1,6 @@
include_recipe '../cookbooks/base/default.rb' include_recipe '../cookbooks/base/default.rb'
include_recipe '../cookbooks/kazu634/default.rb' include_recipe '../cookbooks/kazu634/default.rb'
include_recipe '../cookbooks/supervisor/default.rb' include_recipe '../cookbooks/supervisor/default.rb'
include_recipe '../cookbooks/monit/default.rb'
include_recipe '../cookbooks/consul/default.rb' include_recipe '../cookbooks/consul/default.rb'
include_recipe '../cookbooks/fzf/default.rb' include_recipe '../cookbooks/fzf/default.rb'
include_recipe '../cookbooks/promtail/default.rb' include_recipe '../cookbooks/promtail/default.rb'