Compare commits

..

30 Commits

Author SHA1 Message Date
Kazuhiro MUSASHI 06b8ae6c1c Merge pull request 'Support fo Ubuntu2404' (#26) from ubuntu2404 into main
Reviewed-on: #26
2024-11-03 02:02:59 +00:00
Kazuhiro MUSASHI 015fe2ee31 Modify `nomad` recipes to reflect the step changes. 2024-11-03 10:58:04 +09:00
Kazuhiro MUSASHI eaa7ddcd32 Update DNS settings. 2024-11-03 10:56:38 +09:00
Kazuhiro MUSASHI db10caca55 Delete `resolved.conf.2404`. 2024-11-02 16:56:12 +09:00
Kazuhiro MUSASHI a61e3c3dd7 Install `cni` plugins, using `eget`. 2024-07-20 17:34:01 +09:00
Kazuhiro MUSASHI 8e0a8a06c3 Bump `nginx` version. 2024-07-20 17:33:31 +09:00
Kazuhiro MUSASHI 248a624f22 Install `Docker`, before setting up `Nomad`. 2024-07-15 21:40:05 +09:00
Kazuhiro MUSASHI df0bccd61b Add `Consul` token setting for registering `Vault` 2024-07-15 21:39:32 +09:00
Kazuhiro MUSASHI a955001416 Add firewall settings for `Vault`. 2024-07-15 21:39:00 +09:00
Kazuhiro MUSASHI e21fa08291 Deploy `/etc/vault.d/vault.env` to enable AWS KMS. 2024-07-15 21:28:07 +09:00
Kazuhiro MUSASHI 44ca217183 Reload the config after updating the config file. 2024-07-15 21:27:23 +09:00
Kazuhiro MUSASHI 7d65474067 Change mode of `/etc/vault.d/vault.hcl`. 2024-07-15 18:49:42 +09:00
Kazuhiro MUSASHI d11206e3c2 Change `Vault` IP addresses. 2024-07-15 18:48:40 +09:00
Kazuhiro MUSASHI 44325ace47 Change `Vault` tokens for enabling Consul Auto Config. 2024-07-15 18:47:02 +09:00
Kazuhiro MUSASHI 977648f95e Change `consul` server IP addresses. 2024-07-15 18:45:25 +09:00
Kazuhiro MUSASHI 1998a11c29 Disable `Ubuntu Pro` announcement. 2024-07-01 15:23:03 +09:00
Kazuhiro MUSASHI 450426b12a Expliciyly specify the owner and group for `/etc/apt/sources.list.d/hashicorp.list`. 2024-06-10 11:55:15 +09:00
Kazuhiro MUSASHI d8094f8a6b Install exporters for `Ubuntu24.04`. 2024-06-10 11:54:39 +09:00
Kazuhiro MUSASHI 3b61e2b7ac Add condition for `Ubuntu 24.04`. 2024-06-10 11:54:08 +09:00
Kazuhiro MUSASHI cf28ca20b6 Disable password authentication for `SSH` daemon. 2024-06-10 11:48:35 +09:00
Kazuhiro MUSASHI 6bc876df6f Use `eget` to download and install `consul-template`. 2024-06-10 11:45:12 +09:00
Kazuhiro MUSASHI 4f2aeaac41 Check whether `eget` is installed or not, before the actual installation. 2024-06-10 11:44:07 +09:00
Kazuhiro MUSASHI 6d1e1599e3 Modify `dnsmasq` settings. 2024-06-10 11:42:42 +09:00
Kazuhiro MUSASHI 9a6a874abe Install `eget`. 2024-05-11 14:28:12 +09:00
Kazuhiro MUSASHI f122269855 Accumulative changes for `nginc` recipe. 2024-05-06 17:09:24 +09:00
Kazuhiro MUSASHI 6fe04fdaa0 Add cases for Ubuntu 24.04. 2024-05-06 17:08:42 +09:00
Kazuhiro MUSASHI 2063cf2f6c Update HashiCorp APT sources. 2024-04-28 12:13:35 +09:00
Kazuhiro MUSASHI a52c841151 Add steps for `SSH` daemon config. 2024-04-28 11:52:29 +09:00
Kazuhiro MUSASHI f6a6c49823 Add `git` APT source setting for Ubuntu2404. 2024-04-28 11:51:43 +09:00
Kazuhiro MUSASHI 8ae10311a6 Add steps for `timesyncd` configs. 2024-04-28 11:51:05 +09:00
56 changed files with 1146 additions and 208 deletions

View File

@ -35,6 +35,7 @@ end
# Install the necessary packages: # Install the necessary packages:
include_recipe './packages.rb' include_recipe './packages.rb'
include_recipe './eget.rb'
# Lang Setting: # Lang Setting:
include_recipe './lang.rb' include_recipe './lang.rb'
@ -69,9 +70,12 @@ include_recipe './starship.rb'
# Install cloudflared command: # Install cloudflared command:
include_recipe './cloudflared.rb' include_recipe './cloudflared.rb'
# Disable Ubuntu Pro
include_recipe './ubuntupro.rb'
# recipes for Ubuntu 20.04 and later # recipes for Ubuntu 20.04 and later
case node['platform_version'] case node['platform_version']
when "20.04", "22.04" when "20.04", "22.04", "24.04"
remote_file '/etc/multipath.conf' do remote_file '/etc/multipath.conf' do
owner 'root' owner 'root'
group 'root' group 'root'
@ -89,10 +93,9 @@ when "20.04", "22.04"
service 'systemd-timesyncd' do service 'systemd-timesyncd' do
action :enable action :enable
end end
end
case node['platform_version'] case node['platform_version']
when "20.04" when "20.04"
remote_file '/etc/systemd/timesyncd.conf' do remote_file '/etc/systemd/timesyncd.conf' do
owner 'root' owner 'root'
group 'root' group 'root'
@ -100,7 +103,7 @@ when "20.04"
notifies :restart, 'service[systemd-timesyncd]' notifies :restart, 'service[systemd-timesyncd]'
end end
when "22.04" when "22.04"
remote_file '/etc/systemd/timesyncd.conf' do remote_file '/etc/systemd/timesyncd.conf' do
owner 'root' owner 'root'
group 'root' group 'root'
@ -110,8 +113,20 @@ when "22.04"
notifies :restart, 'service[systemd-timesyncd]' notifies :restart, 'service[systemd-timesyncd]'
end end
when "24.04"
remote_file '/etc/systemd/timesyncd.conf' do
owner 'root'
group 'root'
mode '0644'
source 'files/etc/systemd/timesyncd.2404.conf'
notifies :restart, 'service[systemd-timesyncd]'
end
end
end end
# AWS EC2 Swap Setting: # AWS EC2 Swap Setting:
if node['is_ec2'] if node['is_ec2']
include_recipe './aws_ec2.rb' include_recipe './aws_ec2.rb'

14
cookbooks/base/eget.rb Normal file
View File

@ -0,0 +1,14 @@
result = run_command('which eget', error: false)
if result.exit_status != 0
# Install eget
execute 'curl https://zyedidia.github.io/eget.sh | sh' do
cwd '/usr/local/bin/'
end
execute 'chown root:root /usr/local/bin/eget'
execute 'chmod 755 /usr/local/bin/eget'
end
%w( zyedidia/eget mgdm/htmlq ).each do |p|
execute "eget #{p} --to /usr/local/bin/ --upgrade-only"
end

View File

@ -0,0 +1,122 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 10022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

View File

@ -0,0 +1,26 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/timesyncd.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/timesyncd.conf' to display the full config.
#
# See timesyncd.conf(5) for details.
[Time]
NTP=192.168.10.1
#FallbackNTP=ntp.ubuntu.com
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
#ConnectionRetrySec=30
#SaveIntervalSec=60

View File

@ -20,24 +20,28 @@ end
### Here we are going to install git. ### Here we are going to install git.
# Constants: # Constants:
KEYSRV = 'hkp://keyserver.ubuntu.com:80' case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
ID = 'E1DF1F24' when "24.04"
execute 'add-apt-repository -y ppa:git-core/ppa' do
not_if 'test -e /etc/apt/sources.list.d/git-core-ubuntu-ppa-noble.sources'
end
else
KEYSRV = 'hkp://keyserver.ubuntu.com:80'
ID = 'E1DF1F24'
GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push' # Retrieve the Ubuntu code:
PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push' DIST = run_command('lsb_release -cs').stdout.chomp
# Retrieve the Ubuntu code: # Add the public key file to install `git`
DIST = run_command('lsb_release -cs').stdout.chomp execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
# Add the public key file to install `git`
execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
not_if 'apt-key list | grep "E1DF 1F24"' not_if 'apt-key list | grep "E1DF 1F24"'
end end
# Deploy the `apt` sources: # Deploy the `apt` sources:
template '/etc/apt/sources.list.d/git.list' do template '/etc/apt/sources.list.d/git.list' do
action :create action :create
variables(distribution: DIST) variables(distribution: DIST)
end
end end
execute 'apt update' do execute 'apt update' do
@ -48,6 +52,9 @@ execute 'apt install git -y' do
not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa' not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa'
end end
GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push'
PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push'
execute "wget #{PREPUSH} -O #{GIT_PREPUSH}" do execute "wget #{PREPUSH} -O #{GIT_PREPUSH}" do
not_if "test -e #{GIT_PREPUSH}" not_if "test -e #{GIT_PREPUSH}"
end end

View File

@ -9,6 +9,16 @@ end
# Deploy the `sshd` configuration file: # Deploy the `sshd` configuration file:
case node['platform_version'] case node['platform_version']
when "24.04"
remote_file '/etc/ssh/sshd_config' do
user 'root'
owner 'root'
group 'root'
mode '644'
source 'files/etc/ssh/sshd_config.2404'
end
when "22.04" when "22.04"
remote_file '/etc/ssh/sshd_config' do remote_file '/etc/ssh/sshd_config' do
user 'root' user 'root'
@ -48,9 +58,15 @@ else
end end
end end
case node['platform_version']
when "24.04"
execute 'systemctl disable --now ssh.socket'
execute 'systemctl enable --now ssh.service'
execute 'systemctl daemon-reload'
end
# Apply the changes: # Apply the changes:
execute 'systemctl reload ssh.service ' do execute 'systemctl restart ssh.service ' do
action :nothing action :nothing
subscribes :run, 'remote_file[/etc/ssh/sshd_config]' subscribes :run, 'remote_file[/etc/ssh/sshd_config]'
end end

View File

@ -1,5 +1,5 @@
case node['platform_version'] case node['platform_version']
when "18.04", "20.04", "22.04" when "18.04", "20.04", "22.04", "24.04"
execute 'timedatectl set-timezone Asia/Tokyo' do execute 'timedatectl set-timezone Asia/Tokyo' do
not_if 'timedatectl | grep Tokyo' not_if 'timedatectl | grep Tokyo'
end end

View File

@ -0,0 +1,11 @@
case node['platform_version']
when "24.04"
directory "/etc/apt/apt.conf.d/bk/"
%w( 20apt-esm-hook.conf ).each do |conf|
execute "mv /etc/apt/apt.conf.d/#{conf} /etc/apt/apt.conf.d/bk/#{conf}"
execute "touch /etc/apt/apt.conf.d/#{conf}"
end
execute 'pro config set apt_news=false'
end

View File

@ -45,7 +45,7 @@ when "18.04"
not_if 'test -e /var/log/cron-apt/log' not_if 'test -e /var/log/cron-apt/log'
end end
when '20.04', '22.04' when '20.04', '22.04', '24.04'
%w(20auto-upgrades 50unattended-upgrades).each do |conf| %w(20auto-upgrades 50unattended-upgrades).each do |conf|
remote_file "/etc/apt/apt.conf.d/#{conf}" do remote_file "/etc/apt/apt.conf.d/#{conf}" do
owner 'root' owner 'root'

View File

@ -1,10 +1,12 @@
# ------------------------------------------- # -------------------------------------------
# Specifying the default settings: # Specifying the default settings:
# ------------------------------------------- # -------------------------------------------
node.reverse_merge!({ node.reverse_merge!({
'consulTemplate' => { 'consulTemplate' => {
'baseUrl' => 'https://releases.hashicorp.com/consul-template/', 'baseUrl' => 'https://releases.hashicorp.com/consul-template/',
'version' => '0.25.2', 'version' => `curl -s https://releases.hashicorp.com/consul-template/ | htmlq -t 'a' | grep consul-template | head -n 1 | sed -e 's/^[^_]*_//g'`.chomp!,
'zipPrefix' => 'consul-template_', 'zipPrefix' => 'consul-template_',
'zipPostfix' => '_linux_amd64.zip', 'zipPostfix' => '_linux_amd64.zip',
'storage' => '/opt/consul-template/consul-template', 'storage' => '/opt/consul-template/consul-template',

View File

@ -5,20 +5,13 @@ consulTemplate_url = "#{node['consulTemplate']['baseUrl']}#{node['consulTemplate
result = run_command('which consul-template', error: false) result = run_command('which consul-template', error: false)
if result.exit_status != 0 if result.exit_status != 0
# Download:
TMP = "/tmp/#{consulTemplate_zip}"
execute "wget #{consulTemplate_url} -O #{TMP}"
directory '/opt/consul-template' do directory '/opt/consul-template' do
owner 'root' owner 'root'
group 'root' group 'root'
mode '0755' mode '0755'
end end
execute "unzip #{TMP} -d /opt/consul-template/" do execute "eget #{consulTemplate_url} --to /opt/consul-template/"
not_if 'test -e /opt/consul-template/consul-template'
end
# Change Owner and Permissions: # Change Owner and Permissions:
file "#{node['consulTemplate']['storage']}" do file "#{node['consulTemplate']['storage']}" do

View File

@ -2,7 +2,7 @@
# Specifying the default settings: # Specifying the default settings:
# ------------------------------------------- # -------------------------------------------
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04", "22.04" when "20.04", "22.04", "24.04"
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
when "18.04" when "18.04"
@ -19,7 +19,7 @@ dns = run_command(cmd).stdout.chomp
node.reverse_merge!({ node.reverse_merge!({
'consul' => { 'consul' => {
'manager' => false, 'manager' => false,
'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"', 'manager_hosts' => '"192.168.10.102", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
'ipaddr' => ipaddr, 'ipaddr' => ipaddr,
'dns' => dns, 'dns' => dns,
'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=', 'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',

View File

@ -7,6 +7,42 @@ package 'dnsmasq'
end end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "24.04"
execute "change link to /etc/resolv.conf" do
command "ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf"
end
directory "/etc/systemd/resolved.conf.d/" do
mode "0755"
owner "root"
group "root"
end
template '/etc/systemd/resolved.conf.d/partial.conf' do
owner 'root'
group 'root'
mode '644'
source 'templates/etc/systemd/resolved.conf.d/partial.conf.erb'
variables(dns: node['consul']['dns'])
notifies :restart, 'service[systemd-resolved]', :immediately
end
remote_file "/etc/default/dnsmasq" do
mode "0644"
owner "root"
group "root"
end
remote_file '/etc/dnsmasq.conf' do
owner 'root'
group 'root'
mode '644'
notifies :restart, 'service[dnsmasq]', :immediately
end
when "22.04" when "22.04"
template '/etc/systemd/resolved.conf' do template '/etc/systemd/resolved.conf' do
owner 'root' owner 'root'
@ -24,6 +60,8 @@ when "22.04"
group 'root' group 'root'
mode '644' mode '644'
source 'files/etc/dnsmasq.conf.2204'
notifies :restart, 'service[dnsmasq]', :immediately notifies :restart, 'service[dnsmasq]', :immediately
end end

View File

@ -0,0 +1,42 @@
# This file has six functions:
# 1) to completely disable starting this dnsmasq instance
# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
# 3) to select an alternative config file
# by setting DNSMASQ_OPTS to --conf-file=<file>
# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
# more configuration variables.
# 5) to stop the resolvconf package from controlling dnsmasq's
# idea of which upstream nameservers to use.
# 6) to avoid using this dnsmasq instance as the system's default resolver
# by setting DNSMASQ_EXCEPT="lo"
# For upgraders from very old versions, all the shell variables set
# here in previous versions are still honored by the init script
# so if you just keep your old version of this file nothing will break.
#DOMAIN_SUFFIX=`dnsdomainname`
#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
# The dnsmasq daemon is run by default conforming to the Debian Policy.
# To disable the service,
# for SYSV init, use "update-rc.d dnsmasq disable",
# for systemd, use "systemctl disable dnsmasq".
# By default search this drop directory for configuration options.
# Libvirt leaves a file here to make the system dnsmasq play nice.
# Comment out this line if you don't want this. The dpkg-* are file
# endings which cause dnsmasq to skip that file. This avoids pulling
# in backups made by dpkg.
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
# If the resolvconf package is installed, dnsmasq will use its output
# rather than the contents of /etc/resolv.conf to find upstream
# nameservers. Uncommenting this line inhibits this behaviour.
# Note that including a "resolv-file=<filename>" line in
# /etc/dnsmasq.conf is not enough to override resolvconf if it is
# installed: the line below must be uncommented.
IGNORE_RESOLVCONF=yes
# If the resolvconf package is installed, dnsmasq will tell resolvconf
# to use dnsmasq under 127.0.0.1 as the system's default resolver.
# Uncommenting this line inhibits this behaviour.
#DNSMASQ_EXCEPT="lo"

View File

@ -16,9 +16,9 @@
# these requests from bringing up the link unnecessarily. # these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part) # Never forward plain names (without a dot or domain part)
#domain-needed domain-needed
# Never forward addresses in the non-routed address spaces. # Never forward addresses in the non-routed address spaces.
#bogus-priv bogus-priv
# Uncomment these to enable DNSSEC validation and caching: # Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.) # (Requires dnsmasq to be built with DNSSEC option.)

View File

@ -0,0 +1,679 @@
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
server=/consul/127.0.0.1#8600
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
#enable-ra
# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any
# order.
# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60
# Always give the InfiniBand interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60
# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge
# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore
# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*
# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red
# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red
# Give a fixed IPv6 address and name to client with
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also that the [] around the IPv6 address are obligatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known
# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux
# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts
# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers
# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Common options can be given to dnsmasq by name:
# run "dnsmasq --help dhcp" to get a list.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4
# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4
# Override the default route supplied by dnsmasq and send no default
# route at all. Note that this only works for the options sent by
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set option 58 client renewal time (T1). Defaults to half of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T1,1m
# Set option 59 rebinding time (T2). Defaults to 7/8 of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T2,2m
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this if you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built-in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for iPXE. The idea is to send two different
# filenames, the first loads iPXE, and the second tells iPXE what to
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
#dhcp-boot=undionly.kpxe
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
# Encapsulated options for iPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Do not abort if the tftp-root is unavailable
#tftp-no-fail
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fashion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
# option with a DHCPACK including a Rapid Commit option and fully committed address
# and configuration information. This must only be enabled if either the server is
# the only server for the subnet, or multiple servers are present and they each
# commit a binding for all clients.
#dhcp-rapid-commit
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

View File

@ -1 +1 @@
md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ== md5:1ae55d337df5f9dd4fffc187a183b0b2:salt:205-89-236-103-190-38-95-67:aes-256-cfb:Ma2d+BQ24dejEcakleRob9FbO/uXSyymKm3hMllr4BU89COZ6g==

View File

@ -1 +1 @@
md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg== md5:c5e23c82c19bfdbd585c22c2244d48c4:salt:159-101-196-196-176-220-40-108:aes-256-cfb:ddjwjLHE5NsLCVioXEv9oaJoGtpJ+P6FvVs6ecKK26eaI49ElQ==

View File

@ -7,7 +7,7 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
end end
# Retrieve the Ubuntu code: # Retrieve the Ubuntu code:
DIST = run_command('lsb_release -cs').stdout.chomp DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
# Deploy the `apt` sources: # Deploy the `apt` sources:
template '/etc/apt/sources.list.d/hashicorp.list' do template '/etc/apt/sources.list.d/hashicorp.list' do

View File

@ -0,0 +1,3 @@
[Resolve]
DNS=127.0.0.1
DNSStubListener=no

View File

@ -31,3 +31,13 @@ remote_file '/home/kazu634/.ssh/config' do
mode '644' mode '644'
end end
# Disable Password authentication
file '/etc/ssh/sshd_config.d/50-cloud-init.conf' do
action :delete
end
execute 'systemctl restart ssh.service ' do
action :nothing
subscribes :run, 'file[/etc/ssh/sshd_config.d/50-cloud-init.conf]'
end

View File

@ -2,7 +2,7 @@
# Specifying the default settings: # Specifying the default settings:
# ------------------------------------------- # -------------------------------------------
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04", "22.04" when "20.04", "22.04", "24.04"
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
when "18.04" when "18.04"

View File

@ -3,8 +3,9 @@
# ------------------------------------------- # -------------------------------------------
node.reverse_merge!({ node.reverse_merge!({
'nginx' => { 'nginx' => {
'version' => '1.25.0', 'version' => '1.26.1',
'skip_lego' => 'true', 'skip_lego' => true,
'skip_webadm' => 'true' 'skip_webadm' => false,
'skip_deploy_conf' => true
} }
}) })

View File

@ -78,7 +78,7 @@ directory MODULEDIR do
end end
# Build starts here: # Build starts here:
execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -libressl -libresslversion 3.8.0" do execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -libressl -libresslversion 3.9.1" do
cwd WORKDIR cwd WORKDIR
user USER user USER

View File

@ -35,6 +35,13 @@ end
# Prerequisites for Building nginx: # Prerequisites for Building nginx:
if !node['nginx']['skip_webadm'] if !node['nginx']['skip_webadm']
include_recipe './webadm.rb' include_recipe './webadm.rb'
end
# Build nginx:
include_recipe './build.rb'
# Check whether to deploy the nginx confings:
if !node['nginx']['skip_deploy_conf']
include_recipe '../blog/default.rb' include_recipe '../blog/default.rb'
include_recipe '../everun/default.rb' include_recipe '../everun/default.rb'
end end
@ -44,9 +51,5 @@ if !node['nginx']['skip_lego']
include_recipe './lego.rb' include_recipe './lego.rb'
end end
# Build nginx:
include_recipe './build.rb'
# Setup nginx: # Setup nginx:
include_recipe './setup.rb' include_recipe './setup.rb'

View File

@ -47,17 +47,18 @@ end
end end
# Create `repo` directory: # Create `repo` directory:
git '/home/webadm/repo/nginx-config' do if !node['nginx']['skip_deploy_conf']
git '/home/webadm/repo/nginx-config' do
user 'webadm' user 'webadm'
repository 'https://github.com/kazu634/nginx-config.git' repository 'https://github.com/kazu634/nginx-config.git'
end end
execute '/home/webadm/repo/nginx-config/deploy.sh' do execute '/home/webadm/repo/nginx-config/deploy.sh' do
user 'root' user 'root'
cwd '/home/webadm/repo/nginx-config/' cwd '/home/webadm/repo/nginx-config/'
end end
service 'consul-template' do service 'consul-template' do
action :restart action :restart
end
end end

View File

@ -31,14 +31,7 @@ directory '/opt/cni/bin' do
mode '0755' mode '0755'
end end
%w( bandwidth bridge dhcp firewall host-device host-local ipvlan loopback macvlan portmap ptp sbr static tuning vlan vrf ).each do |f| execute "eget containernetworking/plugins --to /opt/cni/bin --upgrade-only -a ^sha --all"
remote_file "/opt/cni/bin/#{f}" do
owner 'root'
group 'root'
mode '0775'
end
end
directory '/etc/cni' do directory '/etc/cni' do
owner 'root' owner 'root'

View File

@ -2,7 +2,14 @@ include_recipe './attributes.rb'
include_recipe './install.rb' include_recipe './install.rb'
if node['nomad']['client']
include_recipe '../docker/default.rb'
include_recipe './csi.rb'
package "consul-cni"
package "dmidecode"
end
if node['nomad']['manager'] || node['nomad']['client'] if node['nomad']['manager'] || node['nomad']['client']
include_recipe './setup.rb' include_recipe './setup.rb'
include_recipe './csi.rb'
end end

View File

@ -7,7 +7,7 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
end end
# Retrieve the Ubuntu code: # Retrieve the Ubuntu code:
DIST = run_command('lsb_release -cs').stdout.chomp DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
# Deploy the `apt` sources: # Deploy the `apt` sources:
template '/etc/apt/sources.list.d/hashicorp.list' do template '/etc/apt/sources.list.d/hashicorp.list' do

View File

@ -1,5 +1,6 @@
# Kernel parameters: # Kernel parameters:
execute 'modprobe br_netfilter' execute 'modprobe br_netfilter'
execute 'modprobe bridge'
remote_file '/etc/sysctl.d/90-nomad.conf' do remote_file '/etc/sysctl.d/90-nomad.conf' do
owner 'root' owner 'root'

View File

@ -3,23 +3,12 @@
# ------------------------------------------- # -------------------------------------------
node.reverse_merge!({ node.reverse_merge!({
'node_exporter' => { 'node_exporter' => {
'url' => 'https://github.com/prometheus/node_exporter/releases/download/', 'url' => 'prometheus/node_exporter',
'prefix' => 'node_exporter-',
'postfix' => '.linux-amd64.tar.gz',
'storage' => '/opt/node_exporter/bin/', 'storage' => '/opt/node_exporter/bin/',
'location' => '/usr/local/bin/' 'location' => '/usr/local/bin/'
}, },
'blackbox_exporter' => {
'url' => 'https://github.com/prometheus/blackbox_exporter/releases/download/',
'prefix' => 'blackbox_exporter-',
'postfix' => '.linux-amd64.tar.gz',
'storage' => '/opt/blackbox_exporter/bin/',
'location' => '/usr/local/bin/'
},
'filestat_exporter' => { 'filestat_exporter' => {
'url' => 'https://github.com/michael-doubez/filestat_exporter/releases/download/', 'url' => 'michael-doubez/filestat_exporter',
'prefix' => 'filestat_exporter-',
'postfix' => '.linux-amd64.tar.gz',
'storage' => '/opt/filestat_exporter/', 'storage' => '/opt/filestat_exporter/',
'location' => '/usr/local/bin/' 'location' => '/usr/local/bin/'
}, },

View File

@ -3,9 +3,7 @@ BIN = '/usr/local/bin/exporter_proxy'
CONFDIR = '/etc/prometheus_exporters.d/exporter_proxy/' CONFDIR = '/etc/prometheus_exporters.d/exporter_proxy/'
CONF = 'config.yml' CONF = 'config.yml'
execute "wget #{URL} -O #{BIN}" do execute "eget rrreeeyyy/exporter_proxy --to /usr/local/bin/ --upgrade-only"
not_if "test -e #{BIN}"
end
file BIN do file BIN do
user 'root' user 'root'

View File

@ -1,53 +1,20 @@
filestat_exporter_url = '' # Install:
filestat_exporter_bin = '' directory node['filestat_exporter']['storage'] do
owner 'root'
vtag = '' group 'root'
mode '755'
# Calculate the Download URL:
begin
require 'net/http'
uri = URI.parse('https://github.com/michael-doubez/filestat_exporter/releases/latest')
Timeout.timeout(3) do
response = Net::HTTP.get_response(uri)
vtag = $1 if response['location'] =~ %r{tag\/(v\d+\.\d+\.\d+)}
filestat_exporter_bin = "#{node['filestat_exporter']['prefix']}#{vtag}#{node['filestat_exporter']['postfix']}"
filestat_exporter_url = "#{node['filestat_exporter']['url']}/#{vtag}/#{filestat_exporter_bin}"
end
rescue
# Abort the chef client process:
raise 'Cannot connect to http://github.com.'
end end
# バージョン確認して、アップデート必要かどうか確認 execute "eget #{node['filestat_exporter']['url']} --to #{node['filestat_exporter']['storage']}"
result = run_command("filestat_exporter --version 2>&1 | grep #{vtag}", error: false)
if result.exit_status != 0
# Download:
TMP = "/tmp/#{filestat_exporter_bin}"
execute "wget #{filestat_exporter_url} -O #{TMP}" # Change Owner and Permissions:
file "#{node['filestat_exporter']['storage']}filestat_exporter" do
# Install:
directory node['filestat_exporter']['storage'] do
owner 'root' owner 'root'
group 'root' group 'root'
mode '755' mode '755'
end end
execute "tar zxf #{TMP} -C #{node['filestat_exporter']['storage']} --strip-components 1" # Create Link
link "#{node['filestat_exporter']['location']}filestat_exporter" do
# Change Owner and Permissions:
file "#{node['filestat_exporter']['storage']}filestat_exporter" do
owner 'root'
group 'root'
mode '755'
end
# Create Link
link "#{node['filestat_exporter']['location']}filestat_exporter" do
to "#{node['filestat_exporter']['storage']}filestat_exporter" to "#{node['filestat_exporter']['storage']}filestat_exporter"
end
end end

View File

@ -1,55 +1,20 @@
node_exporter_url = '' # Install:
node_exporter_bin = '' directory node['node_exporter']['storage'] do
owner 'root'
tag = '' group 'root'
vtag = '' mode '755'
# Calculate the Download URL:
begin
require 'net/http'
uri = URI.parse('https://github.com/prometheus/node_exporter/releases/latest')
Timeout.timeout(3) do
response = Net::HTTP.get_response(uri)
vtag = $1 if response['location'] =~ %r{tag\/(v\d+\.\d+\.\d+)}
tag = vtag.sub(/^v/, '')
node_exporter_bin = "#{node['node_exporter']['prefix']}#{tag}#{node['node_exporter']['postfix']}"
node_exporter_url = "#{node['node_exporter']['url']}/#{vtag}/#{node_exporter_bin}"
end
rescue
# Abort the chef client process:
raise 'Cannot connect to http://github.com.'
end end
# バージョン確認して、アップデート必要かどうか確認 execute "eget #{node['node_exporter']['url']} --to #{node['node_exporter']['storage']} --upgrade-only"
result = run_command("node_exporter --version 2>&1 | grep #{tag}", error: false)
if result.exit_status != 0
# Download:
TMP = "/tmp/#{node_exporter_bin}"
execute "wget #{node_exporter_url} -O #{TMP}" # Change Owner and Permissions:
file "#{node['node_exporter']['storage']}node_exporter" do
# Install:
directory node['node_exporter']['storage'] do
owner 'root' owner 'root'
group 'root' group 'root'
mode '755' mode '755'
end end
execute "tar zxf #{TMP} -C #{node['node_exporter']['storage']} --strip-components 1" # Create Link
link "#{node['node_exporter']['location']}node_exporter" do
# Change Owner and Permissions:
file "#{node['node_exporter']['storage']}node_exporter" do
owner 'root'
group 'root'
mode '755'
end
# Create Link
link "#{node['node_exporter']['location']}node_exporter" do
to "#{node['node_exporter']['storage']}node_exporter" to "#{node['node_exporter']['storage']}node_exporter"
end
end end

View File

@ -3,7 +3,7 @@
# ------------------------------------------- # -------------------------------------------
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04", "22.04" when "20.04", "22.04", "24.04"
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
when "18.04" when "18.04"
@ -21,6 +21,6 @@ node.reverse_merge!({
'manager' => false, 'manager' => false,
'ipaddr' => ipaddr, 'ipaddr' => ipaddr,
'hostname' => hostname, 'hostname' => hostname,
'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'], 'ips' => ['192.168.10.140', '192.168.10.141', '192.168.10.142'],
} }
}) })

View File

@ -0,0 +1,5 @@
md5:cb234b386c1601dc3c6bf1072c00a441:salt:123-90-76-221-9-96-59-101:aes-256-cfb:SfQ2qhmH163jZgh9yequT6JyUCNfaCYW1Ch6BDE6Lid8fj6xcwWYLLTycXhs
o0y3Wvf3lgt3rHQy6J2tPuSahbtMcZwcBUp6jblNahBJW5yw1pUR/cLNXruy
J3/LLbA2BPBb+l2TAzVfUTNHKdPY7Z1hZ2hcSgf7uK6cCoSHrPGF1jePQx7+
Ys1sJLsg0M7jUXUiHrNZGdf5ShR0oeyQ+1tFYu9bMVn/EnJHoTtrL6Zbrb8b
14YmdtqwhuY46L+wTE2nmWqBUdCYCnlta8RHzgnXxWQRLnnEZ356oW+WIQ==

View File

@ -7,12 +7,15 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
end end
# Retrieve the Ubuntu code: # Retrieve the Ubuntu code:
DIST = run_command('lsb_release -cs').stdout.chomp DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
# Deploy the `apt` sources: # Deploy the `apt` sources:
template '/etc/apt/sources.list.d/hashicorp.list' do template '/etc/apt/sources.list.d/hashicorp.list' do
action :create action :create
variables(distribution: DIST) variables(distribution: DIST)
owner 'root'
group 'root'
end end
execute 'apt update' do execute 'apt update' do

View File

@ -2,9 +2,21 @@
template '/etc/vault.d/vault.hcl' do template '/etc/vault.d/vault.hcl' do
owner 'vault' owner 'vault'
group 'vault' group 'vault'
mode '644' mode '600'
variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips']) variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
notifies :restart, 'service[vault]'
end
encrypted_remote_file '/etc/vault.d/vault.env' do
owner 'vault'
group 'vault'
mode '600'
source 'files/etc/vault.d/vault.env'
password ENV['ITAMAE_PASSWORD']
notifies :restart, 'service[vault]'
end end
directory '/etc/vault.d/policies' do directory '/etc/vault.d/policies' do
@ -26,3 +38,18 @@ remote_file '/etc/logrotate.d/vault' do
group 'root' group 'root'
mode '644' mode '644'
end end
%w(8200 8201).each do |port|
execute "ufw allow #{port}" do
user 'root'
not_if "LANG=c ufw status | grep #{port}"
notifies :run, 'execute[ufw reload-or-enable]'
end
end
service 'vault' do
action [:enable, :start]
end

View File

@ -1,15 +1,15 @@
ui = true ui = true
disable_mlock = true disable_mlock = true
# service_registration "consul" { service_registration "consul" {
# address = "127.0.0.1:8500" address = "127.0.0.1:8500"
# token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8" token = "63c7eb0b-3e39-95e8-9c70-6e42885cb8f8"
# } }
storage "raft" { storage "raft" {
path = "/opt/vault/data" path = "/opt/vault/data"
node_id = "<%= @HOSTNAME %>" node_id = "<%= @HOSTNAME %>"
<% @IPS.each do |ip| %> <% @IPS.each do |ip| %>
retry_join { retry_join {
leader_api_addr = "http://<%= ip %>:8200" leader_api_addr = "http://<%= ip %>:8200"
@ -18,7 +18,7 @@ storage "raft" {
} }
api_addr = "http://<%= @IPADDR %>:8200" api_addr = "http://<%= @IPADDR %>:8200"
cluster_addr = "http://<%= @IPADDR %>::8201" cluster_addr = "http://<%= @IPADDR %>:8201"
# HTTPS listener # HTTPS listener
listener "tcp" { listener "tcp" {

View File

@ -2,7 +2,7 @@
# Specifying the default settings: # Specifying the default settings:
# ------------------------------------------- # -------------------------------------------
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04", "22.04" when "20.04", "22.04", "24.04"
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
when "18.04" when "18.04"