Merge pull request 'Update the Vault tokens for the provisioning process.' (#28) from BumpVaultTokens into main

Reviewed-on: #28

cookbooks/base/default.rb

@@ -35,6 +35,7 @@ end
 
 # Install the necessary packages:
 include_recipe './packages.rb'
+include_recipe './eget.rb'
 
 # Lang Setting:
 include_recipe './lang.rb'
@@ -69,9 +70,12 @@ include_recipe './starship.rb'
 # Install cloudflared command:
 include_recipe './cloudflared.rb'
 
+# Disable Ubuntu Pro
+include_recipe './ubuntupro.rb'
+
 # recipes for Ubuntu 20.04 and later
 case node['platform_version']
-when "20.04", "22.04"
+when "20.04", "22.04", "24.04"
   remote_file '/etc/multipath.conf' do
     owner 'root'
     group 'root'
@@ -89,29 +93,40 @@ when "20.04", "22.04"
   service 'systemd-timesyncd' do
     action :enable
   end
-end
 
-case node['platform_version']
-when "20.04"
-  remote_file '/etc/systemd/timesyncd.conf' do
-    owner 'root'
-    group 'root'
-    mode '0644'
+  case node['platform_version']
+  when "20.04"
+    remote_file '/etc/systemd/timesyncd.conf' do
+      owner 'root'
+      group 'root'
+      mode '0644'
 
-    notifies :restart, 'service[systemd-timesyncd]'
-  end
-when "22.04"
-  remote_file '/etc/systemd/timesyncd.conf' do
-    owner 'root'
-    group 'root'
-    mode '0644'
+      notifies :restart, 'service[systemd-timesyncd]'
+    end
+  when "22.04"
+    remote_file '/etc/systemd/timesyncd.conf' do
+      owner 'root'
+      group 'root'
+      mode '0644'
 
-    source 'files/etc/systemd/timesyncd.2204.conf'
+      source 'files/etc/systemd/timesyncd.2204.conf'
 
-    notifies :restart, 'service[systemd-timesyncd]'
+      notifies :restart, 'service[systemd-timesyncd]'
+    end
+  when "24.04"
+    remote_file '/etc/systemd/timesyncd.conf' do
+      owner 'root'
+      group 'root'
+      mode '0644'
+
+      source 'files/etc/systemd/timesyncd.2404.conf'
+
+      notifies :restart, 'service[systemd-timesyncd]'
+    end
   end
 end
 
+
 # AWS EC2 Swap Setting:
 if node['is_ec2']
   include_recipe './aws_ec2.rb'

cookbooks/base/eget.rb

@@ -0,0 +1,14 @@
+result = run_command('which eget',  error: false)
+if result.exit_status != 0
+  # Install eget
+  execute 'curl https://zyedidia.github.io/eget.sh | sh' do
+    cwd '/usr/local/bin/'
+  end
+
+  execute 'chown root:root /usr/local/bin/eget'
+  execute 'chmod 755 /usr/local/bin/eget'
+end
+
+%w( zyedidia/eget mgdm/htmlq ).each do |p|
+  execute "eget #{p} --to /usr/local/bin/ --upgrade-only"
+end

cookbooks/base/files/etc/ssh/sshd_config.2404

@@ -0,0 +1,122 @@
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 10022
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

cookbooks/base/files/etc/systemd/timesyncd.2404.conf

@@ -0,0 +1,26 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file (or a copy of it placed in
+# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
+# the /etc/systemd/timesyncd.conf.d/ directory. The latter is generally
+# recommended. Defaults can be restored by simply deleting the main
+# configuration file and all drop-ins located in /etc/.
+#
+# Use 'systemd-analyze cat-config systemd/timesyncd.conf' to display the full config.
+#
+# See timesyncd.conf(5) for details.
+
+[Time]
+NTP=192.168.10.1
+#FallbackNTP=ntp.ubuntu.com
+#RootDistanceMaxSec=5
+#PollIntervalMinSec=32
+#PollIntervalMaxSec=2048
+#ConnectionRetrySec=30
+#SaveIntervalSec=60

cookbooks/base/packages.rb

@@ -20,24 +20,28 @@ end
 
 ### Here we are going to install git.
 # Constants:
-KEYSRV = 'hkp://keyserver.ubuntu.com:80'
-ID = 'E1DF1F24'
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "24.04"
+  execute 'add-apt-repository -y ppa:git-core/ppa' do
+    not_if 'test -e /etc/apt/sources.list.d/git-core-ubuntu-ppa-noble.sources'
+  end
+else
+  KEYSRV = 'hkp://keyserver.ubuntu.com:80'
+  ID = 'E1DF1F24'
 
-GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push'
-PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push'
+  # Retrieve the Ubuntu code:
+  DIST = run_command('lsb_release -cs').stdout.chomp
 
-# Retrieve the Ubuntu code:
-DIST = run_command('lsb_release -cs').stdout.chomp
+  # Add the public key file to install `git`
+  execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
+    not_if 'apt-key list | grep "E1DF 1F24"'
+  end
 
-# Add the public key file to install `git`
-execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
-  not_if 'apt-key list | grep "E1DF 1F24"'
-end
-
-# Deploy the `apt` sources:
-template '/etc/apt/sources.list.d/git.list' do
-  action :create
-  variables(distribution: DIST)
+  # Deploy the `apt` sources:
+  template '/etc/apt/sources.list.d/git.list' do
+    action :create
+    variables(distribution: DIST)
+  end
 end
 
 execute 'apt update' do
@@ -48,6 +52,9 @@ execute 'apt install git -y' do
   not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa'
 end
 
+GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push'
+PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push'
+
 execute "wget #{PREPUSH} -O #{GIT_PREPUSH}" do
   not_if "test -e #{GIT_PREPUSH}"
 end

cookbooks/base/ssh.rb

@@ -9,6 +9,16 @@ end
 
 # Deploy the `sshd` configuration file:
 case node['platform_version']
+when "24.04"
+  remote_file '/etc/ssh/sshd_config' do
+    user 'root'
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    source 'files/etc/ssh/sshd_config.2404'
+  end
+
 when "22.04"
   remote_file '/etc/ssh/sshd_config' do
     user 'root'
@@ -48,9 +58,15 @@ else
   end
 end
 
+case node['platform_version']
+when "24.04"
+  execute 'systemctl disable --now ssh.socket'
+  execute 'systemctl enable --now ssh.service'
+  execute 'systemctl daemon-reload'
+end
 
 # Apply the changes:
-execute 'systemctl reload ssh.service ' do
+execute 'systemctl restart ssh.service ' do
   action :nothing
   subscribes :run, 'remote_file[/etc/ssh/sshd_config]'
 end

cookbooks/base/timezone.rb

@@ -1,5 +1,5 @@
 case node['platform_version']
-when "18.04", "20.04", "22.04"
+when "18.04", "20.04", "22.04", "24.04"
   execute 'timedatectl set-timezone Asia/Tokyo' do
     not_if 'timedatectl | grep Tokyo'
   end

cookbooks/base/ubuntupro.rb

@@ -0,0 +1,11 @@
+case node['platform_version']
+when "24.04"
+  directory "/etc/apt/apt.conf.d/bk/"
+
+  %w( 20apt-esm-hook.conf ).each do |conf|
+    execute "mv /etc/apt/apt.conf.d/#{conf} /etc/apt/apt.conf.d/bk/#{conf}"
+    execute "touch /etc/apt/apt.conf.d/#{conf}"
+  end
+
+  execute 'pro config set apt_news=false'
+end

cookbooks/base/unattended-upgrade.rb

@@ -45,7 +45,7 @@ when "18.04"
     not_if 'test -e /var/log/cron-apt/log'
   end
 
-when '20.04', '22.04'
+when '20.04', '22.04', '24.04'
   %w(20auto-upgrades 50unattended-upgrades).each do |conf|
     remote_file "/etc/apt/apt.conf.d/#{conf}" do
       owner 'root'

cookbooks/consul-template/attributes.rb

@@ -1,10 +1,12 @@
 # -------------------------------------------
 # Specifying the default settings:
 # -------------------------------------------
+
+
 node.reverse_merge!({
   'consulTemplate' => {
     'baseUrl' => 'https://releases.hashicorp.com/consul-template/',
-    'version' => '0.25.2',
+    'version' => `curl -s https://releases.hashicorp.com/consul-template/ | htmlq -t 'a' | grep consul-template | head -n 1 | sed -e 's/^[^_]*_//g'`.chomp!,
     'zipPrefix' => 'consul-template_',
     'zipPostfix' => '_linux_amd64.zip',
     'storage' => '/opt/consul-template/consul-template',

cookbooks/consul-template/install.rb

@@ -5,20 +5,13 @@ consulTemplate_url = "#{node['consulTemplate']['baseUrl']}#{node['consulTemplate
 result = run_command('which consul-template', error: false)
 if result.exit_status != 0
 
-  # Download:
-  TMP = "/tmp/#{consulTemplate_zip}"
-
-  execute "wget #{consulTemplate_url} -O #{TMP}"
-
   directory '/opt/consul-template' do
     owner 'root'
     group 'root'
     mode  '0755'
   end
 
-  execute "unzip #{TMP} -d /opt/consul-template/" do
-    not_if 'test -e /opt/consul-template/consul-template'
-  end
+  execute "eget #{consulTemplate_url} --to /opt/consul-template/"
 
   # Change Owner and Permissions:
   file "#{node['consulTemplate']['storage']}" do

cookbooks/consul/attributes.rb

@@ -2,7 +2,7 @@
 # Specifying the default settings:
 # -------------------------------------------
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04", "22.04"
+when "20.04", "22.04", "24.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"
@@ -19,7 +19,7 @@ dns = run_command(cmd).stdout.chomp
 node.reverse_merge!({
   'consul' => {
     'manager' => false,
-    'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
+    'manager_hosts' => '"192.168.10.102", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
     'ipaddr' => ipaddr,
     'dns' => dns,
     'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',

cookbooks/consul/dnsmasq.rb

@@ -7,6 +7,42 @@ package 'dnsmasq'
 end
 
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "24.04"
+  execute "change link to /etc/resolv.conf" do
+    command "ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf"
+  end
+
+  directory "/etc/systemd/resolved.conf.d/" do
+    mode  "0755"
+    owner "root"
+    group "root"
+  end
+
+  template '/etc/systemd/resolved.conf.d/partial.conf' do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    source 'templates/etc/systemd/resolved.conf.d/partial.conf.erb'
+    variables(dns: node['consul']['dns'])
+
+    notifies :restart, 'service[systemd-resolved]', :immediately
+  end
+
+  remote_file "/etc/default/dnsmasq" do
+    mode   "0644"
+    owner  "root"
+    group  "root"
+  end
+
+  remote_file '/etc/dnsmasq.conf' do
+    owner 'root'
+    group 'root'
+    mode '644'
+
+    notifies :restart, 'service[dnsmasq]', :immediately
+  end
+
 when "22.04"
   template '/etc/systemd/resolved.conf' do
     owner 'root'
@@ -24,6 +60,8 @@ when "22.04"
     group 'root'
     mode '644'
 
+    source 'files/etc/dnsmasq.conf.2204'
+
     notifies :restart, 'service[dnsmasq]', :immediately
   end
 

cookbooks/consul/files/etc/default/dnsmasq

@@ -0,0 +1,42 @@
+# This file has six functions:
+# 1) to completely disable starting this dnsmasq instance
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
+# 3) to select an alternative config file
+#    by setting DNSMASQ_OPTS to --conf-file=<file>
+# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
+#    more configuration variables.
+# 5) to stop the resolvconf package from controlling dnsmasq's
+#    idea of which upstream nameservers to use.
+# 6) to avoid using this dnsmasq instance as the system's default resolver
+#    by setting DNSMASQ_EXCEPT="lo"
+# For upgraders from very old versions, all the shell variables set
+# here in previous versions are still honored by the init script
+# so if you just keep your old version of this file nothing will break.
+
+#DOMAIN_SUFFIX=`dnsdomainname`
+#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
+
+# The dnsmasq daemon is run by default conforming to the Debian Policy.
+# To disable the service,
+# for SYSV init, use "update-rc.d dnsmasq disable",
+# for systemd, use "systemctl disable dnsmasq".
+
+# By default search this drop directory for configuration options.
+# Libvirt leaves a file here to make the system dnsmasq play nice.
+# Comment out this line if you don't want this. The dpkg-* are file
+# endings which cause dnsmasq to skip that file. This avoids pulling
+# in backups made by dpkg.
+CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
+
+# If the resolvconf package is installed, dnsmasq will use its output
+# rather than the contents of /etc/resolv.conf to find upstream
+# nameservers. Uncommenting this line inhibits this behaviour.
+# Note that including a "resolv-file=<filename>" line in
+# /etc/dnsmasq.conf is not enough to override resolvconf if it is
+# installed: the line below must be uncommented.
+IGNORE_RESOLVCONF=yes
+
+# If the resolvconf package is installed, dnsmasq will tell resolvconf
+# to use dnsmasq under 127.0.0.1 as the system's default resolver.
+# Uncommenting this line inhibits this behaviour.
+#DNSMASQ_EXCEPT="lo"

cookbooks/consul/files/etc/dnsmasq.conf

@@ -16,9 +16,9 @@
 # these requests from bringing up the link unnecessarily.
 
 # Never forward plain names (without a dot or domain part)
-#domain-needed
+domain-needed
 # Never forward addresses in the non-routed address spaces.
-#bogus-priv
+bogus-priv
 
 # Uncomment these to enable DNSSEC validation and caching:
 # (Requires dnsmasq to be built with DNSSEC option.)

cookbooks/consul/files/etc/dnsmasq.conf.2204

@@ -0,0 +1,679 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By  default,  dnsmasq  will  send queries to any of the upstream
+# servers it knows about and tries to favour servers to are  known
+# to  be  up.  Uncommenting this forces dnsmasq to try each query
+# with  each  server  strictly  in  the  order  they   appear   in
+# /etc/resolv.conf
+strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+server=/consul/127.0.0.1#8600
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=
+# Or you can specify which interface _not_ to listen on
+#except-interface=
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+#bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC algorithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overridden by ra-stateless, ra-names, et al, the router
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the InfiniBand interface with hardware address
+# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
+# ip address 192.168.0.61. The client id is derived from the prefix
+# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
+# hex digits of the hardware address.
+#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also that the [] around the IPv6 address are obligatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Ask client to poll for option changes every six hours. (RFC4242)
+#dhcp-option=option6:information-refresh-time,6h
+
+# Set option 58 client renewal time (T1). Defaults to half of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T1,1m
+
+# Set option 59 rebinding time (T2). Defaults to 7/8 of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T2,2m
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0           # option ip-forwarding off
+#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+#dhcp-option=46,8           # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this if you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built-in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for iPXE. The idea is to send two different
+# filenames, the first loads iPXE, and the second tells iPXE what to
+# load. The dhcp-match sets the ipxe tag for requests from iPXE.
+#dhcp-boot=undionly.kpxe
+#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
+
+# Encapsulated options for iPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
+#dhcp-option=encap:175, 177, string   # bus-id
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Do not abort if the tftp-root is unavailable
+#tftp-no-fail
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=tag:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fashion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
+# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
+# option with a DHCPACK including a Rapid Commit option and fully committed address
+# and configuration information. This must only be enabled if either the server is
+# the only server for the subnet, or multiple servers are present and they each
+# commit a binding for all clients.
+#dhcp-rapid-commit
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come from /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records.  These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore

cookbooks/consul/files/etc/vault.d/tokens/roleid

@@ -1 +1 @@
-md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ==
+md5:d0bf5c103435e9c51e21752192e89575:salt:20-135-197-125-136-152-137-246:aes-256-cfb:aVa3ufSt0fr6iarjwajOHZZs4bGSOo38N577EEbCJwXNW/M41g==

cookbooks/consul/files/etc/vault.d/tokens/secretid

@@ -1 +1 @@
-md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg==
+md5:ab19117b12b65eef5d46283a1f9d8430:salt:2-183-180-51-94-222-93-197:aes-256-cfb:hlO5lzU8SmLmqPjquIJgwEzSlM5w7ij8gGFZXJVY2yt0KNRqrw==

cookbooks/consul/install.rb

@@ -7,7 +7,7 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
 end
 
 # Retrieve the Ubuntu code:
-DIST = run_command('lsb_release -cs').stdout.chomp
+DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
 
 # Deploy the `apt` sources:
 template '/etc/apt/sources.list.d/hashicorp.list' do

cookbooks/consul/templates/etc/systemd/resolved.conf.d/partial.conf.erb

@@ -0,0 +1,3 @@
+[Resolve]
+DNS=127.0.0.1
+DNSStubListener=no

cookbooks/kazu634/ssh.rb

@@ -31,3 +31,13 @@ remote_file '/home/kazu634/.ssh/config' do
   mode '644'
 end
 
+# Disable Password authentication
+file '/etc/ssh/sshd_config.d/50-cloud-init.conf' do
+  action :delete
+end
+
+execute 'systemctl restart ssh.service ' do
+  action :nothing
+  subscribes :run, 'file[/etc/ssh/sshd_config.d/50-cloud-init.conf]'
+end
+

cookbooks/loki/attributes.rb

@@ -2,7 +2,7 @@
 # Specifying the default settings:
 # -------------------------------------------
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04", "22.04"
+when "20.04", "22.04", "24.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"

cookbooks/loki/files/etc/loki/loki-config.yml

@@ -2,44 +2,50 @@ auth_enabled: false
 
 server:
   http_listen_port: 3100
+  grpc_listen_port: 9096
 
-ingester:
-  lifecycler:
-    address: 127.0.0.1
-    ring:
-      kvstore:
-        store: inmemory
-      replication_factor: 1
-    final_sleep: 0s
-  chunk_idle_period: 5m
-  chunk_retain_period: 30s
-  max_transfer_retries: 0
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /var/opt/loki
+  storage:
+    filesystem:
+      chunks_directory: /var/opt/loki/chunks
+      rules_directory: /var/opt/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
 
 schema_config:
   configs:
-    - from: 2018-04-15
-      store: boltdb
+    - from: 2020-10-24
+      store: tsdb
       object_store: filesystem
-      schema: v11
+      schema: v13
       index:
         prefix: index_
-        period: 168h
+        period: 24h
 
-storage_config:
-  boltdb:
-    directory: /var/opt/loki/index
+frontend:
+  encoding: protobuf
 
-  filesystem:
-    directory: /var/opt/loki/chunks
+# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
+# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
+#
+# Statistics help us better understand how Loki is used, and they show us performance
+# levels for most users. This helps us prioritize features and documentation.
+# For more information on what's sent, look at
+# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
+# Refer to the buildReport method to see what goes into a report.
+#
+# If you would like to disable reporting, uncomment the following lines:
+#analytics:
+#  reporting_enabled: false
 
-limits_config:
-  enforce_metric_name: false
-  reject_old_samples: true
-  reject_old_samples_max_age: 168h
-
-chunk_store_config:
-  max_look_back_period: 0s
-
-table_manager:
-  retention_deletes_enabled: false
-  retention_period: 0s

cookbooks/loki/setup.rb

@@ -8,13 +8,11 @@
 end
 
 # Deploy `prometheus` files:
-template '/etc/loki/loki-config.yml' do
+remote_file '/etc/loki/loki-config.yml' do
   owner  'root'
   group  'root'
   mode   '644'
 
-  variables(ipaddr: node['loki']['ipaddr'])
-
   notifies :restart, 'service[loki]'
 end
 

cookbooks/loki/templates/etc/loki/loki-config.yml

@@ -1,45 +0,0 @@
-auth_enabled: false
-
-server:
-  http_listen_port: 3100
-
-ingester:
-  lifecycler:
-    address: 127.0.0.1
-    ring:
-      kvstore:
-        store: inmemory
-      replication_factor: 1
-    final_sleep: 0s
-  chunk_idle_period: 5m
-  chunk_retain_period: 30s
-  max_transfer_retries: 0
-
-schema_config:
-  configs:
-    - from: 2018-04-15
-      store: boltdb
-      object_store: filesystem
-      schema: v11
-      index:
-        prefix: index_
-        period: 168h
-
-storage_config:
-  boltdb:
-    directory: /var/opt/loki/index
-
-  filesystem:
-    directory: /var/opt/loki/chunks
-
-limits_config:
-  enforce_metric_name: false
-  reject_old_samples: true
-  reject_old_samples_max_age: 168h
-
-chunk_store_config:
-  max_look_back_period: 0s
-
-table_manager:
-  retention_deletes_enabled: false
-  retention_period: 0s

cookbooks/lxc/default.rb

@@ -0,0 +1,16 @@
+# Install the necessary packages:
+include_recipe './packages.rb'
+include_recipe './eget.rb'
+
+# `unattended-upgrade` settings:
+include_recipe './unattended-upgrade.rb'
+
+# `ufw` configurations:
+include_recipe './ufw.rb'
+
+# timezone configurations:
+include_recipe './timezone.rb'
+
+execute 'ufw allow 22/tcp' do
+  notifies :run, 'execute[ufw reload-or-enable]'
+end

cookbooks/lxc/eget.rb

@@ -0,0 +1,14 @@
+result = run_command('which eget',  error: false)
+if result.exit_status != 0
+  # Install eget
+  execute 'curl https://zyedidia.github.io/eget.sh | sh' do
+    cwd '/usr/local/bin/'
+  end
+
+  execute 'chown root:root /usr/local/bin/eget'
+  execute 'chmod 755 /usr/local/bin/eget'
+end
+
+%w( zyedidia/eget mgdm/htmlq ).each do |p|
+  execute "eget #{p} --to /usr/local/bin/ --upgrade-only"
+end

cookbooks/lxc/files/etc/apt/apt.conf.d/20auto-upgrades

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

cookbooks/lxc/files/etc/apt/apt.conf.d/50unattended-upgrades

@@ -0,0 +1,143 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	// Extended Security Maintenance; doesn't necessarily exist for
+	// every release and this system may not have it installed, but if
+	// available, the policy for updates is such that unattended-upgrades
+	// should also install from here by default.
+	"${distro_id}ESMApps:${distro_codename}-apps-security";
+	"${distro_id}ESM:${distro_codename}-infra-security";
+//	"${distro_id}:${distro_codename}-updates";
+//	"${distro_id}:${distro_codename}-proposed";
+//	"${distro_id}:${distro_codename}-backports";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+    // The following matches all packages starting with linux-
+//  "linux-";
+
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
+};
+
+// This option controls whether the development release of Ubuntu will be
+// upgraded automatically. Valid values are "true", "false", and "auto".
+Unattended-Upgrade::DevRelease "auto";
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+//Unattended-Upgrade::Mail "";
+
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+//Unattended-Upgrade::MailReport "on-change";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

cookbooks/lxc/files/etc/cron-apt/action.d/3-download

@@ -0,0 +1,2 @@
+autoclean -y
+upgrade -y -o APT::Get::Show-Upgraded=true

cookbooks/lxc/files/etc/cron-apt/config

@@ -0,0 +1,11 @@
+# Configuration for cron-apt. For further information about the possible
+# configuration settings see the README file.
+
+SYSLOGON="always"
+DEBUG="verbose"
+
+MAILON=""
+
+APTCOMMAND=/usr/bin/apt
+
+OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list"

cookbooks/lxc/packages.rb

@@ -0,0 +1,14 @@
+# Execute `apt update`:
+execute 'apt update'
+
+# Install the necessary packages:
+%w[build-essential zsh vim-nox debian-keyring curl direnv jq avahi-daemon wget gpg coreutils].each do |pkg|
+  package pkg
+end
+
+execute 'ufw allow 5353/udp' do
+  user 'root'
+
+  not_if 'LANG=c ufw status | grep 5353'
+  notifies :run, 'execute[ufw reload-or-enable]'
+end

cookbooks/lxc/templates/etc/apt/sources.list.d/git.list

@@ -0,0 +1 @@
+deb      "http://ppa.launchpad.net/git-core/ppa/ubuntu" <%= @distribution %> main

cookbooks/lxc/timezone.rb

@@ -0,0 +1,23 @@
+case node['platform_version']
+when "18.04", "20.04", "22.04", "24.04"
+  execute 'timedatectl set-timezone Asia/Tokyo' do
+    not_if 'timedatectl | grep Tokyo'
+  end
+else
+  remote_file '/etc/timezone' do
+    user 'root'
+    owner 'root'
+    group 'root'
+    mode '644'
+  end
+
+  [
+    'cp -f /usr/share/zoneinfo/Asia/Tokyo /etc/localtime'
+  ].each do |cmd|
+    execute cmd do
+      user 'root'
+
+      not_if 'diff /usr/share/zoneinfo/Asia/Tokyo /etc/localtime'
+    end
+  end
+end

cookbooks/lxc/ufw.rb

@@ -0,0 +1,6 @@
+execute 'ufw reload-or-enable' do
+  user 'root'
+  command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
+
+  action :nothing
+end

cookbooks/lxc/unattended-upgrade.rb

@@ -0,0 +1,56 @@
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "18.04"
+  # Install `cron-apt`:
+  package 'cron-apt'
+
+  # From here, we are going to set up `cron-apt` to
+  # install the important security updates every day.
+  remote_file '/etc/cron-apt/config' do
+    user 'root'
+
+    owner 'root'
+    group 'root'
+    mode  '644'
+  end
+
+  remote_file '/etc/cron-apt/action.d/3-download' do
+    user 'root'
+
+    owner 'root'
+    group 'root'
+    mode '644'
+  end
+
+  execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
+    user 'root'
+
+    not_if 'test -e /etc/apt/security.sources.list'
+  end
+
+  file '/var/log/cron-apt/log' do
+    user 'root'
+
+    content 'foo\n'
+
+    owner 'root'
+    group 'root'
+    mode '666'
+
+    not_if 'test -e /var/log/cron-apt/log'
+  end
+
+  execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
+    user 'root'
+
+    not_if 'test -e /var/log/cron-apt/log'
+  end
+
+when '20.04', '22.04', '24.04'
+  %w(20auto-upgrades 50unattended-upgrades).each do |conf|
+    remote_file "/etc/apt/apt.conf.d/#{conf}" do
+      owner 'root'
+      group 'root'
+      mode  '644'
+    end
+  end
+end

cookbooks/nginx/attributes.rb

@@ -3,8 +3,9 @@
 # -------------------------------------------
 node.reverse_merge!({
   'nginx' => {
-    'version' => '1.25.0',
-    'skip_lego' => 'true',
-    'skip_webadm' => 'true'
+    'version' => '1.26.1',
+    'skip_lego' => true,
+    'skip_webadm' => false,
+    'skip_deploy_conf' => true
   }
 })

cookbooks/nginx/build.rb

@@ -78,7 +78,7 @@ directory MODULEDIR do
 end
 
 # Build starts here:
-execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -libressl -libresslversion 3.8.0" do
+execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -libressl -libresslversion 3.9.1" do
   cwd WORKDIR
   user USER
 

cookbooks/nginx/default.rb

@@ -35,6 +35,13 @@ end
 # Prerequisites for Building nginx:
 if !node['nginx']['skip_webadm']
   include_recipe './webadm.rb'
+end
+
+# Build nginx:
+include_recipe './build.rb'
+
+# Check whether to deploy the nginx confings:
+if !node['nginx']['skip_deploy_conf']
   include_recipe '../blog/default.rb'
   include_recipe '../everun/default.rb'
 end
@@ -44,9 +51,5 @@ if !node['nginx']['skip_lego']
   include_recipe './lego.rb'
 end
 
-# Build nginx:
-include_recipe './build.rb'
-
 # Setup nginx:
 include_recipe './setup.rb'
-

cookbooks/nginx/webadm.rb

@@ -47,17 +47,18 @@ end
 end
 
 # Create `repo` directory:
-git '/home/webadm/repo/nginx-config' do
-  user 'webadm'
-  repository 'https://github.com/kazu634/nginx-config.git'
-end
+if !node['nginx']['skip_deploy_conf']
+  git '/home/webadm/repo/nginx-config' do
+    user 'webadm'
+    repository 'https://github.com/kazu634/nginx-config.git'
+  end
 
-execute '/home/webadm/repo/nginx-config/deploy.sh' do
-  user 'root'
-  cwd '/home/webadm/repo/nginx-config/'
-end
+  execute '/home/webadm/repo/nginx-config/deploy.sh' do
+    user 'root'
+    cwd '/home/webadm/repo/nginx-config/'
+  end
 
-service 'consul-template' do
-  action :restart
+  service 'consul-template' do
+    action :restart
+  end
 end
-

cookbooks/nomad/csi.rb

@@ -31,14 +31,7 @@ directory '/opt/cni/bin' do
   mode '0755'
 end
 
-%w( bandwidth bridge dhcp firewall host-device host-local ipvlan loopback macvlan portmap ptp sbr static tuning vlan vrf ).each do |f|
-  remote_file "/opt/cni/bin/#{f}" do
-    owner 'root'
-    group 'root'
-
-    mode '0775'
-  end
-end
+execute "eget containernetworking/plugins --to /opt/cni/bin --upgrade-only -a ^sha --all"
 
 directory '/etc/cni' do
   owner 'root'

cookbooks/nomad/default.rb

@@ -2,7 +2,14 @@ include_recipe './attributes.rb'
 
 include_recipe './install.rb'
 
+if node['nomad']['client']
+  include_recipe '../docker/default.rb'
+  include_recipe './csi.rb'
+
+  package "consul-cni"
+  package "dmidecode"
+end
+
 if node['nomad']['manager'] || node['nomad']['client']
   include_recipe './setup.rb'
-  include_recipe './csi.rb'
 end

cookbooks/nomad/install.rb

@@ -7,7 +7,7 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
 end
 
 # Retrieve the Ubuntu code:
-DIST = run_command('lsb_release -cs').stdout.chomp
+DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
 
 # Deploy the `apt` sources:
 template '/etc/apt/sources.list.d/hashicorp.list' do

cookbooks/nomad/setup.rb

@@ -1,5 +1,6 @@
 # Kernel parameters:
 execute 'modprobe br_netfilter'
+execute 'modprobe bridge'
 
 remote_file '/etc/sysctl.d/90-nomad.conf' do
   owner 'root'

cookbooks/prometheus-exporters/attributes.rb

@@ -3,23 +3,12 @@
 # -------------------------------------------
 node.reverse_merge!({
   'node_exporter' => {
-    'url' => 'https://github.com/prometheus/node_exporter/releases/download/',
-    'prefix' => 'node_exporter-',
-    'postfix' => '.linux-amd64.tar.gz',
+    'url' => 'prometheus/node_exporter',
     'storage' => '/opt/node_exporter/bin/',
     'location' => '/usr/local/bin/'
   },
-  'blackbox_exporter' => {
-    'url' => 'https://github.com/prometheus/blackbox_exporter/releases/download/',
-    'prefix' => 'blackbox_exporter-',
-    'postfix' => '.linux-amd64.tar.gz',
-    'storage' => '/opt/blackbox_exporter/bin/',
-    'location' => '/usr/local/bin/'
-  },
   'filestat_exporter' => {
-    'url' => 'https://github.com/michael-doubez/filestat_exporter/releases/download/',
-    'prefix' => 'filestat_exporter-',
-    'postfix' => '.linux-amd64.tar.gz',
+    'url' => 'michael-doubez/filestat_exporter',
     'storage' => '/opt/filestat_exporter/',
     'location' => '/usr/local/bin/'
   },

cookbooks/prometheus-exporters/exporter_proxy.rb

@@ -3,9 +3,7 @@ BIN = '/usr/local/bin/exporter_proxy'
 CONFDIR = '/etc/prometheus_exporters.d/exporter_proxy/'
 CONF = 'config.yml'
 
-execute "wget #{URL} -O #{BIN}" do
-    not_if "test -e #{BIN}"
-end
+execute "eget rrreeeyyy/exporter_proxy --to /usr/local/bin/ --upgrade-only"
 
 file BIN do
   user 'root'

cookbooks/prometheus-exporters/filestat_exporter_install.rb

@@ -1,53 +1,20 @@
-filestat_exporter_url = ''
-filestat_exporter_bin = ''
-
-vtag              = ''
-
-# Calculate the Download URL:
-begin
-  require 'net/http'
-
-  uri = URI.parse('https://github.com/michael-doubez/filestat_exporter/releases/latest')
-
-  Timeout.timeout(3) do
-    response = Net::HTTP.get_response(uri)
-
-    vtag = $1 if response['location'] =~ %r{tag\/(v\d+\.\d+\.\d+)}
-
-    filestat_exporter_bin = "#{node['filestat_exporter']['prefix']}#{vtag}#{node['filestat_exporter']['postfix']}"
-    filestat_exporter_url = "#{node['filestat_exporter']['url']}/#{vtag}/#{filestat_exporter_bin}"
-  end
-rescue
-  # Abort the chef client process:
-  raise 'Cannot connect to http://github.com.'
+# Install:
+directory node['filestat_exporter']['storage'] do
+  owner 'root'
+  group 'root'
+  mode '755'
 end
 
-# バージョン確認して、アップデート必要かどうか確認
-result = run_command("filestat_exporter --version 2>&1 | grep #{vtag}", error: false)
-if result.exit_status != 0
-  # Download:
-  TMP = "/tmp/#{filestat_exporter_bin}"
+execute "eget #{node['filestat_exporter']['url']} --to #{node['filestat_exporter']['storage']}"
 
-  execute "wget #{filestat_exporter_url} -O #{TMP}"
-
-  # Install:
-  directory node['filestat_exporter']['storage'] do
-    owner 'root'
-    group 'root'
-    mode '755'
-  end
-
-  execute "tar zxf #{TMP} -C #{node['filestat_exporter']['storage']} --strip-components 1"
-
-  # Change Owner and Permissions:
-  file "#{node['filestat_exporter']['storage']}filestat_exporter" do
-    owner 'root'
-    group 'root'
-    mode  '755'
-  end
-
-  # Create Link
-  link "#{node['filestat_exporter']['location']}filestat_exporter" do
-    to "#{node['filestat_exporter']['storage']}filestat_exporter"
-  end
+# Change Owner and Permissions:
+file "#{node['filestat_exporter']['storage']}filestat_exporter" do
+  owner 'root'
+  group 'root'
+  mode  '755'
+end
+
+# Create Link
+link "#{node['filestat_exporter']['location']}filestat_exporter" do
+  to "#{node['filestat_exporter']['storage']}filestat_exporter"
 end

cookbooks/prometheus-exporters/node_exporter_install.rb

@@ -1,55 +1,20 @@
-node_exporter_url = ''
-node_exporter_bin = ''
-
-tag               = ''
-vtag              = ''
-
-# Calculate the Download URL:
-begin
-  require 'net/http'
-
-  uri = URI.parse('https://github.com/prometheus/node_exporter/releases/latest')
-
-  Timeout.timeout(3) do
-    response = Net::HTTP.get_response(uri)
-
-    vtag = $1 if response['location'] =~ %r{tag\/(v\d+\.\d+\.\d+)}
-    tag = vtag.sub(/^v/, '')
-
-    node_exporter_bin = "#{node['node_exporter']['prefix']}#{tag}#{node['node_exporter']['postfix']}"
-    node_exporter_url = "#{node['node_exporter']['url']}/#{vtag}/#{node_exporter_bin}"
-  end
-rescue
-  # Abort the chef client process:
-  raise 'Cannot connect to http://github.com.'
+# Install:
+directory node['node_exporter']['storage'] do
+  owner 'root'
+  group 'root'
+  mode '755'
 end
 
-# バージョン確認して、アップデート必要かどうか確認
-result = run_command("node_exporter --version 2>&1 | grep #{tag}", error: false)
-if result.exit_status != 0
-  # Download:
-  TMP = "/tmp/#{node_exporter_bin}"
+execute "eget #{node['node_exporter']['url']} --to #{node['node_exporter']['storage']} --upgrade-only"
 
-  execute "wget #{node_exporter_url} -O #{TMP}"
-
-  # Install:
-  directory node['node_exporter']['storage'] do
-    owner 'root'
-    group 'root'
-    mode '755'
-  end
-
-  execute "tar zxf #{TMP} -C #{node['node_exporter']['storage']} --strip-components 1"
-
-  # Change Owner and Permissions:
-  file "#{node['node_exporter']['storage']}node_exporter" do
-    owner 'root'
-    group 'root'
-    mode  '755'
-  end
-
-  # Create Link
-  link "#{node['node_exporter']['location']}node_exporter" do
-    to "#{node['node_exporter']['storage']}node_exporter"
-  end
+# Change Owner and Permissions:
+file "#{node['node_exporter']['storage']}node_exporter" do
+  owner 'root'
+  group 'root'
+  mode  '755'
+end
+
+# Create Link
+link "#{node['node_exporter']['location']}node_exporter" do
+  to "#{node['node_exporter']['storage']}node_exporter"
 end

cookbooks/prometheus/prometheus_setup.rb

@@ -9,7 +9,7 @@ end
   directory d do
     owner  'prometheus'
     group  'prometheus'
-    mode   '0744'
+    mode   '0755'
   end
 end
 

cookbooks/vault/attributes.rb

@@ -3,7 +3,7 @@
 # -------------------------------------------
 
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04"
+when "20.04", "22.04", "24.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"
@@ -21,6 +21,6 @@ node.reverse_merge!({
     'manager' => false,
     'ipaddr' => ipaddr,
     'hostname' => hostname,
-    'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'],
+    'ips' => ['192.168.10.140', '192.168.10.141', '192.168.10.142'],
   }
 })

cookbooks/vault/files/etc/vault.d/vault.env

@@ -0,0 +1,5 @@
+md5:cb234b386c1601dc3c6bf1072c00a441:salt:123-90-76-221-9-96-59-101:aes-256-cfb:SfQ2qhmH163jZgh9yequT6JyUCNfaCYW1Ch6BDE6Lid8fj6xcwWYLLTycXhs
+o0y3Wvf3lgt3rHQy6J2tPuSahbtMcZwcBUp6jblNahBJW5yw1pUR/cLNXruy
+J3/LLbA2BPBb+l2TAzVfUTNHKdPY7Z1hZ2hcSgf7uK6cCoSHrPGF1jePQx7+
+Ys1sJLsg0M7jUXUiHrNZGdf5ShR0oeyQ+1tFYu9bMVn/EnJHoTtrL6Zbrb8b
+14YmdtqwhuY46L+wTE2nmWqBUdCYCnlta8RHzgnXxWQRLnnEZ356oW+WIQ==

cookbooks/vault/install.rb

@@ -7,12 +7,15 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
 end
 
 # Retrieve the Ubuntu code:
-DIST = run_command('lsb_release -cs').stdout.chomp
+DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
 
 # Deploy the `apt` sources:
 template '/etc/apt/sources.list.d/hashicorp.list' do
   action :create
   variables(distribution: DIST)
+
+  owner 'root'
+  group 'root'
 end
 
 execute 'apt update' do

cookbooks/vault/setup.rb

@@ -2,9 +2,21 @@
 template '/etc/vault.d/vault.hcl' do
   owner 'vault'
   group 'vault'
-  mode '644'
+  mode '600'
 
   variables(HOSTNAME: node['vault']['hostname'],  IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
+
+  notifies :restart, 'service[vault]'
+end
+
+encrypted_remote_file '/etc/vault.d/vault.env' do
+  owner 'vault'
+  group 'vault'
+  mode '600'
+  source   'files/etc/vault.d/vault.env'
+  password ENV['ITAMAE_PASSWORD']
+
+  notifies :restart, 'service[vault]'
 end
 
 directory '/etc/vault.d/policies' do
@@ -26,3 +38,18 @@ remote_file '/etc/logrotate.d/vault' do
   group 'root'
   mode '644'
 end
+
+
+%w(8200 8201).each do |port|
+  execute "ufw allow #{port}" do
+    user 'root'
+
+    not_if "LANG=c ufw status | grep #{port}"
+
+    notifies :run, 'execute[ufw reload-or-enable]'
+  end
+end
+
+service 'vault' do
+  action [:enable, :start]
+end

cookbooks/vault/templates/etc/vault.d/vault.hcl

@@ -1,15 +1,15 @@
 ui = true
-
 disable_mlock = true
 
-# service_registration "consul" {
-#   address = "127.0.0.1:8500"
-#   token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8"
-# }
+service_registration "consul" {
+  address = "127.0.0.1:8500"
+  token = "63c7eb0b-3e39-95e8-9c70-6e42885cb8f8"
+}
 
 storage "raft" {
   path    = "/opt/vault/data"
   node_id = "<%= @HOSTNAME %>"
+
 <% @IPS.each do |ip| %>
   retry_join {
     leader_api_addr = "http://<%= ip %>:8200"
@@ -18,7 +18,7 @@ storage "raft" {
 }
 
 api_addr = "http://<%= @IPADDR %>:8200"
-cluster_addr = "http://<%= @IPADDR %>::8201"
+cluster_addr = "http://<%= @IPADDR %>:8201"
 
 # HTTPS listener
 listener "tcp" {

cookbooks/vector/attributes.rb

@@ -2,7 +2,7 @@
 # Specifying the default settings:
 # -------------------------------------------
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04"
+when "20.04", "22.04", "24.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"

cookbooks/vector/files/etc/vector/consul.toml

@@ -2,7 +2,7 @@ data_dir = "/var/lib/vector/"
 
 [sources.consul]
   type = "file"
-  include = [ "/var/log/consul/consul-*.log" ]
+  include = [ "/var/log/consul/consul.log" ]
   ignore_older_secs = 600
   read_from = "beginning"
 

roles/lxc.rb

@@ -0,0 +1,6 @@
+include_recipe "../cookbooks/lxc/default.rb"
+include_recipe "../cookbooks/vault/default.rb"
+include_recipe "../cookbooks/consul-template/default.rb"
+include_recipe "../cookbooks/consul/default.rb"
+include_recipe "../cookbooks/vector/default.rb"
+include_recipe "../cookbooks/prometheus-exporters/default.rb"

tasks/lxc.rake

@@ -0,0 +1,9 @@
+#!/usr/bin/env rake
+
+desc 'Invoke itamae command for the lxc container'
+task :lxc do
+  node = `ls -1 nodes/*.json | xargs -I % basename % .json | fzf`
+  node.chomp!
+
+  sh "ITAMAE_PASSWORD=musashi bundle ex itamae ssh --host #{node} -j nodes/#{node}.json -u root entrypoint.rb"
+end