diff --git a/cookbooks/base/default.rb b/cookbooks/base/default.rb index 162ddbd..f81b098 100644 --- a/cookbooks/base/default.rb +++ b/cookbooks/base/default.rb @@ -35,6 +35,7 @@ end # Install the necessary packages: include_recipe './packages.rb' +include_recipe './eget.rb' # Lang Setting: include_recipe './lang.rb' @@ -69,9 +70,12 @@ include_recipe './starship.rb' # Install cloudflared command: include_recipe './cloudflared.rb' +# Disable Ubuntu Pro +include_recipe './ubuntupro.rb' + # recipes for Ubuntu 20.04 and later case node['platform_version'] -when "20.04", "22.04" +when "20.04", "22.04", "24.04" remote_file '/etc/multipath.conf' do owner 'root' group 'root' @@ -89,29 +93,40 @@ when "20.04", "22.04" service 'systemd-timesyncd' do action :enable end -end -case node['platform_version'] -when "20.04" - remote_file '/etc/systemd/timesyncd.conf' do - owner 'root' - group 'root' - mode '0644' + case node['platform_version'] + when "20.04" + remote_file '/etc/systemd/timesyncd.conf' do + owner 'root' + group 'root' + mode '0644' - notifies :restart, 'service[systemd-timesyncd]' - end -when "22.04" - remote_file '/etc/systemd/timesyncd.conf' do - owner 'root' - group 'root' - mode '0644' + notifies :restart, 'service[systemd-timesyncd]' + end + when "22.04" + remote_file '/etc/systemd/timesyncd.conf' do + owner 'root' + group 'root' + mode '0644' - source 'files/etc/systemd/timesyncd.2204.conf' + source 'files/etc/systemd/timesyncd.2204.conf' - notifies :restart, 'service[systemd-timesyncd]' + notifies :restart, 'service[systemd-timesyncd]' + end + when "24.04" + remote_file '/etc/systemd/timesyncd.conf' do + owner 'root' + group 'root' + mode '0644' + + source 'files/etc/systemd/timesyncd.2404.conf' + + notifies :restart, 'service[systemd-timesyncd]' + end end end + # AWS EC2 Swap Setting: if node['is_ec2'] include_recipe './aws_ec2.rb' diff --git a/cookbooks/base/eget.rb b/cookbooks/base/eget.rb new file mode 100644 index 0000000..a70978a --- /dev/null 
+++ b/cookbooks/base/eget.rb
@@ -0,0 +1,14 @@
+result = run_command('which eget', error: false)
+if result.exit_status != 0
+ # Install eget
+ execute 'curl https://zyedidia.github.io/eget.sh | sh' do
+ cwd '/usr/local/bin/'
+ end
+
+ execute 'chown root:root /usr/local/bin/eget'
+ execute 'chmod 755 /usr/local/bin/eget'
+end
+
+%w( zyedidia/eget mgdm/htmlq ).each do |p|
+ execute "eget #{p} --to /usr/local/bin/ --upgrade-only"
+end
diff --git a/cookbooks/base/files/etc/ssh/sshd_config.2404 b/cookbooks/base/files/etc/ssh/sshd_config.2404
new file mode 100644
index 0000000..0d39f38
--- /dev/null
+++ b/cookbooks/base/files/etc/ssh/sshd_config.2404
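Review bot: `curl https://zyedidia.github.io/eget.sh | sh` runs an unverified remote script as root, and without `-f` a 404 or TLS error page is still piped into `sh`; the follow-up loop then re-downloads the `zyedidia/eget` and `mgdm/htmlq` release binaries on every converge with no version pin and no checksum, so what lands in `/usr/local/bin` depends on whatever GitHub serves at that moment. Pin and verify instead: `curl -fsSL ...` for the bootstrap (or better, ship a known-good eget binary with the cookbook), and `execute "eget #{p} --tag <pinned-tag> --verify-sha256 <sha256> --to /usr/local/bin/"` for the tools, if the installed eget supports `--verify-sha256`; keep the tags/hashes in attributes so a bump is an explicit, reviewable change. `--upgrade-only` also makes every converge depend on the GitHub API and its rate limits, which is worth a `not_if` or a periodic job rather than a per-run call.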
@@ -0,0 +1,122 @@ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Include /etc/ssh/sshd_config.d/*.conf + +Port 10022 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin no +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +KbdInteractiveAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the KbdInteractiveAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via KbdInteractiveAuthentication may bypass +# the setting of "PermitRootLogin prohibit-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and KbdInteractiveAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server 
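Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is placed above `PermitRootLogin no`, `PasswordAuthentication no` and `KbdInteractiveAuthentication no`, and sshd keeps the first value it obtains for each keyword, so any drop-in in that directory silently overrides the hardening below it — on Ubuntu, cloud-init commonly leaves a `50-cloud-init.conf` there containing `PasswordAuthentication yes`. Either move those three directives above the `Include` line, or have ssh.rb own `/etc/ssh/sshd_config.d/` (remove or template its contents) so the effective policy is what this file says. `X11Forwarding yes` is also enabled on what appears to be a headless server; unless X11 is actually used, `X11Forwarding no` removes an unnecessary channel into users' sessions.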
diff --git a/cookbooks/base/files/etc/systemd/timesyncd.2404.conf b/cookbooks/base/files/etc/systemd/timesyncd.2404.conf new file mode 100644 index 0000000..64e759c --- /dev/null +++ b/cookbooks/base/files/etc/systemd/timesyncd.2404.conf @@ -0,0 +1,26 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it under the +# terms of the GNU Lesser General Public License as published by the Free +# Software Foundation; either version 2.1 of the License, or (at your option) +# any later version. +# +# Entries in this file show the compile time defaults. Local configuration +# should be created by either modifying this file (or a copy of it placed in +# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in +# the /etc/systemd/timesyncd.conf.d/ directory. The latter is generally +# recommended. Defaults can be restored by simply deleting the main +# configuration file and all drop-ins located in /etc/. +# +# Use 'systemd-analyze cat-config systemd/timesyncd.conf' to display the full config. +# +# See timesyncd.conf(5) for details. + +[Time] +NTP=192.168.10.1 +#FallbackNTP=ntp.ubuntu.com +#RootDistanceMaxSec=5 +#PollIntervalMinSec=32 +#PollIntervalMaxSec=2048 +#ConnectionRetrySec=30 +#SaveIntervalSec=60 diff --git a/cookbooks/base/packages.rb b/cookbooks/base/packages.rb index 621c6fe..11b917e 100644 --- a/cookbooks/base/packages.rb +++ b/cookbooks/base/packages.rb 
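Review bot: `NTP=192.168.10.1` is set while `FallbackNTP=` stays commented, which leaves systemd-timesyncd's compiled-in fallback (shown here as `ntp.ubuntu.com`) active, so when the LAN time source is unreachable the host silently takes time from the internet instead of failing loudly. If 192.168.10.1 is meant to be the sole authority (e.g. for consistent logs/forensics across the fleet), set `FallbackNTP=` to an empty value to disable the fallback; otherwise document that the public fallback is intentional.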
@@ -20,24 +20,28 @@ end ### Here we are going to install git. # Constants: -KEYSRV = 'hkp://keyserver.ubuntu.com:80' -ID = 'E1DF1F24' +case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp +when "24.04" + execute 'add-apt-repository -y ppa:git-core/ppa' do + not_if 'test -e /etc/apt/sources.list.d/git-core-ubuntu-ppa-noble.sources' + end +else + KEYSRV = 'hkp://keyserver.ubuntu.com:80' + ID = 'E1DF1F24' -GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push' -PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push' + # Retrieve the Ubuntu code: + DIST = run_command('lsb_release -cs').stdout.chomp -# Retrieve the Ubuntu code: -DIST = run_command('lsb_release -cs').stdout.chomp + # Add the public key file to install `git` + execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do + not_if 'apt-key list | grep "E1DF 1F24"' + end -# Add the public key file to install `git` -execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do - not_if 'apt-key list | grep "E1DF 1F24"' -end - -# Deploy the `apt` sources: -template '/etc/apt/sources.list.d/git.list' do - action :create - variables(distribution: DIST) + # Deploy the `apt` sources: + template '/etc/apt/sources.list.d/git.list' do + action :create + variables(distribution: DIST) + end end execute 'apt update' do @@ -48,6 +52,9 @@ execute 'apt install git -y' do not_if 'LANG=C apt-cache policy git | grep Installed | grep ppa' end +GIT_PREPUSH = '/usr/share/git-core/templates/hooks/pre-push' +PREPUSH = 'https://gist.github.com/kazu634/8267388/raw/e9202cd4c29a66723c88d2be05f3cd19413d2137/pre-push' + execute "wget #{PREPUSH} -O #{GIT_PREPUSH}" do not_if "test -e #{GIT_PREPUSH}" end diff --git a/cookbooks/base/ssh.rb b/cookbooks/base/ssh.rb index 60c7c4a..233eb35 100644 --- a/cookbooks/base/ssh.rb +++ b/cookbooks/base/ssh.rb 
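Review bot: The `else` branch still trusts the git PPA via `apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys E1DF1F24` — a 32-bit short key ID fetched over plaintext HKP — and its `not_if 'apt-key list | grep "E1DF 1F24"'` guard matches any key with that short ID, so a colliding key would both be imported and satisfy the idempotency check; `apt-key` is also deprecated on every release this cookbook targets. Use the full 40-hex fingerprint over `hkps://`, or simply extend the 24.04 path (`add-apt-repository -y ppa:git-core/ppa`) to all releases, which installs the signed source entry itself. The platform switch here shells out to `grep VERSION_ID /etc/os-release | awk ...` while default.rb and ssh.rb branch on `node['platform_version']`; using the same attribute keeps the version logic consistent across recipes.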
@@ -9,6 +9,16 @@ end # Deploy the `sshd` configuration file: case node['platform_version'] +when "24.04" + remote_file '/etc/ssh/sshd_config' do + user 'root' + owner 'root' + group 'root' + mode '644' + + source 'files/etc/ssh/sshd_config.2404' + end + when "22.04" remote_file '/etc/ssh/sshd_config' do user 'root' @@ -48,9 +58,15 @@ else end end +case node['platform_version'] +when "24.04" + execute 'systemctl disable --now ssh.socket' + execute 'systemctl enable --now ssh.service' + execute 'systemctl daemon-reload' +end # Apply the changes: -execute 'systemctl reload ssh.service ' do +execute 'systemctl restart ssh.service ' do action :nothing subscribes :run, 'remote_file[/etc/ssh/sshd_config]' end diff --git a/cookbooks/base/timezone.rb b/cookbooks/base/timezone.rb index 548851b..c5bf6ed 100644 --- a/cookbooks/base/timezone.rb +++ b/cookbooks/base/timezone.rb @@ -1,5 +1,5 @@ case node['platform_version'] -when "18.04", "20.04", "22.04" +when "18.04", "20.04", "22.04", "24.04" execute 'timedatectl set-timezone Asia/Tokyo' do not_if 'timedatectl | grep Tokyo' end diff --git a/cookbooks/base/ubuntupro.rb b/cookbooks/base/ubuntupro.rb new file mode 100644 index 0000000..dc5d636 --- /dev/null +++ b/cookbooks/base/ubuntupro.rb @@ -0,0 +1,11 @@ +case node['platform_version'] +when "24.04" + directory "/etc/apt/apt.conf.d/bk/" + + %w( 20apt-esm-hook.conf ).each do |conf| + execute "mv /etc/apt/apt.conf.d/#{conf} /etc/apt/apt.conf.d/bk/#{conf}" + execute "touch /etc/apt/apt.conf.d/#{conf}" + end + + execute 'pro config set apt_news=false' +end diff --git a/cookbooks/base/unattended-upgrade.rb b/cookbooks/base/unattended-upgrade.rb index 07adc5f..1a522aa 100644 --- a/cookbooks/base/unattended-upgrade.rb +++ b/cookbooks/base/unattended-upgrade.rb 
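Review bot: `systemctl restart ssh.service` now replaces the reload and fires whenever `remote_file[/etc/ssh/sshd_config]` changes, so a typo in the shipped config stops the daemon outright, and on 24.04 — with `ssh.socket` disabled and the port moved to 10022 — that means no remote path back in; the old reload at least kept the running config alive on a parse error. Gate the restart on a syntax check, e.g. add `only_if 'sshd -t -f /etc/ssh/sshd_config'` to the restart resource. The three `systemctl` calls in the new 24.04 case also run unconditionally on every converge and `daemon-reload` is issued after the enable rather than before; guard them with `only_if 'systemctl is-enabled --quiet ssh.socket'` on the disable and `not_if 'systemctl is-enabled --quiet ssh.service'` on the enable.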
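Review bot: The `mv`/`touch` pair in the new 24.04 case is not idempotent and destroys its own backup on the second converge: after the first run `/etc/apt/apt.conf.d/20apt-esm-hook.conf` exists again as the empty file created by `touch`, so the next `mv` overwrites `bk/20apt-esm-hook.conf` with that empty file and the original hook is lost. Guard both steps — `not_if "test -e /etc/apt/apt.conf.d/bk/#{conf}"` on the `mv` and `not_if "test -e /etc/apt/apt.conf.d/#{conf}"` on the `touch` — or replace the pair with a `file` resource that manages the empty conf directly. `pro config set apt_news=false` likewise runs every time; a `not_if` on its current value would keep converges quiet.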
@@ -45,7 +45,7 @@ when "18.04" not_if 'test -e /var/log/cron-apt/log' end -when '20.04', '22.04' +when '20.04', '22.04', '24.04' %w(20auto-upgrades 50unattended-upgrades).each do |conf| remote_file "/etc/apt/apt.conf.d/#{conf}" do owner 'root' diff --git a/cookbooks/consul-template/attributes.rb b/cookbooks/consul-template/attributes.rb index cb6f58c..63eb081 100644 --- a/cookbooks/consul-template/attributes.rb +++ b/cookbooks/consul-template/attributes.rb @@ -1,10 +1,12 @@ # ------------------------------------------- # Specifying the default settings: # ------------------------------------------- + + node.reverse_merge!({ 'consulTemplate' => { 'baseUrl' => 'https://releases.hashicorp.com/consul-template/', - 'version' => '0.25.2', + 'version' => `curl -s https://releases.hashicorp.com/consul-template/ | htmlq -t 'a' | grep consul-template | head -n 1 | sed -e 's/^[^_]*_//g'`.chomp!, 'zipPrefix' => 'consul-template_', 'zipPostfix' => '_linux_amd64.zip', 'storage' => '/opt/consul-template/consul-template', diff --git a/cookbooks/consul-template/install.rb b/cookbooks/consul-template/install.rb index 7c0b01a..d603766 100644 --- a/cookbooks/consul-template/install.rb +++ b/cookbooks/consul-template/install.rb @@ -5,20 +5,13 @@ consulTemplate_url = "#{node['consulTemplate']['baseUrl']}#{node['consulTemplate result = run_command('which consul-template', error: false) if result.exit_status != 0 - # Download: - TMP = "/tmp/#{consulTemplate_zip}" - - execute "wget #{consulTemplate_url} -O #{TMP}" - directory '/opt/consul-template' do owner 'root' group 'root' mode '0755' end - execute "unzip #{TMP} -d /opt/consul-template/" do - not_if 'test -e /opt/consul-template/consul-template' - end + execute "eget #{consulTemplate_url} --to /opt/consul-template/" # Change Owner and Permissions: file "#{node['consulTemplate']['storage']}" do diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb index be74aff..14560dd 100644 --- a/cookbooks/consul/attributes.rb 
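Review bot: `'version'` is now resolved at converge time by scraping the HashiCorp release index and taking the first link, so the installed build floats with whatever the listing shows newest (including any pre-release or `+ent` entry it may carry) and the cookbook no longer records which version a host runs. The pipeline also uses `curl -s` without `-f` and ends in `.chomp!`, which returns `nil` when there was nothing to chomp — an HTTP error or empty listing yields `version => nil` and a malformed download URL instead of a visible failure. At minimum use `.chomp` and `curl -fsS`; better, keep an explicit pinned version in this attribute and bump it deliberately.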
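Review bot: `execute "eget #{consulTemplate_url} --to /opt/consul-template/"` downloads and unpacks the release zip with no integrity check, and since the URL is built from a version resolved at run time, neither the artifact nor its digest is pinned anywhere in the cookbook. HashiCorp publishes a `consul-template_<ver>_SHA256SUMS` file (with a detached signature) next to each zip; fetch it and pass the matching digest to eget (`--verify-sha256`, if supported by the installed eget) or check it with `sha256sum -c` before the binary is made executable. Note that the removed `not_if 'test -e /opt/consul-template/consul-template'` is only replaced by the outer `which consul-template` check, which presumably relies on `/opt/consul-template` being on `PATH` or symlinked — the rest of the recipe is outside this hunk.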
+++ b/cookbooks/consul/attributes.rb @@ -2,7 +2,7 @@ # Specifying the default settings: # ------------------------------------------- case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp -when "20.04", "22.04" +when "20.04", "22.04", "24.04" cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' when "18.04" @@ -19,7 +19,7 @@ dns = run_command(cmd).stdout.chomp node.reverse_merge!({ 'consul' => { 'manager' => false, - 'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"', + 'manager_hosts' => '"192.168.10.102", "192.168.10.251", "192.168.10.252", "192.168.10.253"', 'ipaddr' => ipaddr, 'dns' => dns, 'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=', diff --git a/cookbooks/consul/dnsmasq.rb b/cookbooks/consul/dnsmasq.rb index a048bb2..710ef6b 100644 --- a/cookbooks/consul/dnsmasq.rb +++ b/cookbooks/consul/dnsmasq.rb @@ -7,6 +7,42 @@ package 'dnsmasq' end case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp +when "24.04" + execute "change link to /etc/resolv.conf" do + command "ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf" + end + + directory "/etc/systemd/resolved.conf.d/" do + mode "0755" + owner "root" + group "root" + end + + template '/etc/systemd/resolved.conf.d/partial.conf' do + owner 'root' + group 'root' + mode '644' + + source 'templates/etc/systemd/resolved.conf.d/partial.conf.erb' + variables(dns: node['consul']['dns']) + + notifies :restart, 'service[systemd-resolved]', :immediately + end + + remote_file "/etc/default/dnsmasq" do + mode "0644" + owner "root" + group "root" + end + + remote_file '/etc/dnsmasq.conf' do + owner 'root' + group 'root' + mode '644' + + notifies :restart, 'service[dnsmasq]', :immediately + end + when "22.04" template '/etc/systemd/resolved.conf' do owner 'root' 
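Review bot: The new 24.04 branch inherits the `cmd` pipeline `ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | ...`, whose filter drops any line containing the digits `127` or `172` anywhere (an address like `192.168.10.127` disappears) and otherwise returns every remaining IPv4 address one per line, so `dns` (and presumably `ipaddr`) becomes a multi-line string on a host with a second NIC or bridge. A narrower selection avoids both problems: `ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | grep -v '^172\.' | head -n 1`.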
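Review bot: The `manager_hosts` change sits directly above a gossip `encrypt` key committed in clear text (context line here); anyone with read access to this repository can join or decrypt the Serf gossip layer of the cluster. Load it from a file outside the repo (or an environment/attribute override supplied at run time) and rotate the current key with `consul keyring -install/-use/-remove` if the repository is shared.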
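Review bot: `ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf` re-links the system resolver on every converge with no guard, and it runs before `/etc/dnsmasq.conf` is deployed, so during the first run name resolution already goes to whatever upstream list resolved currently exports. Add `not_if 'test "$(readlink /etc/resolv.conf)" = /run/systemd/resolve/resolv.conf'` and consider ordering the link step after `remote_file['/etc/dnsmasq.conf']`. If `partial.conf.erb` (not visible here) points resolved's `DNS=` at the host's own address and dnsmasq still reads `/etc/resolv.conf` for upstreams (`no-resolv` is commented in the 22.04 copy), dnsmasq's upstream list would then be its own interface, which it ignores — verify the intended upstream path. The `notifies :restart, 'service[systemd-resolved]'` also needs a `service 'systemd-resolved'` resource defined for the 24.04 path, which this hunk does not show.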
@@ -24,6 +60,8 @@ when "22.04" group 'root' mode '644' + source 'files/etc/dnsmasq.conf.2204' + notifies :restart, 'service[dnsmasq]', :immediately end diff --git a/cookbooks/consul/files/etc/default/dnsmasq b/cookbooks/consul/files/etc/default/dnsmasq new file mode 100644 index 0000000..e281cc0 --- /dev/null +++ b/cookbooks/consul/files/etc/default/dnsmasq 
@@ -0,0 +1,42 @@ +# This file has six functions: +# 1) to completely disable starting this dnsmasq instance +# 2) to set DOMAIN_SUFFIX by running `dnsdomainname` +# 3) to select an alternative config file +# by setting DNSMASQ_OPTS to --conf-file= +# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for +# more configuration variables. +# 5) to stop the resolvconf package from controlling dnsmasq's +# idea of which upstream nameservers to use. +# 6) to avoid using this dnsmasq instance as the system's default resolver +# by setting DNSMASQ_EXCEPT="lo" +# For upgraders from very old versions, all the shell variables set +# here in previous versions are still honored by the init script +# so if you just keep your old version of this file nothing will break. + +#DOMAIN_SUFFIX=`dnsdomainname` +#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt" + +# The dnsmasq daemon is run by default conforming to the Debian Policy. +# To disable the service, +# for SYSV init, use "update-rc.d dnsmasq disable", +# for systemd, use "systemctl disable dnsmasq". + +# By default search this drop directory for configuration options. +# Libvirt leaves a file here to make the system dnsmasq play nice. +# Comment out this line if you don't want this. The dpkg-* are file +# endings which cause dnsmasq to skip that file. This avoids pulling +# in backups made by dpkg. +CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new + +# If the resolvconf package is installed, dnsmasq will use its output +# rather than the contents of /etc/resolv.conf to find upstream +# nameservers. Uncommenting this line inhibits this behaviour. +# Note that including a "resolv-file=" line in +# /etc/dnsmasq.conf is not enough to override resolvconf if it is +# installed: the line below must be uncommented. +IGNORE_RESOLVCONF=yes + +# If the resolvconf package is installed, dnsmasq will tell resolvconf +# to use dnsmasq under 127.0.0.1 as the system's default resolver. 
+# Uncommenting this line inhibits this behaviour. +#DNSMASQ_EXCEPT="lo" diff --git a/cookbooks/consul/files/etc/dnsmasq.conf b/cookbooks/consul/files/etc/dnsmasq.conf index ee53ded..4df8589 100644 --- a/cookbooks/consul/files/etc/dnsmasq.conf +++ b/cookbooks/consul/files/etc/dnsmasq.conf @@ -16,9 +16,9 @@ # these requests from bringing up the link unnecessarily. # Never forward plain names (without a dot or domain part) -#domain-needed +domain-needed # Never forward addresses in the non-routed address spaces. -#bogus-priv +bogus-priv # Uncomment these to enable DNSSEC validation and caching: # (Requires dnsmasq to be built with DNSSEC option.) diff --git a/cookbooks/consul/files/etc/dnsmasq.conf.2204 b/cookbooks/consul/files/etc/dnsmasq.conf.2204 new file mode 100644 index 0000000..ee53ded --- /dev/null +++ b/cookbooks/consul/files/etc/dnsmasq.conf.2204 
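Review bot: Enabling `domain-needed` and `bogus-priv` is good hygiene, but judging from the 22.04 copy added alongside, this config still leaves `interface=`, `listen-address=` and `bind-interfaces` commented, so dnsmasq answers on every address of the host — by default dnsmasq then limits queries to local subnets (`local-service`), which still makes the box a resolver for anything on the same LAN segment. If only this host and its systemd-resolved are meant to use it, add `listen-address=127.0.0.1` (plus the host IP only if resolved must reach it) and `bind-interfaces`; if other hosts are intended clients, consider `stop-dns-rebind` and a bounded `dns-forward-max` to harden the forwarder.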
@@ -0,0 +1,679 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. 
+#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +server=/consul/127.0.0.1#8600 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that +# IP on the machine, obviously). 
+# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +#interface= +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface= + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. 
+# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. 
+#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC algorithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overridden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissible to give name, address and MAC in any +# order. 
+ +# Always allocate the host with Ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with Ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with Ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two Ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the InfiniBand interface with hardware address +# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the +# ip address 192.168.0.61. The client id is derived from the prefix +# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of +# hex digits of the hardware address. +#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. 
+#dhcp-host=judge + +# Never offer DHCP service to a machine whose Ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with Ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also that the [] around the IPv6 address are obligatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. 
+#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set option 58 client renewal time (T1). Defaults to half of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T1,1m + +# Set option 59 rebinding time (T2). Defaults to 7/8 of the +# lease time if not specified. 
(RFC2132) +#dhcp-option=option:T2,2m + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. 
(A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this if you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built-in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for iPXE. The idea is to send two different +# filenames, the first loads iPXE, and the second tells iPXE what to +# load. The dhcp-match sets the ipxe tag for requests from iPXE. +#dhcp-boot=undionly.kpxe +#dhcp-match=set:ipxe,175 # iPXE sends a 175 option. 
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php + +# Encapsulated options for iPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. 
+#tftp-root=/var/ftpd + +# Do not abort if the tftp-root is unavailable +#tftp-no-fail + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fashion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. 
The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039. +# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit +# option with a DHCPACK including a Rapid Commit option and fully committed address +# and configuration information. This must only be enabled if either the server is +# the only server for the subnet, or multiple servers are present and they each +# commit a binding for all clients. +#dhcp-rapid-commit + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. 
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) 
+ +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include another lot of configuration options. 
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore
diff --git a/cookbooks/consul/files/etc/vault.d/tokens/roleid b/cookbooks/consul/files/etc/vault.d/tokens/roleid
index 37cce95..7ae456f 100644
--- a/cookbooks/consul/files/etc/vault.d/tokens/roleid
+++ b/cookbooks/consul/files/etc/vault.d/tokens/roleid
@@ -1 +1 @@
-md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ==
\ No newline at end of file
+md5:1ae55d337df5f9dd4fffc187a183b0b2:salt:205-89-236-103-190-38-95-67:aes-256-cfb:Ma2d+BQ24dejEcakleRob9FbO/uXSyymKm3hMllr4BU89COZ6g==
\ No newline at end of file
diff --git a/cookbooks/consul/files/etc/vault.d/tokens/secretid b/cookbooks/consul/files/etc/vault.d/tokens/secretid
index 330c158..8f6d625 100644
--- a/cookbooks/consul/files/etc/vault.d/tokens/secretid
+++ b/cookbooks/consul/files/etc/vault.d/tokens/secretid
@@ -1 +1 @@
-md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg==
\ No newline at end of file
+md5:c5e23c82c19bfdbd585c22c2244d48c4:salt:159-101-196-196-176-220-40-108:aes-256-cfb:ddjwjLHE5NsLCVioXEv9oaJoGtpJ+P6FvVs6ecKK26eaI49ElQ==
\ No newline at end of file
diff --git a/cookbooks/consul/install.rb b/cookbooks/consul/install.rb
index 244dcf2..303f5e4 100644
--- a/cookbooks/consul/install.rb
+++ b/cookbooks/consul/install.rb
@@ -7,7 +7,7 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
 end
 
 # Retrieve the Ubuntu code:
-DIST = run_command('lsb_release -cs').stdout.chomp
+DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
 
 # Deploy the `apt` sources:
 template '/etc/apt/sources.list.d/hashicorp.list' do
diff --git a/cookbooks/consul/templates/etc/systemd/resolved.conf.d/partial.conf.erb b/cookbooks/consul/templates/etc/systemd/resolved.conf.d/partial.conf.erb
new file mode 100644
index 0000000..d2122db
--- /dev/null
+++ b/cookbooks/consul/templates/etc/systemd/resolved.conf.d/partial.conf.erb
@@ -0,0 +1,3 @@
+[Resolve]
+DNS=127.0.0.1
+DNSStubListener=no
diff --git a/cookbooks/kazu634/ssh.rb b/cookbooks/kazu634/ssh.rb
index 5461a51..d4773c1 100644
--- a/cookbooks/kazu634/ssh.rb
+++ b/cookbooks/kazu634/ssh.rb
@@ -31,3 +31,13 @@ remote_file '/home/kazu634/.ssh/config' do
   mode '644'
 end
 
+# Disable Password authentication
+file '/etc/ssh/sshd_config.d/50-cloud-init.conf' do
+  action :delete
+end
+
+execute 'systemctl restart ssh.service ' do
+  action :nothing
+  subscribes :run, 'file[/etc/ssh/sshd_config.d/50-cloud-init.conf]'
+end
+
diff --git a/cookbooks/loki/attributes.rb b/cookbooks/loki/attributes.rb
index 9fed441..90fb1d5 100644
--- a/cookbooks/loki/attributes.rb
+++ b/cookbooks/loki/attributes.rb
@@ -2,7 +2,7 @@
 # Specifying the default settings:
 # -------------------------------------------
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04", "22.04"
+when "20.04", "22.04", "24.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"
diff --git a/cookbooks/nginx/attributes.rb b/cookbooks/nginx/attributes.rb
index c12428c..ed5e63f 100644
--- a/cookbooks/nginx/attributes.rb
+++ b/cookbooks/nginx/attributes.rb
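Review bot: Redirecting stderr in `run_command('lsb_release -cs 2>/dev/null')` hides the only diagnostic when `lsb_release` is absent, and because the redirect does not change the exit status the converge still aborts there, now without saying why. The attribute files in this same diff already read `/etc/os-release` for the version id, so the codename can come from the same source without depending on the lsb-release package: `DIST = run_command('. /etc/os-release && echo "$VERSION_CODENAME"').stdout.chomp` followed by `raise 'Cannot determine the Ubuntu codename.' if DIST.empty?`, since `DIST` is interpolated into the apt sources template two lines below and an empty value would produce a malformed sources entry. The identical one-line change appears in cookbooks/nomad/install.rb and cookbooks/vault/install.rb later in this diff.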
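Review bot: `DNSStubListener=no` stops systemd-resolved from listening on 127.0.0.53, so a host whose `/etc/resolv.conf` still points at the stub file (the Ubuntu default symlink) loses name resolution until that link is repointed to `/run/systemd/resolve/resolv.conf`; nothing in this diff shows that step, so presumably it is handled elsewhere in the consul cookbook — worth confirming. `DNS=127.0.0.1` likewise assumes a resolver is already bound on that address when resolved reloads. The file contains no ERB tags, so a `remote_file` would deploy it with less machinery than a `template`; either way a header comment such as `# Hand resolution to the local forwarder on 127.0.0.1; with the stub listener off, /etc/resolv.conf must not point at 127.0.0.53` would explain both settings.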
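Review bot: Deleting `/etc/ssh/sshd_config.d/50-cloud-init.conf` only removes the drop-in cloud-init wrote; it does not itself set `PasswordAuthentication no`, so the effective value falls back to whatever the main `sshd_config` says, and the comment `# Disable Password authentication` promises more than the resource does. Deploying an explicit drop-in into `/etc/ssh/sshd_config.d/` containing `PasswordAuthentication no` would make the intent enforced and idempotent, and cloud-init may recreate the deleted file on a later boot unless its own `ssh_pwauth` setting is off — confirm on a fresh 24.04 image. The restart has no validation step, so a broken config would take sshd down with it; `execute 'sshd -t && systemctl restart ssh.service' do` keeps the subscription but fails before the restart if the config does not parse. The resource name `'systemctl restart ssh.service '` also carries a trailing space.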
@@ -3,8 +3,9 @@
 # -------------------------------------------
 node.reverse_merge!({
   'nginx' => {
-    'version' => '1.25.0',
-    'skip_lego' => 'true',
-    'skip_webadm' => 'true'
+    'version' => '1.26.1',
+    'skip_lego' => true,
+    'skip_webadm' => false,
+    'skip_deploy_conf' => true
   }
 })
diff --git a/cookbooks/nginx/build.rb b/cookbooks/nginx/build.rb
index d316ccb..9c3be07 100644
--- a/cookbooks/nginx/build.rb
+++ b/cookbooks/nginx/build.rb
@@ -78,7 +78,7 @@ directory MODULEDIR do
 end
 
 
 # Build starts here:
-execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -libressl -libresslversion 3.8.0" do
+execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -libressl -libresslversion 3.9.1" do
   cwd WORKDIR
   user USER
diff --git a/cookbooks/nginx/default.rb b/cookbooks/nginx/default.rb
index eb36bd5..f2197b4 100644
--- a/cookbooks/nginx/default.rb
+++ b/cookbooks/nginx/default.rb
@@ -35,6 +35,13 @@ end
 # Prerequisites for Building nginx:
 if !node['nginx']['skip_webadm']
   include_recipe './webadm.rb'
+end
+
+# Build nginx:
+include_recipe './build.rb'
+
+# Check whether to deploy the nginx confings:
+if !node['nginx']['skip_deploy_conf']
   include_recipe '../blog/default.rb'
   include_recipe '../everun/default.rb'
 end
@@ -44,9 +51,5 @@ if !node['nginx']['skip_lego']
   include_recipe './lego.rb'
 end
 
-# Build nginx:
-include_recipe './build.rb'
-
 # Setup nginx:
 include_recipe './setup.rb'
-
diff --git a/cookbooks/nginx/webadm.rb b/cookbooks/nginx/webadm.rb
index e8336ca..334bc6b 100644
--- a/cookbooks/nginx/webadm.rb
+++ b/cookbooks/nginx/webadm.rb
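Review bot: Turning `'skip_lego'` and `'skip_webadm'` from the string `'true'` into real booleans is a behaviour change, not a cosmetic one: in Ruby every string is truthy, so a string `'false'` would have been treated as a skip too by the `if !node['nginx'][...]` guards in default.rb and webadm.rb. Because `node.reverse_merge!` only fills in keys that are missing, a node JSON that later overrides one of these with `"false"` as a string would silently reintroduce that bug; a comment on the hash such as `# booleans, not strings: a string 'false' is truthy and would skip the recipe` would guard against it. The new `'skip_deploy_conf'` key is consulted in both default.rb and webadm.rb in this diff, so naming next to it which recipes it gates would help the next reader.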
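Review bot: `if !node['nginx']['skip_deploy_conf']` reads better as `unless node['nginx']['skip_deploy_conf']`, and the same applies to the `skip_webadm` guard above it and the `skip_lego` guard in the second hunk. Moving `include_recipe './build.rb'` ahead of lego and setup changes the converge order; if the reason is that setup.rb needs the built binary in place, a comment such as `# Build before lego/setup so the binary exists when the service is configured` would record it — that motive is inferred, not visible here. The typo in `# Check whether to deploy the nginx confings:` should be `configs`.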
@@ -47,17 +47,18 @@ end
 end
 
 # Create `repo` directory:
-git '/home/webadm/repo/nginx-config' do
-  user 'webadm'
-  repository 'https://github.com/kazu634/nginx-config.git'
-end
+if !node['nginx']['skip_deploy_conf']
+  git '/home/webadm/repo/nginx-config' do
+    user 'webadm'
+    repository 'https://github.com/kazu634/nginx-config.git'
+  end
 
-execute '/home/webadm/repo/nginx-config/deploy.sh' do
-  user 'root'
-  cwd '/home/webadm/repo/nginx-config/'
-end
+  execute '/home/webadm/repo/nginx-config/deploy.sh' do
+    user 'root'
+    cwd '/home/webadm/repo/nginx-config/'
+  end
 
-service 'consul-template' do
-  action :restart
+  service 'consul-template' do
+    action :restart
+  end
 end
-
diff --git a/cookbooks/nomad/csi.rb b/cookbooks/nomad/csi.rb
index 222199c..34be89a 100644
--- a/cookbooks/nomad/csi.rb
+++ b/cookbooks/nomad/csi.rb
@@ -31,14 +31,7 @@ directory '/opt/cni/bin' do
   mode '0755'
 end
 
-%w( bandwidth bridge dhcp firewall host-device host-local ipvlan loopback macvlan portmap ptp sbr static tuning vlan vrf ).each do |f|
-  remote_file "/opt/cni/bin/#{f}" do
-    owner 'root'
-    group 'root'
-
-    mode '0775'
-  end
-end
+execute "eget containernetworking/plugins --to /opt/cni/bin --upgrade-only -a ^sha --all"
 
 directory '/etc/cni' do
   owner 'root'
diff --git a/cookbooks/nomad/default.rb b/cookbooks/nomad/default.rb
index 6da52cd..e3a2ad8 100644
--- a/cookbooks/nomad/default.rb
+++ b/cookbooks/nomad/default.rb
@@ -2,7 +2,14 @@
 include_recipe './attributes.rb'
 include_recipe './install.rb'
 
+if node['nomad']['client']
+  include_recipe '../docker/default.rb'
+  include_recipe './csi.rb'
+
+  package "consul-cni"
+  package "dmidecode"
+end
+
 if node['nomad']['manager'] || node['nomad']['client']
   include_recipe './setup.rb'
-  include_recipe './csi.rb'
 end
diff --git a/cookbooks/nomad/files/opt/cni/bin/bandwidth b/cookbooks/nomad/files/opt/cni/bin/bandwidth
deleted file mode 100644
index cc834cf..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/bandwidth and /dev/null differ
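Review bot: Inside the new `skip_deploy_conf` guard, `deploy.sh` is executed with `user 'root'` from a checkout that the `git` resource creates as `webadm`, so anyone able to write under `/home/webadm/repo/nginx-config`, or to push to the unpinned `repository`, runs code as root at the next converge. Pinning the checkout with a `revision` on the `git` resource and running the script as `webadm` (escalating only the steps that need it) would shrink that exposure; at minimum a comment such as `# deploy.sh runs as root from a webadm-owned checkout: keep the repo trusted and pinned` belongs above the `execute`. The guard itself reads better as `unless node['nginx']['skip_deploy_conf']`, and the enclosing block that opens before this hunk is not visible here.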
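Review bot: The new `execute "eget containernetworking/plugins --to /opt/cni/bin --upgrade-only -a ^sha --all"` replaces fifteen checked-in binaries with whatever release is current at converge time: there is no version pin, and `-a ^sha` only deselects the checksum assets rather than using them, so the download is verified by nothing but TLS. The removed loop also set owner and `mode '0775'` explicitly, which now depends on what the archive carries. eget accepts `--tag` to pin a release and `--verify` with the published sha256, and a pinned call plus a comment naming the release would turn a future upgrade into a visible diff instead of a silent change; the same unpinned pattern is used for exporter_proxy, filestat_exporter and node_exporter later in this diff.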
diff --git a/cookbooks/nomad/files/opt/cni/bin/bridge b/cookbooks/nomad/files/opt/cni/bin/bridge
deleted file mode 100644
index 6c371ce..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/bridge and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/dhcp b/cookbooks/nomad/files/opt/cni/bin/dhcp
deleted file mode 100644
index f62339a..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/dhcp and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/firewall b/cookbooks/nomad/files/opt/cni/bin/firewall
deleted file mode 100644
index 27e5ecf..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/firewall and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/host-device b/cookbooks/nomad/files/opt/cni/bin/host-device
deleted file mode 100644
index 082489a..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/host-device and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/host-local b/cookbooks/nomad/files/opt/cni/bin/host-local
deleted file mode 100644
index 7c75ff5..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/host-local and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/ipvlan b/cookbooks/nomad/files/opt/cni/bin/ipvlan
deleted file mode 100644
index a2e8186..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/ipvlan and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/loopback b/cookbooks/nomad/files/opt/cni/bin/loopback
deleted file mode 100644
index 56a107d..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/loopback and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/macvlan b/cookbooks/nomad/files/opt/cni/bin/macvlan
deleted file mode 100644
index 36608de..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/macvlan and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/portmap b/cookbooks/nomad/files/opt/cni/bin/portmap
deleted file mode 100644
index ca96b93..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/portmap and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/ptp b/cookbooks/nomad/files/opt/cni/bin/ptp
deleted file mode 100644
index 14c2023..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/ptp and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/sbr b/cookbooks/nomad/files/opt/cni/bin/sbr
deleted file mode 100644
index ff97bbc..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/sbr and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/static b/cookbooks/nomad/files/opt/cni/bin/static
deleted file mode 100644
index e28d72b..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/static and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/tuning b/cookbooks/nomad/files/opt/cni/bin/tuning
deleted file mode 100644
index 1e0aed5..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/tuning and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/vlan b/cookbooks/nomad/files/opt/cni/bin/vlan
deleted file mode 100644
index 339243e..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/vlan and /dev/null differ
diff --git a/cookbooks/nomad/files/opt/cni/bin/vrf b/cookbooks/nomad/files/opt/cni/bin/vrf
deleted file mode 100644
index a6f5709..0000000
Binary files a/cookbooks/nomad/files/opt/cni/bin/vrf and /dev/null differ
diff --git a/cookbooks/nomad/install.rb b/cookbooks/nomad/install.rb
index 86657b1..ad66f2e 100644
--- a/cookbooks/nomad/install.rb
+++ b/cookbooks/nomad/install.rb
@@ -7,7 +7,7 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
 end
 
 # Retrieve the Ubuntu code:
-DIST = run_command('lsb_release -cs').stdout.chomp
+DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
 
 # Deploy the `apt` sources:
 template '/etc/apt/sources.list.d/hashicorp.list' do
diff --git a/cookbooks/nomad/setup.rb b/cookbooks/nomad/setup.rb
index 0f8ceb0..8d47978 100644
--- a/cookbooks/nomad/setup.rb
+++ b/cookbooks/nomad/setup.rb
@@ -1,5 +1,6 @@
 # Kernel parameters:
 execute 'modprobe br_netfilter'
+execute 'modprobe bridge'
 
 remote_file '/etc/sysctl.d/90-nomad.conf' do
   owner 'root'
diff --git a/cookbooks/prometheus-exporters/attributes.rb b/cookbooks/prometheus-exporters/attributes.rb
index d39fc78..065f0f6 100644
--- a/cookbooks/prometheus-exporters/attributes.rb
+++ b/cookbooks/prometheus-exporters/attributes.rb
@@ -3,23 +3,12 @@
 # -------------------------------------------
 node.reverse_merge!({
   'node_exporter' => {
-    'url' => 'https://github.com/prometheus/node_exporter/releases/download/',
-    'prefix' => 'node_exporter-',
-    'postfix' => '.linux-amd64.tar.gz',
+    'url' => 'prometheus/node_exporter',
     'storage' => '/opt/node_exporter/bin/',
     'location' => '/usr/local/bin/'
   },
-  'blackbox_exporter' => {
-    'url' => 'https://github.com/prometheus/blackbox_exporter/releases/download/',
-    'prefix' => 'blackbox_exporter-',
-    'postfix' => '.linux-amd64.tar.gz',
-    'storage' => '/opt/blackbox_exporter/bin/',
-    'location' => '/usr/local/bin/'
-  },
   'filestat_exporter' => {
-    'url' => 'https://github.com/michael-doubez/filestat_exporter/releases/download/',
-    'prefix' => 'filestat_exporter-',
-    'postfix' => '.linux-amd64.tar.gz',
+    'url' => 'michael-doubez/filestat_exporter',
     'storage' => '/opt/filestat_exporter/',
     'location' => '/usr/local/bin/'
   },
diff --git a/cookbooks/prometheus-exporters/exporter_proxy.rb b/cookbooks/prometheus-exporters/exporter_proxy.rb
index 9893c30..9a95f50 100644
--- a/cookbooks/prometheus-exporters/exporter_proxy.rb
+++ b/cookbooks/prometheus-exporters/exporter_proxy.rb
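Review bot: `execute 'modprobe bridge'` placed after `execute 'modprobe br_netfilter'` is redundant, because `br_netfilter` depends on `bridge` and modprobe loads that dependency when the first line runs; if the point is that `bridge` be present in its own right, it belongs before `br_netfilter`. Neither line survives a reboot, so the settings in `/etc/sysctl.d/90-nomad.conf` deployed below (presumably the bridge-nf-call keys — the file is not visible here) can fail to apply at boot; a `file '/etc/modules-load.d/nomad.conf'` listing `bridge` and `br_netfilter` makes the loading persistent, and the two executes could then carry `not_if 'lsmod | grep -q "^br_netfilter"'` so they stop re-running on every converge.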
@@ -3,9 +3,7 @@ BIN = '/usr/local/bin/exporter_proxy'
 CONFDIR = '/etc/prometheus_exporters.d/exporter_proxy/'
 CONF = 'config.yml'
 
-execute "wget #{URL} -O #{BIN}" do
-  not_if "test -e #{BIN}"
-end
+execute "eget rrreeeyyy/exporter_proxy --to /usr/local/bin/ --upgrade-only"
 
 file BIN do
   user 'root'
diff --git a/cookbooks/prometheus-exporters/filestat_exporter_install.rb b/cookbooks/prometheus-exporters/filestat_exporter_install.rb
index 4071040..e306443 100644
--- a/cookbooks/prometheus-exporters/filestat_exporter_install.rb
+++ b/cookbooks/prometheus-exporters/filestat_exporter_install.rb
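Review bot: Replacing the `wget … not_if "test -e #{BIN}"` pair with an unconditional `execute "eget rrreeeyyy/exporter_proxy --to /usr/local/bin/ --upgrade-only"` means every converge now calls out to GitHub, where the old guard only did so when the binary was missing; `--upgrade-only` avoids rewriting the file but not the network round-trip, and a converge with no route to GitHub now fails at this resource. If the `URL` constant is still defined above this hunk (the removed line was its only visible use) it is now dead and should go. A `not_if "test -e #{BIN}"` on the new execute restores the previous behaviour; if automatic upgrades are the goal instead, a pinned `--tag` keeps them deliberate.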
@@ -1,53 +1,20 @@
-filestat_exporter_url = ''
-filestat_exporter_bin = ''
-
-vtag = ''
-
-# Calculate the Download URL:
-begin
-  require 'net/http'
-
-  uri = URI.parse('https://github.com/michael-doubez/filestat_exporter/releases/latest')
-
-  Timeout.timeout(3) do
-    response = Net::HTTP.get_response(uri)
-
-    vtag = $1 if response['location'] =~ %r{tag\/(v\d+\.\d+\.\d+)}
-
-    filestat_exporter_bin = "#{node['filestat_exporter']['prefix']}#{vtag}#{node['filestat_exporter']['postfix']}"
-    filestat_exporter_url = "#{node['filestat_exporter']['url']}/#{vtag}/#{filestat_exporter_bin}"
-  end
-rescue
-  # Abort the chef client process:
-  raise 'Cannot connect to http://github.com.'
+# Install:
+directory node['filestat_exporter']['storage'] do
+  owner 'root'
+  group 'root'
+  mode '755'
 end
 
-# バージョン確認して、アップデート必要かどうか確認
-result = run_command("filestat_exporter --version 2>&1 | grep #{vtag}", error: false)
-if result.exit_status != 0
-  # Download:
-  TMP = "/tmp/#{filestat_exporter_bin}"
+execute "eget #{node['filestat_exporter']['url']} --to #{node['filestat_exporter']['storage']}"
 
-  execute "wget #{filestat_exporter_url} -O #{TMP}"
-
-  # Install:
-  directory node['filestat_exporter']['storage'] do
-    owner 'root'
-    group 'root'
-    mode '755'
-  end
-
-  execute "tar zxf #{TMP} -C #{node['filestat_exporter']['storage']} --strip-components 1"
-
-  # Change Owner and Permissions:
-  file "#{node['filestat_exporter']['storage']}filestat_exporter" do
-    owner 'root'
-    group 'root'
-    mode '755'
-  end
-
-  # Create Link
-  link "#{node['filestat_exporter']['location']}filestat_exporter" do
-    to "#{node['filestat_exporter']['storage']}filestat_exporter"
-  end
+# Change Owner and Permissions:
+file "#{node['filestat_exporter']['storage']}filestat_exporter" do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Create Link
+link "#{node['filestat_exporter']['location']}filestat_exporter" do
+  to "#{node['filestat_exporter']['storage']}filestat_exporter"
 end
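Review bot: The new `execute "eget #{node['filestat_exporter']['url']} --to #{node['filestat_exporter']['storage']}"` has no `--upgrade-only`, unlike the node_exporter recipe later in this diff and the other eget calls, so it downloads and rewrites the binary on every converge; the version comparison the removed code did is gone as well, so nothing skips the fetch any more. Adding `--upgrade-only` brings it in line with node_exporter_install.rb, and a pinned `--tag` would make the result deterministic across hosts. Since eget writes the file before the `file` resource below resets owner and `mode '755'`, a comment such as `# eget extracts the binary here; ownership and mode are normalised below` would explain why the two resources are both needed.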
diff --git a/cookbooks/prometheus-exporters/node_exporter_install.rb b/cookbooks/prometheus-exporters/node_exporter_install.rb
index 6229c45..34e2c45 100644
--- a/cookbooks/prometheus-exporters/node_exporter_install.rb
+++ b/cookbooks/prometheus-exporters/node_exporter_install.rb
@@ -1,55 +1,20 @@
-node_exporter_url = ''
-node_exporter_bin = ''
-
-tag = ''
-vtag = ''
-
-# Calculate the Download URL:
-begin
-  require 'net/http'
-
-  uri = URI.parse('https://github.com/prometheus/node_exporter/releases/latest')
-
-  Timeout.timeout(3) do
-    response = Net::HTTP.get_response(uri)
-
-    vtag = $1 if response['location'] =~ %r{tag\/(v\d+\.\d+\.\d+)}
-    tag = vtag.sub(/^v/, '')
-
-    node_exporter_bin = "#{node['node_exporter']['prefix']}#{tag}#{node['node_exporter']['postfix']}"
-    node_exporter_url = "#{node['node_exporter']['url']}/#{vtag}/#{node_exporter_bin}"
-  end
-rescue
-  # Abort the chef client process:
-  raise 'Cannot connect to http://github.com.'
+# Install:
+directory node['node_exporter']['storage'] do
+  owner 'root'
+  group 'root'
+  mode '755'
 end
 
-# バージョン確認して、アップデート必要かどうか確認
-result = run_command("node_exporter --version 2>&1 | grep #{tag}", error: false)
-if result.exit_status != 0
-  # Download:
-  TMP = "/tmp/#{node_exporter_bin}"
+execute "eget #{node['node_exporter']['url']} --to #{node['node_exporter']['storage']} --upgrade-only"
 
-  execute "wget #{node_exporter_url} -O #{TMP}"
-
-  # Install:
-  directory node['node_exporter']['storage'] do
-    owner 'root'
-    group 'root'
-    mode '755'
-  end
-
-  execute "tar zxf #{TMP} -C #{node['node_exporter']['storage']} --strip-components 1"
-
-  # Change Owner and Permissions:
-  file "#{node['node_exporter']['storage']}node_exporter" do
-    owner 'root'
-    group 'root'
-    mode '755'
-  end
-
-  # Create Link
-  link "#{node['node_exporter']['location']}node_exporter" do
-    to "#{node['node_exporter']['storage']}node_exporter"
-  end
+# Change Owner and Permissions:
+file "#{node['node_exporter']['storage']}node_exporter" do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# Create Link
+link "#{node['node_exporter']['location']}node_exporter" do
+  to "#{node['node_exporter']['storage']}node_exporter"
 end
diff --git a/cookbooks/vault/attributes.rb b/cookbooks/vault/attributes.rb
index 0bcaa8b..9fb9c16 100644
--- a/cookbooks/vault/attributes.rb
+++ b/cookbooks/vault/attributes.rb
@@ -3,7 +3,7 @@
 # -------------------------------------------
 
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04", "22.04"
+when "20.04", "22.04", "24.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"
@@ -21,6 +21,6 @@ node.reverse_merge!({
     'manager' => false,
     'ipaddr' => ipaddr,
     'hostname' => hostname,
-    'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'],
+    'ips' => ['192.168.10.140', '192.168.10.141', '192.168.10.142'],
   }
 })
diff --git a/cookbooks/vault/files/etc/vault.d/vault.env b/cookbooks/vault/files/etc/vault.d/vault.env
new file mode 100644
index 0000000..bb3ed57
--- /dev/null
+++ b/cookbooks/vault/files/etc/vault.d/vault.env
@@ -0,0 +1,5 @@
+md5:cb234b386c1601dc3c6bf1072c00a441:salt:123-90-76-221-9-96-59-101:aes-256-cfb:SfQ2qhmH163jZgh9yequT6JyUCNfaCYW1Ch6BDE6Lid8fj6xcwWYLLTycXhs
+o0y3Wvf3lgt3rHQy6J2tPuSahbtMcZwcBUp6jblNahBJW5yw1pUR/cLNXruy
+J3/LLbA2BPBb+l2TAzVfUTNHKdPY7Z1hZ2hcSgf7uK6cCoSHrPGF1jePQx7+
+Ys1sJLsg0M7jUXUiHrNZGdf5ShR0oeyQ+1tFYu9bMVn/EnJHoTtrL6Zbrb8b
+14YmdtqwhuY46L+wTE2nmWqBUdCYCnlta8RHzgnXxWQRLnnEZ356oW+WIQ==
\ No newline at end of file
diff --git a/cookbooks/vault/install.rb b/cookbooks/vault/install.rb
index ec1e3f7..eb74047 100644
--- a/cookbooks/vault/install.rb
+++ b/cookbooks/vault/install.rb
@@ -7,12 +7,15 @@ execute "wget -O- #{SRC} | gpg --dearmor -o #{DEST}" do
 end
 
 # Retrieve the Ubuntu code:
-DIST = run_command('lsb_release -cs').stdout.chomp
+DIST = run_command('lsb_release -cs 2>/dev/null').stdout.chomp
 
 # Deploy the `apt` sources:
 template '/etc/apt/sources.list.d/hashicorp.list' do
   action :create
   variables(distribution: DIST)
+
+  owner 'root'
+  group 'root'
 end
 
 execute 'apt update' do
diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb
index 6ae000d..222d87d 100644
--- a/cookbooks/vault/setup.rb
+++ b/cookbooks/vault/setup.rb
@@ -2,9 +2,21 @@ template '/etc/vault.d/vault.hcl' do
   owner 'vault'
   group 'vault'
-  mode '644'
+  mode '600'
 
   variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
 
+
+  notifies :restart, 'service[vault]'
+end
+
+encrypted_remote_file '/etc/vault.d/vault.env' do
+  owner 'vault'
+  group 'vault'
+  mode '600'
+  source 'files/etc/vault.d/vault.env'
+  password ENV['ITAMAE_PASSWORD']
+
+  notifies :restart, 'service[vault]'
 end
 
 directory '/etc/vault.d/policies' do
@@ -26,3 +38,18 @@ remote_file '/etc/logrotate.d/vault' do
   group 'root'
   mode '644'
 end
+
+
+%w(8200 8201).each do |port|
+  execute "ufw allow #{port}" do
+    user 'root'
+
+    not_if "LANG=c ufw status | grep #{port}"
+
+    notifies :run, 'execute[ufw reload-or-enable]'
+  end
+end
+
+service 'vault' do
+  action [:enable, :start]
+end
diff --git a/cookbooks/vault/templates/etc/vault.d/vault.hcl b/cookbooks/vault/templates/etc/vault.d/vault.hcl
index eccbb78..af237d7 100644
--- a/cookbooks/vault/templates/etc/vault.d/vault.hcl
+++ b/cookbooks/vault/templates/etc/vault.d/vault.hcl
@@ -1,15 +1,15 @@
 ui = true
-
 disable_mlock = true
 
-# service_registration "consul" {
-#   address = "127.0.0.1:8500"
-#   token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8"
-# }
+service_registration "consul" {
+  address = "127.0.0.1:8500"
+  token = "63c7eb0b-3e39-95e8-9c70-6e42885cb8f8"
+}
 
 storage "raft" {
   path = "/opt/vault/data"
   node_id = "<%= @HOSTNAME %>"
+
   <% @IPS.each do |ip| %>
   retry_join {
     leader_api_addr = "http://<%= ip %>:8200"
@@ -18,7 +18,7 @@ storage "raft" {
 }
 
 api_addr = "http://<%= @IPADDR %>:8200"
-cluster_addr = "http://<%= @IPADDR %>::8201"
+cluster_addr = "http://<%= @IPADDR %>:8201"
 
 # HTTPS listener
 listener "tcp" {
diff --git a/cookbooks/vector/attributes.rb b/cookbooks/vector/attributes.rb
index 8c312fd..94f2d5a 100644
--- a/cookbooks/vector/attributes.rb
+++ b/cookbooks/vector/attributes.rb
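Review bot: `execute "ufw allow #{port}"` for 8200 and 8201 opens the Vault API and raft cluster ports to every source on every interface, although `node['vault']['ips']` in attributes.rb already names the peers; restricting the rule to those peers (and, for 8200, to the client network) with `ufw allow from <peer-or-client-range> to any port #{port} proto tcp` keeps the cluster port from being reachable by anything that can route to the host. The `not_if "LANG=c ufw status | grep #{port}"` guard is loose: `LANG=c` looks like a typo for `LANG=C`, and an unanchored `grep 8200` also matches an unrelated rule such as one for 18200, so anchoring on the port column is safer. In the first hunk, `notifies :restart, 'service[vault]'` on the template and on `encrypted_remote_file` refers to `service 'vault'`, which is only declared in the second hunk further down — confirm Itamae accepts the forward reference. Tightening vault.hcl to `mode '600'` and moving the secret material into the encrypted `vault.env` are both improvements.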
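Review bot: The uncommented `service_registration "consul"` block carries a Consul ACL `token` literal in a template committed in plain text, in the same commit that introduces an encrypted `vault.env` precisely for secrets; the `token` line should leave the template (Vault's consul service registration also reads the token from the `CONSUL_HTTP_TOKEN` environment variable, so the encrypted env file can carry it) and the value now in git history should be treated as exposed and rotated. The comment `# HTTPS listener` sits above a listener while `api_addr`, `cluster_addr` and `leader_api_addr` all use `http://`, so either the comment or the scheme is off — the listener body is outside the hunk, confirm which. The `::8201` to `:8201` correction in the second hunk is right and presumably fixes a cluster address that never parsed.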
@@ -2,7 +2,7 @@
 # Specifying the default settings:
 # -------------------------------------------
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04", "22.04"
+when "20.04", "22.04", "24.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"