Загрузка данных
BR-SRV:
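# BR-SRV: install the Samba AD DC and stop every service that would conflict with it
apt-get update && apt-get install -y task-samba-dc
# smb/nmb/krb5kdc/slapd/bind are all provided by the built-in AD DC process
for service in smb nmb krb5kdc slapd bind; do
  systemctl disable --now "$service"
done
# start from a clean state: provisioning must not find an old smb.conf or database
rm -f /etc/samba/smb.conf
rm -rf /var/lib/samba /var/cache/samba
mkdir -p /var/lib/samba/sysvol
# interactive; the note below says to give hq-srv's IP at one of the prompts
# (presumably the DNS forwarder question — confirm against the task text)
samba-tool domain provision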
(указать IP-адрес hq-srv)
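# BR-SRV: bring the DC up, point it at its own DNS and create the hq group + users
systemctl enable --now samba
# provisioning wrote a krb5.conf for the new realm; make it the system-wide one
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl restart samba
# resolv.conf is kept per interface under /etc/net/ifaces on this system;
# the DC resolves through itself (127.0.0.1)
printf 'search au-team.irpo\nnameserver 127.0.0.1\n' > /etc/net/ifaces/enp7s1/resolv.conf
systemctl restart network
# asks for the administrator password chosen during provisioning
kinit administrator@AU-TEAM.IRPO
samba-tool group add hq
# NOTE: the password is a command-line argument, so it is visible in `ps` and in the
# shell history on the DC while these run; the value is the one the task prescribes.
for i in {1..5}; do
  samba-tool user add "hquser$i" P@ssw0rd
  samba-tool user setexpiry "hquser$i" --noexpiry
  samba-tool group addmembers hq "hquser$i"
done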
HQ-CLI:
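# HQ-CLI: AD client via SSSD, plus limited passwordless sudo for the hq group
host au-team.irpo   # DNS check: the DC must be resolvable before the join packages go in
apt-get update && apt-get install -y task-auth-ad-sssd
apt-get install -y libnss-role
# libnss-role: members of the AD group "hq" also receive the local wheel group
roleadd hq wheel
# Edit sudoers through visudo (it syntax-checks before saving; a broken sudoers
# locks everyone out) and add these two lines:
#   Cmnd_Alias SHELLCMD = /bin/cat, /bin/grep, /bin/id
#   WHEEL_USERS ALL=(ALL:ALL) NOPASSWD: SHELLCMD
# NOPASSWD is scoped to the three listed binaries only; keep the alias that narrow.
EDITOR=nano visudo
visudo -c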
HQ-SRV:
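# HQ-SRV: RAID0 (striping only, no redundancy) over sdb+sdc, mounted at /raid
apt-get update && apt-get install -y mdadm
lsblk
mdadm --zero-superblock --force /dev/sdb /dev/sdc
# fixed: the original spelled the second device with a Cyrillic 'с' (/dev/sdс),
# which is a different, non-existent path
mdadm --create --verbose /dev/md0 -l 0 -n 2 /dev/sdb /dev/sdc
# persist the array definition so md0 assembles on boot
mdadm --detail --scan --verbose | tee -a /etc/mdadm.conf
mkfs.ext4 /dev/md0
mkdir -p /raid
echo "/dev/md0 /raid ext4 defaults 0 0" >> /etc/fstab
mount -av
lsblk
cat /etc/mdadm.conf   # fixed: '/et c/'
blkid /dev/md0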
HQ-SRV:
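# HQ-SRV: export /raid/nfs to the HQ client network
apt-get install -y nfs-server nfs-utils
mkdir -p /raid/nfs
# world-writable as the task requires; combined with no_root_squash below, root on a
# client is root inside this directory, so the network/mask in exports is the only
# limit on who gets that — keep it to the HQ-CLI subnet, not 0.0.0.0/0
chmod 777 /raid/nfs
# replace the placeholder with the HQ client network in address/mask form;
# no spaces inside the option list (exports treats a space as a new entry)
echo "/raid/nfs <СЕТЬ-КЛИЕНТА-HQ/маска>(rw,no_root_squash)" > /etc/exports
exportfs -arv
systemctl enable --now nfs-server.service   # fixed: '–now' used an en dash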
HQ-CLI:
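# HQ-CLI: mount the HQ-SRV export (root shell)
su -
mkdir -p /mnt/nfs
# this mode applies to the empty mountpoint only; once mounted, access is governed
# by the exported directory's permissions and the export options
chmod -R 777 /mnt/nfs
# replace the placeholder with hq-srv's address; _netdev delays the mount until
# the network is up
echo "<адрес-hq-srv>:/raid/nfs /mnt/nfs nfs defaults,_netdev 0 0" >> /etc/fstab
mount -av
df -h
# round-trip check through the mount
echo "Hello" > /mnt/nfs/test.txt
cat /mnt/nfs/test.txt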
ISP:
# ISP: lab time source. Upstream is the public server; 'local stratum 5' keeps
# serving time when the upstream is unreachable. 'allow 0.0.0.0/0' accepts NTP
# clients from any address that can reach this host.
sed -i -e 's/^pool/#pool/' /etc/chrony.conf
printf '%s\n' \
  'server ntp0.ntp-servers.net iburst prefer minstratum 4' \
  'local stratum 5' \
  'allow 0.0.0.0/0' >> /etc/chrony.conf
systemctl restart chronyd
chronyc tracking
HQ-RTR:
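# HQ-RTR: take time from ISP (172.16.1.1) instead of the public pool
sed -i 's/^pool/#pool/' /etc/chrony.conf
echo "server 172.16.1.1 iburst" >> /etc/chrony.conf   # fixed: 'Echo' is not a command
systemctl restart chronyd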
(интерфейс к isp)
BR-RTR:
# BR-RTR: use ISP (172.16.2.1) as the only time source
sed -i -e 's/^pool/#pool/' /etc/chrony.conf
printf '%s\n' 'server 172.16.2.1 iburst' >> /etc/chrony.conf
systemctl restart chronyd
HQ-SRV:
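# HQ-SRV: take time from ISP (172.16.1.1) instead of the public pool
sed -i 's/^pool/#pool/' /etc/chrony.conf
echo "server 172.16.1.1 iburst" >> /etc/chrony.conf   # fixed: 'Echo' is not a command
systemctl restart chronyd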
BR-SRV:
# BR-SRV: use ISP (172.16.2.1) as the only time source
sed -i -e 's/^pool/#pool/' /etc/chrony.conf
printf '%s\n' 'server 172.16.2.1 iburst' | tee -a /etc/chrony.conf >/dev/null
systemctl restart chronyd
HQ-CLI:
# HQ-CLI: use ISP (172.16.1.1) as the only time source, then list the sources
sed -i -e 's/^pool/#pool/' /etc/chrony.conf
printf '%s\n' 'server 172.16.1.1 iburst' >> /etc/chrony.conf
systemctl restart chronyd
chronyc sources
BR-SRV:
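# BR-SRV: Ansible control node for the HQ and BR hosts
apt-get update && apt-get install -y ansible sshpass   # fixed: '–y' (en dash) → '-y'
apt-get install -y python3-module-pip
pip3 install ansible-pylibssh
# host_key_checking = False is a lab shortcut: SSH host keys are not verified, so a
# host answering with a different key is accepted silently. Outside the lab keep it
# on and pre-seed known_hosts instead.
cat <<'EOF' > /etc/ansible/ansible.cfg
[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False
EOF
# NOTE: the inventory holds the account passwords in clear text; ansible-vault is
# the usual way to keep them out of a plain file. Restricting the file to root
# at least keeps them from other local users.
cat <<'EOF' > /etc/ansible/hosts
HQ-SRV ansible_host=192.168.100.2 ansible_user=sshuser ansible_password=P@ssw0rd ansible_port=2026
HQ-CLI ansible_host=192.168.200.2 ansible_user=user ansible_password=resu
HQ-RTR ansible_host=10.10.10.1 ansible_user=user ansible_password=resu
BR-RTR ansible_host=192.168.0.1 ansible_user=user ansible_password=resu
[all:vars]
ansible_python_interpreter=/usr/bin/python3
EOF
# fixed: the BR-RTR entry above was spelled with a Cyrillic 'В' in the original
chmod 600 /etc/ansible/hosts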
BR-SRV:
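# BR-SRV: run the site and its MariaDB from the images shipped on the ISO
apt-get install -y docker-engine docker-compose-v2   # fixed: '–y' (en dash)
systemctl enable --now docker.service
mount /dev/sr0 /mnt/
docker load < /mnt/docker/site_latest.tar
docker load < /mnt/docker/mariadb_latest.tar
docker image ls   # fixed: 'docker image is'; the tags shown here must match compose.yaml
# quoted delimiter so nothing in the YAML is expanded by the shell.
# Fixed against the original notes: indentation (the YAML was flat), 'mariadb: 10.11'
# (space makes it an invalid image reference), an unterminated MARIADB_PASSWORD quote,
# and '-"8080:8000"' (missing space after the list dash).
cat <<'EOF' > compose.yaml
services:
  database:
    container_name: db
    image: mariadb:10.11
    restart: always
    ports:
      - "3306:3306"   # published on every host interface; the app reaches it via the host IP below
    environment:
      MARIADB_DATABASE: "testdb"
      MARIADB_USER: "testc"
      MARIADB_PASSWORD: "P@ssw0rd"
      MARIADB_ROOT_PASSWORD: "toor"
  app:
    container_name: testapp
    image: site:latest
    restart: always
    ports:
      - "8080:8000"
    environment:
      DB_TYPE: "maria"
      DB_HOST: "192.168.0.2"
      DB_PORT: "3306"
      DB_NAME: "testdb"
      DB_USER: "testc"
      DB_PASS: "P@ssw0rd"
    depends_on:
      - database
EOF
docker compose up -d
docker compose ps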
проверка с HQ-CLI: 192.168.0.2:8080
HQ-SRV:
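# HQ-SRV: LAMP site from the ISO, backed by a local MariaDB
apt-get install -y lamp-server   # fixed: '–y' (en dash)
mount /dev/sr0 /mnt/
cp /mnt/web/index.php /mnt/web/logo.png /var/www/html/
# set the DB credentials in index.php; the three assignments must read:
#   $username = "webc";
#   $password = "P@ssw0rd";
#   $dbname = "webdb";
vi /var/www/html/index.php
systemctl enable --now mariadb
# fixed: the original used typographic quotes (‘ ’) and en-dash options (–u),
# which MariaDB and the shell do not accept
mariadb -u root <<'EOF'
CREATE DATABASE webdb;
CREATE USER 'webc'@'localhost' IDENTIFIED BY 'P@ssw0rd';
-- WITH GRANT OPTION lets webc hand its rights to other accounts; the site only
-- needs ALL on webdb.* (kept as the task states it)
GRANT ALL PRIVILEGES ON webdb.* TO 'webc'@'localhost' WITH GRANT OPTION;
EOF
# -p with no value prompts for the password instead of leaving it in argv/history
mariadb -u webc -p -D webdb < /mnt/web/dump.sql
systemctl enable --now httpd2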
192.168.100.2
HQ-RTR:
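# HQ-RTR: publish HQ-SRV's SSH (2026) and web (8080) on the ISP-facing interface
iptables -t nat -A PREROUTING -i enp7s3 -p tcp --dport 2026 -j DNAT --to-destination 192.168.100.2:2026
iptables -t nat -A PREROUTING -i enp7s3 -p tcp --dport 8080 -j DNAT --to-destination 192.168.100.2:8080
# '>' not '>>': iptables-save dumps the complete current ruleset, so appending a
# second dump makes iptables-restore add every rule twice on the next boot
iptables-save > /etc/sysconfig/iptables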
BR-RTR:
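# BR-RTR: publish BR-SRV's SSH (2026) and the docker site (8080) on the ISP-facing interface
iptables -t nat -A PREROUTING -i enp7s3 -p tcp --dport 2026 -j DNAT --to-destination 192.168.0.2:2026
iptables -t nat -A PREROUTING -i enp7s3 -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:8080
# '>' not '>>': iptables-save dumps the complete current ruleset, so appending a
# second dump makes iptables-restore add every rule twice on the next boot
iptables-save > /etc/sysconfig/iptables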
ISP:
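# ISP: plain-HTTP reverse proxy in front of the two sites
apt-get install -y nginx
# fixed: the original wrote the file to 'siters-available.d' while the symlink below
# pointed at 'sites-available.d', so the vhost was never enabled
cat <<'EOF' > /etc/nginx/sites-available.d/default.conf
server {
    listen 80;
    server_name web.au-team.irpo;
    location / {
        proxy_pass http://172.16.1.2:8080;
    }
}
server {
    listen 80;
    server_name docker.au-team.irpo;
    location / {
        proxy_pass http://172.16.2.2:8080;
    }
}
EOF
# -f: replace an already existing default.conf link instead of failing on it
ln -sf /etc/nginx/sites-available.d/default.conf /etc/nginx/sites-enabled.d/
systemctl enable --now nginx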
HQ-CLI:
• Настраиваем файл /etc/hosts
# HQ-CLI: static names for the two ISP vhosts (root shell needed for /etc/hosts)
su -
printf '%s\n' \
  '172.16.1.1 web.au-team.irpo' \
  '172.16.2.1 docker.au-team.irpo' >> /etc/hosts
exit
ISP:
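# ISP: HTTP basic auth on the web vhost
apt-get install -y apache2-htpasswd
# -c creates the file (and overwrites one that already exists); prompts for WEB's password
htpasswd -c /etc/nginx/.htpasswd WEB   # fixed: '–c' (en dash)
# fixed: 'siters-available.d' path and 'aut_basic_user_file' directive.
# NOTE: on port 80 the credentials travel in clear text; the later step in these
# notes moves the vhost to 443, which is what makes the auth meaningful.
cat <<'EOF' > /etc/nginx/sites-available.d/default.conf
server {
    listen 80;
    server_name web.au-team.irpo;
    location / {
        proxy_pass http://172.16.1.2:8080;
        auth_basic "Restricted area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
server {
    listen 80;
    server_name docker.au-team.irpo;
    location / {
        proxy_pass http://172.16.2.2:8080;
    }
}
EOF
systemctl restart nginx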
HQ-CLI:
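# HQ-CLI: install the browser used to check the sites (root shell).
# fixed: the original was a terminal transcript with prompts, not commands.
su -
apt-get update && apt-get install -y yandex-browser-stable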
Модуль 3
BR-SRV:
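# BR-SRV: inspect the user CSV on the ISO before importing it
mount /dev/sr0 /mnt/
wc -l /mnt/Users.csv          # line count (includes the header line)
head -n1 /mnt/Users.csv       # fixed: '/mny/'
# column count: ';' separators in the header line, plus one
head -n1 /mnt/Users.csv | tr -cd ';' | wc -c | awk '{print $1+1}'
# distinct values of the 5th column — the OUs the import script will create
awk -F ';' 'NR>1 {print $5}' /mnt/Users.csv | sort -u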
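# BR-SRV: bulk-create OUs and users from the CSV (written as a heredoc so the
# step is reproducible instead of an interactive nano session)
cat > import_user.sh <<'EOF'
#!/bin/bash
# Usage: ./import_user.sh /path/to/Users.csv
# CSV: ';'-separated, first line is a header; fields in order:
#   firstName lastName role phone ou street zip city country password
csv_file="$1"   # fixed: was assigned as 'csu_file' but read as 'csv_file'
[ -n "$csv_file" ] || { echo "usage: $0 Users.csv" >&2; exit 1; }

# Create one OU per distinct value of the 5th column
awk -F ';' 'NR>1 {print $5}' "$csv_file" | sort -u | while IFS= read -r ou; do
  samba-tool ou add "OU=$ou,DC=au-team,DC=irpo"
done

# Create users; the login is first.last in lower case
while IFS=';' read -r firstName lastName role phone ou street zip city country password; do
  # skip the header row
  if [ "$firstName" == "First Name" ]; then
    continue
  fi
  username="${firstName,,}.${lastName,,}"
  # the CSV password column is not used: every account gets the fixed initial
  # password the task prescribes (it is visible in argv while samba-tool runs)
  samba-tool user add "$username" P@ssw0rd1 \
    --given-name="$firstName" \
    --surname="$lastName" \
    --telephone-number="$phone" \
    --job-title="$role" \
    --userou="OU=$ou"
  samba-tool user setexpiry "$username" --noexpiry
done < "$csv_file"
EOF
chmod +x import_user.sh
./import_user.sh /mnt/Users.csv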
HQ-SRV:
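# HQ-SRV: local GOST CA plus two server certificates (30-day validity)
apt-get install -y openssl-gost-engine
control openssl-gost enabled
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:TCB -out ca.key
# -subj replaces the interactive prompts of the original: C=RU, O=au-team.irpo,
# CN=hq-srv.au-team.irpo (the '.' answers left ST, L, OU and e-mail empty)
openssl req -new -x509 -md_gost12_256 -days 30 -key ca.key \
  -subj "/C=RU/O=au-team.irpo/CN=hq-srv.au-team.irpo" -out ca.cer
for name in web.au-team.irpo docker.au-team.irpo; do
  openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out "$name.key"
  # fixed: the original built both CSRs with 'gost.example.com.key', a file never
  # generated here; each CSR has to be made with its own key or the certificate
  # will not match the key nginx is given
  openssl req -new -md_gost12_256 -key "$name.key" \
    -subj "/C=RU/O=au-team.irpo/CN=$name" -out "$name.csr"
  openssl x509 -req -in "$name.csr" -CA ca.cer -CAkey ca.key -CAcreateserial \
    -out "$name.cer" -days 30
done
# Root SSH login is needed for the scp that follows — on the RECEIVING host
# (root@172.16.1.1, i.e. ISP), not on HQ-SRV; apply this there and set it back to
# 'no' once the files are across. The original typed 'PermitRoologin'.
if grep -q '^#\?PermitRootLogin' /etc/openssh/sshd_config; then
  sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/openssh/sshd_config
else
  echo "PermitRootLogin yes" >> /etc/openssh/sshd_config
fi
systemctl restart sshd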
HQ-SRV:
# HQ-SRV: hand the two key/certificate pairs to ISP (one scp, one prompt, per file)
for artefact in web.au-team.irpo.key web.au-team.irpo.cer \
                docker.au-team.irpo.key docker.au-team.irpo.cer; do
  scp "$artefact" root@172.16.1.1:~/
done
ISP:
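# ISP: move both vhosts to HTTPS with the GOST certificates copied from HQ-SRV
apt-get install -y openssl-gost-engine
control openssl-gost enabled
mkdir -p /etc/nginx/ssl
cp web.au-team.irpo.* docker.au-team.irpo.* /etc/nginx/ssl
# private keys readable by root only
chmod 600 /etc/nginx/ssl/*.key
# Quoted delimiter: $host, $remote_addr, $scheme must reach nginx unexpanded.
# The original notes had this file garbled (missing braces for the second server,
# ':' where ';' belongs, 'location' without '/', a split X-Forwarded-For line);
# this is the reconstructed content.
cat <<'EOF' > /etc/nginx/sites-available.d/default.conf
server {
    listen 443 ssl;
    server_name web.au-team.irpo;
    ssl_certificate /etc/nginx/ssl/web.au-team.irpo.cer;
    ssl_certificate_key /etc/nginx/ssl/web.au-team.irpo.key;
    ssl_ciphers GOST2012-GOST8912-GOST8912:HIGH:MEDIUM;
    # TLSv1/TLSv1.1 are listed as in the task; both are deprecated and current
    # clients only need TLSv1.2
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://172.16.1.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        auth_basic "Restricted area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
server {
    listen 443 ssl;
    server_name docker.au-team.irpo;
    ssl_certificate /etc/nginx/ssl/docker.au-team.irpo.cer;
    ssl_certificate_key /etc/nginx/ssl/docker.au-team.irpo.key;
    ssl_ciphers GOST2012-GOST8912-GOST8912:HIGH:MEDIUM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://172.16.2.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
# validate before restarting so a config error does not take the proxy down
nginx -t && systemctl restart nginx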
HQ-SRV:
# HQ-SRV: give the client the CA certificate (public part only) for its trust store
scp ca.cer "user@192.168.200.2:~/"
HQ-CLI:
# HQ-CLI: add the lab CA to the system trust store
cp /home/user/ca.cer /etc/pki/ca-trust/source/anchors/ \
  && update-ca-trust
HQ-SRV:
# HQ-SRV: CUPS with the PDF printer, shared to remote hosts
apt-get update && apt-get install -y cups cups-pdf
systemctl enable cups
systemctl start cups
# --remote-any exposes the CUPS interface to every address that can reach this host
cupsctl --share-printers --remote-any