

cat > /mnt/user-data/outputs/Script3_fixed.sh << 'ENDOFSCRIPT'
#!/bin/bash

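#######################################
# Turn this host into a NAT gateway: install a minimal nftables ruleset
# that masquerades everything leaving the WAN interface, then switch on
# IPv4 forwarding in etcnet's sysctl file.
# Arguments: $1 - WAN (outbound) interface name, default enp7s1
# Globals:   none
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 if nftables could not be started
#######################################
enable_nat() {
  local oif=${1:-enp7s1}
  local sysctl_conf=/etc/net/sysctl.conf
  # `flush ruleset` discards every nftables table already loaded, so after
  # this the host carries no filtering policy at all — only the NAT table
  # below.  The heredoc is unquoted on purpose so $oif expands.
  cat > /etc/nftables/nftables.nft << EOF
#!/usr/sbin/nft -f
flush ruleset
table ip nat {
 chain postrouting {
  type nat hook postrouting priority srcnat
  oifname "$oif" masquerade
 }
}
EOF
  if ! systemctl enable --now nftables; then
    printf 'enable_nat: nftables failed to start\n' >&2
    return 1
  fi
  # etcnet ships the knob as "net.ipv4.ip_forward = 0"; flip it in place and
  # append the line when the file does not carry it at all (the original
  # sed alone silently did nothing in that case).
  sed -i 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' "$sysctl_conf"
  grep -q '^net.ipv4.ip_forward = 1' "$sysctl_conf" \
    || printf 'net.ipv4.ip_forward = 1\n' >> "$sysctl_conf"
  sysctl -p
  systemctl restart network
}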

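#######################################
# Print a message to stderr and stop the script.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Set KEY=VALUE lines in an etcnet interface's options file.
# An existing line for the same KEY is replaced, other keys are kept, so
# re-running the script does not pile up duplicate lines.
# Arguments: $1 - interface name; $2.. - KEY=VALUE lines
#######################################
iface_options() {
  local dir="/etc/net/ifaces/$1" kv
  shift
  mkdir -p -- "$dir" || die "cannot create $dir"
  touch -- "$dir/options" || die "cannot write $dir/options"
  for kv in "$@"; do
    # keys are literals from this script, never operator input, so they
    # are safe to embed in the sed address
    sed -i "/^${kv%%=*}=/d" -- "$dir/options"
    printf '%s\n' "$kv" >> "$dir/options"
  done
}

#######################################
# Write a one-line etcnet file (ipv4address / ipv4route / resolv.conf).
# Arguments: $1 - interface name; $2 - file name; $3 - content
#######################################
iface_file() {
  local dir="/etc/net/ifaces/$1"
  mkdir -p -- "$dir" || die "cannot create $dir"
  printf '%s\n' "$3" > "$dir/$2"
}

#######################################
# Ask for a hostname and apply it; empty input takes the default that the
# prompt advertises.
# Arguments: $1 - prompt text; $2 - default hostname
#######################################
set_hostname() {
  local name
  read -r -p "$1" name
  name=${name:-$2}
  hostnamectl hostname "$name" || die "hostnamectl failed for $name"
}

#######################################
# Ask for a prefix length (1-32); empty input means 24 as the prompt says.
# Arguments: $1 - prompt text
# Outputs:   the prefix length on stdout (read -p prints to stderr, so the
#            prompt stays visible when the result is captured)
#######################################
ask_mask() {
  local m
  read -r -p "$1" m
  m=${m:-24}
  if ! [[ "$m" =~ ^[0-9]+$ ]] || (( m < 1 || m > 32 )); then
    die "invalid prefix length: $m"
  fi
  printf '%s' "$m"
}

#######################################
# apt-get update + install, failing loudly instead of carrying on with
# missing packages.
# Arguments: package names
#######################################
install_pkgs() {
  apt-get update || die "apt-get update failed"
  apt-get install -y "$@" || die "apt-get install failed: $*"
}

#######################################
# Interactively create the local admin account.
# Arguments: $1 - "uid" to also ask for a fixed UID (HQ-SRV/BR-SRV), else empty
# Globals:   USERNAME (written; harden_sshd reads it for AllowUsers)
#######################################
create_admin() {
  local ask_uid=${1:-} uid_opts=() password uidnum sudoers
  read -r -p "Username: (rtrhino)" USERNAME
  USERNAME=${USERNAME:-rtrhino}
  if [[ -n "$ask_uid" ]]; then
    read -r -p "UID: (1015)" uidnum
    uidnum=${uidnum:-1015}
    [[ "$uidnum" =~ ^[0-9]+$ ]] || die "UID must be numeric: $uidnum"
    uid_opts=(-u "$uidnum")
  fi
  # the prompt shows an example only; an empty password is refused rather
  # than defaulted, so no account ever gets a well-known password by accident
  read -r -s -p "Password: (P@ssw0rd)" password
  printf '\n'
  [[ -n "$password" ]] || die "empty password refused"
  useradd -m "${uid_opts[@]}" "$USERNAME" || die "useradd $USERNAME failed"
  # password goes through stdin, never argv, so it does not show up in ps
  printf '%s:%s\n' "$USERNAME" "$password" | chpasswd || die "chpasswd failed"
  usermod -aG wheel "$USERNAME"
  # NOTE: this grants passwordless root to the whole WHEEL_USERS alias,
  # not only to this account; kept as the author wrote it.  sudo ignores
  # sudoers.d files whose name contains '.' or ends in '~', so a dotted
  # username would silently get no fragment.
  sudoers=/etc/sudoers.d/$USERNAME
  printf '%s\n' 'WHEEL_USERS ALL=(ALL:ALL) NOPASSWD: ALL' > "$sudoers"
  chmod 0440 "$sudoers"
  # a syntactically broken fragment would break sudo for everyone, so
  # validate it and drop it rather than leave it in place
  if ! visudo -cf "$sudoers" >/dev/null; then
    rm -f -- "$sudoers"
    die "sudoers fragment for $USERNAME rejected by visudo and removed"
  fi
}

#######################################
# Move sshd to a custom port, restrict logins to the admin account and
# add a banner.  The settings are appended, so a second run adds a second
# Port line.
# Arguments: none
# Globals:   USERNAME (read)
#######################################
harden_sshd() {
  local port
  [[ -n "${USERNAME:-}" ]] || die "USERNAME is empty; AllowUsers would lock everyone out"
  read -r -p "SSH Port: " port
  if ! [[ "$port" =~ ^[0-9]+$ ]] || (( port < 1 || port > 65535 )); then
    die "invalid SSH port: $port"
  fi
  printf '%s\n' "Authorized access only" > /etc/openssh/banner
  cat >> /etc/openssh/sshd_config << EOF
Port $port
MaxAuthTries 2
AllowUsers $USERNAME
Banner /etc/openssh/banner
EOF
  # never restart into a config sshd itself rejects — that is how remote
  # sessions get locked out
  sshd -t || die "sshd -t rejected sshd_config; sshd not restarted"
  systemctl restart sshd
}

#######################################
# Ask for the DNS zone name; empty input takes zenithhub.net.
# Outputs: zone name on stdout
#######################################
ask_zone() {
  local z
  read -r -p "DNS zone (zenithhub.net): " z
  printf '%s' "${z:-$DEFAULT_ZONE}"
}

readonly TIMEZONE=Asia/Yekaterinburg
readonly DEFAULT_ZONE=zenithhub.net

(( EUID == 0 )) || die "this script must run as root"

printf '%s\n' "Выберите устройство:" "1 ISP" "2 BR-RTR" "3 HQ-RTR" "4 HQ-SRV" \
  "5 HQ-CLI" "6 BR-SRV" "7 DNS"
read -r -p "Номер: " dev
case "$dev" in
  1)
    echo "Настройка ISP"
    echo "=======ISP======="
    set_hostname "Hostname: (ISP) " ISP
    iface_options enp7s2 BOOTPROTO=static TYPE=eth
    iface_options enp7s3 BOOTPROTO=static TYPE=eth
    iface_file enp7s2 ipv4address 172.16.4.1/28
    iface_file enp7s3 ipv4address 172.16.5.1/28
    systemctl restart network
    install_pkgs nftables tzdata
    timedatectl set-timezone "$TIMEZONE"
    enable_nat
    ;;

  2)
    echo "=======BR-RTR======="
    set_hostname "Hostname: (br-rtr.zenithhub.net)" br-rtr.zenithhub.net
    iface_options enp7s1 BOOTPROTO=static TYPE=eth
    iface_file enp7s1 ipv4address 172.16.5.2/28
    iface_file enp7s1 ipv4route 'default via 172.16.5.1'
    iface_file enp7s1 resolv.conf 'nameserver 8.8.8.8'
    iface_options enp7s2 BOOTPROTO=static TYPE=eth
    iface_file enp7s2 ipv4address 172.16.6.1/26
    systemctl restart network
    # GRE to HQ-RTR: TUNLOCAL/TUNREMOTE are the mirror image of HQ-RTR's
    iface_options gre1 TYPE=iptun TUNTYPE=gre TUNLOCAL=172.16.5.2 \
      TUNREMOTE=172.16.4.2 TUNTTL=64 "TUNOPTIONS='ttl 64'"
    iface_file gre1 ipv4address 10.10.10.2/30
    systemctl restart network
    install_pkgs sudo nftables tzdata frr
    timedatectl set-timezone "$TIMEZONE"
    enable_nat
    create_admin
    sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons
    # The original wrote "interface gre1" twice; the second stanza already
    # contains everything the first one set, so only it is kept.
    # Simple-password OSPF authentication keeps the key in clear text in
    # frr.conf and on the wire; it must match the key on HQ-RTR.
    cat > /etc/frr/frr.conf << 'EOF'
interface gre1
 ip ospf area 0
 ip ospf authentication
 ip ospf authentication-key P@ssw0rd
 no ip ospf passive
exit
!
interface enp7s2
 ip ospf area 0
exit
!
router ospf
 passive-interface default
exit
EOF
    systemctl restart network
    systemctl enable --now nftables frr
    ;;

  3)
    echo "=======HQ-RTR======="
    set_hostname "Hostname: (hq-rtr.zenithhub.net)" hq-rtr.zenithhub.net
    iface_options enp7s1 BOOTPROTO=static TYPE=eth
    iface_file enp7s1 ipv4address 172.16.4.2/28
    iface_file enp7s1 ipv4route 'default via 172.16.4.1'
    iface_file enp7s1 resolv.conf 'nameserver 8.8.8.8'
    systemctl restart network
    iface_options enp7s2 BOOTPROTO=static TYPE=eth
    iface_options enp7s2.100 BOOTPROTO=static TYPE=vlan VID=100 HOST=enp7s2 ONBOOT=yes
    iface_options enp7s2.200 BOOTPROTO=static TYPE=vlan VID=200 HOST=enp7s2 ONBOOT=yes
    iface_options enp7s2.999 BOOTPROTO=static TYPE=vlan VID=999 HOST=enp7s2 ONBOOT=yes
    mask=$(ask_mask "MASK vlan100: (24)")
    iface_file enp7s2.100 ipv4address "172.16.100.1/$mask"
    mask=$(ask_mask "MASK vlan200: (24)")
    iface_file enp7s2.200 ipv4address "172.16.200.1/$mask"
    mask=$(ask_mask "MASK vlan999: (24)")
    iface_file enp7s2.999 ipv4address "172.16.99.1/$mask"
    systemctl restart network
    # GRE to BR-RTR: TUNLOCAL/TUNREMOTE are the mirror image of BR-RTR's
    iface_options gre1 TYPE=iptun TUNTYPE=gre TUNLOCAL=172.16.4.2 \
      TUNREMOTE=172.16.5.2 TUNTTL=64 "TUNOPTIONS='ttl 64'"
    iface_file gre1 ipv4address 10.10.10.1/30
    systemctl restart network
    install_pkgs sudo nftables tzdata frr dhcp-server
    timedatectl set-timezone "$TIMEZONE"
    enable_nat
    create_admin
    sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons
    grep ospf /etc/frr/daemons
    # Same OSPF key as BR-RTR (clear text, simple authentication); the
    # duplicate "interface gre1" stanza of the original is folded into one.
    cat > /etc/frr/frr.conf << 'EOF'
interface gre1
 ip ospf area 0
 ip ospf authentication
 ip ospf authentication-key P@ssw0rd
 no ip ospf passive
exit
!
interface enp7s2.100
 ip ospf area 0
exit
!
interface enp7s2.200
 ip ospf area 0
exit
!
interface enp7s2.999
 ip ospf area 0
exit
!
router ospf
 passive-interface default
exit
EOF
    systemctl restart network
    systemctl enable --now frr
    # NOTE(review): the subnet below is fixed at /26 while vlan200's prefix
    # length was just asked from the operator (default 24) — confirm the two
    # agree, otherwise dhcpd may not match the interface.
    cat > /etc/dhcp/dhcpd.conf << 'EOF'
subnet 172.16.200.0 netmask 255.255.255.192 {
range 172.16.200.2 172.16.200.30;
option routers 172.16.200.1;
option domain-name-servers 172.16.100.2;
option domain-search "zenithhub.net";
default-lease-time 600;
max-lease-time 7200;
}
EOF
    # replace the whole value so a second run does not append the interface
    # name twice
    sed -i 's/^DHCPDARGS=.*/DHCPDARGS=enp7s2.200/' /etc/sysconfig/dhcpd
    systemctl enable --now dhcpd
    ;;

  4)
    echo "=======HQ-SRV======="
    set_hostname "Hostname: (hq-srv.zenithhub.net)" hq-srv.zenithhub.net
    iface_options enp7s1 BOOTPROTO=static TYPE=eth ONBOOT=yes
    mask=$(ask_mask "MASK: (24)")
    iface_file enp7s1 ipv4address "172.16.100.2/$mask"
    iface_file enp7s1 ipv4route 'default via 172.16.100.1'
    iface_file enp7s1 resolv.conf 'nameserver 8.8.8.8'
    systemctl restart network
    install_pkgs bind bind-utils tzdata
    timedatectl set-timezone "$TIMEZONE"
    create_admin uid
    harden_sshd
    dns_zone=$(ask_zone)
    mkdir -p /etc/bind/zone || die "cannot create /etc/bind/zone"
    cat > /etc/bind/options.conf << 'EOF'
options {
    directory "/etc/bind/zone";
    listen-on { 172.16.100.2; 127.0.0.1; };
    allow-query { any; };
    forwarders { 8.8.8.8; };
    recursion yes;
};
EOF
    cat > /etc/bind/rfc1912.conf << EOF
zone "$dns_zone" IN {
    type master;
    file "/etc/bind/zone/$dns_zone";
};

zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "/etc/bind/zone/100.16.172.in-addr.arpa";
};
EOF
    # Zone files are unquoted heredocs: \$TTL keeps the literal directive and
    # $dns_zone expands.  The original wrote "$dns_zone" inside the heredoc,
    # which leaves literal double quotes in the owner names.
    cat > /etc/bind/zone/"$dns_zone" << EOF
\$TTL 86400
@   IN SOA  hq-srv.$dns_zone. root.$dns_zone. (
            2025010101 ; Serial
            3600       ; Refresh
            1800       ; Retry
            604800     ; Expire
            86400 )    ; Minimum TTL

@       IN NS   hq-srv.$dns_zone.
hq-rtr  IN A    172.16.100.1
hq-srv  IN A    172.16.100.2
hq-cli  IN A    172.16.200.2
br-rtr  IN A    172.16.6.1
br-srv  IN A    172.16.6.2
moodle  IN CNAME hq-rtr.$dns_zone.
wiki    IN CNAME hq-rtr.$dns_zone.
EOF
    cat > /etc/bind/zone/100.16.172.in-addr.arpa << EOF
\$TTL 86400
@   IN SOA  hq-srv.$dns_zone. root.$dns_zone. (
            2025010101
            3600
            1800
            604800
            86400 )

@       IN NS   hq-srv.$dns_zone.

1   IN PTR  hq-rtr.$dns_zone.
2   IN PTR  hq-srv.$dns_zone.
EOF
    # keep only the leading key clause of rndc-confgen's output; the rest is
    # a commented sample that is not wanted in the key file
    rndc-confgen > /etc/bind/rndc.key
    sed -i '6,$d' /etc/bind/rndc.key
    named-checkconf
    named-checkconf -z || die "BIND configuration or zone files are invalid"
    systemctl enable --now bind
    systemctl status --no-pager bind
    ;;

  5)
    echo "=======HQ-CLI======="
    set_hostname "Hostname: (hq-cli.zenithhub.net)" hq-cli.zenithhub.net
    echo "Вход в сеть настроить вручную в GUI"
    ;;

  6)
    echo "=======BR-SRV======="
    set_hostname "Hostname: (br-srv.zenithhub.net)" br-srv.zenithhub.net
    iface_options enp7s1 BOOTPROTO=static TYPE=eth
    iface_file enp7s1 ipv4address 172.16.6.2/28
    iface_file enp7s1 ipv4route 'default via 172.16.6.1'
    iface_file enp7s1 resolv.conf 'nameserver 172.16.100.2'
    systemctl restart network
    create_admin uid
    harden_sshd
    ;;

  7)
    echo "=======DNS======="
    dns_zone=$(ask_zone)
    rm -f /etc/net/ifaces/enp7s1/resolv.conf
    # resolv.conf takes bare names; the original wrote the zone in quotes.
    # NOTE(review): etcnet may rewrite /etc/resolv.conf on the next network
    # restart — confirm this survives on the target host.
    cat > /etc/resolv.conf << EOF
search $dns_zone
nameserver 172.16.100.2
EOF
    ;;

  *)
    die "unknown choice: $dev"
    ;;
esac

echo "Готово."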
ENDOFSCRIPT
# report that the script file above was written
printf '%s\n' "Done"