ISP
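# ISP: upstream NTP source for the routers (chrony) and the reverse proxy
# that publishes the HQ web app and the BR docker app under their names.
set -euo pipefail

# Basic-auth user for web.au-team.irpo; both can be overridden from the
# environment so the hard-coded defaults are not the only option.
: "${WEB_USER:=WEB}"
: "${WEB_PASS:=P@ssw0rd}"

# Serve time to the router links. 'allow 0.0.0.0/0' answers every client
# that can reach this host; if the ISP box has other reachable networks,
# narrow it to the router links (e.g. allow 172.16.0.0/16).
cat > /etc/chrony.conf <<'EOF'
server ntp0.ntp-servers.net iburst prefer minstratum 4
local stratum 5
allow 0.0.0.0/0
EOF
systemctl enable chronyd
systemctl restart chronyd

apt-get update
apt-get install -y nginx apache2-htpasswd

# The password is fed on stdin (-i) instead of as a -b argument, so it is
# not visible in 'ps' or the shell history while htpasswd runs.
printf '%s\n' "$WEB_PASS" | htpasswd -ic /etc/nginx/.htpasswd "$WEB_USER"

# Print one nginx server{} block to stdout.
#   $1 - server_name
#   $2 - upstream URL for proxy_pass
#   $3 - "auth" to protect the location with the htpasswd file (optional)
# Each line carries its own tab so the file's indentation does not depend
# on how this script is stored or pasted.
vhost() {
  local name=$1 upstream=$2 auth=${3:-}
  printf '%s\n' \
    'server {' \
    $'\tlisten 80;' \
    $'\tserver_name '"$name;" \
    '' \
    $'\tlocation / {' \
    $'\t\tproxy_pass '"$upstream;" \
    $'\t\tproxy_set_header Host $host;' \
    $'\t\tproxy_set_header X-Real-IP $remote_addr;' \
    $'\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
    $'\t\tproxy_set_header X-Forwarded-Proto $scheme;'
  if [[ "$auth" == auth ]]; then
    printf '%s\n' \
      $'\t\tauth_basic "Restricted area";' \
      $'\t\tauth_basic_user_file /etc/nginx/.htpasswd;'
  fi
  printf '%s\n' $'\t}' '}' ''
}

{
  vhost web.au-team.irpo http://172.16.1.2:8080 auth
  vhost docker.au-team.irpo http://172.16.2.2:8080
} > /etc/nginx/sites-available.d/default.conf
# -f makes this step re-runnable (plain ln -s fails once the link exists).
ln -sf /etc/nginx/sites-available.d/default.conf /etc/nginx/sites-enabled.d/default.conf
# Under 'set -e' a failed config test stops the script before a broken
# config is enabled and the proxy restarted.
nginx -t
systemctl enable nginx
systemctl restart nginx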
HQ-RTR
ntp server 172.16.1.1
write memory
security none
write memory
ip nat source static tcp 192.168.100.2 80 172.16.1.2 8080
ip nat source static tcp 192.168.100.2 2026 172.16.1.2 2026
write memory
BR-RTR
ntp server 172.16.2.1
write memory
security none
write memory
ip nat source static tcp 192.168.0.2 8080 172.16.2.2 8080
ip nat source static tcp 192.168.0.2 2026 172.16.2.2 2026
write memory
HQ-SRV
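# HQ-SRV: RAID0 of sdb+sdc exported over NFS, chrony client, LAMP stack
# with the site files taken from the install media.
set -euo pipefail

apt-get update
apt-get install -y mdadm nfs-server nfs-utils lamp-server

# Build /dev/md0 (RAID0, two members). --zero-superblock is destructive and
# fails on disks that carry no md metadata yet, hence '|| true'.
mdadm --zero-superblock --force /dev/sdb /dev/sdc || true
mdadm --create --verbose /dev/md0 -l 0 -n 2 /dev/sdb /dev/sdc
# Record the array so it assembles at boot; done once so that a re-run does
# not append a second ARRAY line.
if ! grep -qs '^ARRAY ' /etc/mdadm.conf; then
  mdadm --detail --scan --verbose | tee -a /etc/mdadm.conf
fi
mkfs.ext4 /dev/md0
mkdir -p /raid

# Append only the RAID entry instead of rewriting /etc/fstab: the rewrite
# hard-coded root and /var/log UUIDs of one particular install (any other
# machine would no longer boot) and its tmpfs line had its mount point
# mangled to 'mp'. Mount by filesystem UUID when blkid reports one, so the
# entry does not depend on the md device number staying the same; fall
# back to /dev/md0 otherwise.
raid_src=/dev/md0
raid_uuid=$(blkid -s UUID -o value /dev/md0 || true)
if [[ -n "$raid_uuid" ]]; then
  raid_src="UUID=$raid_uuid"
fi
if ! grep -q "^${raid_src}[[:space:]]" /etc/fstab; then
  printf '%s\t/raid\text4\tdefaults\t0\t0\n' "$raid_src" >> /etc/fstab
fi
mount -av

mkdir -p /raid/nfs
# NOTE(review): a world-writable export combined with no_root_squash lets
# any root on 192.168.200.0/24 write here as root. Acceptable for the lab;
# outside it use root_squash and a dedicated group with 2770 instead.
chmod 777 /raid/nfs
printf '%s\n' \
  '/srv/public -ro,insecure,no_subtree_check,fsid=1 *' \
  '#/srv/share -rw,insecure,fsid=0,sec=krb5 *' \
  $'/raid/nfs\t192.168.200.0/24(rw,no_root_squash)' \
  > /etc/exports
exportfs -arv
systemctl enable --now nfs-server

cat > /etc/chrony.conf <<'EOF'
server 172.16.1.1 iburst
EOF
systemctl restart chronyd

# Site files from the install media; the mount fails harmlessly when the
# media is already mounted.
mount /dev/sr0 /mnt || true
cp /mnt/web/index.php /var/www/html/
cp /mnt/web/logo.png /var/www/html/
# The delimiter is quoted so the shell leaves the PHP variables alone; with
# an unquoted EOF '$servername' etc. expanded to nothing and the file came
# out as ' = "localhost";'. NOTE(review): this still replaces the index.php
# copied above with a credentials-only stub — confirm whether the intent
# was to edit the copied file in place instead.
cat > /var/www/html/index.php <<'EOF'
<?php
$servername = "localhost";
$username = "webc";
$password = "P@ssw0rd";
$dbname = "webdb";
?>
EOF
systemctl enable --now httpd2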
mariadb настраивается вручную (см. пункт 7)
BR-SRV
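# BR-SRV: Samba AD DC for AU-TEAM.IRPO, chrony client, Ansible control node
# and the docker-compose site (mariadb + app) published through BR-RTR.
set -euo pipefail

# Lab credentials; override from the environment to avoid the defaults.
: "${DOMAIN_ADMIN_PASS:=P@ssw0rd}"
: "${HQ_USER_PASS:=P@ssw0rd}"
: "${DB_PASS:=P@ssw0rd}"
: "${DB_ROOT_PASS:=toor}"

apt-get update
apt-get install -y task-samba-dc

# Stop the stand-alone daemons that conflict with the DC role. Not all of
# them are necessarily installed, so a failure here is not fatal.
for service in smb nmb krb5kdc slapd bind; do
  systemctl disable --now "$service" || true
done
# Start from a clean state: provisioning refuses to run over an existing
# smb.conf or database. This wipes any previous domain data.
rm -f /etc/samba/smb.conf /etc/cache/smb.conf
rm -rf /var/lib/samba /var/cache/samba
mkdir -p /var/lib/samba/sysvol
# --adminpass has no stdin alternative, so the password is on the command
# line for the duration of the provision step.
samba-tool domain provision \
  --realm="AU-TEAM.IRPO" \
  --domain="AU-TEAM" \
  --server-role="dc" \
  --dns-backend="SAMBA_INTERNAL" \
  --option="dns forwarder=192.168.100.2" \
  --adminpass="$DOMAIN_ADMIN_PASS"
systemctl enable --now samba
/bin/cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl restart samba

cat > "/etc/net/ifaces/enp7s1/resolv.conf" <<'EOF'
search au-team.irpo
nameserver 127.0.0.1
EOF
systemctl restart network

# Kerberos ticket for the scripted samba-tool calls below; kinit reads the
# password from stdin, so it stays off argv.
printf '%s\n' "$DOMAIN_ADMIN_PASS" | kinit Administrator@AU-TEAM.IRPO
samba-tool group add hq
# samba-tool user add only takes the password as an argument; it is briefly
# visible in 'ps' for each user created.
for i in {1..5}; do
  samba-tool user add "hquser$i" "$HQ_USER_PASS"
  samba-tool user setexpiry "hquser$i" --noexpiry
  samba-tool group addmembers hq "hquser$i"
done

cat > /etc/chrony.conf <<'EOF'
server 172.16.2.1 iburst
EOF
systemctl restart chronyd

apt-get install -y ansible sshpass python3-module-pip
# NOTE(review): the inventory holds clear-text SSH/CLI passwords for all
# four hosts, so it is restricted to root; ansible-vault would be the
# proper place for them outside the lab.
cat > /etc/ansible/hosts <<'EOF'
HQ-SRV ansible_host=192.168.100.2 ansible_user=sshuser ansible_password=P@ssw0rd ansible_port=2026
HQ-CLI ansible_host=192.168.200.2 ansible_user=user ansible_password=resu
HQ-RTR ansible_host=10.10.10.1 ansible_user=net_admin ansible_password=P@ssw0rd ansible_connection=network_cli ansible_network_os=ios
BR-RTR ansible_host=192.168.0.1 ansible_user=net_admin ansible_password=P@ssw0rd ansible_connection=network_cli ansible_network_os=ios
[all:vars]
ansible_python_interpreter=/usr/bin/python3
EOF
chmod 600 /etc/ansible/hosts
# host_key_checking=False accepts any host key, so a swapped host on first
# connect goes unnoticed; pre-seeding known_hosts removes the need for it.
cat > /etc/ansible/ansible.cfg <<'EOF'
[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False
EOF
ansible-galaxy collection install ansible.netcommon
ansible-galaxy collection install cisco.ios
pip3 install ansible-pylibssh
# Give the managed hosts a moment to settle; the ping is informational and
# must not abort the docker setup that follows.
sleep 60
ansible -m ping all || true

apt-get install -y docker-engine docker-compose-v2
systemctl enable --now docker.service
mount /dev/sr0 /mnt || true
docker load < /mnt/docker/site_latest.tar
docker load < /mnt/docker/mariadb_latest.tar
# compose.yaml is written line by line with explicit two-space indentation
# (YAML does not accept tabs). As shown here, the earlier heredoc had every
# key at column 0, which puts 'database' and 'app' outside 'services' and
# makes compose reject the file. It lands in the current directory, so the
# 'docker compose' calls must run from the same place.
# NOTE(review): publishing 3306 exposes mariadb to the whole BR LAN; the
# app reaches it over the compose network by the name 'database' anyway.
printf '%s\n' \
  'services:' \
  '  database:' \
  '    container_name: db' \
  '    image: mariadb:10.11' \
  '    restart: always' \
  '    ports:' \
  '      - "3306:3306"' \
  '    environment:' \
  '      MARIADB_DATABASE: "testdb"' \
  '      MARIADB_USER: "testc"' \
  "      MARIADB_PASSWORD: \"$DB_PASS\"" \
  "      MARIADB_ROOT_PASSWORD: \"$DB_ROOT_PASS\"" \
  '  app:' \
  '    container_name: testapp' \
  '    image: site:latest' \
  '    restart: always' \
  '    ports:' \
  '      - "8080:8000"' \
  '    environment:' \
  '      DB_TYPE: "maria"' \
  '      DB_HOST: "database"' \
  '      DB_PORT: "3306"' \
  '      DB_NAME: "testdb"' \
  '      DB_USER: "testc"' \
  "      DB_PASS: \"$DB_PASS\"" \
  '    depends_on:' \
  '      - database' \
  > compose.yaml
docker compose up -d
docker compose ps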
HQ-CLI
Раскомментировать порт sshd ("vim /etc/openssh/sshd_config"). Active Directory настраивается вручную (методичка по настройке находится в пункте 1).
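# HQ-CLI: domain workstation — DNS via BR-SRV, limited sudo for the 'hq'
# domain group, NFS mount of the HQ-SRV export, chrony client.
set -euo pipefail

cat > /etc/net/ifaces/enp7s1/resolv.conf <<'EOF'
search au-team.irpo
nameserver 192.168.0.2
EOF
systemctl restart network

apt-get update
apt-get install -y libnss-role nfs-utils nfs-clients
# Map the domain group 'hq' onto the local 'wheel' role so the WHEEL_USERS
# rule below covers its members.
roleadd hq wheel

# sudo rules: the candidate file is checked with visudo before it replaces
# the live one, because a syntax error in /etc/sudoers disables sudo for
# everyone. Appended once so a re-run does not duplicate the rules.
if ! grep -q '^Cmnd_Alias SHELLCMD' /etc/sudoers; then
  tmp=$(mktemp)
  cat /etc/sudoers > "$tmp"
  printf '%s\n' \
    'Cmnd_Alias SHELLCMD = /bin/cat, /bin/grep, /usr/bin/id' \
    'WHEEL_USERS ALL=(ALL:ALL) SHELLCMD' >> "$tmp"
  if ! visudo -cf "$tmp"; then
    rm -f -- "$tmp"
    printf 'sudoers rules rejected by visudo; /etc/sudoers left unchanged\n' >&2
    exit 1
  fi
  # cat keeps the owner and 0440 mode of the existing file.
  cat "$tmp" > /etc/sudoers
  rm -f -- "$tmp"
fi

mkdir -p /mnt/nfs
# Only matters while nothing is mounted there; the export's own permissions
# apply once it is.
chmod 777 /mnt/nfs
# Append only the NFS entry instead of rewriting /etc/fstab (the rewrite
# hard-coded UUIDs of one particular install). The entry itself is fixed:
# HQ-SRV exports /raid/nfs, not /raid/mnt, the type is nfs, and the stray
# '/raid ext4' fields are gone.
if ! grep -q '^192\.168\.100\.2:/raid/nfs[[:space:]]' /etc/fstab; then
  printf '192.168.100.2:/raid/nfs\t/mnt/nfs\tnfs\tdefaults\t0\t0\n' >> /etc/fstab
fi
# Mount now as well as at boot; not fatal if HQ-SRV is not reachable yet.
mount /mnt/nfs || printf 'warning: NFS mount failed, retry with: mount /mnt/nfs\n' >&2

cat > /etc/chrony.conf <<'EOF'
server 172.16.1.1 iburst
EOF
systemctl restart chronyd
# Picks up the port uncommented by hand in /etc/openssh/sshd_config.
systemctl restart sshd

# Name the two published sites; appended once.
if ! grep -q 'web\.au-team\.irpo' /etc/hosts; then
  printf '%s\n' \
    '172.16.1.1 web.au-team.irpo' \
    '172.16.2.1 docker.au-team.irpo' >> /etc/hosts
fi
apt-get install -y yandex-browser-stable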