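# ===== ISP =====
# Lab-wide NTP source and nginx reverse proxy in front of the HQ and BR web
# services. Run as root on the ISP host.

# chronyd: sync from the public server and serve time downstream. The
# 'allow 0.0.0.0/0' answers any client because every router in the topology
# points at this host; on anything but an isolated lab network it should be
# narrowed to the lab prefixes.
cat > /etc/chrony.conf <<'EOF'
server ntp0.ntp-servers.net iburst prefer minstratum 4
local stratum 6
allow 0.0.0.0/0
EOF
systemctl enable --now chronyd
# Restart so an already-running chronyd re-reads the rewritten config.
systemctl restart chronyd

apt-get update
apt-get install -y nginx apache2-htpasswd

# Basic-auth credential for the web.au-team.irpo vhost. The password is fed
# on stdin (-i) instead of the command line (-b) so it does not show up in
# `ps` output while htpasswd runs.
printf '%s' 'P@ssw0rd' | htpasswd -ci /etc/nginx/.htpasswd Khariton

# Two name-based vhosts, each proxying to the port-forwarded app behind the
# respective router (the 'ip nat source static' entries on HQ-RTR/BR-RTR).
# The heredoc delimiter is quoted so the nginx $variables reach the file
# unexpanded. Both vhosts are plain HTTP, so the basic-auth credentials for
# web.au-team.irpo cross the ISP links in cleartext.
cat > /etc/nginx/sites-available.d/default.conf <<'EOF'
server {
    listen 80;
    server_name web.au-team.irpo;

    location / {
        proxy_pass http://172.16.1.2:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        auth_basic "Restricted area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

server {
    listen 80;
    server_name docker.au-team.irpo;

    location / {
        proxy_pass http://172.16.2.2:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# -f: replace a default.conf link if one is already present in sites-enabled.d,
# otherwise ln fails and the old config would stay active.
ln -sf /etc/nginx/sites-available.d/default.conf /etc/nginx/sites-enabled.d/

# Only (re)start nginx when the configuration parses; the original ignored
# the result of 'nginx -t' and restarted regardless.
if nginx -t; then
  systemctl enable --now nginx
  systemctl restart nginx
else
  printf 'nginx -t failed; nginx was not (re)started\n' >&2
fi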
HQ-RTR
en
conf t
ntp server 172.16.1.1
write memory
security none
write memory
ip nat source static tcp 192.168.100.2 80 172.16.1.2 8081
ip nat source static tcp 192.168.100.2 2011 172.16.1.2 2011
write memory
exit
BR-RTR
en
conf t
ntp server 172.16.2.1
write memory
security none
write memory
ip nat source static tcp 192.168.0.2 8081 172.16.2.2 8081
ip nat source static tcp 192.168.0.2 2011 172.16.2.2 2011
write memory
exit
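# ===== HQ-SRV =====
# RAID1 mounted at /raid, NFS export for the HQ client network, sshd moved to
# port 2011 and chrony as a client of HQ-RTR. Run as root.
apt-get update
apt-get install -y mdadm nfs-server nfs-utils lamp-server

# DESTRUCTIVE: both member disks are wiped. Zeroing a superblock that is not
# there returns non-zero, hence '|| true'.
mdadm --zero-superblock --force /dev/sdb /dev/sdc || true
mdadm --create --verbose /dev/md1 -l 1 -n 2 /dev/sdb /dev/sdc
# Persist the array definition once; the original appended on every run.
grep -q '/dev/md1' /etc/mdadm.conf 2>/dev/null \
  || mdadm --detail --scan --verbose | tee -a /etc/mdadm.conf
mkfs.ext4 /dev/md1
mkdir -p /raid

# Move sshd to 2011 (ALT keeps the daemon config under /etc/openssh). The
# Ansible inventory on BR-SRV and the NAT rule on HQ-RTR rely on this port.
# If the file has no Port line at all, the sed is a no-op, so append one.
sed -i 's/^#\?Port .*/Port 2011/' /etc/openssh/sshd_config
grep -q '^Port 2011$' /etc/openssh/sshd_config \
  || printf 'Port 2011\n' >> /etc/openssh/sshd_config
# Validate before restarting: a broken sshd_config would lock us out.
if sshd -t; then
  systemctl restart sshd
else
  printf 'sshd -t failed; sshd was not restarted\n' >&2
fi

# /etc/fstab is rewritten wholesale with the UUIDs of this specific VM image.
# Only do that when both UUIDs really exist on this host; otherwise a
# different image (or a typo) would leave the box unbootable, and we fall
# back to appending the RAID entry alone. Also fixes the original's tmpfs
# mount point, which read 'mp' instead of '/tmp'.
root_uuid=302239da-1acc-4d68-8023-7370e7f4268c
log_uuid=c9214986-6733-42bc-92fe-7e09c7acb00d
raid_entry=$'/dev/md1\t/raid\text4\tdefaults\t0\t0'
if blkid -U "$root_uuid" >/dev/null && blkid -U "$log_uuid" >/dev/null; then
  {
    printf 'proc\t/proc\t\t\tproc\tnosuid,noexec,gid=proc\t\t0 0\n'
    printf 'devpts\t\t/dev/pts\t\tdevpts\tnosuid,noexec,gid=tty,mode=620\t0 0\n'
    printf 'tmpfs\t\t/tmp\t\t\ttmpfs\tnosuid\t\t\t\t0 0\n'
    printf 'UUID=%s\t/\text4\trelatime\t1\t1\n' "$root_uuid"
    printf 'UUID=%s\t/var/log\text4\tnosuid,nodev,noexec,noatime,usrquota,grpquota\t1\t2\n' "$log_uuid"
    printf '%s\n' "$raid_entry"
  } > /etc/fstab
else
  printf 'fstab: expected root/log UUIDs not found on this host; appending the RAID entry only\n' >&2
  grep -q '^/dev/md1[[:space:]]' /etc/fstab \
    || printf '%s\n' "$raid_entry" >> /etc/fstab
fi
mount -av

# Export root is world-writable and exported rw with no_root_squash, i.e.
# root on any 192.168.200.0/24 host is root on this share. Keep the client
# list restricted to that prefix. The /srv lines are the distribution
# defaults and are kept verbatim.
mkdir -p /raid/nfs
chmod 777 /raid/nfs
printf '%s\n' \
  '/srv/public -ro,insecure,no_subtree_check,fsid=1 *' \
  '#/srv/share -rw,insecure,fsid=0,sec=krb5 *' \
  $'/raid/nfs\t192.168.200.0/24(rw,no_root_squash)' \
  > /etc/exports
# Start the server first, then (re)export so the export table is applied to
# a running mountd.
systemctl enable --now nfs-server
exportfs -arv

# Time from HQ-RTR (which in turn syncs from the ISP).
cat > /etc/chrony.conf <<'EOF'
server 172.16.1.1 iburst
EOF
systemctl restart chronyd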
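# Web application + MariaDB on HQ-SRV. The PHP app and the SQL dump come from
# the task ISO, so make sure it is actually mounted before copying anything.
mount /dev/sr0 /mnt || true
if [ ! -f /mnt/web/index.php ] || [ ! -f /mnt/web/dump.sql ]; then
  printf 'task ISO not available under /mnt/web; aborting web setup\n' >&2
  exit 1
fi
cp /mnt/web/index.php /mnt/web/logo.png /var/www/html/

# Point the app at the local database. User, password and DB name must match
# the SQL block below. '\$' keeps the dollar literal for sed's pattern.
sed -i 's/\$username = "user";/$username = "web1";/' /var/www/html/index.php
sed -i 's/\$password = "password";/$password = "P@ssw0rd";/' /var/www/html/index.php
sed -i 's/\$dbname = "db";/$dbname = "webdb";/' /var/www/html/index.php

systemctl enable --now mariadb

# root connects over the unix socket without a password. The app user gets
# full rights on its own database only; the original's WITH GRANT OPTION is
# dropped because the web user never needs to delegate privileges.
mariadb -u root <<'EOF'
CREATE DATABASE IF NOT EXISTS webdb;
CREATE USER IF NOT EXISTS 'web1'@'localhost' IDENTIFIED BY 'P@ssw0rd';
GRANT ALL PRIVILEGES ON webdb.* TO 'web1'@'localhost';
FLUSH PRIVILEGES;
EOF

# Import as the app user so the credentials are exercised at the same time.
# MYSQL_PWD keeps the password off the command line (and out of `ps`).
MYSQL_PWD='P@ssw0rd' mariadb -u web1 webdb < /mnt/web/dump.sql

# Visual check that the dump created the tables.
mariadb -u root -e 'SHOW TABLES' webdb

systemctl enable --now httpd2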
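# ===== BR-SRV =====
# Samba AD domain controller for AU-TEAM.IRPO. Run as root.
apt-get update
apt-get install -y task-samba-dc

# Stop anything that would collide with the DC's listeners. Units that are
# not installed make systemctl fail; that is expected, so the error is
# silenced.
for service in smb nmb krb5kdc slapd bind; do
  systemctl disable --now "$service" 2>/dev/null || true
done

# Start from a clean Samba state.
rm -f /etc/samba/smb.conf
# NOTE(review): /etc/cache/smb.conf looks like it was meant to be under
# /var/cache/samba; kept as written since that directory is removed below.
rm -f /etc/cache/smb.conf
rm -rf /var/lib/samba /var/cache/samba
mkdir -p /var/lib/samba/sysvol

# The admin password is passed on the command line and is therefore visible
# in `ps` while provisioning runs; samba-tool offers no obvious non-interactive
# alternative for it.
samba-tool domain provision \
  --realm="AU-TEAM.IRPO" \
  --domain="AU-TEAM" \
  --server-role="dc" \
  --dns-backend="SAMBA_INTERNAL" \
  --option="dns forwarder=192.168.100.2" \
  --adminpass="P@ssw0rd"
systemctl enable --now samba

# Use the Kerberos config generated by the provisioning step.
/bin/cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl restart samba

# Resolve through the DC's own DNS.
cat > "/etc/net/ifaces/enp7s1/resolv.conf" <<'EOF'
search au-team.irpo
nameserver 127.0.0.1
EOF
systemctl restart network

# Admin ticket for the user/group changes; the password is piped on stdin
# so it stays off argv.
printf '%s\n' 'P@ssw0rd' | kinit Administrator@AU-TEAM.IRPO

# Five users sharing one password (as the task specifies), all members of
# 'hq'. --noexpiry marks the password as never expiring. Each 'user add'
# call exposes the password in `ps` for its duration.
samba-tool group add hq
for i in {1..5}; do
  samba-tool user add "hquser$i" P@ssw0rd
  samba-tool user setexpiry "hquser$i" --noexpiry
  samba-tool group addmembers hq "hquser$i"
done

# Time from BR-RTR.
cat > /etc/chrony.conf <<'EOF'
server 172.16.2.1 iburst
EOF
systemctl restart chronyd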
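# Ansible control node on BR-SRV.
apt-get update
apt-get install -y ansible sshpass python3-module-pip

# The inventory carries cleartext credentials for every managed host, so it
# is made readable by root only right after it is written.
cat > /etc/ansible/hosts <<'EOF'
HQ-SRV ansible_host=192.168.100.2 ansible_user=sshuser ansible_password=P@ssw0rd ansible_port=2011
HQ-CLI ansible_host=192.168.200.2 ansible_user=user ansible_password=resu
HQ-RTR ansible_host=10.10.10.1 ansible_user=net_admin ansible_password=P@ssw0rd ansible_connection=network_cli ansible_network_os=ios
BR-RTR ansible_host=192.168.0.1 ansible_user=net_admin ansible_password=P@ssw0rd ansible_connection=network_cli ansible_network_os=ios
[all:vars]
ansible_python_interpreter=/usr/bin/python3
EOF
chmod 600 /etc/ansible/hosts

# host_key_checking = False disables SSH host-key verification for every
# host, which only makes sense on this closed lab network.
cat > /etc/ansible/ansible.cfg <<'EOF'
[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False
EOF

ansible-galaxy collection install ansible.netcommon
ansible-galaxy collection install cisco.ios
pip3 install ansible-pylibssh

# Give the freshly (re)started services a moment before the reachability
# check. NOTE(review): the plain ping module may not apply to the
# network_cli hosts — confirm against the run's output.
sleep 1m
ansible -m ping all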
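# Docker stack (app + MariaDB) on BR-SRV; images are loaded from the task ISO.
apt-get update
apt-get install -y docker-engine docker-compose-v2
systemctl enable --now docker.service

mount /dev/sr0 /mnt/
for image in /mnt/docker/site_latest.tar /mnt/docker/mariadb_latest.tar; do
  if [ ! -f "$image" ]; then
    printf 'image archive %s not found (is the task ISO mounted?)\n' "$image" >&2
    exit 1
  fi
  docker load < "$image"
done

# The compose file is written to the current directory, which is also where
# 'docker compose up' reads it from, so run this from a dedicated project
# directory. The original listing had lost its YAML indentation; the
# structure below is the one the key names imply. Publishing 3306 exposes the
# database to every host that can reach BR-SRV, while the app already reaches
# it as 'database' over the compose network; the mapping is kept only because
# the task listing has it.
cat > compose.yaml <<'EOF'
services:
  database:
    container_name: db
    image: mariadb:10.11
    restart: always
    ports:
      - "3306:3306"
    environment:
      MARIADB_DATABASE: "testdb1"
      MARIADB_USER: "test1"
      MARIADB_PASSWORD: "P@ssw0rd"
      MARIADB_ROOT_PASSWORD: "toor"
  app:
    container_name: testapp
    image: site:latest
    restart: always
    ports:
      - "8081:8000"
    environment:
      DB_TYPE: "maria"
      DB_HOST: "database"
      DB_PORT: "3306"
      DB_NAME: "testdb1"
      DB_USER: "test1"
      DB_PASS: "P@ssw0rd"
    depends_on:
      - database
EOF
docker compose up -d
docker compose ps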
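# ===== HQ-CLI =====
# Domain-joined workstation: DNS via the DC, AD auth, restricted sudo for the
# 'hq' group, NFS client mount, chrony client. Run as root.
cat > /etc/net/ifaces/enp7s1/resolv.conf <<'EOF'
search au-team.irpo
nameserver 192.168.0.2
EOF
systemctl restart network
systemctl enable --now sshd

apt-get update
apt-get install -y task-auth-ad-sssd nfs-utils nfs-clients
apt-get install -y libnss-role
roleadd hq wheel

# Limited sudo (cat/grep/id only) for the wheel role. Append each line once so
# re-runs do not duplicate rules, and validate afterwards: a syntax error in
# /etc/sudoers disables sudo for everyone.
sudoers_alias='Cmnd_Alias SHELLCMD = /bin/cat, /bin/grep, /usr/bin/id'
sudoers_rule='WHEEL_USERS ALL=(ALL:ALL) SHELLCMD'
grep -qxF -- "$sudoers_alias" /etc/sudoers || printf '%s\n' "$sudoers_alias" >> /etc/sudoers
grep -qxF -- "$sudoers_rule" /etc/sudoers || printf '%s\n' "$sudoers_rule" >> /etc/sudoers
visudo -cf /etc/sudoers \
  || printf 'WARNING: /etc/sudoers failed validation; repair it with visudo before logging out\n' >&2

mkdir -p /mnt/nfs
chmod 777 /mnt/nfs

# /etc/fstab is rewritten wholesale with the UUIDs of this specific VM image.
# Only do that when both UUIDs exist on this host; otherwise fall back to
# appending the NFS entry alone rather than risk an unbootable system.
root_uuid=d2b61289-8f7e-4538-8879-725fd07ac83c
log_uuid=ce9b5b16-dea4-4667-a8af-7edad24c8c6c
nfs_entry=$'192.168.100.2:/raid/nfs\t/mnt/nfs\tnfs\tdefaults\t0\t0'
if blkid -U "$root_uuid" >/dev/null && blkid -U "$log_uuid" >/dev/null; then
  {
    printf 'proc\t/proc\t\t\tproc\tnosuid,noexec,gid=proc\t0 0\n'
    printf 'devpts\t/dev/pts\t\tdevpts\tnosuid,noexec,gid=tty,mode=620\t0 0\n'
    printf 'tmpfs\t/tmp\t\t\ttmpfs\tnosuid\t\t\t\t0 0\n'
    printf 'UUID=%s\t/\text4\trelatime\t1\t1\n' "$root_uuid"
    printf 'UUID=%s\t/var/log\text4\tnosuid,nodev,noexec,noatime\t1\t2\n' "$log_uuid"
    printf '/dev/sr0\t/media/ALTLinux\tudf,iso9660\tro,noauto,user,utf8,nofail,comment=x-gvfs-show\t0 0\n'
    printf '%s\n' "$nfs_entry"
  } > /etc/fstab
else
  printf 'fstab: expected root/log UUIDs not found on this host; appending the NFS entry only\n' >&2
  grep -q '^192.168.100.2:/raid/nfs[[:space:]]' /etc/fstab \
    || printf '%s\n' "$nfs_entry" >> /etc/fstab
fi
# The original wrote the entry but never mounted it; mount now so /mnt/nfs is
# usable without a reboot (this needs HQ-SRV to be reachable).
mount -av

# Time from HQ-RTR.
cat > /etc/chrony.conf <<'EOF'
server 172.16.1.1 iburst
EOF
systemctl restart chronyd
systemctl restart sshd

# Static names for the two ISP-hosted vhosts; append each once.
grep -q 'web.au-team.irpo' /etc/hosts \
  || printf '172.16.1.1 web.au-team.irpo\n' >> /etc/hosts
grep -q 'docker.au-team.irpo' /etc/hosts \
  || printf '172.16.2.1 docker.au-team.irpo\n' >> /etc/hosts

# The source page showed this as 'yandex-browser-stable13. B1'; the trailing
# '13. B1' is a page/section marker fused onto the package name.
apt-get install -y yandex-browser-stable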
Модуль 2. Организация сетевого администрирования