14. В3

Модуль 2. Организация сетевого администрирования

ISP--------------------------------------------------------------------------------

# --- ISP: NTP source for the whole lab ---
# Upstream is a public pool server: iburst speeds up the first sync, prefer
# makes it the favoured source, and minstratum 7 reports it at stratum 7 or
# higher. `local stratum 8` lets chronyd keep serving time (as stratum 8)
# while the upstream is unreachable.
# NOTE(review): allow 0.0.0.0/0 answers NTP queries from any address. In the
# lab that is fine; on a real edge narrow it to the links the routers sync
# from (the 172.16.x.0 point-to-point networks) to avoid being an open
# NTP responder.
printf '%s\n' \
  'server ntp0.ntp-servers.net iburst prefer minstratum 7' \
  'local stratum 8' \
  'allow 0.0.0.0/0' \
  > /etc/chrony.conf

# Start at boot and now; the explicit restart makes a daemon that was already
# running pick up the rewritten config.
systemctl enable --now chronyd
systemctl restart chronyd

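apt-get update

apt-get install -y nginx apache2-htpasswd

# Credentials file for the basic-auth gate in front of web.au-team.irpo.
# -c creates the file (and drops any users already in it); the password is
# fed on stdin with -i instead of -b's argv, so it does not show up in `ps`
# or in the shell history while the command runs.
# NOTE(review): the password is still a fixed string in this runbook, and
# the file is readable by every local account at its default mode; restrict
# it to the nginx worker user before reusing this outside the lab.
printf '%s\n' 'P@ssw0rd' | htpasswd -ci /etc/nginx/.htpasswd Kazimir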

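# Reverse proxy on the ISP host. Both vhosts listen on plain HTTP (80) and
# forward to the routers' outside addresses, where the static NAT rules on
# HQ-RTR and BR-RTR map :8083 on to the internal servers:
#   web.au-team.irpo    -> 172.16.1.2:8083 (HQ-RTR -> HQ-SRV), basic auth
#   docker.au-team.irpo -> 172.16.2.2:8083 (BR-RTR -> BR-SRV container), open
# NOTE(review): auth_basic over port 80 sends the username/password
# base64-encoded in the clear on every request; until this vhost is served
# over TLS it only keeps out casual visitors. X-Forwarded-Proto will always
# carry "http" for the same reason.
printf '%s\n' \
  'server {' \
  $'\tlisten 80;' \
  $'\tserver_name web.au-team.irpo;' \
  '' \
  $'\tlocation / {' \
  $'\t\tproxy_pass http://172.16.1.2:8083;' \
  $'\t\tproxy_set_header Host $host;' \
  $'\t\tproxy_set_header X-Real-IP $remote_addr;' \
  $'\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
  $'\t\tproxy_set_header X-Forwarded-Proto $scheme;' \
  $'\t\tauth_basic "Restricted area";' \
  $'\t\tauth_basic_user_file /etc/nginx/.htpasswd;' \
  $'\t}' \
  '}' \
  '' \
  'server {' \
  $'\tlisten 80;' \
  $'\tserver_name docker.au-team.irpo;' \
  '' \
  $'\tlocation / {' \
  $'\t\tproxy_pass http://172.16.2.2:8083;' \
  $'\t\tproxy_set_header Host $host;' \
  $'\t\tproxy_set_header X-Real-IP $remote_addr;' \
  $'\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
  $'\t\tproxy_set_header X-Forwarded-Proto $scheme;' \
  $'\t}' \
  '}' \
  > /etc/nginx/sites-available.d/default.conf

# Enable the site idempotently (-f replaces an existing link instead of
# failing on a re-run), then test the whole configuration BEFORE touching the
# running service: restarting nginx with a broken config takes it offline.
ln -sf /etc/nginx/sites-available.d/default.conf /etc/nginx/sites-enabled.d/default.conf

if nginx -t; then
  systemctl enable --now nginx
  systemctl restart nginx
else
  echo 'nginx -t failed; nginx was not (re)started' >&2
fi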

HQ-RTR--------------------------------------------------------------------------------

ntp server 172.16.1.1

security none

ip nat source static tcp 192.168.100.2 80 172.16.1.2 8083
ip nat source static tcp 192.168.100.2 2013 172.16.1.2 2013
write memory

BR-RTR--------------------------------------------------------------------------------

ntp server 172.16.2.1

security none

ip nat source static tcp 192.168.0.2 8083 172.16.2.2 8083
ip nat source static tcp 192.168.0.2 2013 172.16.2.2 2013
write memory

HQ-SRV--------------------------------------------------------------------------------

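apt-get update

apt-get install -y mdadm nfs-server nfs-utils lamp-server

# DESTRUCTIVE: wipes any md metadata on sdb/sdc/sdd, then builds a 3-disk
# RAID5 as /dev/md3. `|| true` keeps going when a disk carries no superblock
# yet (the normal first-run case) — but it also hides a mistyped device name,
# so compare the list against `lsblk` before running this.
mdadm --zero-superblock --force /dev/sdb /dev/sdc /dev/sdd || true
mdadm --create --verbose /dev/md3 -l 5 -n 3 /dev/sdb /dev/sdc /dev/sdd

# Persist the array definition so it assembles as /dev/md3 on boot. Guarded so
# a re-run does not append a second ARRAY line for the same device (duplicate
# definitions confuse assembly and the device may come up as md127 instead).
grep -q '^ARRAY /dev/md3 ' /etc/mdadm.conf 2>/dev/null \
  || mdadm --detail --scan --verbose | tee -a /etc/mdadm.conf

mkfs.ext4 /dev/md3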

mkdir -p /raid

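# Rewrite /etc/fstab with the RAID mounted at /raid.
# The tmpfs entry mounts /tmp (the mount-point field must be an absolute
# path, otherwise `mount -a` rejects the line). The root and /var/log UUIDs
# belong to this particular VM: writing them into fstab on any other disk
# layout leaves the system unbootable, so refuse unless blkid can see both
# filesystems on this host.
# NOTE(review): /dev/md3 is referenced by device name; if mdadm.conf is not
# picked up at boot the array can appear as md127 and this mount fails.
# UUID=$(blkid -s UUID -o value /dev/md3) would be the more robust form.
fstab_ok=1
for fs_uuid in 302239da-1acc-4d68-8023-7370e7f4268c c9214986-6733-42bc-92fe-7e09c7acb00d; do
  blkid -U "$fs_uuid" >/dev/null \
    || { echo "fstab: UUID $fs_uuid not present on this host" >&2; fstab_ok=0; }
done

if [ "$fstab_ok" = 1 ]; then
  printf '%s\n' \
    $'proc\t/proc\t\t\tproc\tnosuid,noexec,gid=proc\t\t0 0' \
    $'devpts\t\t/dev/pts\t\tdevpts\tnosuid,noexec,gid=tty,mode=620\t0 0' \
    $'tmpfs\t\t/tmp\t\t\ttmpfs\tnosuid\t\t\t\t0 0' \
    $'UUID=302239da-1acc-4d68-8023-7370e7f4268c\t/\text4\trelatime\t1\t1' \
    $'UUID=c9214986-6733-42bc-92fe-7e09c7acb00d\t/var/log\text4\tnosuid,nodev,noexec,noatime,usrquota,grpquota\t1\t2' \
    $'/dev/md3\t/raid\text4\tdefaults\t0\t0' \
    > /etc/fstab

  mount -av
else
  echo 'fstab: /etc/fstab left untouched' >&2
fi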

# Shared directory on the RAID. Mode 777 lets any uid write into it, and the
# no_root_squash export option below means root on any 192.168.200.0/24 host
# is root on this tree too (it can plant setuid files). Both look
# task-driven — confirm they are required before reusing this elsewhere.
mkdir -p /raid/nfs
chmod 777 /raid/nfs

# /etc/exports. The first two entries look like sample lines carried over
# from a stock exports file (the /srv/share one is commented out); the
# /srv/public one is read-only but open to any client (*) if that directory
# exists. The last line is the lab export, limited to the HQ client subnet.
{
  echo '/srv/public -ro,insecure,no_subtree_check,fsid=1 *'
  echo '#/srv/share -rw,insecure,fsid=0,sec=krb5 *'
  printf '/raid/nfs\t192.168.200.0/24(rw,no_root_squash)\n'
} > /etc/exports

# Apply the export table and make sure the server survives a reboot.
exportfs -arv
systemctl enable --now nfs-server

# Sync this server's clock from the upstream NTP source (presumably the ISP,
# which serves time to the lab). Replacing chrony.conf wholesale also drops
# whatever else the stock file carried (driftfile, makestep, ...).
# NOTE(review): 172.16.2.1 is the address BR-RTR syncs from, while HQ-CLI on
# this site uses 172.16.1.1. Either works if routed, but this looks copied
# from the BR-SRV section — confirm which link is intended.
printf '%s\n' 'server 172.16.2.1 iburst' > /etc/chrony.conf

systemctl restart chronyd

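# The lab media on /dev/sr0 carries the site files and the DB dump. Mount it
# only if nothing is mounted on /mnt yet, so a re-run neither fails with
# "already mounted" nor (as `|| true` would) silently continues without the
# files and then fails on the copies below.
mountpoint -q /mnt || mount /dev/sr0 /mnt

cp /mnt/web/index.php /var/www/html/
cp /mnt/web/logo.png /var/www/html/

# Point the PHP app at the local MariaDB set up further down: user web3,
# database webdb. The backslash on $ only protects it from the shell; inside
# the sed pattern it is a literal character.
# NOTE(review): index.php now holds the DB password and, at the mode cp gives
# it (likely 644), is readable by every local account — tighten it to the web
# server user.
sed -i "s/\$username = \"user\";/\$username = \"web3\";/" /var/www/html/index.php
sed -i "s/\$password = \"password\";/\$password = \"P@ssw0rd\";/" /var/www/html/index.php
sed -i "s/\$dbname = \"db\";/\$dbname = \"webdb\";/" /var/www/html/index.php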

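systemctl enable --now mariadb

# ---------------------------------------------------------------------------

# Create the application database and a dedicated, localhost-only user.
# Rights are limited to the webdb schema. GRANT OPTION is deliberately not
# given: a web application never needs to hand out privileges, and with it a
# compromised app could extend its own rights to other accounts.
# NOTE(review): `mariadb -u root` with no password relies on the local
# socket authentication for root; this runbook never sets a root password.
mariadb -u root <<'EOF'
CREATE DATABASE IF NOT EXISTS webdb;
CREATE USER IF NOT EXISTS 'web3'@'localhost' IDENTIFIED BY 'P@ssw0rd';
GRANT ALL PRIVILEGES ON webdb.* TO 'web3'@'localhost';
FLUSH PRIVILEGES;
EOF

# Import the site's schema/data as the application user (which also proves
# the credentials above work). The password goes through MYSQL_PWD instead of
# -p'...' so it is not visible in `ps` for the duration of the import.
MYSQL_PWD='P@ssw0rd' mariadb -u web3 webdb < /mnt/web/dump.sql

# Sanity check: list the tables the dump created.
mariadb -u root <<'EOF'
USE webdb;
SHOW TABLES;
EOF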

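systemctl enable --now httpd2

# Move sshd to port 2013: HQ-RTR forwards that port from the ISP side and the
# Ansible inventory on BR-SRV connects to it. The sed matches both the
# commented default ("#Port 22") and an existing Port line.
# NOTE(review): this port is reachable from the ISP side through the NAT rule
# and the inventory logs in with a password; key-based auth with
# PasswordAuthentication off would be the safer exposure.
sed -i "s/^#\?Port .*/Port 2013/" /etc/openssh/sshd_config

# Validate before restarting: a bad edit must not cost remote access.
if sshd -t; then
  systemctl restart sshd
else
  echo 'sshd_config failed validation; sshd was NOT restarted' >&2
fi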

BR-SRV--------------------------------------------------------------------------------

apt-get update

apt-get install -y task-samba-dc

# Stop and disable the standalone daemons that would clash with the AD-DC
# "samba" unit (it brings its own smbd, KDC, LDAP and DNS).
for svc in smb nmb krb5kdc slapd bind; do
  systemctl disable --now "$svc"
done

# DESTRUCTIVE: clear every trace of a previous Samba setup so the provision
# below starts from scratch — an existing domain on this host is lost.
# NOTE(review): /etc/cache/smb.conf looks like a typo for a path under
# /var/cache/samba, which is removed wholesale on the next line anyway.
rm -f /etc/samba/smb.conf /etc/cache/smb.conf
rm -rf /var/lib/samba /var/cache/samba

mkdir -p /var/lib/samba/sysvol

# Provision the AU-TEAM.IRPO domain with Samba's internal DNS, forwarding
# names it does not own to 192.168.100.2 (HQ-SRV per the Ansible inventory;
# nothing in this module shows a resolver there — confirm).
# NOTE(review): --adminpass puts the domain admin password on the command
# line, visible in `ps` and shell history while this runs.
samba-tool domain provision \
  --realm="AU-TEAM.IRPO" \
  --domain="AU-TEAM" \
  --server-role="dc" \
  --dns-backend="SAMBA_INTERNAL" \
  --option="dns forwarder=192.168.100.2" \
  --adminpass="P@ssw0rd"

systemctl enable --now samba

# Use the krb5.conf samba generated for this realm, then bounce the DC.
/bin/cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl restart samba

# The DC resolves through its own DNS; set the domain as search suffix.
printf '%s\n' 'search au-team.irpo' 'nameserver 127.0.0.1' \
  > "/etc/net/ifaces/enp7s1/resolv.conf"

systemctl restart network

# Get an admin ticket; the password arrives on stdin rather than argv.
printf '%s\n' 'P@ssw0rd' | kinit Administrator@AU-TEAM.IRPO

samba-tool group add hq

# Five HQ users sharing one static password, added to the hq group.
# NOTE(review): samba-tool user add takes the password as an argument, so it
# shows in `ps`; --noexpiry switches password rotation off for these
# accounts entirely.
for n in 1 2 3 4 5; do
  samba-tool user add "hquser$n" P@ssw0rd
  samba-tool user setexpiry "hquser$n" --noexpiry
  samba-tool group addmembers "hq" "hquser$n"
done

# Sync the DC's clock from the upstream NTP source on the BR link (the same
# address BR-RTR uses). Kerberos is sensitive to clock skew, so this matters
# for the domain. The stock chrony.conf directives are dropped by the rewrite.
printf '%s\n' 'server 172.16.2.1 iburst' > /etc/chrony.conf

systemctl restart chronyd

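apt-get update

apt-get install -y ansible sshpass python3-module-pip

# Inventory with connection details for the four managed nodes. HQ-SRV is
# reached on its moved SSH port 2013; the routers use network_cli.
# NOTE(review): the passwords are stored here in cleartext. The chmod below
# keeps the file root-only (the default mode would let any local account
# read it); SSH keys or ansible-vault are the proper fix beyond the lab.
cat > /etc/ansible/hosts <<'EOF'
HQ-SRV ansible_host=192.168.100.2 ansible_user=sshuser ansible_password=P@ssw0rd ansible_port=2013
HQ-CLI ansible_host=192.168.200.2 ansible_user=user ansible_password=resu
HQ-RTR ansible_host=10.10.10.1 ansible_user=net_admin ansible_password=P@ssw0rd ansible_connection=network_cli ansible_network_os=ios
BR-RTR ansible_host=192.168.0.1 ansible_user=net_admin ansible_password=P@ssw0rd ansible_connection=network_cli ansible_network_os=ios

[all:vars]
ansible_python_interpreter=/usr/bin/python3
EOF
chmod 600 /etc/ansible/hosts

# host_key_checking = False disables SSH host-key verification for every
# connection. Convenient on a freshly built lab, but it removes the only
# protection against a MITM on the management path — seed known_hosts
# (ssh-keyscan) and drop the line once the nodes are stable.
cat > /etc/ansible/ansible.cfg <<'EOF'
[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False
EOF

# Collections come from Ansible Galaxy and pylibssh from PyPI, unpinned and
# over the network: which versions land depends on when this runs.
ansible-galaxy collection install ansible.netcommon

ansible-galaxy collection install cisco.ios

pip3 install ansible-pylibssh

ansible -m ping all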

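apt-get update

apt-get install -y docker-engine docker-compose-v2

systemctl enable --now docker.service

# Images come from the lab media, not from a registry. Mount it only if /mnt
# is not already a mount point, so a re-run does not fail on "already
# mounted".
mountpoint -q /mnt || mount /dev/sr0 /mnt/

# NOTE(review): the compose file expects the tags site:latest and
# postgres:15-alpine; they must be the ones embedded in these tar files —
# check `docker images` after loading.
docker load < /mnt/docker/site_latest.tar

docker load < /mnt/docker/postgresql_latest.tar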

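# Compose stack written to the current directory; every `docker compose`
# command below has to run from the same directory to find it.
# The app reaches Postgres over the compose network as "database" (DB_HOST),
# so the DB port does not need to be published at all; it is bound to
# 127.0.0.1 here so it stays reachable for local checks but is not exposed
# (with a static password) to the rest of the network. The site is published
# on 8083, which BR-RTR's NAT forwards and the ISP proxy targets.
# NOTE(review): the DB password is plain text in this file; keep the file
# root-only or move the secret to an env file / docker secret.
cat > compose.yaml <<'EOF'
services:
  database:
    container_name: db
    image: postgres:15-alpine
    restart: always
    ports:
      - "127.0.0.1:5432:5432"
    environment:
      POSTGRES_DB: "testdb3"
      POSTGRES_USER: "test3"
      POSTGRES_PASSWORD: "P@ssw0rd"

  app:
    container_name: site
    image: site:latest
    restart: always
    ports:
      - "8083:8000"
    environment:
      DB_TYPE: "postgres"
      DB_HOST: "database"
      DB_PORT: "5432"
      DB_NAME: "testdb3"
      DB_USER: "test3"
      DB_PASS: "P@ssw0rd"
    depends_on:
      - database
EOF

# depends_on only orders start-up; it does not wait for Postgres to accept
# connections. restart: always covers the app crashing on a first failed
# connect.
docker compose up -d

docker compose ps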

HQ-CLI--------------------------------------------------------------------------------

# Resolve through the domain controller on BR-SRV (192.168.0.2) with the AD
# domain as search suffix — required for the SSSD join that follows.
printf '%s\n' 'search au-team.irpo' 'nameserver 192.168.0.2' \
  > /etc/net/ifaces/enp7s1/resolv.conf

systemctl restart network

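apt-get update

apt-get install -y task-auth-ad-sssd

apt-get install -y libnss-role

# Map the domain group "hq" on to the local wheel group via libnss-role, so
# domain users in hq count as wheel members on this client.
# NOTE(review): the domain join itself (system-auth / realm configuration) is
# not visible in this section; this only installs the packages.
roleadd hq wheel

# Let wheel users run only cat, grep and id through sudo.
# NOTE(review): sudo /bin/cat on an arbitrary path still reads root-only
# files such as /etc/shadow, so this is a task-shaped allowlist rather than
# a hardening measure. WHEEL_USERS is not defined here; it is assumed to be
# the User_Alias the distribution's default sudoers already carries — confirm.
# The lines are validated in a scratch copy first: appending a broken rule
# straight into /etc/sudoers locks every user out of sudo.
sudo_tmp=$(mktemp)
cp /etc/sudoers "$sudo_tmp"
printf '%s\n' \
  'Cmnd_Alias SHELLCMD = /bin/cat, /bin/grep, /usr/bin/id' \
  'WHEEL_USERS ALL=(ALL:ALL) SHELLCMD' \
  >> "$sudo_tmp"
chmod 0440 "$sudo_tmp"
if visudo -cf "$sudo_tmp"; then
  install -m 0440 -o root -g root "$sudo_tmp" /etc/sudoers
else
  echo 'sudoers: syntax check failed, /etc/sudoers left untouched' >&2
fi
rm -f -- "$sudo_tmp"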

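apt-get update && apt-get install -y nfs-utils nfs-clients

# Mount point for the HQ-SRV export; -p makes a re-run harmless. The chmod
# on the empty directory stops mattering once the share is mounted over it
# (the export's own permissions apply then).
mkdir -p /mnt/nfs

chmod 777 /mnt/nfs

# Rewrite /etc/fstab with the NFS share appended. The root and /var/log UUIDs
# belong to this particular VM; writing them on any other disk layout leaves
# the system unbootable, so refuse unless blkid can see both on this host.
# NOTE(review): HQ-SRV exports /raid/nfs with no_root_squash, and "defaults"
# mounts it with suid/dev allowed; if this client has untrusted users,
# nosuid,nodev is the safer option set. The entry carries no nofail, so an
# unreachable server delays boot.
fstab_ok=1
for fs_uuid in d2b61289-8f7e-4538-8879-725fd07ac83c ce9b5b16-dea4-4667-a8af-7edad24c8c6c; do
  blkid -U "$fs_uuid" >/dev/null \
    || { echo "fstab: UUID $fs_uuid not present on this host" >&2; fstab_ok=0; }
done

if [ "$fstab_ok" = 1 ]; then
  printf '%s\n' \
    $'proc\t/proc\t\t\tproc\tnosuid,noexec,gid=proc\t0 0' \
    $'devpts\t/dev/pts\t\tdevpts\tnosuid,noexec,gid=tty,mode=620\t0 0' \
    $'tmpfs\t/tmp\t\t\ttmpfs\tnosuid\t\t\t\t0 0' \
    $'UUID=d2b61289-8f7e-4538-8879-725fd07ac83c\t/\text4\trelatime\t1\t1' \
    $'UUID=ce9b5b16-dea4-4667-a8af-7edad24c8c6c\t/var/log\text4\tnosuid,nodev,noexec,noatime\t1\t2' \
    $'/dev/sr0\t/media/ALTLinux\tudf,iso9660\tro,noauto,user,utf8,nofail,comment=x-gvfs-show\t0 0' \
    $'192.168.100.2:/raid/nfs\t/mnt/nfs\tnfs\tdefaults\t0\t0' \
    > /etc/fstab

  # fstab alone takes effect at the next boot; mount the share now as well
  # (HQ-SRV's section does the same with mount -av).
  mount /mnt/nfs || echo 'NFS mount failed; check HQ-SRV exports and routing' >&2
else
  echo 'fstab: /etc/fstab left untouched' >&2
fi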

# Sync the client's clock from the upstream NTP source on the HQ link (the
# same address HQ-RTR uses). Kerberos logins against the DC need the skew
# small. The stock chrony.conf directives are dropped by the rewrite.
printf '%s\n' 'server 172.16.1.1 iburst' > /etc/chrony.conf

systemctl restart chronyd

# Kept from the runbook: no sshd_config change is visible in this section,
# so this restart presumably picks up an edit made earlier (confirm).
systemctl restart sshd

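# Static names for the two ISP-hosted vhosts: 172.16.1.1 and 172.16.2.1 are
# the upstream addresses on the HQ and BR links (the ones the routers sync
# NTP from), so both names land on the nginx reverse proxy there.
# Each line is added only if absent, so re-running the runbook does not pile
# up duplicate entries in /etc/hosts.
grep -q 'web.au-team.irpo' /etc/hosts \
  || printf '%s\n' '172.16.1.1    web.au-team.irpo' >> /etc/hosts
grep -q 'docker.au-team.irpo' /etc/hosts \
  || printf '%s\n' '172.16.2.1    docker.au-team.irpo' >> /etc/hosts

# Browser for checking the sites from the client. This package is not part
# of the base repositories; the repository it comes from is not shown here.
apt-get install -y yandex-browser-stable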