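--- /dev/null
+++ b/build.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# build.sh
+# GPLv3+
+set -x
+
+# A function to jump to application's root, default .../forksand-it-manual
+cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
+rootPath=$PWD
+
+cd source || exit
+rm ./*.aux
+rm ./*.l*
+rm ./*.glo
+rm ./*.idx
+rm ./*.out
+rm ./*.pyg
+rm ./*.toc
+
+rm ./_minted-forksand-it-manual/*.pyg*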
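Review bot: `rm ./*.l*` matches far more than the log-type files it presumably targets — any file in `source/` whose name contains `.l` (a `.lua` helper, a `.latex` include, a `.ltx` file) is removed on every build; list the extensions explicitly, e.g. `rm -f ./*.log ./*.lof ./*.lot`, and add `-f` to the other `rm` lines so a clean tree does not spray 'No such file' errors under `set -x`. The `cd` on the `sed` line is not checked: when the working directory is not under a directory named `forksand-it-manual` the substitution is a no-op, and the following `cd source || exit` only guards against a missing `source/` subdirectory, not the wrong one, so the globs then delete files in whatever `source/` sits under the invoking directory; quoting and failing hard, `cd "$(...)" || exit 1`, makes the intent explicit. `rootPath=$PWD` is assigned and never read anywhere in this 19-line file, so either drop it or use it for the later paths.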
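--- a/ClusterHardware.tex
+++ /dev/null
@@ -1,51 +0,0 @@
-%
-% ClusterHardware.tex
-%
-% Fork Sand IT Manual
-%
-% Copyright (C) 2018, Fork Sand, Inc.
-% Copyright (C) 2017, Jeff Moe
-% Copyright (C) 2017 Aleph Objects, Inc.
-%
-% This document is licensed under the Creative Commons Attribution 4.0
-% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
-%
-
-\section{Cluster Hardware Overview}
-The cluster will require rackmountable equipment:
-
-\begin{itemize}
-\item GNU/Linux Servers
-\end{itemize}
-
-
-\section{GNU/Linux Servers}
-The servers will all run Debian GNU/Linux
-
-\subsection{Denver Server List}
-\begin{itemize}
-\item \texttt{oc1.forksand.com} --- KVM host.
-\item \texttt{rd1.forksand.com} --- Misc.
-\end{itemize}
-
-\section{Network Hardware}
-The network switches do not run free software.
-
-\section{Disk Drives}
-The disk drives do not run free software.
-
-\begin{itemize}
-\item Hard drive platters, 7200 RPM, 2.5" and 3.5"
-\item SSD
-\item NVMe
-\end{itemize}
-
-\section{Suppliers}
-Who we'll get hardware from.
-
-\begin{itemize}
-\item Pogo Linux --- Debian GNU/Linux Servers, USA.
-\item Viking.net --- Coreboot Opteron servers in Germany.
-\item raptorcs.com --- POWER9, custom Coreboot systems (?), USA.
-\end{itemize}
-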
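--- /dev/null
+++ b/Source.tex
@@ -0,0 +1,496 @@
+%
+% Source.tex
+%
+% Fork Sand IT Manual
+%
+% Copyright (C) 2018, Fork Sand, Inc.
+% Copyright (C) 2017, Jeff Moe
+% Copyright (C) 2017 Aleph Objects, Inc.
+%
+% This document is licensed under the Creative Commons Attribution 4.0
+% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
+%
+\section{Hardware}
+
+\subsection{Cluster Evolution}
+Forksand started deployment on dedicated servers.
+\vspace{0.6cm}
+First stage. Exclusively dedicated servers (deprecated)
+\vspace{0.4cm}
+\centering
+\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
+{sharkfork-cabling-1-dedicated-vlan.pdf} \\ %
+%
+\vspace{0.2cm}
+\raggedright
+Second stage. Dedicated servers along with a colocation
+cabinet. Flat hierarchy. (deprecated)
+
+\vspace{0.1cm}
+In progress, services were being migrated one after another to
+a colocation instance. On the next stage hierarchy becomes vertical. \\
+\vspace{0.1cm}
+\centering
+\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
+{sharkfork-cabling-2-mixed-vlan.pdf} \\ %
+%
+\raggedright
+Third stage. Dedicated servers buffered by
+a colocation cabinet. Vertical hierarchy. (deprecated)
+\vspace{0.4cm}
+\centering
+\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
+{sharkfork-cabling-3-colo-dedicated.pdf} \\ %
+%
+\vspace{0.2cm}
+\raggedright
+Fourth stage. Dedicated servers discarded.
+Colocation cabinet buffered only with a firewall. (current)
+\vspace{0.4cm}
+\centering
+\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
+{sharkfork-cabling-4-final-colocation.pdf} \\ %
+%
+\vspace{0.2cm}
+\raggedright
+Final stage. Firewall discarded. Single colocation cabinet. (in process)
+\vspace{0.4cm}
+\centering
+%\includegraphics[width=115mm,trim=10mm 10mm 10mm 10mm]
+%{sharkfork-cabling-4-single-colocation.pdf} \\ %
+%
+\raggedright
+\newpage
+
+\section{Cluster Hardware Overview}
+The cluster will require rackmountable equipment:
+
+\begin{itemize}
+\item GNU/Linux Servers
+\end{itemize}
+
+\begin{minipage}{0.9\textwidth}
+\subsection{Sharkfork 21U hardware instance} \label{sec:hardware-sharkfork-21U}
+%\includepdf[width=150mm,offset=0 15,clip]
+%{sharkfork-21U.pdf}
+\includegraphics[keepaspectratio=true,height=0.80\textheight,width=150mm,angle=0]
+{sharkfork-21U.png}
+% \vspace{150mm}
+\label{fig:sharkfork-21U}
+%\vspace{60mm}
+\end{minipage}
+
+\newpage
+
+%\subsubsection{Sharkfork 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U}
+
+\definecolor{secondary-brown}{HTML}{F3E2C3} % HEX # F3E2C3 R:243 G:226 B:195 C:0 M:7 Y:20 K:5
+\definecolor{primary-blue}{HTML}{A1F4FF} % HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0
+\definecolor{primary-brown}{HTML}{B07E3B} % HEX # B07E3B R:176 G:126 B:56 C:0 M:28 Y:68 K:31
+\definecolor{nonbrand-dark-blue}{HTML}{184B6D} % HEX # 184B6D R:19 G:70 B:109 C:0 M:28 Y:68 K:31
+
+\newcommand{\nodeUnitName}[4]{
+\rowcolor{#3}\vspace{-1pt}
+{{\grenewcommand{\currentColor}{#3}}}
+{{\grenewcommand{\currentTextColor}{#4}}}
+\Large{\textcolor{#4}{#1}} & \rule[-0.5em]{0pt}{1.8em} \Large{\textcolor{#4}{#2}} \\
+\rowcolor{#3}\vspace{-1pt}
+}
+\newcommand{\nodeUnitParameter}[1]{
+\rule[1.0em]{0pt}{-1em} & \small{\textcolor{\currentTextColor}{ - #1}} \\
+\rowcolor{\currentColor}\vspace{-1pt}
+}
+\newcommand{\nodeUnitLastParameter}[1]{
+\rule[-0.5em]{0pt}{0em} & \small{\textcolor{\currentTextColor}{ - #1}} \\
+\tabucline[0.2pt]{1-2}
+}
+\newcommand{\nodeUnitSetItem}[2]{
+\rowcolor{\currentColor}\vspace{-1pt}
+\rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\
+\tabucline[0.2pt]{1-2}
+}
+\newcommand{\nodeUnitSetLastItem}[2]{
+\rowcolor{\currentColor}\vspace{-1pt}
+\rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\
+\tabucline[2pt]{1-2}
+}
+%\newcommand{\nodeUnitSetNotes}[2]{
+% \pickColor{#2}
+% \rule[-0.3em]{0pt}{0em}\small{Notes:} & \small{#1} \\ \tabucline[2pt]{1-2}
+%}
+
+\newcommand{\currentColor}{secondary-brown}
+\newcommand{\currentTextColor}{secondary-brown}
+
+\begin{table}[!htb]
+%\caption{IP configs of nodes} \label{tab:sharkNodeIPConfig}
+\begin{tabu}{|[2pt]l|[2pt]p{14.5cm}|[2pt]}
+\tabucline[2pt]{1-2}
+\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} Qty}&
+\multicolumn {1}{p{13cm}|[2pt]}{ Description} \\ \tabucline[2pt]{1-2}
+%%% UNIT %%%
+% Unit name
+\nodeUnitName{2}{Iris FW1100 - Firewall System}{secondary-brown}{ao-black}
+% Unit configuration parameters
+\nodeUnitParameter{ 1U Form Factor ~~- Single Intel Xeon D-1587 CPU }
+\nodeUnitParameter{ Up to 128GB DDR4 ECC Reg Memory }
+\nodeUnitParameter{ Dual 10G SFP+ and Six Gigabit Ethernet }
+\nodeUnitLastParameter{ 400W Platinum Level Redundant Power Supply }
+% Unit has a set of components parameters
+\nodeUnitSetItem {2}{ 8GB DDR4 2666MHz ECC Registered DIMM }
+%\nodeUnitSetItem {1}{ No Operating System. Include testing%
+% and customer OS preference in notes. }
+%\nodeUnitSetItem {1}{ Return to Depot Warranty (3 Year Hardware%
+% Warranty with Standard Advance Parts Replacement) }
+\nodeUnitSetItem {1}{ 128GB SATA DOM }
+\nodeUnitSetLastItem {1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
+% Unit ends with notes, pass "none" parameter if no notes
+%\nodeUnitSetNotes { none }
+%%% END UNIT %%%
+
+%%% UNIT %%%
+% Unit name
+\nodeUnitName{1}{Iris NV2225}{primary-blue}{ao-black}
+% Unit configuration parameters
+\nodeUnitParameter{ 2U Form Factor ~~- Dual Intel Xeon SP Processor }
+\nodeUnitParameter{ Up to 768GB DDR4 2133MHz ECC Registered Memory }
+\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
+\nodeUnitParameter{ Intel x550 Quad port 10G Ethernet }
+\nodeUnitLastParameter{ 1600W Redundant High-efficiency Power Supply }
+% Unit has a set of components parameters
+\nodeUnitSetItem{2}{ Intel Xeon Gold 5115 10C 2.4GHz 13.75MB Cache }
+\nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (4 x 32GB) }
+\nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB }
+\nodeUnitSetItem{4}{ Ultrastar SN200 800GB NVMe SSD }
+%\nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
+% OS preference in notes. }
+%\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
+% with Standard Advance Parts Replacement) }
+\nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
+% Unit ends with notes, pass "none" parameter if no notes
+%\nodeUnitSetNotes { none }
+%%% END UNIT %%%
+
+%%% UNIT %%%
+% Unit name
+\nodeUnitName{2}{Iris 1292-R4T}{primary-brown}{ao-black}
+% Unit configuration parameters
+\nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processors }
+\nodeUnitParameter{ Intel C620 Chipset with QPI up to 9.6GT/sec }
+\nodeUnitParameter{ Up to 768GB DDR4 2666MHz ECC Registered Memory }
+\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
+\nodeUnitParameter{ Intel Quad-port 10GBaseT Ethernet Controller }
+\nodeUnitParameter{ 4 x 3.5'' Hot-swap Drive Bays For customizable Storage }
+\nodeUnitLastParameter{ 750W Redundant Power Supply }
+% Unit has a set of components parameters
+\nodeUnitSetItem{2}{ Intel Xeon Silver 4110 8C 2.1GHz 11MB Cache }
+\nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (8 x 16GB) }
+\nodeUnitSetItem{4}{ HGST Ultrastar 6TB 7200RPM SATA 6Gb/s }
+%\nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
+% OS preference in notes. }
+%\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
+% with Standard Advance Parts Replacement) }
+\nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
+% Unit ends with notes, pass "none" parameter if no notes
+%\nodeUnitSetNotes { none }
+%%% END UNIT %%%
+
+%%% UNIT %%%
+% Unit name
+\nodeUnitName{2}{Iris NV1211}{nonbrand-dark-blue}{ao-white}
+% Unit configuration parameters
+\nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processor }
+\nodeUnitParameter{ Up to 1534GB DDR4 2400MHz ECC Registered Memory }
+\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
+\nodeUnitParameter{ Intel x540 Dual-port 10Gigabit Ethernet }
+\nodeUnitParameter{ 10 x 2.5'' Solid State NVMe Disks }
+\nodeUnitLastParameter{ 1000W Redundant High-efficiency Power Supply }
+% Unit has a set of components parameters
+\nodeUnitSetItem{2}{ Intel Xeon Silver 4114 10C 2.2GHz 13.75MB Cache }
+\nodeUnitSetItem{1}{ 64GB DDR4 2666MHz ECC Reg (4 x 16GB) }
+\nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB }
+\nodeUnitSetItem{6}{ Ultrastar SN200 800GB NVMe SSD }
+% \nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
+% OS preference in notes. }
+% \nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
+% with Standard Advance Parts Replacement) }
+\nodeUnitSetLastItem{1}{ Intel X710 Converged Network Adapter Quad-port 10GBaseT }
+% Unit ends with notes, pass "none" parameter if no notes
+%\nodeUnitSetNotes { none }
+%%% END UNIT %%%
+
+\end{tabu}
+\end{table}
+
+Notes applicable to all units:
+
+{ 1. No Operating System. Include testing and customer OS preference in notes. }
+
+{ 2. Return to Depot Warranty (3 Year Hardware Warranty with Standard Advance Parts Replacement) }
+
+\newpage
+
+\section{GNU/Linux Servers}
+The servers will all run Debian GNU/Linux
+
+\subsection{Denver Server List}
+\begin{itemize}
+\item \texttt{oc1.forksand.com} --- KVM host.
+\item \texttt{rd1.forksand.com} --- Misc.
+\end{itemize}
+
+\vspace{10mm}
+
+\texttt{\qquad oc1.forksand.com parameters}
+\begin{minted}{sh}
+Full Network:
+70.39.125.64/27 Network
+70.39.125.65 Gateway
+70.39.125.66 AVAILABLE
+70.39.125.94 AVAILABLE
+70.39.125.95 Broadcast
+255.255.255.224 Netmask
+
+Break the main IP into a /30
+
+# Main network interface
+# 2 IPs
+70.39.125.64/30 Network
+70.39.125.65 Gateway
+70.39.125.66 oc1
+70.39.125.67 Broadcast
+255.255.255.252 Netmask
+
+# vmbr0 Bridge 0 with 2 IPs
+70.39.125.68/30 Network
+70.39.125.69 vmbr0 gateway
+70.39.125.70 AVAILABLE
+70.39.125.71 Broadcast
+255.255.255.252 Netmask
+
+# vmbr1 Bridge 1 with 6 IPs
+70.39.125.72/29 Network
+70.39.125.73 vmbr1 gateway
+70.39.125.74 AVAILABLE
+70.39.125.76 test99
+70.39.125.78 AVAILABLE
+70.39.125.79 Broadcast
+255.255.255.248 Netmask
+
+# vmbr2 Bridge 2 with 14 IPs
+70.39.125.80/28 Network
+70.39.125.81 vmbr2 gateway
+70.39.125.92 AVAILABLE
+70.39.125.94 AVAILABLE
+70.39.125.95 Broadcast
+255.255.255.240 Netmask
+\end{minted}
+
+\newpage
+
+\texttt{\qquad rd1.forksand.com parameters}
+\begin{minted}{sh}
+Full Network:
+174.128.229.128/27 Network
+174.128.229.129 Gateway
+174.128.229.130 Main rd1 IP
+174.128.229.131 AVAILABLE
+174.128.229.158 AVAILABLE
+174.128.229.159 Broadcast
+255.255.255.224 Netmask
+
+Break the main network into a /30
+
+# Main network interface
+# 2 IPs
+174.128.229.128/30 Network
+174.128.229.129 Gateway
+174.128.229.130 oc1
+174.128.229.131 Broadcast
+255.255.255.252 Netmask
+
+# vmbr0 Bridge 0 with 2 IPs
+174.128.229.132/30 Network
+174.128.229.133 vmbr0 gateway
+174.128.229.134 AVAILABLE
+174.128.229.135 Broadcast
+255.255.255.252 Netmask
+
+# vmbr1 Bridge 1 with 6 IPs
+174.128.229.136/29 Network
+174.128.229.137 vmbr1 gateway
+174.128.229.138 AVAILABLE
+174.128.229.140 test99
+174.128.229.142 AVAILABLE
+174.128.229.143 Broadcast
+255.255.255.248 Netmask
+
+# vmbr2 Bridge 2 with 14 IPs
+174.128.229.144/28 Network
+174.128.229.145 vmbr2 gateway
+174.128.229.156 AVAILABLE
+174.128.229.158 AVAILABLE
+174.128.229.159 Broadcast
+255.255.255.240 Netmask
+\end{minted}
+
+\section{Network Hardware}
+The network switches do not run free software.
+
+\section{Disk Drives}
+The disk drives do not run free software.
+
+\begin{itemize}
+\item Hard drive platters, 7200 RPM, 2.5'' and 3.5''
+\item SSD
+\item NVMe
+\end{itemize}
+
+\section{Suppliers}
+Who we'll get hardware from.
+
+\begin{itemize}
+\item Pogo Linux --- Debian GNU/Linux Servers, USA.
+\item Viking.net --- Coreboot Opteron servers in Germany.
+\item raptorcs.com --- POWER9, custom Coreboot systems (?), USA.
+\end{itemize}
+
+\newcommand{\includescreen}[3]{
+\begin{figure}[!ht]
+\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{#1}
+\caption{#2}
+#3
+\end{figure}
+}
+
+\section{Shark nodes configuration. Using an example Shark2}
+
+%\includescreen{shark2/01.png}{Log in to admin-webview}{}
+\includescreen{shark2/02.png}{Log in to admin-webview}{\label{fig:shark2login}}
+%\includescreen{shark2/03.png}{Logged in to admin-webview. Notification of no valid subscription}{}
+%\includescreen{shark2/04.png}{Browse Datacenter, log hidden}{\label{fig:shark2browsedatacenter}}
+%\includescreen{shark2/05.png}{Browse shark2 Node}{\label{fig:shark2browsenode}}
+\includescreen{shark2/06.png}{Browse shark2 Network}{\label{fig:shark2network}}
+%\includescreen{shark2/07.png}{Select first shark2 Network device}{}
+\includescreen{shark2/08.png}{Edit first shark2 Network device}{}
+\includescreen{shark2/09.png}{Cleanup first shark2 Network device}{\label{fig:shark2cleanupnetdevice1}}
+\includescreen{shark2/10.png}{Browse shark2 Network}{}
+\includescreen{shark2/11.png}{Create shark2 Linux Bridge}{\label{fig:shark2linuxbridge}}
+%\includescreen{shark2/12.png}{Create shark2 Linux Bridge}{}
+\includescreen{shark2/13.png}{Create shark2 Linux Bridge}{}
+\begin{table}[!htb]
+\caption{IP configs of nodes} \label{tab:sharkNodeIPConfig}
+\begin{tabular}{|l|l|l|l|}
+\hline
+\multicolumn {1}{|l|}{ Parameter}&
+\multicolumn {1}{l|}{ Shark2}&
+\multicolumn {1}{l|}{ Shark3}&
+\multicolumn {1}{l|}{ Shark4} \\ \hline
+Linux bridge & & & \\ %\hline
+Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline
+IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline
+Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline
+Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline
+Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline
+
+Network Device & & & \\ %\hline
+Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline
+IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline
+Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
+
+Network Device & & & \\ %\hline
+Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline
+IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline
+Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
+
+\end{tabular}
+\end{table}
+\includescreen{shark2/14.png}{Browse shark2 Network}{}
+%\includescreen{shark2/15.png}{Select second shark2 Network device}{}
+%\includescreen{shark2/16.png}{Edit second shark2 Network device}{}
+\includescreen{shark2/17.png}{Edit second on the list shark2 Network device}{}
+%\includescreen{shark2/18.png}{Browse shark2 Network}{}
+%\includescreen{shark2/19.png}{Select third shark2 Network device}{}
+%\includescreen{shark2/20.png}{Edit third shark2 Network device}{}
+\includescreen{shark2/21.png}{Edit third on the list shark2 Network device}{}
+\begin{table}[!htb]
+\caption{IP configs of nodes, duplicate of table \ref{tab:sharkNodeIPConfig}} % \label{tab:sharkLinuxBridge}
+\begin{tabular}{|l|l|l|l|}
+\hline
+\multicolumn {1}{|l|}{ Parameter}&
+\multicolumn {1}{l|}{ Shark2}&
+\multicolumn {1}{l|}{ Shark3}&
+\multicolumn {1}{l|}{ Shark4} \\ \hline
+Linux bridge & & & \\ %\hline
+Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline
+IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline
+Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline
+Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline
+Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline
+
+Network Device & & & \\ %\hline
+Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline
+IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline
+Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
+
+Network Device & & & \\ %\hline
+Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline
+IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline
+Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
+
+\end{tabular}
+\end{table}
+\includescreen{shark2/22.png}{Browse shark2 Network}{}
+%\includescreen{shark2/23.png}{Browse shark2 node}{}
+\includescreen{shark2/24.png}{Restart shark2 node}{}
+
+%\clearpage % avoid LaTeX Error: Too many unprocessed floats.
+%\section{Shark3 configuration}
+%
+%\includescreen{shark3/01.png}{Log in to admin-webview}{\label{fig:shark3login}}
+%\includescreen{shark3/02.png}{Logged in to admin-webview. Notification of no valid subscription}{}
+%\includescreen{shark3/03.png}{Browse Datacenter, log hidden}{\label{fig:shark3browsedatacenter}}
+%\includescreen{shark3/04.png}{Browse Shark3 Node}{\label{fig:shark3browsenode}}
+%\includescreen{shark3/05.png}{Shark3 Network}{\label{fig:shark3network}}
+%\includescreen{shark3/06.png}{Browse Shark3 Network}{}
+%\includescreen{shark3/07.png}{Select first Shark3 Network device}{}
+%\includescreen{shark3/08.png}{Edit first Shark3 Network device}{}
+%\includescreen{shark3/09.png}{Cleanup first Shark3 Network device}{\label{fig:shark3cleanupnetdevice1}}
+%\includescreen{shark3/10.png}{Create Shark3 Linux Bridge}{\label{fig:shark3linuxbridge}}
+%\includescreen{shark3/11.png}{Create Shark3 Linux Bridge}{}
+%\includescreen{shark3/12.png}{Create Shark3 Linux Bridge}{}
+%\includescreen{shark3/13.png}{Create Shark3 Linux Bridge}{}
+%\includescreen{shark3/14.png}{Select second Shark3 Network device}{}
+%\includescreen{shark3/15.png}{Edit second Shark3 Network device}{}
+%\includescreen{shark3/16.png}{Edit second Shark3 Network device}{}
+%\includescreen{shark3/17.png}{Select third Shark3 Network device}{}
+%\includescreen{shark3/18.png}{Edit third Shark3 Network device}{}
+%\includescreen{shark3/19.png}{Edit third Shark3 Network device}{}
+%\includescreen{shark3/20.png}{Edit third Shark3 Network device}{}
+%\includescreen{shark3/21.png}{Browse Shark3 node}{}
+%\includescreen{shark3/22.png}{Restart Shark3 node}{}
+%
+%\clearpage % avoid LaTeX Error: Too many unprocessed floats.
+%\section{Shark4 configuration}
+%
+%
+%\includescreen{shark4/01.png}{Log in to admin-webview}{}
+%\includescreen{shark4/02.png}{Log in to admin-webview}{\label{fig:shark4login}}
+%\includescreen{shark4/03.png}{Browse Datacenter}{\label{fig:shark4browsedatacenter}}
+%\includescreen{shark4/04.png}{Browse Datacenter, log hidden}{}
+%\includescreen{shark4/05.png}{Browse Shark4 Node}{\label{fig:shark4browsenode}}
+%\includescreen{shark4/06.png}{Shark4 Network}{\label{fig:shark4network}}
+%\includescreen{shark4/07.png}{Select first Shark4 Network device}{}
+%\includescreen{shark4/08.png}{Edit first Shark4 Network device}{}
+%\includescreen{shark4/09.png}{Cleanup first Shark4 Network device}{\label{fig:shark4cleanupnetdevice1}}
+%\includescreen{shark4/10.png}{Create Shark4 Linux Bridge}{\label{fig:shark4linuxbridge}}
+%\includescreen{shark4/11.png}{Create Shark4 Linux Bridge}{}
+%\includescreen{shark4/12.png}{Select second Shark4 Network device}{}
+%\includescreen{shark4/13.png}{Select second Shark4 Network device}{}
+%\includescreen{shark4/14.png}{Edit second Shark4 Network device}{}
+%\includescreen{shark4/15.png}{Edit second Shark4 Network device}{}
+%\includescreen{shark4/16.png}{Select second Shark4 Network device}{}
+%\includescreen{shark4/17.png}{Edit second Shark4 Network device}{}
+%\includescreen{shark4/18.png}{Edit second Shark4 Network device}{}
+%\includescreen{shark4/19.png}{Restart Shark4 node}{}
+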
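Review bot: `\label{fig:sharkfork-21U}` in the Sharkfork 21U minipage follows a bare `\includegraphics` with no `\caption` and no `figure` environment, so it does not label a figure at all — a `\ref` to it resolves to the enclosing subsection number; either wrap the image as `\begin{figure}...\caption{...}\label{fig:sharkfork-21U}\end{figure}` or drop the label. In the `rd1.forksand.com parameters` minted block the main-interface line reads `174.128.229.130 oc1` while the full-network listing a few lines above calls the same address `Main rd1 IP`; this looks copied from the oc1 block and should presumably read `174.128.229.130 rd1`. The second `IP configs of nodes` table is a verbatim copy of the first with its own `\label` commented out, as its caption admits; keeping one table and referring back with `\ref{tab:sharkNodeIPConfig}` (or `\cref`) avoids the two copies drifting apart on the next address change. The comment on `nonbrand-dark-blue` gives `R:19` for hex `18` (decimal 24) and repeats primary-brown's CMYK values, so the annotation does not describe the colour it sits next to.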
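--- a/OpenNebula.tex
+++ /dev/null
@@ -1,197 +0,0 @@
-%
-% OpenNebula.tex
-%
-% Fork Sand IT Manual
-%
-% Copyright (C) 2018, Fork Sand, Inc.
-% Copyright (C) 2017, Jeff Moe
-% Copyright (C) 2017 Aleph Objects, Inc.
-%
-% This document is licensed under the Creative Commons Attribution 4.0
-% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
-%
-% XXX TODO: opennebula-sunstone-login.png
-
-\section{Overview}
-OpenNebula is a virtual machine manager.
-
-The private cloud deployment will be based on OpenNebula version 5.4, which
-is currently in beta. There are only Debian 8 (Jessie, oldstable) releases.
-Debian hasn't packaged OpenNebula since wheezy. It has it in sid, but even
-that is an old version. The only packages available for Debian are the
-upstream ones for Jessie made by OpenNebula. UPDATE: although it isn't listed
-on their website, it does appear their are Debian 9 (Stretch) builds of
-OpenNebula for the betas of the forthcoming 5.4 version, which is great.
-
-Documentation:
-\url{https://docs.opennebula.org/5.4/}
-
-\begin{figure}[h!]
-\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-opennebula.png}
-\caption{OpenNebula Website}
-\label{fig:www-opennebula}
-\end{figure}
-
-\begin{itemize}
-\item Website: \\ \url{https://opennebula.org/}
-\item Debian Stretch Repo: \\
-\url{http://downloads.opennebula.org/repo/5.4/Debian/9/pool/opennebula/}
-\end{itemize}
-
-
-The following servers will be deployed to host OpenNebula and the KVMs:
-
-\begin{itemize}
-\item \texttt{waz-kvm-001.forksand.com} --- Virtual Machine Server 1
-\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
-\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
-\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
-\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
-\item \texttt{waz-sun-001.forksand.com} --- OpenNebula Sunstone Web GUI 1
-\item \texttt{waz-sun-002.forksand.com} --- OpenNebula Sunstone Web GUI 2
-\end{itemize}
-
-\subsection{Virtual Machine Servers}
-KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
-virtual images.
-
-\subsection{Sunstone Web GUI Servers}
-Sunstone is OpenNebula's Web GUI for administration of the cluster.
-
-\begin{figure}[h!]
-\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{opennebula-sunstone.png}
-\caption{OpenNebula Sunstone Web Admin GUI}
-\label{fig:opennebula-sunstone}
-\end{figure}
-
-
-\begin{minted}{sh}
-wget -q -O- https://downloads.opennebula.org/repo/repo.key | apt-key add -
-echo "deb http://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula" > /etc/apt/sources.list.d/opennebula.list
-apt update
-apt -y install opennebula-node
-service libvirtd restart
-\end{minted}
-
-
-\section{Bugs}
-Things that are bugs or at least aren't configured correctly.
-
-
-\section{Sunstone Configuration}
-At this point, you should have the OpenNebula Sunstone server up and running.
-See scripts in \texttt{source/resources/ns24} for automation.
-
-\begin{enumerate}
-\item Set up ssh tunnel (use Sunstone server name for ns24):
-Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
-\item In workstation, open browser to url:
-URL: \\ \url{http://localhost:9869/}
-Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
-\item Click \texttt{OpenNebula} in the upper right to get the full web console.
-\item Click \texttt{Infrastructure}.
-\item Click \texttt{Hosts}.
-\item Click The \texttt{+} plus icon.
-\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
-\texttt{Type: KVM}
-\texttt{Hostname: ns24}
-\item Click \texttt{Create}.
-\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
-stages of setup, starting at \texttt{INIT}.
-\item Confirm status is \texttt{ON}.
-\end{enumerate}
-
-\section{Sunstone Deploy Image}
-This is a quick and dirty way to deploy a first test image.
-NOTE: It is note privacy aware, as it pulls the image from the
-OpenNebula ``store''.
-
-How to deploy an image from the OpenNebula App store:
-\begin{enumerate}
-\item Click \texttt{Storage}.
-\item Click \texttt{Apps}
-\item Click \texttt{Debian 9 - KVM}.
-\item Click on the icon that is a cloud with an arrow in it. This downloads it to OpenNebula.
-\item Select a datastore by clicking the \texttt{default} line.
-\item Leave name and all that the same, and click \texttt{Download}.
-\item Click \texttt{Images} under \texttt{Storage} in the left column.
-\item Hit the refresh icon repeatedly.
-\item When \texttt{Status} is \texttt{READY}, it is good to go.
-\item Click \texttt{Templates} in the left column.
-\item Click \texttt{VMs}.
-\item Click \texttt{Debian 9 - KVM}.
-\item Click \texttt{Instantiate}.
-\item \texttt{VM Name} enter \texttt{deb9}.
-\item \texttt{Number of instances} enter \texttt{1}.
-\item \texttt{Memory} enter \texttt{768}.
-\item \texttt{CPU} enter \texttt{1}.
-\item Click the slider to \texttt{Instantiate as persistent}.
-\item Click \texttt{Instantiate}.
-\item Click \texttt{Instances} in the left column.
-\item Click \texttt{VMs}.
-\item Click the reload icon, repeat.
-\item It is good when \texttt{Status} is \texttt{RUNNING}.
-\item Set up an \texttt{ssh} tunnel so VNC can be used:
-\texttt{ssh -N -C -L 29876:localhost:29876 ns24}
-\item Click on the little monitor icon to launch VNC.
-\item Look at booted up screen at \texttt{login:} prompt.
-\item This means a Debian KVM booted up and the VNC is working.
-There is no password for the \texttt{root} account, only \texttt{ssh} is available.
-So without network setup, you can't really do anything with this image.
-Booted, it just shows it works.
-\end{enumerate}
-
-I think delete this section, it would go before the \texttt{Templates} above.:
-\begin{enumerate}
-\item Click \texttt{Debian 9 - KVM}.
-\item PROBABLY NO: Click \texttt{Clone} to make a local copy.
-\item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
-\item Click on the icon with three dots.
-\item Click \texttt{Make Persistent}.
-\item Click on the icon with three dots.
-\item Click \texttt{Enable}.
-\end{enumerate}
-
-\section{OpenNebula Networking}
-XXX Yes, this part needs set up...
-
-\begin{minted}{sh}
-# /etc/network/interfaces bridge section, add this:
-auto br0
-iface br0 inet static
-bridge_ports eth0
-bridge_fd 0
-address 192.168.100.1
-netmask 255.255.255.0
-network 192.168.100.0
-broadcast 192.168.100.255
-gateway 192.168.100.1
-dns-nameservers 37.235.1.174
-dns-search forksand.com
-\end{minted}
-
-As user \texttt{jebba}, on the server, run this to generate a key.
-Then paste that key into Sunstone under "SSH Public Key".
-
-\begin{minted}{sh}
-ssh-keygen -t ed25519
-\end{minted}
-
-\begin{minted}{sh}
-# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
-# Comment this out:
-auto eth0:27
-iface eth0:27 inet static
-address 174.128.229.158
-netmask 255.255.255.224
-gateway 174.128.229.129
-\end{minted}
-
-XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
-
-If things are set up to use a bridge and 192.168.100.100,
-\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
-Will bring things up to NAT.
-
-
-XXX The port forwarding is forwarding all port 53 to guest at the moment.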
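--- a/Proxmox.tex
+++ b/Proxmox.tex
@@ -0,0 +1,230 @@
+%
+% Proxmox.tex
+%
+% Fork Sand IT Manual
+%
+% Copyright (C) 2018, Fork Sand, Inc.
+% Copyright (C) 2017, Jeff Moe
+% Copyright (C) 2017 Aleph Objects, Inc.
+%
+% This document is licensed under the Creative Commons Attribution 4.0
+% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
+%
+% XXX TODO: Proxmox-GUI-login.png
+
+\section{Overview}
+Proxmox is a virtual machine manager.
+
+The private cloud deployment will be based on Proxmox version 5.x.
+%There are only Debian 8 (Jessie, oldstable) releases.
+%Debian hasn't packaged Proxmox since wheezy. It has it in sid, but even
+%that is an old version. The only packages available for Debian are the
+%upstream ones for Jessie made by Proxmox.
+UPDATE: although Proxmox isn't listed on Debian 9 (Stretch) packages,
+there is an installation manual for 5.x version, which is great.
+
+Documentation:
+\url{https://pve.proxmox.com/wiki/Documentation}
+
+\begin{figure}[h!]
+\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-proxmox.png}
+\caption{Proxmox Website}
+\label{fig:www-proxmox}
+\end{figure}
+
+\begin{itemize}
+\item Website: \\ \url{https://proxmox.com/}
+\item Debian Stretch Repo: \\
+\url{http://downloads.Proxmox.com/repo/5.4/Debian/9/pool/Proxmox/}
+\end{itemize}
+
+
+The following servers will be deployed to host Proxmox and the KVMs:
+
+\begin{itemize}
+%\item \texttt{waz-kvm-001.forksand.com}
+%\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
+%\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
+%\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
+%\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
+%\item \texttt{waz-sun-001.forksand.com} --- Proxmox Web GUI 1
+%\item \texttt{waz-sun-002.forksand.com} --- Proxmox Web GUI 2
+\item \texttt{forksand-hk1} --- Virtual Machine Node 1
+\item \texttt{forksand-hk2} --- Virtual Machine Node 2
+\item \texttt{forksand-hk3} --- Virtual Machine Node 3
+\item \texttt{\textcolor[rgb]{0.80,0.00,0.00}{forksand-shark1}} \textcolor[rgb]{0.80,0.00,0.00}{--- Virtual Machine Node ?}
+\item \texttt{forksand-shark2} --- Virtual Machine Node 4
+\item \texttt{forksand-shark3} --- Virtual Machine Node 5
+\item \texttt{forksand-shark4} --- Virtual Machine Node 6
+\item \texttt{forksand-the} --- Virtual Machine Node 7
+\item \texttt{forksand-truck} --- Virtual Machine Node 8
+\end{itemize}
+
+%\subsection{Virtual Machine Servers}
+%KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
+%virtual images.
+%
+%\subsection{Proxmox Web GUI Servers}
+%A Proxmox's Web GUI for administration of the cluster.
+
+\subsection{Virtual Machine Nodes}
+Virtual machine nodes. Fast CPU, with lots of RAM. Uses Ceph to store
+virtual images.
+
+Every node includes a Proxmox's Web GUI for administration of the cluster.
+\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify}
+
+
+\begin{figure}[h!]
+\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{proxmox-gui.png}
+\caption{Proxmox Sunstone Web Admin GUI}
+\label{fig:proxmox-gui}
+\end{figure}
+
+
+\begin{minted}{sh}
+echo "deb http://download.proxmox.com/debian/pve stretch pve-no-subscription" \
+> /etc/apt/sources.list.d/pve-install-repo.list
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg \
+-O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+-o Dpkg::Options::="--force-confdef" \
+-o Dpkg::Options::="--force-confnew" dist-upgrade
+apt-get -y install ksm-control-daemon proxmox-veupdate-grub
+apt remove os-prober
+\end{minted}
+
+\section{Bugs}
+Things that are bugs or at least aren't configured correctly.
+
+\section{GUI Configuration}
+At this point, you should have the Proxmox server up and running.
+
+\textcolor[rgb]{0.80,0.00,0.00}{
+Todo check related, modify/replace unrelated
+}
+
+\begin{minted}{sh}
+See scripts in \texttt{source/resources/ns24} for automation.
+
+\begin{enumerate}
+\item Set up Linux Bridge (use Sunstone server name for ns24):
+Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
+\item In workstation, open browser to url:
+URL: \\ \url{http://localhost:9869/}
+Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
+\item Click \texttt{Proxmox} in the upper right to get the full web console.
+\item Click \texttt{Infrastructure}.
+\item Click \texttt{Hosts}.
+\item Click The \texttt{+} plus icon.
+\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
+\texttt{Type: KVM}
+\texttt{Hostname: ns24}
+\item Click \texttt{Create}.
+\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
+stages of setup, starting at \texttt{INIT}.
+\item Confirm status is \texttt{ON}.
+\end{enumerate}
+\end{minted}
+
+\section{GUI Deploy Image}
+\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
+\begin{minted}{sh}
+This is a quick and dirty way to deploy a first test image.
+NOTE: It is note privacy aware, as it pulls the image from the
+Proxmox ``store''.
+\end{minted}
+
+\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
+\begin{minted}{sh}
+How to deploy an image from the Proxmox App store:
+\begin{enumerate}
+\item Click \texttt{Storage}.
+\item Click \texttt{Apps}
+\item Click \texttt{Debian 9 - KVM}.
+\item Click on the icon that is a cloud with an arrow in it. This downloads it to Proxmox.
+\item Select a datastore by clicking the \texttt{default} line.
+\item Leave name and all that the same, and click \texttt{Download}.
+\item Click \texttt{Images} under \texttt{Storage} in the left column.
+\item Hit the refresh icon repeatedly.
+\item When \texttt{Status} is \texttt{READY}, it is good to go.
+\item Click \texttt{Templates} in the left column.
+\item Click \texttt{VMs}.
+\item Click \texttt{Debian 9 - KVM}.
+\item Click \texttt{Instantiate}.
+\item \texttt{VM Name} enter \texttt{deb9}.
+\item \texttt{Number of instances} enter \texttt{1}.
+\item \texttt{Memory} enter \texttt{768}.
+\item \texttt{CPU} enter \texttt{1}.
+\item Click the slider to \texttt{Instantiate as persistent}.
+\item Click \texttt{Instantiate}.
+\item Click \texttt{Instances} in the left column.
+\item Click \texttt{VMs}.
+\item Click the reload icon, repeat.
+\item It is good when \texttt{Status} is \texttt{RUNNING}.
+\item Set up an \texttt{ssh} tunnel so VNC can be used:
+\texttt{ssh -N -C -L 29876:localhost:29876 ns24}
+\item Click on the little monitor icon to launch VNC.
+\item Look at booted up screen at \texttt{login:} prompt.
+\item This means a Debian KVM booted up and the VNC is working.
+There is no password for the \texttt{root} account, only \texttt{ssh} is available.
+So without network setup, you can't really do anything with this image.
+Booted, it just shows it works.
+\end{enumerate}
+
+I think delete this section, it would go before the \texttt{Templates} above.:
+\begin{enumerate}
+\item Click \texttt{Debian 9 - KVM}.
+\item PROBABLY NO: Click \texttt{Clone} to make a local copy.
+\item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
+\item Click on the icon with three dots.
+\item Click \texttt{Make Persistent}.
+\item Click on the icon with three dots.
+\item Click \texttt{Enable}.
+\end{enumerate}
+\end{minted}
+
+\section{Proxmox Networking}
+Create --> Linux Bridge: vmbr0
+
+XXX best way for this server? No subnet.
+
+\textcolor[rgb]{0.80,0.00,0.00}{taken from forksand-shark4-bootstrap}
+
+\begin{minted}{sh}
+source /etc/network/interfaces.d/*
+auto enp1s0f1
+iface enp1s0f1 inet static
+address 70.39.103.210/29
+gateway 70.39.103.209
+dns-nameservers 208.67.222.222
+dns-search forksand.com
+\end{minted}
+
+As user \texttt{jebba}, on the server, run this to generate a key.
+Then paste that key into Sunstone under "SSH Public Key".
+
+\begin{minted}{sh}
+ssh-keygen -t ed25519
+\end{minted}
+
+\begin{minted}{sh}
+# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
+# Comment this out:
+auto eth0:27
+iface eth0:27 inet static
+address 174.128.229.158
+netmask 255.255.255.224
+gateway 174.128.229.129
+\end{minted}
+
+XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
+
+If things are set up to use a bridge and 192.168.100.100,
+\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
+Will bring things up to NAT.
+
+
+XXX The port forwarding is forwarding all port 53 to guest at the moment.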
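Review bot: The package source and its signing key in the install block (`echo "deb http://download.proxmox.com/debian/pve stretch pve-no-subscription" \` and `wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg \`) are fetched over plain HTTP and the key is written straight into `/etc/apt/trusted.gpg.d/` with no fingerprint or checksum check, so anyone able to alter that download can sign packages for every node built from this page. Use `https://` in both the `deb` line and the `wget`, and add a verification step before `apt-get update`, e.g. `sha512sum /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg` compared against the value published in the Proxmox installation documentation (<published key checksum>). The line `apt-get -y install ksm-control-daemon proxmox-veupdate-grub` also looks like `proxmox-ve` and a separate `update-grub` step were fused into one token; presumably it should read `apt-get -y install proxmox-ve ksm-control-daemon` followed by `update-grub`. Separately, the `minted` blocks opening at `See scripts in \texttt{source/resources/ns24} for automation.`, `This is a quick and dirty way to deploy a first test image.` and `How to deploy an image from the Proxmox App store:` wrap ordinary LaTeX prose and `enumerate` environments, which minted prints verbatim, so the `\item` and `\texttt` markup will appear literally in the PDF.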
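--- a/forksand-it-manual.gst
+++ b/forksand-it-manual.gst
@@ -1,21 +0,0 @@
-%
-% forksand-it-manual.gst
-% makindex glossary style file
-%
-% Fork Sand IT Manual
-%
-% Copyright (C) 2017, Jeff Moe
-% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
-%
-% This document is licensed under the Creative Commons Attribution 4.0
-% International Public License (CC BY-SA 4.0) by Jeff Moe.
-%
-preamble "\\begin{theglossary}"
-postamble "\n\\end{theglossary}\n"
-item_0 "\n\\glossitem"
-delim_0 "{\\memglonum{"
-encap_suffix "}}}"
-headings_flag 0
-heading_prefix "{"
-heading_suffix "}"
-keyword "\\glossaryentry"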
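--- a/forksand-it-manual.ist
+++ b/forksand-it-manual.ist
@@ -1,15 +0,0 @@
-%
-% forksand-it-manual.ist
-% makindex index style file
-%
-% Fork Sand IT Manual
-%
-% Copyright (C) 2017, Jeff Moe
-% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
-%
-% This document is licensed under the Creative Commons Attribution 4.0
-% International Public License (CC BY-SA 4.0) by Jeff Moe.
-%
-heading_prefix "{\\normalsize \\bfseries\\hfil\\ "
-heading_suffix " \\ \\hfil}\\nopagebreak\n"
-headings_flag 1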
@ -1,2 +1,2 @@
|
||||
There are 22 source code files included.
|
||||
There are 22 unique files.
|
||||
There are 86 source code files included.
|
||||
There are 83 unique files.
|
||||
|
@ -0,0 +1,661 @@
|
||||
GNU AFFERO GENERAL PUBLIC LICENSE
|
||||
Version 3, 19 November 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The GNU Affero General Public License is a free, copyleft license for
|
||||
software and other kinds of works, specifically designed to ensure
|
||||
cooperation with the community in the case of network server software.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
our General Public Licenses are intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains free
|
||||
software for all its users.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
Developers that use our General Public Licenses protect your rights
|
||||
with two steps: (1) assert copyright on the software, and (2) offer
|
||||
you this License which gives you legal permission to copy, distribute
|
||||
and/or modify the software.
|
||||
|
||||
A secondary benefit of defending all users' freedom is that
|
||||
improvements made in alternate versions of the program, if they
|
||||
receive widespread use, become available for other developers to
|
||||
incorporate. Many developers of free software are heartened and
|
||||
encouraged by the resulting cooperation. However, in the case of
|
||||
software used on network servers, this result may fail to come about.
|
||||
The GNU General Public License permits making a modified version and
|
||||
letting the public access it on a server without ever releasing its
|
||||
source code to the public.
|
||||
|
||||
The GNU Affero General Public License is designed specifically to
|
||||
ensure that, in such cases, the modified source code becomes available
|
||||
to the community. It requires the operator of a network server to
|
||||
provide the source code of the modified version running there to the
|
||||
users of that server. Therefore, public use of a modified version, on
|
||||
a publicly accessible server, gives the public access to the source
|
||||
code of the modified version.
|
||||
|
||||
An older license, called the Affero General Public License and
|
||||
published by Affero, was designed to accomplish similar goals. This is
|
||||
a different license, not a version of the Affero GPL, but Affero has
|
||||
released a new version of the Affero GPL which permits relicensing under
|
||||
this license.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
TERMS AND CONDITIONS
|
||||
|
||||
0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU Affero General Public License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||
works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of an
|
||||
exact copy. The resulting work is called a "modified version" of the
|
||||
earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user through
|
||||
a computer network, with no transfer of a copy, is not conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices"
|
||||
to the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work
|
||||
for making modifications to it. "Object code" means any non-source
|
||||
form of a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users
|
||||
can regenerate automatically from other parts of the Corresponding
|
||||
Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that
|
||||
same work.
|
||||
|
||||
2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not
|
||||
convey, without conditions so long as your license otherwise remains
|
||||
in force. You may convey covered works to others for the sole purpose
|
||||
of having them make modifications exclusively for you, or provide you
|
||||
with facilities for running those works, provided that you comply with
|
||||
the terms of this License in conveying all material for which you do
|
||||
not control copyright. Those thus making or running the covered works
|
||||
for you must do so exclusively on your behalf, under your direction
|
||||
and control, on terms that prohibit them from making any copies of
|
||||
your copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under
|
||||
the conditions stated below. Sublicensing is not allowed; section 10
|
||||
makes it unnecessary.
|
||||
|
||||
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such circumvention
|
||||
is effected by exercising rights under this License with respect to
|
||||
the covered work, and you disclaim any intention to limit operation or
|
||||
modification of the work as a means of enforcing, against the work's
|
||||
users, your or third parties' legal rights to forbid circumvention of
|
||||
technological measures.
|
||||
|
||||
4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these conditions:
|
||||
|
||||
a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
|
||||
b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under section
|
||||
7. This requirement modifies the requirement in section 4 to
|
||||
"keep intact all notices".
|
||||
|
||||
c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
|
||||
d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms
|
||||
of sections 4 and 5, provided that you also convey the
|
||||
machine-readable Corresponding Source under the terms of this License,
|
||||
in one of these ways:
|
||||
|
||||
a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
|
||||
b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the
|
||||
Corresponding Source from a network server at no charge.
|
||||
|
||||
c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
|
||||
d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
|
||||
e) Convey the object code using peer-to-peer transmission, provided
|
||||
you inform other peers where the object code and Corresponding
|
||||
Source of the work are being offered to the general public at no
|
||||
charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal, family,
|
||||
or household purposes, or (2) anything designed or sold for incorporation
|
||||
into a dwelling. In determining whether a product is a consumer product,
|
||||
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||
product received by a particular user, "normally used" refers to a
|
||||
typical or common use of that class of product, regardless of the status
|
||||
of the particular user or of the way in which the particular user
|
||||
actually uses, or expects or is expected to use, the product. A product
|
||||
is a consumer product regardless of whether the product has substantial
|
||||
commercial, industrial or non-consumer uses, unless such uses represent
|
||||
the only significant mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to install
|
||||
and execute modified versions of a covered work in that User Product from
|
||||
a modified version of its Corresponding Source. The information must
|
||||
suffice to ensure that the continued functioning of the modified object
|
||||
code is in no case prevented or interfered with solely because
|
||||
modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or updates
|
||||
for a work that has been modified or installed by the recipient, or for
|
||||
the User Product in which it has been modified or installed. Access to a
|
||||
network may be denied when the modification itself materially and
|
||||
adversely affects the operation of the network or violates the rules and
|
||||
protocols for communication across the network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders of
|
||||
that material) supplement the terms of this License with terms:
|
||||
|
||||
a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
|
||||
b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
|
||||
c) Prohibiting misrepresentation of the origin of that material, or
|
||||
requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
|
||||
d) Limiting the use for publicity purposes of names of licensors or
|
||||
authors of the material; or
|
||||
|
||||
e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
|
||||
f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions of
|
||||
it) with contractual assumptions of liability to the recipient, for
|
||||
any liability that these contractual assumptions directly impose on
|
||||
those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions;
|
||||
the above requirements apply either way.
|
||||
|
||||
8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your
|
||||
license from a particular copyright holder is reinstated (a)
|
||||
provisionally, unless and until the copyright holder explicitly and
|
||||
finally terminates your license, and (b) permanently, if the copyright
|
||||
holder fails to notify you of the violation by some reasonable means
|
||||
prior to 60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or
|
||||
run a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims
|
||||
owned or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within
|
||||
the scope of its coverage, prohibits the exercise of, or is
|
||||
conditioned on the non-exercise of one or more of the rights that are
|
||||
specifically granted under this License. You may not convey a covered
|
||||
work if you are a party to an arrangement with a third party that is
|
||||
in the business of distributing software, under which you make payment
|
||||
to the third party based on the extent of your activity of conveying
|
||||
the work, and under which the third party grants, to any of the
|
||||
parties who would receive the covered work from you, a discriminatory
|
||||
patent license (a) in connection with copies of the covered work
|
||||
conveyed by you (or copies made from those copies), or (b) primarily
|
||||
for and in connection with specific products or compilations that
|
||||
contain the covered work, unless you entered into that arrangement,
|
||||
or that patent license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you may
|
||||
not convey it at all. For example, if you agree to terms that obligate you
|
||||
to collect a royalty for further conveying from those to whom you convey
|
||||
the Program, the only way you could satisfy both those terms and this
|
||||
License would be to refrain entirely from conveying the Program.
|
||||
|
||||
13. Remote Network Interaction; Use with the GNU General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, if you modify the
|
||||
Program, your modified version must prominently offer all users
|
||||
interacting with it remotely through a computer network (if your version
|
||||
supports such interaction) an opportunity to receive the Corresponding
|
||||
Source of your version by providing access to the Corresponding Source
|
||||
from a network server at no charge, through some standard or customary
|
||||
means of facilitating copying of software. This Corresponding Source
|
||||
shall include the Corresponding Source for any work covered by version 3
|
||||
of the GNU General Public License that is incorporated pursuant to the
|
||||
following paragraph.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the work with which it is combined will remain governed by version
|
||||
3 of the GNU General Public License.
|
||||
|
||||
14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions of
|
||||
the GNU Affero General Public License from time to time. Such new versions
|
||||
will be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Program specifies that a certain numbered version of the GNU Affero General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU Affero General Public License, you may choose any version ever published
|
||||
by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future
|
||||
versions of the GNU Affero General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||
|
||||
16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGES.
|
||||
|
||||
17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
state the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If your software can interact with users remotely through a computer
|
||||
network, you should also make sure that it provides a way for users to
|
||||
get its source. For example, if your program is a web application, its
|
||||
interface could display a "Source" link that leads users to an archive
|
||||
of the code. There are many ways you could offer source, and different
|
||||
solutions will be better for different programs; see section 13 for the
|
||||
specific requirements.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or school,
|
||||
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||
For more information on this, and how to apply and follow the GNU AGPL, see
|
||||
<https://www.gnu.org/licenses/>.
|
@ -0,0 +1,674 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 3, 29 June 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The GNU General Public License is a free, copyleft license for
|
||||
software and other kinds of works.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
the GNU General Public License is intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains free
|
||||
software for all its users. We, the Free Software Foundation, use the
|
||||
GNU General Public License for most of our software; it applies also to
|
||||
any other work released this way by its authors. You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to prevent others from denying you
|
||||
these rights or asking you to surrender the rights. Therefore, you have
|
||||
certain responsibilities if you distribute copies of the software, or if
|
||||
you modify it: responsibilities to respect the freedom of others.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must pass on to the recipients the same
|
||||
freedoms that you received. You must make sure that they, too, receive
|
||||
or can get the source code. And you must show them these terms so they
|
||||
know their rights.
|
||||
|
||||
Developers that use the GNU GPL protect your rights with two steps:
|
||||
(1) assert copyright on the software, and (2) offer you this License
|
||||
giving you legal permission to copy, distribute and/or modify it.
|
||||
|
||||
For the developers' and authors' protection, the GPL clearly explains
|
||||
that there is no warranty for this free software. For both users' and
|
||||
authors' sake, the GPL requires that modified versions be marked as
|
||||
changed, so that their problems will not be attributed erroneously to
|
||||
authors of previous versions.
|
||||
|
||||
Some devices are designed to deny users access to install or run
|
||||
modified versions of the software inside them, although the manufacturer
|
||||
can do so. This is fundamentally incompatible with the aim of
|
||||
protecting users' freedom to change the software. The systematic
|
||||
pattern of such abuse occurs in the area of products for individuals to
|
||||
use, which is precisely where it is most unacceptable. Therefore, we
|
||||
have designed this version of the GPL to prohibit the practice for those
|
||||
products. If such problems arise substantially in other domains, we
|
||||
stand ready to extend this provision to those domains in future versions
|
||||
of the GPL, as needed to protect the freedom of users.
|
||||
|
||||
Finally, every program is threatened constantly by software patents.
|
||||
States should not allow patents to restrict development and use of
|
||||
software on general-purpose computers, but in those that do, we wish to
|
||||
avoid the special danger that patents applied to a free program could
|
||||
make it effectively proprietary. To prevent this, the GPL assures that
|
||||
patents cannot be used to render the program non-free.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
TERMS AND CONDITIONS
|
||||
|
||||
0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU General Public License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||
works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of an
|
||||
exact copy. The resulting work is called a "modified version" of the
|
||||
earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user through
|
||||
a computer network, with no transfer of a copy, is not conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices"
|
||||
to the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work
|
||||
for making modifications to it. "Object code" means any non-source
|
||||
form of a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users
|
||||
can regenerate automatically from other parts of the Corresponding
|
||||
Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that
|
||||
same work.
|
||||
|
||||
2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not
|
||||
convey, without conditions so long as your license otherwise remains
|
||||
in force. You may convey covered works to others for the sole purpose
|
||||
of having them make modifications exclusively for you, or provide you
|
||||
with facilities for running those works, provided that you comply with
|
||||
the terms of this License in conveying all material for which you do
|
||||
not control copyright. Those thus making or running the covered works
|
||||
for you must do so exclusively on your behalf, under your direction
|
||||
and control, on terms that prohibit them from making any copies of
|
||||
your copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under
|
||||
the conditions stated below. Sublicensing is not allowed; section 10
|
||||
makes it unnecessary.
|
||||
|
||||
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such circumvention
|
||||
is effected by exercising rights under this License with respect to
|
||||
the covered work, and you disclaim any intention to limit operation or
|
||||
modification of the work as a means of enforcing, against the work's
|
||||
users, your or third parties' legal rights to forbid circumvention of
|
||||
technological measures.
|
||||
|
||||
4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these conditions:
|
||||
|
||||
a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
|
||||
b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under section
|
||||
7. This requirement modifies the requirement in section 4 to
|
||||
"keep intact all notices".
|
||||
|
||||
c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
|
||||
d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms
|
||||
of sections 4 and 5, provided that you also convey the
|
||||
machine-readable Corresponding Source under the terms of this License,
|
||||
in one of these ways:
|
||||
|
||||
a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
|
||||
b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the
|
||||
Corresponding Source from a network server at no charge.
|
||||
|
||||
c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
|
||||
d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
|
||||
e) Convey the object code using peer-to-peer transmission, provided
|
||||
you inform other peers where the object code and Corresponding
|
||||
Source of the work are being offered to the general public at no
|
||||
charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal, family,
|
||||
or household purposes, or (2) anything designed or sold for incorporation
|
||||
into a dwelling. In determining whether a product is a consumer product,
|
||||
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||
product received by a particular user, "normally used" refers to a
|
||||
typical or common use of that class of product, regardless of the status
|
||||
of the particular user or of the way in which the particular user
|
||||
actually uses, or expects or is expected to use, the product. A product
|
||||
is a consumer product regardless of whether the product has substantial
|
||||
commercial, industrial or non-consumer uses, unless such uses represent
|
||||
the only significant mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to install
|
||||
and execute modified versions of a covered work in that User Product from
|
||||
a modified version of its Corresponding Source. The information must
|
||||
suffice to ensure that the continued functioning of the modified object
|
||||
code is in no case prevented or interfered with solely because
|
||||
modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or updates
|
||||
for a work that has been modified or installed by the recipient, or for
|
||||
the User Product in which it has been modified or installed. Access to a
|
||||
network may be denied when the modification itself materially and
|
||||
adversely affects the operation of the network or violates the rules and
|
||||
protocols for communication across the network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders of
|
||||
that material) supplement the terms of this License with terms:
|
||||
|
||||
a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
|
||||
b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
|
||||
c) Prohibiting misrepresentation of the origin of that material, or
|
||||
requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
|
||||
d) Limiting the use for publicity purposes of names of licensors or
|
||||
authors of the material; or
|
||||
|
||||
e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
|
||||
f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions of
|
||||
it) with contractual assumptions of liability to the recipient, for
|
||||
any liability that these contractual assumptions directly impose on
|
||||
those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions;
|
||||
the above requirements apply either way.
|
||||
|
||||
8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your
|
||||
license from a particular copyright holder is reinstated (a)
|
||||
provisionally, unless and until the copyright holder explicitly and
|
||||
finally terminates your license, and (b) permanently, if the copyright
|
||||
holder fails to notify you of the violation by some reasonable means
|
||||
prior to 60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or
|
||||
run a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims
|
||||
owned or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within
|
||||
the scope of its coverage, prohibits the exercise of, or is
|
||||
conditioned on the non-exercise of one or more of the rights that are
|
||||
specifically granted under this License. You may not convey a covered
|
||||
work if you are a party to an arrangement with a third party that is
|
||||
in the business of distributing software, under which you make payment
|
||||
to the third party based on the extent of your activity of conveying
|
||||
the work, and under which the third party grants, to any of the
|
||||
parties who would receive the covered work from you, a discriminatory
|
||||
patent license (a) in connection with copies of the covered work
|
||||
conveyed by you (or copies made from those copies), or (b) primarily
|
||||
for and in connection with specific products or compilations that
|
||||
contain the covered work, unless you entered into that arrangement,
|
||||
or that patent license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you may
|
||||
not convey it at all. For example, if you agree to terms that obligate you
|
||||
to collect a royalty for further conveying from those to whom you convey
|
||||
the Program, the only way you could satisfy both those terms and this
|
||||
License would be to refrain entirely from conveying the Program.
|
||||
|
||||
13. Use with the GNU Affero General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU Affero General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the special requirements of the GNU Affero General Public License,
|
||||
section 13, concerning interaction through a network will apply to the
|
||||
combination as such.
|
||||
|
||||
14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions of
|
||||
the GNU General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Program specifies that a certain numbered version of the GNU General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU General Public License, you may choose any version ever published
|
||||
by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future
|
||||
versions of the GNU General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||
|
||||
16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGES.
|
||||
|
||||
17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
state the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program does terminal interaction, make it output a short
|
||||
notice like this when it starts in an interactive mode:
|
||||
|
||||
<program> Copyright (C) <year> <name of author>
|
||||
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, your program's commands
|
||||
might be different; for a GUI interface, you would use an "about box".
|
||||
|
||||
You should also get your employer (if you work as a programmer) or school,
|
||||
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||
For more information on this, and how to apply and follow the GNU GPL, see
|
||||
<https://www.gnu.org/licenses/>.
|
||||
|
||||
The GNU General Public License does not permit incorporating your program
|
||||
into proprietary programs. If your program is a subroutine library, you
|
||||
may consider it more useful to permit linking proprietary applications with
|
||||
the library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License. But first, please read
|
||||
<https://www.gnu.org/licenses/why-not-lgpl.html>.
|
@ -0,0 +1,172 @@
|
||||
# Forksand Bootstrap Gitea
|
||||
|
||||
This Ansible playbook was written to set up a Gitea server on Debian systems.
|
||||
|
||||
## Table of contents
|
||||
1. [Requirements](#requirements)
|
||||
2. [Quick Start](#quick-start)
|
||||
* [Project Configuration](#project-configuration)
|
||||
* [Playbook Execution](#playbook-execution)
|
||||
3. [Project Structure](#project-structure)
|
||||
* [File and Directory Descriptions](#file-and-directory-descriptions)
|
||||
* [Role Descriptions](#role-descriptions)
|
||||
* [Role Parameters](#role-parameters)
|
||||
4. [Ansible Logging](#ansible-logging)
|
||||
5. [Troubleshooting](#troubleshooting)
|
||||
|
||||
## Requirements
|
||||
The following applications are required to utilize this playbook. Ansible can be installed using Python PIP.
|
||||
|
||||
* Ansible 2.4.x+
|
||||
* Python 2.7.9+
|
||||
|
||||
## Quick Start
|
||||
The follow steps will help quickly set up and execute this playbook.
|
||||
|
||||
### Project Configuration
|
||||
The following files need to be edited and configured before executing this playbook.
|
||||
|
||||
| File | Description |
|
||||
| -- | -- |
|
||||
| roles/gitea/default/main.yml | Variables for Gitea configuration - (default - standalone with sqlite) |
|
||||
| roles/nginx/default/main.yml | Variables for Nginx and Letsencrypt configuration |
|
||||
| inventory.yml | List of server IPs to connect to |
|
||||
|
||||
### Playbook Execution
|
||||
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
|
||||
|
||||
`ansible-playbook -i inventory.yml site.yml`
|
||||
|
||||
## Project Structure
|
||||
The following tree depicts the high level structure of this Ansible project.
|
||||
|
||||
```bash
|
||||
├── inventory.yml
|
||||
├── LICENSE.AGPLv3
|
||||
├── LICENSE.GPLv3
|
||||
├── README.md
|
||||
├── roles
|
||||
│ ├── gitea
|
||||
│ ├── nginx
|
||||
├── playbook_execution.log
|
||||
└── site.yml
|
||||
```
|
||||
|
||||
### File and Directory Descriptions
|
||||
The following table consists of a description of what each file and directory stands for.
|
||||
|
||||
| Name | Description |
|
||||
| -- | -- |
|
||||
| site.yml | Master playbook. Executes all roles in sequential order |
|
||||
| inventory.yml | Inventory file containing server IP addresses |
|
||||
| ansible.cfg | Ansible configuration file for various Ansible options. |
|
||||
| roles/ | Directory containing all roles needed by this project |
|
||||
|
||||
### Role descriptions
|
||||
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
|
||||
|
||||
| Role Name | Role Description |
|
||||
| -- | -- |
|
||||
| gitea | This roles performs installation and configuration of Gitea server |
|
||||
| nginx | This roles performs installation and configuration of Nginx server |
|
||||
|
||||
### Role parameters
|
||||
|
||||
Description of the role parameters for each role.
|
||||
|
||||
|
||||
#### Gitea roles parameters
|
||||
|
||||
```
|
||||
# Application name
|
||||
gitea_app_name: "Gitea"
|
||||
# Application gitea_user_repo_limit
|
||||
gitea_user: "gitea"
|
||||
# Application home
|
||||
gitea_home: "/var/lib/gitea"
|
||||
# Repo Limit
|
||||
gitea_user_repo_limit: -1
|
||||
# Domain Name (FOR REVER PROXY LEAVE AS DEFAULT)
|
||||
gitea_http_domain: localhost
|
||||
# Gitea url (FOR REVER PROXY LEAVE AS DEFAULT)
|
||||
gitea_root_url: http://localhost:3000
|
||||
# Protocol (FOR REVER PROXY LEAVE AS DEFAULT)
|
||||
gitea_protocol: http
|
||||
# listen IP (FOR REVER PROXY LEAVE AS DEFAULT)
|
||||
gitea_http_listen: 127.0.0.1
|
||||
# Listen port (FOR REVER PROXY LEAVE AS DEFAULT)
|
||||
gitea_http_port: 3000
|
||||
# HTTP git Options
|
||||
gitea_disable_http_git: false
|
||||
# Offline mode options
|
||||
gitea_offline_mode: true
|
||||
|
||||
## DB details
|
||||
# DB Type 'mysql', 'postgres' or 'sqlite3'
|
||||
gitea_db_type: sqlite3
|
||||
# DB host
|
||||
gitea_db_host: 127.0.0.0:3306
|
||||
# DB name
|
||||
gitea_db_name: root
|
||||
# DB username
|
||||
gitea_db_user: gitea
|
||||
# DB password
|
||||
gitea_db_passord: lel
|
||||
# DB ssl options
|
||||
gitea_db_ssl: disable
|
||||
# DB path (Not needed for postgres and mysql hash it in template file )
|
||||
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
|
||||
|
||||
## SSH Details
|
||||
# SSH Listen IP
|
||||
gitea_ssh_listen: 0.0.0.0
|
||||
# SSH domain
|
||||
gitea_ssh_domain: localhost
|
||||
# SSH options
|
||||
gitea_start_ssh: true
|
||||
# SSH post
|
||||
gitea_ssh_port: 2222
|
||||
|
||||
# gitea key (GENERATE A NEW KEY)
|
||||
gitea_secret_key: T0pS3cr31
|
||||
|
||||
## General Settings
|
||||
# User email settings
|
||||
gitea_show_user_email: false
|
||||
# User avatar settings
|
||||
gitea_disable_gravatar: true
|
||||
# User register options
|
||||
gitea_disable_registration: false
|
||||
# User signup options
|
||||
gitea_require_signin: true
|
||||
# User captcha options
|
||||
gitea_enable_captcha: true
|
||||
```
|
||||
|
||||
#### Nginx roles parameters
|
||||
```
|
||||
# Domain name for the server
|
||||
nginx_domain_name: "test.hostnats.com"
|
||||
# Gitea listening port
|
||||
gitea_http_port: 3000
|
||||
# letsencrypt email address
|
||||
letsencrypt_email: "test@example.com"
|
||||
```
|
||||
|
||||
## Ansible Logging
|
||||
Ansible playbook executions are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
|
||||
|
||||
## Troubleshooting
|
||||
Ansible has a built in debug output. Simple run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
|
||||
|
||||
Level 1: `-v`
|
||||
|
||||
Level 2: `-vv`
|
||||
|
||||
Level 3: `-vvv`
|
||||
|
||||
Level 4: `-vvvv`
|
||||
|
||||
Level 5: `-vvvvv`
|
||||
|
||||
Example execution with level 3 debug output: `ansible-playbook -i inventory.yml site.yml -vvv`
|
@ -0,0 +1,2 @@
|
||||
[defaults]
|
||||
log_path=playbook_execution.log
|
@ -0,0 +1,7 @@
|
||||
all:
|
||||
hosts:
|
||||
10.0.0.1: # Example host
|
||||
|
||||
# Additional hosts can be specified by adding them below
|
||||
#10.0.0.2: # Example host 2. Uncomment line to use
|
||||
#10.0.0.3: # Example host 3. Uncomment line to use
|
@ -0,0 +1,34 @@
|
||||
gitea_app_name: "Gitea"
|
||||
gitea_user: "gitea"
|
||||
gitea_home: "/var/lib/gitea"
|
||||
|
||||
gitea_user_repo_limit: -1
|
||||
|
||||
gitea_http_domain: localhost
|
||||
gitea_root_url: http://localhost:3000
|
||||
gitea_protocol: http
|
||||
gitea_http_listen: 127.0.0.1
|
||||
gitea_http_port: 3000
|
||||
gitea_disable_http_git: false
|
||||
gitea_offline_mode: true
|
||||
|
||||
gitea_db_type: sqlite3
|
||||
gitea_db_host: 127.0.0.0:3306
|
||||
gitea_db_name: root
|
||||
gitea_db_user: gitea
|
||||
gitea_db_passord: lel
|
||||
gitea_db_ssl: disable
|
||||
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
|
||||
|
||||
gitea_ssh_listen: 0.0.0.0
|
||||
gitea_ssh_domain: localhost
|
||||
gitea_start_ssh: true
|
||||
gitea_ssh_port: 2222
|
||||
|
||||
gitea_secret_key: T0pS3cr31
|
||||
|
||||
gitea_show_user_email: false
|
||||
gitea_disable_gravatar: true
|
||||
gitea_disable_registration: false
|
||||
gitea_require_signin: true
|
||||
gitea_enable_captcha: true
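Review bot: `gitea_secret_key: T0pS3cr31` and `gitea_db_passord: lel` ship working secret values as role defaults, so any deployment that forgets to override them runs with credentials that are public in this repository. Leave both undefined in the defaults so the play fails fast on an unset variable, or derive them per host (e.g. `gitea_secret_key: "{{ lookup('password', ...) }}"`) and keep real values in Ansible Vault. The name `gitea_db_passord` is also misspelled; unless the gitea.ini template (not in this commit) repeats the same misspelling the value is never read, and renaming it to `gitea_db_password` now avoids a silent mismatch later. `gitea_db_host: 127.0.0.0:3306` is the loopback network address rather than a host, so `127.0.0.1:3306` is presumably intended. `gitea_disable_registration: false` leaves self-registration open on an internet-facing server unless overridden, which deserves a comment saying that is a deliberate default.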
|
@ -0,0 +1,5 @@
|
||||
- name: "Restart gitea"
|
||||
service: name=gitea state=restarted
|
||||
|
||||
- name: "Reload systemd"
|
||||
systemd: daemon_reload=yes
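Review bot: The handlers are defined as `Restart gitea` then `Reload systemd`, and Ansible runs notified handlers in definition order rather than notify order, so when the service-template task in the next hunks notifies both, the restart is attempted before the daemon-reload; on a first install systemd does not yet know the unit and the restart fails. Swap the two definitions so `Reload systemd` comes first. This role reloads via the `systemd` module while the nginx role's handler of the same name shells out to `systemctl daemon-reload`; the module form used here is the one both roles should share.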
|
@ -0,0 +1,6 @@
|
||||
- name: "Create Gitea user"
|
||||
user:
|
||||
name: "{{ gitea_user }}"
|
||||
comment: "Gitea user"
|
||||
home: "{{ gitea_home }}"
|
||||
shell: "/bin/false"
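Review bot: The service account is created as an ordinary user; adding `system: yes` to the `user` task gives it a system UID and the non-login defaults a daemon account should have. `shell: "/bin/false"` is fine while Gitea's built-in SSH server is in use (`gitea_start_ssh: true` in the role defaults), but if the host's OpenSSH is ever used for git access the account presumably needs a real shell, so that dependency is worth a comment on the task.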
|
@ -0,0 +1,10 @@
|
||||
- name: "Setup systemd service"
|
||||
template:
|
||||
src: gitea.service.j2
|
||||
dest: /lib/systemd/system/gitea.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- "Reload systemd"
|
||||
- "Restart gitea"
|
@ -0,0 +1,12 @@
|
||||
[Unit]
|
||||
Description=Gitea git server
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
User={{ gitea_user }}
|
||||
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
|
||||
Restart=on-failure
|
||||
WorkingDirectory={{ gitea_home }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
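Review bot: The unit runs Gitea as the service user but applies none of the systemd sandboxing a network-facing daemon normally gets; the lines below add the usual baseline. `ProtectSystem=full` makes `/etc` read-only, so if the Gitea web installer is expected to write `/etc/gitea/gitea.ini` on first start, add `ReadWritePaths=/etc/gitea` (nothing in this commit shows how that file is created). `HOME` and `GITEA_WORK_DIR` are set explicitly because the unit otherwise starts with a near-empty environment and Gitea presumably derives its working directory from them; `gitea_home` matches the `home:` given in the user task. `/usr/local/bin/gitea` is not installed by any task in this chunk, so confirm the install step exists elsewhere.
```ini
[Service]
User={{ gitea_user }}
Environment=USER={{ gitea_user }} HOME={{ gitea_home }} GITEA_WORK_DIR={{ gitea_home }}
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
# … unchanged: ExecStart, Restart, WorkingDirectory …
```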
|
@ -0,0 +1,3 @@
|
||||
nginx_domain_name: "gitea.example.com"
|
||||
gitea_http_port: 3000
|
||||
letsencrypt_email: "test@example.com"
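Review bot: `gitea_http_port: 3000` is declared here and again in the gitea role defaults, so the proxy target and the application's listen port can silently drift when only one of them is overridden. Define it once (group_vars or a shared variable file) and reference it from both roles. `nginx_domain_name` is the host certbot will request a certificate for, so the example value should be an obvious placeholder as it is here; the README's parameter listing shows a different, real-looking hostname and should match.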
|
@ -0,0 +1,5 @@
|
||||
- name: "Restart nginx"
|
||||
service: name=nginx state=restarted
|
||||
|
||||
- name: "Reload systemd"
|
||||
shell: "systemctl daemon-reload"
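Review bot: `Reload systemd` shells out to `systemctl daemon-reload` while the gitea role's handler of the same name uses `systemd: daemon_reload=yes`; use the module here too so the roles agree and the step reports changes properly. No task in the nginx role notifies this handler, so it is dead code as written, and sharing a handler name with another role can be ambiguous about which definition runs — drop it or give it a role-specific name.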
|
@ -0,0 +1,48 @@
|
||||
- name: "Installing Nginx"
|
||||
apt:
|
||||
name: nginx
|
||||
state: latest
|
||||
update_cache: yes
|
||||
notify: "Restart nginx"
|
||||
|
||||
- name: "Install letsencrypt"
|
||||
apt:
|
||||
name: letsencrypt
|
||||
state: latest
|
||||
|
||||
- name: "Remove default nginx config"
|
||||
file:
|
||||
name: /etc/nginx/sites-enabled/default
|
||||
state: absent
|
||||
|
||||
- name: "Configure nginx Non SSL"
|
||||
template:
|
||||
src: nginx.conf.j2
|
||||
dest: /etc/nginx/sites-enabled/default.conf
|
||||
owner: root
|
||||
mode: 0600
|
||||
notify: "Restart nginx"
|
||||
|
||||
- name: "Creating letsencrypt certificate"
|
||||
shell: letsencrypt certonly -n --webroot -w /var/www/html -m {{ letsencrypt_email }} --agree-tos -d {{ nginx_domain_name }}
|
||||
args:
|
||||
creates: /etc/letsencrypt/live/{{ nginx_domain_name }}
|
||||
|
||||
- name: "Generate dhparams NOTE: This will take a long time to complete "
|
||||
shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
|
||||
args:
|
||||
creates: /etc/nginx/dhparams.pem
|
||||
|
||||
- name: "Configure nginx SSL"
|
||||
template:
|
||||
src: nginxssl.conf.j2
|
||||
dest: /etc/nginx/sites-enabled/default_ssl.conf
|
||||
owner: root
|
||||
mode: 0600
|
||||
notify: "Restart nginx"
|
||||
|
||||
- name: "Add letsencrypt cronjob for cert renewal"
|
||||
cron:
|
||||
name: letsencrypt_renewal
|
||||
special_time: monthly
|
||||
job: letsencrypt --renew certonly -n --webroot -w /var/www/html -m {{ letsencrypt_email }} --agree-tos -d {{ nginx_domain_name }} && service nginx reload
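Review bot: `Creating letsencrypt certificate` runs the webroot challenge while nginx is still on whatever configuration it started with, because the `Restart nginx` notifications only fire at the end of the play; on a fresh Debian host this presumably works by accident (the packaged default site serves `/var/www/html`), but `Remove default nginx config` has already deleted that site on disk, so any restart before issuance breaks the challenge. Put `- meta: flush_handlers` immediately before the certificate task so the vhost from `nginx.conf.j2` is live when certbot connects. The SSL vhost is then deployed unconditionally, so a failed issuance leaves the final restart failing on missing certificate files; guard `Configure nginx SSL` with a `stat` of the `/etc/letsencrypt/live/...` path. The renewal cron uses `special_time: monthly`, which for 90-day certificates that renew only inside their last 30 days can miss the window entirely; `special_time: daily` is the safe cadence. `state: latest` on both apt tasks upgrades the packages on every run, which a deploy playbook should not do silently; `present` is the conventional choice.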
|
@ -0,0 +1,13 @@
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name {{ nginx_domain_name }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
root /var/www/html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^ https://{{ nginx_domain_name }}$request_uri? permanent;
|
||||
}
|
||||
}
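Review bot: The catch-all redirect uses `rewrite ^ https://{{ nginx_domain_name }}$request_uri? permanent;`; the idiomatic and cheaper form is `return 301 https://{{ nginx_domain_name }}$request_uri;`, which needs no regex and no trailing `?` to suppress re-appending the query string that `$request_uri` already carries. Because this vhost is `default_server`, requests with any other Host header are also redirected to the configured domain; that is fine for a single-site box but worth a comment on the `listen` line.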
|
@ -0,0 +1,59 @@
|
||||
server {
|
||||
# Bindings
|
||||
listen 443 default_server ssl http2;
|
||||
server_name {{ nginx_domain_name }};
|
||||
root /var/www/html;
|
||||
index index.php index.html index.htm;
|
||||
|
||||
# Certificate information
|
||||
ssl_certificate /etc/letsencrypt/live/{{ nginx_domain_name }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_domain_name }}/privkey.pem;
|
||||
|
||||
# Limit ciphers to PCI DSS compliant ciphers.
|
||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_dhparam /etc/nginx/dhparams.pem;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
gzip on;
|
||||
gzip_http_version 1.0;
|
||||
gzip_comp_level 2;
|
||||
gzip_min_length 1100;
|
||||
gzip_buffers 4 8k;
|
||||
gzip_proxied any;
|
||||
gzip_types
|
||||
# text/html is always compressed by HttpGzipModule
|
||||
text/css
|
||||
text/javascript
|
||||
text/xml
|
||||
text/plain
|
||||
text/x-component
|
||||
application/javascript
|
||||
application/json
|
||||
application/xml
|
||||
application/rss+xml
|
||||
font/truetype
|
||||
font/opentype
|
||||
application/vnd.ms-fontobject
|
||||
image/svg+xml;
|
||||
|
||||
gzip_static on;
|
||||
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_vary on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ gitea_http_port }};
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
|
||||
}
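Review bot: The site redirects all HTTP to HTTPS but never sends HSTS, so a first request can still be downgraded; add `add_header Strict-Transport-Security "max-age=31536000" always;` beside the existing headers. nginx's default request-body limit of 1m applies to the proxied `location /`, which rejects larger `git push` operations over HTTPS with a 413; set `client_max_body_size` in that location (a value in the hundreds of megabytes is typical for a git server). `gzip_proxied` is set twice (`any`, then `expired no-cache no-store private auth`); the second directive appears to extend rather than replace the first, so keep one, and consider not compressing proxied dynamic responses (`application/json`, html) over TLS at all because of the BREACH compression side channel, leaving gzip to static types. `X-XSS-Protection` is a legacy header while `X-Content-Type-Options "nosniff"` is the one that is missing. `root /var/www/html` and `index index.php index.html index.htm` look inherited from a PHP template and are irrelevant on a pure reverse-proxy vhost.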
|
@ -0,0 +1,4 @@
|
||||
- hosts : all
|
||||
roles :
|
||||
- nginx
|
||||
- gitea
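Review bot: The play has no `become: yes`, and the `ansible.cfg` in this commit only sets `log_path`, so the apt, `/etc/nginx` and `/lib/systemd` tasks in both roles succeed only when the inventory connection user is already root. Add `become: yes` to the play (or `become=True` under `[privilege_escalation]` in `ansible.cfg`) so it can run as an ordinary SSH user. The spacing in `hosts :` and `roles :` is valid YAML but unconventional; `hosts: all` / `roles:` is the usual form. `log_path=playbook_execution.log` may record task results, including values from the gitea role defaults, into a file in the project directory; it belongs in the ignore file that currently lists only `site.retry`.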
|
@ -0,0 +1 @@
|
||||
site.retry
|
@ -0,0 +1,661 @@
|
||||
GNU AFFERO GENERAL PUBLIC LICENSE
|
||||
Version 3, 19 November 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The GNU Affero General Public License is a free, copyleft license for
|
||||
software and other kinds of works, specifically designed to ensure
|
||||
cooperation with the community in the case of network server software.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
our General Public Licenses are intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains free
|
||||
software for all its users.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
Developers that use our General Public Licenses protect your rights
|
||||
with two steps: (1) assert copyright on the software, and (2) offer
|
||||
you this License which gives you legal permission to copy, distribute
|
||||
and/or modify the software.
|
||||
|
||||
A secondary benefit of defending all users' freedom is that
|
||||
improvements made in alternate versions of the program, if they
|
||||
receive widespread use, become available for other developers to
|
||||
incorporate. Many developers of free software are heartened and
|
||||
encouraged by the resulting cooperation. However, in the case of
|
||||
software used on network servers, this result may fail to come about.
|
||||
The GNU General Public License permits making a modified version and
|
||||
letting the public access it on a server without ever releasing its
|
||||
source code to the public.
|
||||
|
||||
The GNU Affero General Public License is designed specifically to
|
||||
ensure that, in such cases, the modified source code becomes available
|
||||
to the community. It requires the operator of a network server to
|
||||
provide the source code of the modified version running there to the
|
||||
users of that server. Therefore, public use of a modified version, on
|
||||
a publicly accessible server, gives the public access to the source
|
||||
code of the modified version.
|
||||
|
||||
An older license, called the Affero General Public License and
|
||||
published by Affero, was designed to accomplish similar goals. This is
|
||||
a different license, not a version of the Affero GPL, but Affero has
|
||||
released a new version of the Affero GPL which permits relicensing under
|
||||
this license.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
TERMS AND CONDITIONS
|
||||
|
||||
0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU Affero General Public License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||
works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of an
|
||||
exact copy. The resulting work is called a "modified version" of the
|
||||
earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user through
|
||||
a computer network, with no transfer of a copy, is not conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices"
|
||||
to the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work
|
||||
for making modifications to it. "Object code" means any non-source
|
||||
form of a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users
|
||||
can regenerate automatically from other parts of the Corresponding
|
||||
Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that
|
||||
same work.
|
||||
|
||||
2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not
|
||||
convey, without conditions so long as your license otherwise remains
|
||||
in force. You may convey covered works to others for the sole purpose
|
||||
of having them make modifications exclusively for you, or provide you
|
||||
with facilities for running those works, provided that you comply with
|
||||
the terms of this License in conveying all material for which you do
|
||||
not control copyright. Those thus making or running the covered works
|
||||
for you must do so exclusively on your behalf, under your direction
|
||||
and control, on terms that prohibit them from making any copies of
|
||||
your copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under
|
||||
the conditions stated below. Sublicensing is not allowed; section 10
|
||||
makes it unnecessary.
|
||||
|
||||
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such circumvention
|
||||
is effected by exercising rights under this License with respect to
|
||||
the covered work, and you disclaim any intention to limit operation or
|
||||
modification of the work as a means of enforcing, against the work's
|
||||
users, your or third parties' legal rights to forbid circumvention of
|
||||
technological measures.
|
||||
|
||||
4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these conditions:
|
||||
|
||||
a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
|
||||
b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under section
|
||||
7. This requirement modifies the requirement in section 4 to
|
||||
"keep intact all notices".
|
||||
|
||||
c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
|
||||
d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms
|
||||
of sections 4 and 5, provided that you also convey the
|
||||
machine-readable Corresponding Source under the terms of this License,
|
||||
in one of these ways:
|
||||
|
||||
a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
|
||||
b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the
|
||||
Corresponding Source from a network server at no charge.
|
||||
|
||||
c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
|
||||
d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
|
||||
e) Convey the object code using peer-to-peer transmission, provided
|
||||
you inform other peers where the object code and Corresponding
|
||||
Source of the work are being offered to the general public at no
|
||||
charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal, family,
|
||||
or household purposes, or (2) anything designed or sold for incorporation
|
||||
into a dwelling. In determining whether a product is a consumer product,
|
||||
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||
product received by a particular user, "normally used" refers to a
|
||||
typical or common use of that class of product, regardless of the status
|
||||
of the particular user or of the way in which the particular user
|
||||
actually uses, or expects or is expected to use, the product. A product
|
||||
is a consumer product regardless of whether the product has substantial
|
||||
commercial, industrial or non-consumer uses, unless such uses represent
|
||||
the only significant mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to install
|
||||
and execute modified versions of a covered work in that User Product from
|
||||
a modified version of its Corresponding Source. The information must
|
||||
suffice to ensure that the continued functioning of the modified object
|
||||
code is in no case prevented or interfered with solely because
|
||||
modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or updates
|
||||
for a work that has been modified or installed by the recipient, or for
|
||||
the User Product in which it has been modified or installed. Access to a
|
||||
network may be denied when the modification itself materially and
|
||||
adversely affects the operation of the network or violates the rules and
|
||||
protocols for communication across the network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders of
|
||||
that material) supplement the terms of this License with terms:
|
||||
|
||||
a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
|
||||
b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
|
||||
c) Prohibiting misrepresentation of the origin of that material, or
|
||||
requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
|
||||
d) Limiting the use for publicity purposes of names of licensors or
|
||||
authors of the material; or
|
||||
|
||||
e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
|
||||
f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions of
|
||||
it) with contractual assumptions of liability to the recipient, for
|
||||
any liability that these contractual assumptions directly impose on
|
||||
those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions;
|
||||
the above requirements apply either way.
|
||||
|
||||
8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your
|
||||
license from a particular copyright holder is reinstated (a)
|
||||
provisionally, unless and until the copyright holder explicitly and
|
||||
finally terminates your license, and (b) permanently, if the copyright
|
||||
holder fails to notify you of the violation by some reasonable means
|
||||
prior to 60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or
|
||||
run a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims
|
||||
owned or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within
|
||||
the scope of its coverage, prohibits the exercise of, or is
|
||||
conditioned on the non-exercise of one or more of the rights that are
|
||||
specifically granted under this License. You may not convey a covered
|
||||
work if you are a party to an arrangement with a third party that is
|
||||
in the business of distributing software, under which you make payment
|
||||
to the third party based on the extent of your activity of conveying
|
||||
the work, and under which the third party grants, to any of the
|
||||
parties who would receive the covered work from you, a discriminatory
|
||||
patent license (a) in connection with copies of the covered work
|
||||
conveyed by you (or copies made from those copies), or (b) primarily
|
||||
for and in connection with specific products or compilations that
|
||||
contain the covered work, unless you entered into that arrangement,
|
||||
or that patent license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you may
|
||||
not convey it at all. For example, if you agree to terms that obligate you
|
||||
to collect a royalty for further conveying from those to whom you convey
|
||||
the Program, the only way you could satisfy both those terms and this
|
||||
License would be to refrain entirely from conveying the Program.
|
||||
|
||||
13. Remote Network Interaction; Use with the GNU General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, if you modify the
|
||||
Program, your modified version must prominently offer all users
|
||||
interacting with it remotely through a computer network (if your version
|
||||
supports such interaction) an opportunity to receive the Corresponding
|
||||
Source of your version by providing access to the Corresponding Source
|
||||
from a network server at no charge, through some standard or customary
|
||||
means of facilitating copying of software. This Corresponding Source
|
||||
shall include the Corresponding Source for any work covered by version 3
|
||||
of the GNU General Public License that is incorporated pursuant to the
|
||||
following paragraph.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the work with which it is combined will remain governed by version
|
||||
3 of the GNU General Public License.
|
||||
|
||||
14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions of
|
||||
the GNU Affero General Public License from time to time. Such new versions
|
||||
will be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Program specifies that a certain numbered version of the GNU Affero General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU Affero General Public License, you may choose any version ever published
|
||||
by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future
|
||||
versions of the GNU Affero General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||
|
||||
16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGES.
|
||||
|
||||
17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
state the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If your software can interact with users remotely through a computer
|
||||
network, you should also make sure that it provides a way for users to
|
||||
get its source. For example, if your program is a web application, its
|
||||
interface could display a "Source" link that leads users to an archive
|
||||
of the code. There are many ways you could offer source, and different
|
||||
solutions will be better for different programs; see section 13 for the
|
||||
specific requirements.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or school,
|
||||
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||
For more information on this, and how to apply and follow the GNU AGPL, see
|
||||
<https://www.gnu.org/licenses/>.
|
@ -0,0 +1,674 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 3, 29 June 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The GNU General Public License is a free, copyleft license for
|
||||
software and other kinds of works.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
the GNU General Public License is intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains free
|
||||
software for all its users. We, the Free Software Foundation, use the
|
||||
GNU General Public License for most of our software; it applies also to
|
||||
any other work released this way by its authors. You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to prevent others from denying you
|
||||
these rights or asking you to surrender the rights. Therefore, you have
|
||||
certain responsibilities if you distribute copies of the software, or if
|
||||
you modify it: responsibilities to respect the freedom of others.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must pass on to the recipients the same
|
||||
freedoms that you received. You must make sure that they, too, receive
|
||||
or can get the source code. And you must show them these terms so they
|
||||
know their rights.
|
||||
|
||||
Developers that use the GNU GPL protect your rights with two steps:
|
||||
(1) assert copyright on the software, and (2) offer you this License
|
||||
giving you legal permission to copy, distribute and/or modify it.
|
||||
|
||||
For the developers' and authors' protection, the GPL clearly explains
|
||||
that there is no warranty for this free software. For both users' and
|
||||
authors' sake, the GPL requires that modified versions be marked as
|
||||
changed, so that their problems will not be attributed erroneously to
|
||||
authors of previous versions.
|
||||
|
||||
Some devices are designed to deny users access to install or run
|
||||
modified versions of the software inside them, although the manufacturer
|
||||
can do so. This is fundamentally incompatible with the aim of
|
||||
protecting users' freedom to change the software. The systematic
|
||||
pattern of such abuse occurs in the area of products for individuals to
|
||||
use, which is precisely where it is most unacceptable. Therefore, we
|
||||
have designed this version of the GPL to prohibit the practice for those
|
||||
products. If such problems arise substantially in other domains, we
|
||||
stand ready to extend this provision to those domains in future versions
|
||||
of the GPL, as needed to protect the freedom of users.
|
||||
|
||||
Finally, every program is threatened constantly by software patents.
|
||||
States should not allow patents to restrict development and use of
|
||||
software on general-purpose computers, but in those that do, we wish to
|
||||
avoid the special danger that patents applied to a free program could
|
||||
make it effectively proprietary. To prevent this, the GPL assures that
|
||||
patents cannot be used to render the program non-free.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
TERMS AND CONDITIONS
|
||||
|
||||
0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU General Public License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||
works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of an
|
||||
exact copy. The resulting work is called a "modified version" of the
|
||||
earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user through
|
||||
a computer network, with no transfer of a copy, is not conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices"
|
||||
to the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work
|
||||
for making modifications to it. "Object code" means any non-source
|
||||
form of a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users
|
||||
can regenerate automatically from other parts of the Corresponding
|
||||
Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that
|
||||
same work.
|
||||
|
||||
2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not
|
||||
convey, without conditions so long as your license otherwise remains
|
||||
in force. You may convey covered works to others for the sole purpose
|
||||
of having them make modifications exclusively for you, or provide you
|
||||
with facilities for running those works, provided that you comply with
|
||||
the terms of this License in conveying all material for which you do
|
||||
not control copyright. Those thus making or running the covered works
|
||||
for you must do so exclusively on your behalf, under your direction
|
||||
and control, on terms that prohibit them from making any copies of
|
||||
your copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under
|
||||
the conditions stated below. Sublicensing is not allowed; section 10
|
||||
makes it unnecessary.
|
||||
|
||||
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such circumvention
|
||||
is effected by exercising rights under this License with respect to
|
||||
the covered work, and you disclaim any intention to limit operation or
|
||||
modification of the work as a means of enforcing, against the work's
|
||||
users, your or third parties' legal rights to forbid circumvention of
|
||||
technological measures.
|
||||
|
||||
4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these conditions:
|
||||
|
||||
a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
|
||||
b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under section
|
||||
7. This requirement modifies the requirement in section 4 to
|
||||
"keep intact all notices".
|
||||
|
||||
c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
|
||||
d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms
|
||||
of sections 4 and 5, provided that you also convey the
|
||||
machine-readable Corresponding Source under the terms of this License,
|
||||
in one of these ways:
|
||||
|
||||
a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
|
||||
b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the
|
||||
Corresponding Source from a network server at no charge.
|
||||
|
||||
c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
|
||||
d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
|
||||
e) Convey the object code using peer-to-peer transmission, provided
|
||||
you inform other peers where the object code and Corresponding
|
||||
Source of the work are being offered to the general public at no
|
||||
charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal, family,
|
||||
or household purposes, or (2) anything designed or sold for incorporation
|
||||
into a dwelling. In determining whether a product is a consumer product,
|
||||
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||
product received by a particular user, "normally used" refers to a
|
||||
typical or common use of that class of product, regardless of the status
|
||||
of the particular user or of the way in which the particular user
|
||||
actually uses, or expects or is expected to use, the product. A product
|
||||
is a consumer product regardless of whether the product has substantial
|
||||
commercial, industrial or non-consumer uses, unless such uses represent
|
||||
the only significant mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to install
|
||||
and execute modified versions of a covered work in that User Product from
|
||||
a modified version of its Corresponding Source. The information must
|
||||
suffice to ensure that the continued functioning of the modified object
|
||||
code is in no case prevented or interfered with solely because
|
||||
modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or updates
|
||||
for a work that has been modified or installed by the recipient, or for
|
||||
the User Product in which it has been modified or installed. Access to a
|
||||
network may be denied when the modification itself materially and
|
||||
adversely affects the operation of the network or violates the rules and
|
||||
protocols for communication across the network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders of
|
||||
that material) supplement the terms of this License with terms:
|
||||
|
||||
a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
|
||||
b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
|
||||
c) Prohibiting misrepresentation of the origin of that material, or
|
||||
requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
|
||||
d) Limiting the use for publicity purposes of names of licensors or
|
||||
authors of the material; or
|
||||
|
||||
e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
|
||||
f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions of
|
||||
it) with contractual assumptions of liability to the recipient, for
|
||||
any liability that these contractual assumptions directly impose on
|
||||
those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions;
|
||||
the above requirements apply either way.
|
||||
|
||||
8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your
|
||||
license from a particular copyright holder is reinstated (a)
|
||||
provisionally, unless and until the copyright holder explicitly and
|
||||
finally terminates your license, and (b) permanently, if the copyright
|
||||
holder fails to notify you of the violation by some reasonable means
|
||||
prior to 60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or
|
||||
run a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims
|
||||
owned or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within
|
||||
the scope of its coverage, prohibits the exercise of, or is
|
||||
conditioned on the non-exercise of one or more of the rights that are
|
||||
specifically granted under this License. You may not convey a covered
|
||||
work if you are a party to an arrangement with a third party that is
|
||||
in the business of distributing software, under which you make payment
|
||||
to the third party based on the extent of your activity of conveying
|
||||
the work, and under which the third party grants, to any of the
|
||||
parties who would receive the covered work from you, a discriminatory
|
||||
patent license (a) in connection with copies of the covered work
|
||||
conveyed by you (or copies made from those copies), or (b) primarily
|
||||
for and in connection with specific products or compilations that
|
||||
contain the covered work, unless you entered into that arrangement,
|
||||
or that patent license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you may
|
||||
not convey it at all. For example, if you agree to terms that obligate you
|
||||
to collect a royalty for further conveying from those to whom you convey
|
||||
the Program, the only way you could satisfy both those terms and this
|
||||
License would be to refrain entirely from conveying the Program.
|
||||
|
||||
13. Use with the GNU Affero General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU Affero General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the special requirements of the GNU Affero General Public License,
|
||||
section 13, concerning interaction through a network will apply to the
|
||||
combination as such.
|
||||
|
||||
14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions of
|
||||
the GNU General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Program specifies that a certain numbered version of the GNU General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU General Public License, you may choose any version ever published
|
||||
by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future
|
||||
versions of the GNU General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||
|
||||
16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGES.
|
||||
|
||||
17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
state the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program does terminal interaction, make it output a short
|
||||
notice like this when it starts in an interactive mode:
|
||||
|
||||
<program> Copyright (C) <year> <name of author>
|
||||
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, your program's commands
|
||||
might be different; for a GUI interface, you would use an "about box".
|
||||
|
||||
You should also get your employer (if you work as a programmer) or school,
|
||||
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||
For more information on this, and how to apply and follow the GNU GPL, see
|
||||
<https://www.gnu.org/licenses/>.
|
||||
|
||||
The GNU General Public License does not permit incorporating your program
|
||||
into proprietary programs. If your program is a subroutine library, you
|
||||
may consider it more useful to permit linking proprietary applications with
|
||||
the library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License. But first, please read
|
||||
<https://www.gnu.org/licenses/why-not-lgpl.html>.
|
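--- /dev/null
+++ b/README.md
@@ -0,0 +1,107 @@
+# Forksand Bootstrap Postfix
+This Ansible playbook was written to set up a mail server on Debian systems.
+
+## Table of contents
+1. [Requirements](#requirements)
+2. [Quick Start](#quick-start)
+* [Project Configuration](#project-configuration)
+* [Playbook Execution](#playbook-execution)
+3. [Project Structure](#project-structure)
+* [File and Directory Descriptions](#file-and-directory-descriptions)
+* [Role Descriptions](#role-descriptions)
+4. [Ansible Logging](#ansible-logging)
+5. [Troubleshooting](#troubleshooting)
+
+## Requirements
+The following applications are required to utilize this playbook. Ansible can be installed using Python PIP.
+
+* Ansible 2.4.x+
+* Python 2.7.9+
+
+## Quick Start
+The follow steps will help quickly set up and execute this playbook.
+
+### Project Configuration
+The following files need to be edited and configured before executing this playbook.
+
+| File | Description |
+| -- | -- |
+| groups_vars/all.yml | Server credential information and domain variables |
+| inventory.yml | List of server IPs to connect to |
+
+### Playbook Execution
+After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
+
+`ansible-playbook -i inventory.yml site.yml`
+
+## Project Structure
+The following tree depicts the high level structure of this Ansible project.
+
+```bash
+├── ansible.cfg
+├── group_vars
+│ └── all.yml
+├── inventory.yml
+├── LICENSE.AGPLv3
+├── LICENSE.GPLv3
+├── README.md
+├── roles
+│ ├── dkim_configuration
+│ ├── dovecot_configuration
+│ ├── fail2ban_configuration
+│ ├── letsencrypt_configuration
+│ ├── mikegleasonjr.firewall
+│ ├── outputs
+│ ├── postfix_configuration
+│ ├── server_tasks
+│ ├── spamassassin_configuration
+│ └── sqlgrey_configuration
+├── playbook_execution.log
+└── site.yml
+```
+
+### File and Directory Descriptions
+The following table consists of a description of what each file and directory stands for.
+
+| Name | Description |
+| -- | -- |
+| site.yml | Master playbook. Executes all roles in sequential order |
+| inventory.yml | Inventory file containing server IP addresses |
+| ansible.cfg | Ansible configuration file for various Ansible options. |
+| group_vars/ | Group_vars directory contains variable files for the entire group. The files are named according to the group name. 'all.yml' = group 'all' |
+| group_vars/all.yml | Group variables for the 'all' group. Contains server connection information along with domain variables |
+| roles/ | Directory containing all roles needed by this project |
+
+### Role descriptions
+The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
+
+| Role Name | Role Description | Depends on |
+| -- | -- | --|
+| server_tasks | This roles performs all server tasks. Updating server, configuring SSH, disable IPv6, etc. Depends on the mikegleasonjr.firewall role. | mikebleasonjr.firewall |
+| mikegleasonjr.firewall | This role set up iptables rules. It is called and ran by the server_tasks roles. | None |
+| letsencrypt_configuration | This role installs and executes let's encrypt | None |
+| postfix_configuration | This roles installs postfix, configures postfix using postconf, and sets up virtual file, master.cf file, and aliases file | letsencrypt_configuration |
+| dkim_configuration | This roles installs OpenDKIM, OpenDMARC and configures them. | None |
+| dovecot_configuration | This role installs and configures dovecot | letsencrypt_configuration |
+| spamassassin_configuration | This role installs spamassassin. | None |
+| sqlgrey_configuration| This role installs sqlgrey. | None |
+| fail2ban_configuration | This role installs fail2ban. | None |
+| outputs | This role gathers DNS information for the SPF, DMARC, and DKIM records and outputs them to the screen. | None |
+
+## Ansible Logging
+Ansible playbook executions are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
+
+## Troubleshooting
+Ansible has a built in debug output. Simple run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
+
+Level 1: `-v`
+
+Level 2: `-vv`
+
+Level 3: `-vvv`
+
+Level 4: `-vvvv`
+
+Level 5: `-vvvvv`
+
+Example execution with level 3 debug output: `ansible-playbook -i inventory.yml site.yml -vvv`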
@ -0,0 +1,2 @@
|
||||
[defaults]
|
||||
log_path=playbook_execution.log
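Review bot: The log file name here, `playbook_execution.log`, does not match the `playbook-execution.log` that the README section above documents; since `log_path` is what Ansible actually reads, either change this line to `log_path=playbook-execution.log` or fix the README, but the two must agree. This log records every task's arguments, so the `postconf -e` and `letsencrypt` shell tasks in this commit will write domain and account details (and `ansible_ssh_pass`, should it ever be enabled) into a plaintext file in the project root; keep that file out of version control and mark secret-bearing tasks with `no_log: true`.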
|
@ -0,0 +1,14 @@
|
||||
# Ansible connection configuration
|
||||
# It is suggested that this file be encrypted with ansible-vault
|
||||
ansible_port: 22
|
||||
ansible_user: ssh_user
|
||||
ansible_ssh_private_key_file: /path/to/pem
|
||||
|
||||
# Uncomment to use SSH password instead of pem key
|
||||
# If you uncomment this, comment out the key_file line above
|
||||
#ansible_ssh_pass: mypassword
|
||||
|
||||
# Domain variables required for the playbook
|
||||
var_domain: forksand.io
|
||||
var_mail_domain: mail.forksand.io
|
||||
var_relay_domain: forksand.com
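Review bot: This file mixes the SSH credentials with non-secret domain variables, so the comment's advice to vault-encrypt "this file" makes the three domain values opaque in diffs and review as well. Split the secret (`ansible_ssh_private_key_file` and the optional `ansible_ssh_pass`) into its own vaulted file, or use an inline `!vault` value for just the password, so the domain settings stay reviewable. `ansible_ssh_pass` in plaintext YAML also needs `sshpass` on the controller and is the weaker option; if key authentication works I would remove the commented password block rather than leave it as a documented path. Note that `ansible_port: 22` is the only port assumed here while the firewall defaults later in this commit also open 33957; if the server_tasks role moves sshd, this value has to follow.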
|
@ -0,0 +1,7 @@
|
||||
all:
|
||||
hosts:
|
||||
10.0.0.1: # Example host
|
||||
|
||||
# Additional hosts can be specified by adding them below
|
||||
#10.0.0.2: # Example host 2. Uncomment line to use
|
||||
#10.0.0.3: # Example host 3. Uncomment line to use
|
@ -0,0 +1,76 @@
|
||||
---
|
||||
- name: Install packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
dpkg_options: 'force-confdef,force-confnew'
|
||||
update_cache: yes
|
||||
with_items:
|
||||
- opendkim
|
||||
- opendkim-tools
|
||||
- opendmarc
|
||||
|
||||
- name: Create directories folder in /etc
|
||||
file:
|
||||
path: "/etc/{{ item }}"
|
||||
state: directory
|
||||
with_items:
|
||||
- opendkim
|
||||
- opendmarc
|
||||
|
||||
- name: Create key with opendkim-genkey
|
||||
shell: "opendkim-genkey -b 2048 -d {{ domain }} -s {{ domain }}.dkim"
|
||||
args:
|
||||
chdir: /root/
|
||||
|
||||
- name: Move private dkim key
|
||||
command: "mv /root/{{ domain }}.dkim.private /etc/opendkim/"
|
||||
|
||||
- name: Update private key permissions
|
||||
file:
|
||||
path: "/etc/opendkim/{{ domain }}.dkim.private"
|
||||
mode: 0600
|
||||
|
||||
- name: Copy conf files to remote
|
||||
template:
|
||||
src: "{{ item.name}}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- {name: 'opendkim.conf.j2', dest: '/etc/opendkim.conf'}
|
||||
- {name: 'internalhosts.j2', dest: '/etc/opendkim/internalhosts'}
|
||||
- {name: 'trustedhosts.j2', dest: '/etc/opendkim/trustedhosts'}
|
||||
- {name: 'opendmarc.conf.j2', dest: '/etc/opendmarc.conf'}
|
||||
- {name: 'opendkim.j2', dest: '/etc/default/opendkim'}
|
||||
- {name: 'opendmarc.j2', dest: '/etc/default/opendmarc'}
|
||||
|
||||
- name: Add domain to signing table file
|
||||
lineinfile:
|
||||
path: /etc/opendkim/signingtable
|
||||
state: present
|
||||
create: yes
|
||||
line: "*@{{ domain }} {{ domain }}"
|
||||
|
||||
- name: Add configuration to key table file
|
||||
lineinfile:
|
||||
path: /etc/opendkim/keytable
|
||||
state: present
|
||||
create: yes
|
||||
line: "{{ domain }} {{ domain }}:mail:/etc/opendkim/{{ domain }}.dkim.private"
|
||||
|
||||
- name: Create log file
|
||||
file:
|
||||
path: "/var/log/{{ item }}.log"
|
||||
state: touch
|
||||
owner: "{{ item }}"
|
||||
group: "{{ item }}"
|
||||
with_items:
|
||||
- opendmarc
|
||||
|
||||
- name: Add items to ignore hosts
|
||||
blockinfile:
|
||||
path: /etc/opendmarc/ignore.hosts
|
||||
create: yes
|
||||
insertafter: EOF
|
||||
content: |
|
||||
localhost
|
||||
127.0.0.0/8
|
||||
10.0.2.0/24
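Review bot: The "Create key with opendkim-genkey" task regenerates the DKIM keypair on every run and the following `mv` overwrites `/etc/opendkim/{{ domain }}.dkim.private`, so each replay of the playbook silently invalidates the public key that was published in DNS from the earlier `.txt`; both tasks need a `creates:` guard so they only run when the key does not exist yet. The key is also generated in `/root/` (so presumably as root) and the permissions task sets only `mode: 0600`, leaving it root-owned, while opendkim.conf in this same commit runs the daemon as `UserID opendkim:opendkim`, so the signer most likely cannot read its own key; set `owner`/`group` to `opendkim` there. Separately, the `ignore.hosts` file written by the last task is never referenced: opendmarc.conf points `IgnoreHosts` at `/etc/opendkim/trustedhosts`, so either drop this task or point the config at it.
```yaml
- name: Create key with opendkim-genkey
  shell: "opendkim-genkey -b 2048 -d {{ domain }} -s {{ domain }}.dkim"
  args:
    chdir: /root/
    creates: "/etc/opendkim/{{ domain }}.dkim.private"

- name: Move private dkim key
  command: "mv /root/{{ domain }}.dkim.private /etc/opendkim/"
  args:
    creates: "/etc/opendkim/{{ domain }}.dkim.private"

- name: Update private key permissions
  file:
    path: "/etc/opendkim/{{ domain }}.dkim.private"
    owner: opendkim
    group: opendkim
    mode: 0600
# … unchanged: template copy, signing/key table, log file, ignore.hosts …
```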
|
@ -0,0 +1,3 @@
|
||||
{{ domain }}
|
||||
10.0.2.15/255.255.255.0
|
||||
70.39.125.71
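Review bot: The addresses in this template are hard-coded rather than templated: `70.39.125.71` is one specific public host and `10.0.2.15/255.255.255.0` is the default VirtualBox NAT guest address, which reads as test-environment residue rather than production intent. `InternalHosts` tells opendkim to sign, rather than verify, anything arriving from these hosts, so any sender on that /24 obtains a valid DKIM signature for `{{ domain }}` without authenticating; list only the hosts that must relay unauthenticated and render them from a variable (for example a `dkim_internal_hosts` list in a `{% for %}` loop) so the Vagrant values never reach the real server. Whether the bare `{{ domain }}` entry matches the clients you intend depends on their reverse names, which is not visible here.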
|
@ -0,0 +1,26 @@
|
||||
AutoRestartRate 10/1h
|
||||
AutoRestart Yes
|
||||
Background yes
|
||||
#Canonicalization relaxed/relaxed
|
||||
Canonicalization relaxed/simple
|
||||
DNSTimeout 5
|
||||
ExternalIgnoreList refile:/etc/opendkim/trustedhosts
|
||||
InternalHosts refile:/etc/opendkim/internalhosts
|
||||
KeyTable refile:/etc/opendkim/keytable
|
||||
LogWhy Yes
|
||||
Mode sv
|
||||
OversignHeaders From
|
||||
PidFile /var/run/opendkim/opendkim.pid
|
||||
#Selector mail
|
||||
SignatureAlgorithm rsa-sha256
|
||||
SigningTable refile:/etc/opendkim/signingtable
|
||||
Socket inet:12301@localhost
|
||||
#Socket local:/var/spool/postfix/private/opendkim
|
||||
SoftwareHeader yes
|
||||
SubDomains yes
|
||||
SyslogSuccess Yes
|
||||
Syslog Yes
|
||||
TrustAnchorFile /usr/share/dns/root.key
|
||||
UMask 002
|
||||
UserID opendkim:opendkim
|
||||
#UserID postfix
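Review bot: This config listens only on `inet:12301@localhost` and leaves the `local:/var/spool/postfix/private/opendkim` socket commented out, yet the postfix task in this commit sets `non_smtpd_milters = unix:private/opendkim unix:private/opendmarc` and master.cf's submission service reuses that value via `smtpd_milters=$non_smtpd_milters`. Nothing creates those unix sockets (opendmarc.conf has only `inet:54321@localhost`), so mail entering through sendmail/pickup and, more importantly, every authenticated submission will hit a milter connection failure; with Postfix's default `milter_default_action = tempfail` that mail is deferred instead of signed. Either enable the `local:` socket here (with a matching one for opendmarc, the socket directory writable by those users and readable by postfix) or point `non_smtpd_milters` at the inet sockets too, e.g. `non_smtpd_milters = inet:localhost:12301`. `TrustAnchorFile /usr/share/dns/root.key` also assumes the `dns-root-data` package is present, which the install task does not list; confirm it is pulled in on the target release.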
|
@ -0,0 +1 @@
|
||||
SOCKET="inet:12301@localhost"
|
@ -0,0 +1,16 @@
|
||||
IgnoreAuthenticatedClients true
|
||||
PidFile /var/run/opendmarc/opendmarc.pid
|
||||
# Set to true when everything is confirmed working XXX
|
||||
RejectFailures false
|
||||
AuthservID {{ mail_domain }}
|
||||
Syslog true
|
||||
SyslogFacility mail
|
||||
TrustedAuthservIDs {{ mail_domain }}
|
||||
IgnoreHosts /etc/opendkim/trustedhosts
|
||||
UMask 002
|
||||
UserID opendmarc:opendmarc
|
||||
FailureReportsSentBy postmaster@{{ domain }}
|
||||
FailureReportsBcc postmaster@{{ domain }}
|
||||
AutoRestart true
|
||||
HistoryFile /var/log/opendmarc.log
|
||||
Socket inet:54321@localhost
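Review bot: `AuthservID {{ mail_domain }}` and `TrustedAuthservIDs {{ mail_domain }}` assume opendkim stamps its Authentication-Results header with the same identifier, but opendkim.conf in this commit sets no `AuthservID`, so opendkim falls back to the host's own name; if that differs from `mail_domain`, opendmarc ignores opendkim's DKIM result and treats every message as DKIM-failing, which becomes a hard reject the moment the `RejectFailures false` placeholder is flipped to `true`. Add `AuthservID {{ mail_domain }}` to opendkim.conf so both daemons agree. `FailureReportsSentBy`/`FailureReportsBcc` are inert without `FailureReports true`; that may be intended, but a comment would stop someone expecting reports. `IgnoreHosts /etc/opendkim/trustedhosts` means the separate `/etc/opendmarc/ignore.hosts` the dkim tasks create is never consulted, so drop one of the two.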
|
@ -0,0 +1,5 @@
|
||||
localhost
|
||||
127.0.0.0/8
|
||||
{{ domain }}
|
||||
70.39.125.71
|
||||
10.0.2.0/24
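Review bot: Every entry in this file is exempted from DKIM verification (`ExternalIgnoreList`) and from DMARC evaluation (opendmarc's `IgnoreHosts`), so this list is a verification bypass and should be as short as possible; `10.0.2.0/24` is the VirtualBox NAT range and `70.39.125.71` a single hard-coded host, neither of which belongs in a template rendered identically for every inventory host. Source the entries from a variable with a `{% for host in dkim_trusted_hosts %}` loop after the fixed `localhost`/`127.0.0.0/8` lines, so the Vagrant values cannot ship to production. This file also largely duplicates internalhosts.j2; feeding both from one variable keeps them from drifting apart.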
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
- name: restart dovecot
|
||||
service:
|
||||
name: dovecot
|
||||
state: restarted
|
@ -0,0 +1,80 @@
|
||||
---
|
||||
# Disable IPv6 for Dovecot / force IPv4
|
||||
- name: Create dovecot conf.d directory
|
||||
file:
|
||||
path: /etc/dovecot/conf.d
|
||||
state: directory
|
||||
|
||||
- name: Add dovecot conf
|
||||
lineinfile:
|
||||
path: /etc/dovecot/conf.d/99-ipv4-only.conf
|
||||
create: yes
|
||||
line: "listen = *"
|
||||
insertafter: EOF
|
||||
state: present
|
||||
|
||||
- name: Install dovecot
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
dpkg_options: 'force-confdef,force-confnew'
|
||||
update_cache: yes
|
||||
with_items:
|
||||
- dovecot-antispam
|
||||
- dovecot-imapd
|
||||
|
||||
- name: Create directors for dovecot users
|
||||
shell: maildirmake.dovecot /etc/skel/"{{ item }}"
|
||||
with_items:
|
||||
- Maildir
|
||||
- Maildir/.Drafts
|
||||
- Maildir/.Sent
|
||||
- Maildir/.Trash
|
||||
- Maildir/.Templates
|
||||
|
||||
- name: Copy dovecot skel directory to users
|
||||
synchronize:
|
||||
src: /etc/skel/Maildir
|
||||
dest: "/home/{{ item }}/"
|
||||
recursive: yes
|
||||
delegate_to: "{{ inventory_hostname }}"
|
||||
with_items:
|
||||
- jebba
|
||||
- mailarchive
|
||||
|
||||
- name: Update Maildir folder permissions in users folder
|
||||
file:
|
||||
path: "/home/{{ item }}/Maildir"
|
||||
mode: 0700
|
||||
owner: "{{ item }}"
|
||||
group: "{{ item }}"
|
||||
with_items:
|
||||
- jebba
|
||||
- mailarchive
|
||||
|
||||
- name: Update users folder permissions
|
||||
file:
|
||||
path: "/home/{{ item }}"
|
||||
mode: og-rwx
|
||||
with_items:
|
||||
- jebba
|
||||
- mailarchive
|
||||
|
||||
- name: Update 10-auth.conf and 10-mail.conf
|
||||
lineinfile:
|
||||
path: "/etc/dovecot/conf.d/{{ item.conf }}"
|
||||
regexp: '{{ item.find }}'
|
||||
line: '{{ item.replace }}'
|
||||
with_items:
|
||||
- {find: '^.*?disable_plaintext_auth.*=.*', replace: 'disable_plaintext_auth = yes', conf: '10-auth.conf'}
|
||||
- {find: '^.*?auth_mechanisms.*=.*', replace: 'auth_mechanisms = plain login', conf: '10-auth.conf'}
|
||||
- {find: '^.*?mail_location.*', replace: 'mail_location = maildir:~/Maildir', conf: '10-mail.conf'}
|
||||
|
||||
- name: Copy conf files to remote
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/dovecot/conf.d/{{ item }}"
|
||||
with_items:
|
||||
- 10-master.conf
|
||||
- 10-ssl.conf
|
||||
notify:
|
||||
- restart dovecot
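Review bot: The "Update 10-auth.conf and 10-mail.conf" task changes `disable_plaintext_auth`, `auth_mechanisms` and `mail_location` but has no `notify`, so those edits only take effect if the later template task happens to change and trigger `restart dovecot`; a rerun that touches only the lineinfile task leaves dovecot running with the old auth settings. Add `notify: - restart dovecot` to that task as well. The `maildirmake.dovecot` and `synchronize` tasks run unconditionally and report changed every time, and `synchronize` with `delegate_to: "{{ inventory_hostname }}"` needs rsync on the target, which no task here installs; a `creates:` guard on the shell task and an explicit rsync install (or a different copy mechanism) would make this predictable. The `jebba`/`mailarchive` user list is hard-coded in the role and `mailarchive` is only created by the postfix role, so running this role alone fails on the `/home/mailarchive` tasks; take the list from a variable.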
|
@ -0,0 +1,23 @@
|
||||
service imap-login {
|
||||
inet_listener imaps {
|
||||
port = 993
|
||||
ssl = yes
|
||||
}
|
||||
}
|
||||
service lmtp {
|
||||
unix_listener lmtp {
|
||||
mode = 0666
|
||||
}
|
||||
}
|
||||
service imap {
|
||||
}
|
||||
service auth {
|
||||
unix_listener /var/spool/postfix/private/auth {
|
||||
mode = 0660
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
service auth-worker {
|
||||
user = $default_internal_user
|
||||
}
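Review bot: The `lmtp` listener is a bare `unix_listener lmtp` with `mode = 0666`, which makes the socket writable by every local account, so anyone with a shell on the box can deliver straight into a user's Maildir, bypassing Postfix, the milters and spamassassin. Nothing in this commit uses it either: the postfix task sets `home_mailbox = Maildir/` with an empty `mailbox_command`, so delivery goes through Postfix's local agent. Either remove the `service lmtp` block, or if LMTP delivery is intended, place the socket inside Postfix's chroot and restrict it: `unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix }`. The imap-login block declares only the 993 listener, so the default port-143 listener stays enabled; that is acceptable given the firewall opens only 993, but an explicit `inet_listener imap { port = 0 }` would make the intent visible.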
|
@ -0,0 +1,5 @@
|
||||
ssl = required
|
||||
ssl_cert = </etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem
|
||||
ssl_key = </etc/letsencrypt/live/{{ mail_domain }}/privkey.pem
|
||||
# SSL protocols to use
|
||||
ssl_protocols = !SSLv3
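Review bot: `ssl_protocols = !SSLv3` still permits TLS 1.0 and 1.1, and it is the pre-2.3 directive name that Dovecot 2.3+ replaced with `ssl_min_protocol`. On Dovecot 2.2 use `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, on 2.3 `ssl_min_protocol = TLSv1.2`, and in both cases add `ssl_prefer_server_ciphers = yes` together with an explicit `ssl_cipher_list` so the server rather than the client picks the suite. The `ssl_cert`/`ssl_key` paths assume the letsencrypt role has already produced `/etc/letsencrypt/live/{{ mail_domain }}/`; that is guaranteed only by role ordering in site.yml, which is not visible here.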
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Install fail2ban
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
dpkg_options: 'force-confdef,force-confnew'
|
||||
update_cache: yes
|
||||
with_items:
|
||||
- fail2ban
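Review bot: Installing the package is all this role does; on Debian the stock configuration enables only the `sshd` jail, so neither Dovecot IMAP logins nor Postfix SASL authentication, which this playbook exposes on 993 and 587, are protected, even though the role is named `fail2ban_configuration`. Add a `jail.local` template (never edit `jail.conf`, it is replaced on upgrade) enabling `[postfix-sasl]` and `[dovecot]` with `enabled = true`, ship it to `/etc/fail2ban/jail.local`, and notify a `restart fail2ban` handler. Because the firewall role in this commit flushes and rewrites iptables (`iptables -F` / `-X`) whenever its script changes, fail2ban's own chains will be lost at that point; restarting fail2ban after the firewall role runs is the usual fix and should be wired in here.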
|
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: Install letsencrypt
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
dpkg_options: 'force-confdef,force-confnew'
|
||||
update_cache: yes
|
||||
with_items:
|
||||
- letsencrypt
|
||||
|
||||
- name: Install certificate
|
||||
shell: "letsencrypt certonly --standalone -d {{ mail_domain }} -n --agree-tos -m letsencrypt@{{ relay_domain }}"
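Review bot: The `letsencrypt certonly --standalone` task has no `creates:` guard, so it is re-executed on every run, and nothing in this role schedules renewal or reloads Postfix and Dovecot when the certificate changes, so IMAP and submission TLS will break when the ~90-day certificate expires. Guard the task with `args: creates: /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem` and add a cron job or systemd timer running `certbot renew` with a `--deploy-hook` (or a `renew-hook` in the CLI config on older versions) that reloads both services. `--standalone` also needs port 80 free at renewal time, which holds here only because nothing else listens on 80 and the firewall defaults keep it open; that dependency deserves a comment. The `letsencrypt` package name is the transitional name for `certbot` on newer Debian releases; confirm which one the target provides.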
|
@ -0,0 +1,2 @@
|
||||
.vagrant
|
||||
*~
|
@ -0,0 +1,18 @@
|
||||
---
|
||||
language: python
|
||||
python: "2.7"
|
||||
|
||||
install:
|
||||
- pip install ansible
|
||||
|
||||
script:
|
||||
- ansible-playbook -i localhost, tests.yml --syntax-check
|
||||
- ansible-playbook -i localhost, tests.yml --connection=local --sudo
|
||||
- >
|
||||
ansible-playbook -i localhost, tests.yml --connection=local --sudo
|
||||
| grep -q 'changed=0.*failed=0'
|
||||
&& (echo 'Idempotence test: pass' && exit 0)
|
||||
|| (echo 'Idempotence test: fail' && exit 1)
|
||||
|
||||
notifications:
|
||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
@ -0,0 +1,25 @@
|
||||
BSD 2-Clause License
|
||||
|
||||
Copyright (c) 2017, Mike Gleason jr Couturier
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
||||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||||
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
@ -0,0 +1,230 @@
|
||||
Ansible Firewall Role
|
||||
=========
|
||||
|
||||
[![Build Status](https://travis-ci.org/mikegleasonjr/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/mikegleasonjr/ansible-role-firewall)
|
||||
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-mikegleasonjr.firewall-5bbdbf.svg?style=flat)](https://galaxy.ansible.com/detail#/role/5878)
|
||||
|
||||
After I found out `UFW` was too limited in terms of functionalities, I tried several firewall roles out there but none satisfied the requirements I had:
|
||||
|
||||
- Support virtually all iptables rules from the start
|
||||
- Allow granular rules addition/overriding for specific hosts
|
||||
- Easily inject variables in the rules
|
||||
- Allow rules ordering
|
||||
- Simplicity (not having to learn how role variables would generate the rules)
|
||||
- Persistence (reload the rules at boot)
|
||||
|
||||
This role is an attempt to solve these requirements.
|
||||
|
||||
It supports **ipv4** and **ipv6*** on Debian and RedHat distributions.
|
||||
|
||||
*ipv6 support was brought up thanks to [@maloddon](https://github.com/maloddon). It is currently in early stages and knowledgable people should review the [default rules](https://github.com/mikegleasonjr/ansible-role-firewall/blob/master/defaults/main.yml). ipv6 rules are not configured by default. If you which to use them, don't forget to set `firewall_v6_configure` to `true`.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
* Ansible 2.2.1.0
|
||||
* `iptables` (installed by default on all official Debian and RedHat distributions)
|
||||
|
||||
Installation
|
||||
------------
|
||||
|
||||
`$ ansible-galaxy install mikegleasonjr.firewall`
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
`defaults/main.yml`:
|
||||
|
||||
```
|
||||
firewall_v4_configure: true
|
||||
firewall_v6_configure: false
|
||||
|
||||
firewall_v4_default_rules:
|
||||
001 default policies:
|
||||
- -P INPUT ACCEPT
|
||||
- -P OUTPUT ACCEPT
|
||||
- -P FORWARD DROP
|
||||
002 allow loopback:
|
||||
- -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
|
||||
003 allow ping replies:
|
||||
- -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
- -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
100 allow established related:
|
||||
- -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
200 allow ssh:
|
||||
- -A INPUT -p tcp --dport ssh -j ACCEPT
|
||||
999 drop everything:
|
||||
- -P INPUT DROP
|
||||
firewall_v4_group_rules: {}
|
||||
firewall_v4_host_rules: {}
|
||||
|
||||
firewall_v6_default_rules:
|
||||
001 default policies:
|
||||
- -P INPUT ACCEPT
|
||||
- -P OUTPUT ACCEPT
|
||||
- -P FORWARD DROP
|
||||
002 allow loopback:
|
||||
- -A INPUT -i lo -s ::1/128 -d ::1/128 -j ACCEPT
|
||||
003 allow ping replies:
|
||||
- -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
||||
- -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
|
||||
100 allow established related:
|
||||
- -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
200 allow ssh:
|
||||
- -A INPUT -p tcp --dport ssh -j ACCEPT
|
||||
999 drop everything:
|
||||
- -P INPUT DROP
|
||||
firewall_v6_group_rules: {}
|
||||
firewall_v6_host_rules: {}
|
||||
|
||||
```
|
||||
|
||||
The keys to the `*_rules` dictionaries (`001 default policies`, `002 allow loopback`, ...) can be anything. They are only used for rules **ordering** and **overriding**. On rules generation, the keys are sorted alphabetically. That's why I chose here the 001s and 999s.
|
||||
|
||||
Those defaults will generate the following script to be executed on the host (for ipv4):
|
||||
|
||||
```
|
||||
#!/bin/sh
|
||||
# Ansible managed: <redacted>
|
||||
|
||||
# flush rules & delete user-defined chains
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t raw -F
|
||||
iptables -t raw -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
|
||||
# 001 default policies
|
||||
iptables -P INPUT ACCEPT
|
||||
iptables -P OUTPUT ACCEPT
|
||||
iptables -P FORWARD DROP
|
||||
|
||||
# 002 allow loopback
|
||||
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
|
||||
|
||||
# 003 allow ping replies
|
||||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
|
||||
# 100 allow established related
|
||||
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# 200 allow ssh
|
||||
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
|
||||
|
||||
# 999 drop everything
|
||||
iptables -P INPUT DROP
|
||||
```
|
||||
|
||||
As you can see, you have complete control over the rules syntax.
|
||||
|
||||
`$ iptables -L -n` on the host then shows...
|
||||
|
||||
```
|
||||
Chain INPUT (policy DROP)
|
||||
target prot opt source destination
|
||||
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
|
||||
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
|
||||
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
|
||||
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
|
||||
|
||||
Chain FORWARD (policy DROP)
|
||||
target prot opt source destination
|
||||
|
||||
Chain OUTPUT (policy ACCEPT)
|
||||
target prot opt source destination
|
||||
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
|
||||
```
|
||||
|
||||
Now that takes care of the default rules. What about overriding?
|
||||
|
||||
You can change the rules for specific hosts and groups instead of re-defining everything. Rules in `firewall_v4_host_rules` will be merged with `firewall_v4_group_rules`, and then the result will be merged back with the defaults. Same thing for ipv6.
|
||||
|
||||
This allows 3 levels of rules definition and overriding. I simply chose the names to match how the variable precedence works in Ansible (`all` -> `group` -> `host`). See the example playbook below to see rules overriding in action.
|
||||
|
||||
Example Playbook (ipv4)
|
||||
----------------
|
||||
|
||||
```
|
||||
- hosts: all
|
||||
roles:
|
||||
- mikegleasonjr.firewall
|
||||
```
|
||||
|
||||
in `group_vars/all.yml` you could define the default rules for all your hosts:
|
||||
|
||||
```
|
||||
firewall_v4_default_rules:
|
||||
001 default policies:
|
||||
- -P INPUT ACCEPT
|
||||
- -P OUTPUT ACCEPT
|
||||
- -P FORWARD DROP
|
||||
002 allow loopback:
|
||||
- -A INPUT -i lo -j ACCEPT
|
||||
003 allow ping replies:
|
||||
- -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
- -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
100 allow established related:
|
||||
- -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
200 allow ssh limiting brute force:
|
||||
- -I INPUT -p tcp -d {{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }} --dport 22 -m state --state NEW -m recent --set
|
||||
- -I INPUT -p tcp -d {{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }} --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
|
||||
999 drop everything:
|
||||
- -P INPUT DROP
|
||||
```
|
||||
|
||||
in `group_vars/webservers.yml` you would open up port 80:
|
||||
|
||||
```
|
||||
firewall_v4_group_rules:
|
||||
400 allow web traffic:
|
||||
- -A INPUT -p tcp --dport http -j ACCEPT
|
||||
```
|
||||
|
||||
in `host_vars/secureweb.yml` you would want to open https as well and remove ssh logins:
|
||||
|
||||
```
|
||||
firewall_v4_host_rules:
|
||||
400 allow web traffic:
|
||||
- -A INPUT -p tcp --dport http -j ACCEPT # need to redefine this one as well because the whole key is overwritten
|
||||
- -A INPUT -p tcp --dport https -j ACCEPT
|
||||
200 allow ssh limiting brute force: []
|
||||
```
|
||||
|
||||
To "delete" rules, you just assign an empty list to an existing dictionary key.
|
||||
|
||||
To summarize, rules in `firewall_v4_host_rules` will overwrite rules in `firewall_v4_group_rules`, and then rules in `firewall_v4_group_rules` will overwrite rules in `firewall_v4_default_rules`.
|
||||
|
||||
You can play with the rules and see the generated script on the host at the following location: `/etc/iptables.v4.generated` and `/etc/iptables.v6.generated`.
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
none
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
BSD
|
||||
|
||||
Contributing
|
||||
-------
|
||||
|
||||
A vagrant environment has been provided to test the role on different distributions. Add your tests in `tests.yml` and...
|
||||
|
||||
```
|
||||
$ vagrant up
|
||||
$ vagrant provision
|
||||
```
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
Mike Gleason jr Couturier (mikegleasonjr@gmail.com)
|
||||
|
||||
Other roles from the same author:
|
||||
|
||||
- [swap](https://github.com/mikegleasonjr/ansible-role-swap)
|
@ -0,0 +1,41 @@
|
||||
boxes = {
|
||||
"ubuntu/trusty64" => {
|
||||
:ip => '192.168.33.10',
|
||||
:cpu => "2",
|
||||
:ram => "256"
|
||||
},
|
||||
"ubuntu/xenial64" => {
|
||||
:ip => '192.168.33.11',
|
||||
:cpu => "2",
|
||||
:ram => "256"
|
||||
},
|
||||
"centos/7" => {
|
||||
:ip => '192.168.33.12',
|
||||
:cpu => "2",
|
||||
:ram => "256"
|
||||
},
|
||||
"centos/6" => {
|
||||
:ip => '192.168.33.13',
|
||||
:cpu => "2",
|
||||
:ram => "256"
|
||||
},
|
||||
}
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
boxes.each do |box, options|
|
||||
config.vm.define box.dup.sub!("/", "-") do |machine|
|
||||
machine.vm.box = box
|
||||
machine.vm.box_check_update = false
|
||||
machine.vm.network :private_network, ip: options[:ip]
|
||||
|
||||
machine.vm.provider "virtualbox" do |vb|
|
||||
vb.memory = options[:ram]
|
||||
vb.cpus = options[:cpu]
|
||||
end
|
||||
|
||||
machine.vm.provision "ansible" do |ansible|
|
||||
ansible.playbook = "tests.yml"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
@ -0,0 +1,33 @@
|
||||
---
|
||||
firewall_v4_configure: true
|
||||
firewall_v6_configure: false
|
||||
|
||||
firewall_v4_default_rules:
|
||||
001 default policies:
|
||||
- -A OUTPUT -j ACCEPT # Accept all output traffic
|
||||
002 allow loopback:
|
||||
- -A INPUT -i lo -j ACCEPT
|
||||
100 allow established related:
|
||||
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
200 allow ssh ports:
|
||||
- -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
- -A INPUT -p tcp --dport 33957 -j ACCEPT
|
||||
201 allow http port:
|
||||
- -A INPUT -p tcp --dport 80 -j ACCEPT
|
||||
202 allow smtp ports:
|
||||
- -A INPUT -p tcp --dport 25 -j ACCEPT
|
||||
- -A INPUT -p tcp --dport 465 -j ACCEPT
|
||||
- -A INPUT -p tcp --dport 587 -j ACCEPT
|
||||
- -A INPUT -p tcp --dport 993 -j ACCEPT
|
||||
203 enable logging:
|
||||
- -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables denied: \" --log-level 7
|
||||
999 drop everything else:
|
||||
- -A INPUT -j REJECT
|
||||
- -A FORWARD -j REJECT
|
||||
|
||||
firewall_v4_group_rules: {}
|
||||
firewall_v4_host_rules: {}
|
||||
|
||||
firewall_v6_default_rules: {}
|
||||
firewall_v6_group_rules: {}
|
||||
firewall_v6_host_rules: {}
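Review bot: The INPUT chain never gets a DROP policy: the upstream defaults end with `-P INPUT DROP`, but this edited version relies solely on a trailing `-A INPUT -j REJECT`, so anything that removes or fails that last rule (the generated script has no `set -e`, and any `iptables -F`, including fail2ban restarts or manual work, flushes the chain) leaves the host wide open on policy ACCEPT. Keep the policy as a safety net by adding `- -P INPUT DROP` and `- -P FORWARD DROP` under `999 drop everything else`, which also makes the vendored tests.yml assertion `'Chain INPUT (policy DROP'` hold again. Port 465 is opened but master.cf in this commit defines no `smtps` service, so either add one or drop the rule, and 33957 has no visible sshd configuration behind it (presumably server_tasks, not shown). With `firewall_v6_configure: false` and empty v6 rules nothing filters IPv6 at all; unless the server_tasks "disable IPv6" step really removes the addresses, Postfix (which defaults to `inet_protocols = all` on Debian) is reachable unfiltered over v6, so a minimal v6 ruleset mirroring these defaults is cheap insurance.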
|
@ -0,0 +1 @@
|
||||
{install_date: 'Fri Feb 23 18:35:56 2018', version: 1.1.3}
|
@ -0,0 +1,22 @@
|
||||
---
|
||||
galaxy_info:
|
||||
author: Mike Gleason jr Couturier
|
||||
description: A role to manage iptables rules which doesn't suck.
|
||||
company: N/A
|
||||
issue_tracker_url: https://github.com/mikegleasonjr/ansible-role-firewall/issues
|
||||
license: BSD
|
||||
min_ansible_version: 1.2
|
||||
platforms:
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- all
|
||||
- name: Debian
|
||||
versions:
|
||||
- all
|
||||
- name: EL
|
||||
versions:
|
||||
- all
|
||||
categories:
|
||||
- networking
|
||||
- system
|
||||
dependencies: []
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
- include_tasks: rules.yml
|
||||
|
||||
- include_tasks: persist-debian.yml
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- include_tasks: persist-redhat.yml
|
||||
when: ansible_os_family == 'RedHat'
|
@ -0,0 +1,22 @@
|
||||
---
|
||||
- name: Install iptables-persistent
|
||||
apt:
|
||||
name: iptables-persistent
|
||||
update_cache: yes
|
||||
state: present
|
||||
|
||||
- name: Check if netfilter-persistent is present
|
||||
shell: which netfilter-persistent
|
||||
register: is_netfilter
|
||||
when: v4_script|changed or v6_script|changed
|
||||
changed_when: false
|
||||
ignore_errors: yes
|
||||
check_mode: no
|
||||
|
||||
- name: Save rules (netfilter-persistent)
|
||||
command: netfilter-persistent save
|
||||
when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 0
|
||||
|
||||
- name: Save rules (iptables-persistent)
|
||||
command: /etc/init.d/iptables-persistent save
|
||||
when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 1
|
@ -0,0 +1,23 @@
|
||||
---
|
||||
- name: Save v4 rules (/etc/sysconfig/iptables)
|
||||
shell: iptables-save -c > /etc/sysconfig/iptables
|
||||
when: v4_script|changed
|
||||
|
||||
- name: Save v6 rules (/etc/sysconfig/ip6tables)
|
||||
shell: ip6tables-save -c > /etc/sysconfig/ip6tables
|
||||
when: v6_script|changed
|
||||
|
||||
- name: Ensure iptables service is installed
|
||||
yum: name=iptables-services state=present update_cache=yes
|
||||
when: ansible_distribution_major_version >= '7'
|
||||
|
||||
- name: Ensure iptables service is installed
|
||||
yum: name=iptables state=present update_cache=yes
|
||||
when: ansible_distribution_major_version < '7'
|
||||
|
||||
- name: Ensure iptables service is enabled & started
|
||||
service: name=iptables enabled=yes state=started
|
||||
|
||||
- name: Ensure ip6tables service is enabled & started
|
||||
service: name=ip6tables enabled=yes state=started
|
||||
when: firewall_v6_configure
|
@ -0,0 +1,28 @@
|
||||
---
|
||||
- name: Generate v4 rules
|
||||
template: src=generated.v4.j2 dest=/etc/iptables.v4.generated owner=root group=root mode=755
|
||||
register: v4_script
|
||||
when: firewall_v4_configure
|
||||
|
||||
- name: Load v4 rules
|
||||
command: /etc/iptables.v4.generated
|
||||
register: v4_script_load_result
|
||||
failed_when: >-
|
||||
v4_script_load_result.rc != 0 or
|
||||
'unknown option' in v4_script_load_result.stderr or
|
||||
'Table does not exist' in v4_script_load_result.stderr
|
||||
when: v4_script|changed
|
||||
|
||||
- name: Generate v6 rules
|
||||
template: src=generated.v6.j2 dest=/etc/iptables.v6.generated owner=root group=root mode=755
|
||||
register: v6_script
|
||||
when: firewall_v6_configure
|
||||
|
||||
- name: Load v6 rules
|
||||
command: /etc/iptables.v6.generated
|
||||
register: v6_script_load_result
|
||||
failed_when: >-
|
||||
v6_script_load_result.rc != 0 or
|
||||
'unknown option' in v6_script_load_result.stderr or
|
||||
'Table does not exist' in v6_script_load_result.stderr
|
||||
when: v6_script|changed
|
@ -0,0 +1,26 @@
|
||||
#!/bin/sh
|
||||
# {{ ansible_managed }}
|
||||
{% set merged = firewall_v4_default_rules.copy() %}
|
||||
{% set _ = merged.update(firewall_v4_group_rules) %}
|
||||
{% set _ = merged.update(firewall_v4_host_rules) %}
|
||||
|
||||
# flush rules & delete user-defined chains
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t raw -F
|
||||
iptables -t raw -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
|
||||
{% for group, rules in merged|dictsort %}
|
||||
# {{ group }}
|
||||
{% if not rules %}
|
||||
# (none)
|
||||
{% endif %}
|
||||
{% for rule in rules %}
|
||||
iptables {{ rule }}
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
@ -0,0 +1,26 @@
|
||||
#!/bin/sh
|
||||
# {{ ansible_managed }}
|
||||
{% set merged = firewall_v6_default_rules.copy() %}
|
||||
{% set _ = merged.update(firewall_v6_group_rules) %}
|
||||
{% set _ = merged.update(firewall_v6_host_rules) %}
|
||||
|
||||
# flush rules & delete user-defined chains
|
||||
ip6tables -F
|
||||
ip6tables -X
|
||||
ip6tables -t raw -F
|
||||
ip6tables -t raw -X
|
||||
ip6tables -t nat -F
|
||||
ip6tables -t nat -X
|
||||
ip6tables -t mangle -F
|
||||
ip6tables -t mangle -X
|
||||
|
||||
{% for group, rules in merged|dictsort %}
|
||||
# {{ group }}
|
||||
{% if not rules %}
|
||||
# (none)
|
||||
{% endif %}
|
||||
{% for rule in rules %}
|
||||
ip6tables {{ rule }}
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
@ -0,0 +1,68 @@
|
||||
---
|
||||
- hosts: all
|
||||
become: true
|
||||
|
||||
roles:
|
||||
- role: .
|
||||
firewall_v6_configure: true
|
||||
|
||||
firewall_v4_group_rules:
|
||||
400 allow http:
|
||||
- -A INPUT -p tcp --dport http -j ACCEPT
|
||||
400 allow 7890:
|
||||
- -A INPUT -p tcp --dport 7890 -j ACCEPT
|
||||
firewall_v4_host_rules:
|
||||
400 allow 7890: []
|
||||
|
||||
firewall_v6_group_rules:
|
||||
400 allow http:
|
||||
- -A INPUT -p tcp --dport http -j ACCEPT
|
||||
400 allow 7890:
|
||||
- -A INPUT -p tcp --dport 7890 -j ACCEPT
|
||||
firewall_v6_host_rules:
|
||||
400 allow 7890: []
|
||||
|
||||
tasks:
|
||||
- name: Retrieve v4 rules
|
||||
command: iptables -L -n
|
||||
changed_when: false
|
||||
register: v4_rules
|
||||
when: not ansible_check_mode
|
||||
- name: Check that INPUT policy has been applied
|
||||
assert:
|
||||
that: "'Chain INPUT (policy DROP' in v4_rules.stdout"
|
||||
when: not ansible_check_mode
|
||||
- name: Check that a default rule has been applied
|
||||
assert:
|
||||
that: "'tcp dpt:22' in v4_rules.stdout"
|
||||
when: not ansible_check_mode
|
||||
- name: Check that a group rule has been applied
|
||||
assert:
|
||||
that: "'tcp dpt:80' in v4_rules.stdout"
|
||||
when: not ansible_check_mode
|
||||
- name: Check that deleted rules are deleted
|
||||
assert:
|
||||
that: "'tcp dpt:7890' not in v4_rules.stdout"
|
||||
when: not ansible_check_mode
|
||||
|
||||
- name: Retrieve v6 rules
|
||||
command: ip6tables -L -n
|
||||
changed_when: false
|
||||
register: v6_rules
|
||||
when: not ansible_check_mode
|
||||
- name: Check that INPUT policy has been applied
|
||||
assert:
|
||||
that: "'Chain INPUT (policy DROP' in v6_rules.stdout"
|
||||
when: not ansible_check_mode
|
||||
- name: Check that a default rule has been applied
|
||||
assert:
|
||||
that: "'tcp dpt:22' in v6_rules.stdout"
|
||||
when: not ansible_check_mode
|
||||
- name: Check that a group rule has been applied
|
||||
assert:
|
||||
that: "'tcp dpt:80' in v6_rules.stdout"
|
||||
when: not ansible_check_mode
|
||||
- name: Check that deleted rules are deleted
|
||||
assert:
|
||||
that: "'tcp dpt:7890' not in v6_rules.stdout"
|
||||
when: not ansible_check_mode
|
@ -0,0 +1,26 @@
|
||||
- name: Get Public IP
|
||||
uri:
|
||||
url: https://ipinfo.io/ip
|
||||
return_content: yes
|
||||
register: public_ip
|
||||
|
||||
- name: Read file
|
||||
command: "cat /root/{{ domain }}.dkim.txt"
|
||||
register: dkim_txt
|
||||
|
||||
- name: 'Clean up DKIM line 1 and 2'
|
||||
set_fact:
|
||||
line1: "{{ dkim_txt.stdout_lines[1] | regex_replace('^.+?\\\"p=|\\\"', '') }}"
|
||||
line2: "{{ dkim_txt.stdout_lines[2] | regex_replace('^.+?\\\"|\\\".+', '') }}"
|
||||
|
||||
- name: SPF Record
|
||||
debug:
|
||||
msg: "{{ domain }}. 1800 IN TXT 'v=spf1 mx ip4:{{ public_ip.content | replace('\n', '') }} -all'"
|
||||
|
||||
- name: DMARC Record
|
||||
debug:
|
||||
msg: "_dmarc.{{ domain }}. 1800 IN TXT 'v=DMARC1; p=reject; rua=mailto:postmaster@{{ domain }}'"
|
||||
|
||||
- name: 'DKIM Record'
|
||||
debug:
|
||||
msg: "mail._domainkey.{{ domain }}. 1800 IN TXT 'v=DKIM1; h=sha256; k=rsa; p={{ line1 }}{{ line2 }}'"
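Review bot: The SPF record is built from whatever `https://ipinfo.io/ip` returns, which makes a third-party web service the source of truth for a DNS authorization record; behind NAT or with several egress paths that can differ from the address this host actually sends from. Prefer `ansible_default_ipv4.address` or an explicit `mail_public_ip` variable and keep the lookup only as a cross-check. The DKIM value is reconstructed from `stdout_lines[1]` and `[2]` with hand-tuned regexes, which only holds for the exact line wrapping opendkim-genkey produced for this 2048-bit key; joining every double-quoted segment of the `.txt` is layout-independent, e.g. `p={{ (dkim_txt.stdout | regex_findall('\"([^\"]*)\"') | join('')) | regex_replace('^v=DKIM1.*?p=', '') }}` (with the same `\\\"` escaping the set_fact task already uses inside a YAML double-quoted string). The published selector is `mail`, matching the keytable, even though the key was generated with `-s {{ domain }}.dkim`; a comment noting that the genkey selector only names the files would spare the next reader that confusion.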
|
@ -0,0 +1,2 @@
|
||||
/^\s*Received: / IGNORE
|
||||
/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
|
@ -0,0 +1,60 @@
|
||||
smtp inet n - y - - smtpd
|
||||
-o receive_override_options=no_address_mappings
|
||||
submission inet n - y - - smtpd
|
||||
-o syslog_name=submission
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_sasl_type=dovecot
|
||||
-o smtpd_sasl_path=private/auth
|
||||
-o smtpd_sasl_security_options=noplaintext,noanonymous
|
||||
-o smtpd_sasl_tls_security_options=noanonymous
|
||||
-o smtpd_sasl_authenticated_header=yes
|
||||
-o broken_sasl_auth_clients=no
|
||||
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o cleanup_service_name=auth-cleanup
|
||||
-o smtpd_milters=$non_smtpd_milters
|
||||
pickup fifo n - y 60 1 pickup
|
||||
cleanup unix n - y - 0 cleanup
|
||||
auth-cleanup unix n - y - 0 cleanup
|
||||
-o header_checks=pcre:/etc/postfix/auth_header_checks.pcre
|
||||
qmgr fifo n - n 300 1 qmgr
|
||||
tlsmgr unix - - y 1000? 1 tlsmgr
|
||||
rewrite unix - - y - - trivial-rewrite
|
||||
bounce unix - - y - 0 bounce
|
||||
defer unix - - y - 0 bounce
|
||||
trace unix - - y - 0 bounce
|
||||
verify unix - - y - 1 verify
|
||||
flush unix n - y 1000? 0 flush
|
||||
proxymap unix - - n - - proxymap
|
||||
proxywrite unix - - n - 1 proxymap
|
||||
smtp unix - - y - - smtp
|
||||
relay unix - - y - - smtp
|
||||
-o smtp_fallback_relay=
|
||||
showq unix n - y - - showq
|
||||
error unix - - y - - error
|
||||
retry unix - - y - - error
|
||||
discard unix - - y - - discard
|
||||
local unix - n n - - local
|
||||
virtual unix - n n - - virtual
|
||||
lmtp unix - - y - - lmtp
|
||||
anvil unix - - y - 1 anvil
|
||||
scache unix - - y - 1 scache
|
||||
maildrop unix - n n - - pipe
|
||||
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
|
||||
uucp unix - n n - - pipe
|
||||
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||
ifmail unix - n n - - pipe
|
||||
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||
bsmtp unix - n n - - pipe
|
||||
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||
scalemail-backend unix - n n - 2 pipe
|
||||
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||
mailman unix - n n - - pipe
|
||||
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||
${nexthop} ${user}
|
||||
spamassassin unix - n n - - pipe
|
||||
user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
|
||||
policy-spf unix - n n - - spawn
|
||||
user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
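Review bot: `submission` sets `-o smtpd_milters=$non_smtpd_milters`, and the postfix task in this commit defines `non_smtpd_milters = unix:private/opendkim unix:private/opendmarc`, sockets that neither opendkim.conf (`Socket inet:12301@localhost`, local socket commented out) nor opendmarc.conf (`inet:54321@localhost`) creates. Authenticated client mail therefore gets a milter connect error and, with Postfix's default `milter_default_action = tempfail`, is deferred instead of DKIM-signed; `-o smtpd_milters=inet:localhost:12301` fixes this without touching the daemons (opendmarc adds nothing on submission since it ignores authenticated clients). The `smtp` service carries no `content_filter`, so the `spamassassin` pipe transport below is unused unless the rest of the postfix task, cut off at the end of this page, wires it in. The firewall defaults open 465 but there is no `smtps` entry here; add `smtps inet n - y - - smtpd` with `-o smtpd_tls_wrappermode=yes` and the same SASL/restriction overrides as submission, or close the port.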
|
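--- /dev/null
+++ b/roles/postfix_configuration/handlers/main.yml
@@ -0,0 +1,18 @@
+# handlers file for postfix
+---
+- name: restart postfix service
+service:
+name: postfix
+state: restarted
+
+- name: new aliases
+shell: newaliases
+
+- name: post alias
+shell: postalias /etc/aliases
+
+- name: new virtual aliases
+shell: postmap /etc/postfix/virtual
+
+- name: reload postfix
+shell: postfix reload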
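Review bot: The `new aliases` and `post alias` handlers rebuild the same database — `newaliases` is Postfix's wrapper that runs `postalias` on `alias_database`, which with `alias_maps = hash:/etc/aliases` in this role is the same `/etc/aliases` the second handler names — so the `Copy aliases` task that notifies both builds the map twice and then also does a full `restart postfix service`, where `reload postfix` is enough to pick up a rebuilt map. Drop `post alias` and have the aliases task notify `reload postfix` instead of the restart. None of the four `shell:` handlers use shell features, so `command:` is the idiomatic module here (`command: newaliases`) and avoids spawning a shell for nothing.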
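--- /dev/null
+++ b/roles/postfix_configuration/tasks/main.yml
@@ -0,0 +1,128 @@
+# Task to install and configure postfix
+---
+- name: Add mail archive user
+user:
+name: mailarchive
+shell: /bin/false
+
+- name: Install postfix
+apt:
+name: "{{ item }}"
+dpkg_options: 'force-confdef,force-confnew'
+update_cache: yes
+with_items:
+- postfix
+- postfix-doc
+- postfix-policyd-spf-python
+- postfix-pcre
+- postfix-policyd-spf-perl
+
+- name: Configure Postfix
+shell: postconf -e "{{ item }}"
+with_items:
+# Set up domain
+- "myorigin = {{ domain }}"
+- "myhostname = {{ mail_domain }}"
+- "relay_domains = {{ relay_domain}}, {{ domain }}"
+# Set up alias maps
+- alias_maps = hash:/etc/aliases
+# Use Maildir mail boxes (single files, not one huge file)
+- home_mailbox = Maildir/
+- mailbox_command =
+# AO
+- smtpd_milters = inet:localhost:12301, inet:localhost:54321
+- non_smtpd_milters = unix:private/opendkim unix:private/opendmarc
+- smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
+- smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+- smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
+- mynetworks = 127.0.0.0/8
+# TLS parameters
+# Incoming e-mails
+- smtpd_tls_CApath = /etc/ssl/certs
+- "smtpd_tls_cert_file = /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
+- "smtpd_tls_key_file = /etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
+- smtpd_tls_security_level = may
+- smtpd_tls_ask_ccert = yes
+- smtpd_tls_eecdh_grade = strong
+- smtpd_tls_protocols = !SSLv2, !SSLv3
+- smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+- smtpd_tls_mandatory_ciphers = high
+- tls_preempt_cipherlist = yes
+#disable following ciphers for smtpd_tls_security_level=encrypt
+- smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+#disable following ciphers for smtpd_tls_security_level=may
+- smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+- smtpd_tls_loglevel = 1
+- smtpd_use_tls = yes
+- smtp_tls_note_starttls_offer = yes
+- smtpd_tls_received_header = yes
+# Outgoing e-mails
+- smtp_tls_CApath = /etc/ssl/certs
+- smtp_tls_security_level = may
+- smtp_tls_loglevel = 1
+- smtp_use_tls = yes
+- smtp_tls_mandatory_ciphers=high
+- smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+- inet_interfaces = all
+- inet_protocols = ipv4
+- message_size_limit = 52428800
+- disable_vrfy_command = yes
+- smtpd_helo_required = yes
+# Maybe: permit_sasl_authenticated, reject_unknown_hostname
+- smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
+- smtpd_delay_reject = yes
+# bcc all mail to the mailarchive user
+- always_bcc = mailarchive
+# DKIM enabled protocol
+- milter_protocol = 2
+- milter_default_action = accept
+# DKIM only for internal messages
+- non_smtpd_milters = inet:localhost:12301
+- allow_mail_to_commands = alias,forward,include
+# mydestination at is also alt domains
+- "mydestination = localhost, localhost.localdomain, {{ domain }}"
+# From certbot
+# https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
+- smtpd_sasl_type = dovecot
+- smtpd_sasl_path = private/auth
+- smtpd_sasl_local_domain =
+- smtpd_sasl_security_options = noanonymous
+- broken_sasl_auth_clients = yes
+- smtpd_sasl_auth_enable = yes
+- virtual_alias_domains = $mydomain
+- virtual_alias_maps = hash:/etc/postfix/virtual
+
+- name: Adding to virtual
+blockinfile:
+path: /etc/postfix/virtual
+insertafter: EOF
+state: present
+block: |
+postmaster@{{ domain }} root
+webmaster@{{ domain }} root
+@{{ domain }} jebba
+create: yes
+tags:
+- pfvirtual
+
+- name: Copy master.cf file to remote host
+copy:
+src: master.cf
+dest: /etc/postfix/master.cf
+notify:
+- new virtual aliases
+- reload postfix
+
+- name: Create Auth Header Checks file
+copy:
+src: auth_header_checks.pcre
+dest: /etc/postfix/auth_header_checks.pcre
+
+- name: Copy aliases
+template:
+src: aliases.j2
+dest: /etc/aliases
+notify:
+- new aliases
+- post alias
+- restart postfix service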
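Review bot: `smtpd_sasl_auth_enable = yes` is set in main.cf while `smtpd_tls_security_level = may`, and nothing sets `smtpd_tls_auth_only`, so the port-25 smtpd will advertise AUTH on unencrypted sessions and a client (or a STARTTLS-stripping attacker on the path) can get the Dovecot password sent in clear — unless the copied master.cf overrides it per service, which is not visible here; add `- smtpd_tls_auth_only = yes` next to the other `smtpd_sasl_*` items. `smtpd_helo_restrictions` and `non_smtpd_milters` each appear twice in the list and `postconf -e` silently keeps only the last value, so the first helo list and the `unix:private/opendkim unix:private/opendmarc` line are dead configuration that hides the real intent (`non_smtpd_milters = inet:localhost:12301`); delete one of each. `shell: postconf -e` is also not idempotent — it reports `changed` on every run and cannot use `validate:` — whereas `lineinfile` on `/etc/postfix/main.cf` with `regexp: '^{{ key }}\s*='` would be, and `with_items` is deprecated in favour of `loop`. `milter_default_action = accept` means mail is accepted unsigned and unchecked whenever OpenDKIM/OpenDMARC are down, which may be the intended availability trade-off but deserves a comment saying so.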
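--- /dev/null
+++ b/roles/postfix_configuration/templates/aliases.j2
@@ -0,0 +1,3 @@
+root: jebba
+jebba: jebba-mail@{{ relay_domain }}
+nobody: /dev/null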
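--- /dev/null
+++ b/roles/server_tasks/handlers/main.yml
@@ -0,0 +1,22 @@
+- name: update grub
+shell: update-grub
+
+- name: restart ssh
+service:
+name: ssh
+state: restarted
+
+- name: sysctl
+shell: sysctl -p
+
+- name: locale gen
+shell: locale-gen
+
+- name: update locale
+shell: update-locale
+
+- name: restart cron
+service:
+name: cron
+state: restarted
+when: ansible_os_family == 'Debian'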
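--- /dev/null
+++ b/roles/server_tasks/tasks/main.yml
@@ -0,0 +1,186 @@
+- name: Set locale
+lineinfile:
+path: /etc/locale.gen
+line: en_US.UTF-8 UTF-8
+state: present
+create: yes
+notify:
+- locale gen
+- update locale
+
+- name: Set timezone to America/Denver
+file:
+src: /usr/share/zoneinfo/America/Denver
+dest: /etc/localtime
+state: link
+force: yes
+owner: root
+group: root
+notify: restart cron
+
+# Set up iptables
+- name: Configure iptables
+include_role:
+name: mikegleasonjr.firewall
+
+- name: Set up APT
+apt_repository:
+repo: "{{ item }}"
+state: present
+with_items:
+- deb http://mirrors.kernel.org/debian/ buster main
+- deb http://mirrors.kernel.org/debian/ buster-updates main
+- deb http://security.debian.org/ buster/updates main
+#- deb http://mirrors.kernel.org/debian/ buster-backports main
+
+# Make apt use IPv4
+- name: Make apt use IPv4
+lineinfile:
+path: /etc/apt/apt.conf.d/99force-ipv4
+line: 'Acquire::ForceIPv4 "true";'
+state: present
+insertafter: EOF
+create: yes
+
+# Upgrade server
+- name: Upgrade server
+apt:
+upgrade: dist
+dpkg_options: 'force-confdef,force-confnew'
+update_cache: yes
+
+- name: Install utilities
+apt:
+name: "{{ item }}"
+dpkg_options: 'force-confdef,force-confnew'
+update_cache: yes
+with_items:
+- apt-transport-https
+#- bind9-host
+- bzip2
+- ca-certificates
+- colordiff
+- curl
+- debian-archive-keyring
+- exuberant-ctags
+- git
+- less
+- locales
+- lsb-release
+- man-db
+- manpages
+- molly-guard
+- net-tools
+- ntp
+- openssh-server
+- python3
+- rsync
+- telnet
+- traceroute
+- vim
+- vim-scripts
+
+# Small user tweaks
+- name: Update vimrc
+lineinfile:
+path: ~/.vimrc
+line: ':syntax on'
+state: present
+insertafter: EOF
+create: yes
+
+- name: Update .bashrc
+lineinfile:
+path: /root/.bashrc
+line: 'export EDITOR=vi'
+state: present
+insertafter: EOF
+create: yes
+
+# XXX Passwordless sudo XXX Ya, probably remove
+- name: Passwordless sudo
+lineinfile:
+path: /etc/sudoers
+regexp: '^%sudo[\t]ALL=\(ALL:ALL\) ALL'
+line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+state: present
+
+# SSH Config
+- name: SSH Configuration
+lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '{{ item.find }}'
+line: '{{ item.replace }}'
+state: present
+with_items:
+- {find: '^.*PermitRootLogin.*', replace: 'PermitRootLogin no'}
+- {find: '^.*PasswordAuthentication.*', replace: 'PasswordAuthentication no'}
+- {find: '^.*RSAAuthentication.*', replace: 'RSAAuthentication no'}
+- {find: '^.*X11Forwarding.*', replace: 'X11Forwarding no'}
+notify:
+- restart ssh
+
+- name: Adding SSH configuration to the end of file
+blockinfile:
+path: /etc/ssh/sshd_config
+state: present
+block: |
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+AllowUsers jebba
+notify:
+- restart ssh
+
+# Startup XXX disable as unneeded
+# To disable additional services
+# Add more "- service_name" lines as needed
+- name: Disabling unneeded services
+service:
+name: "{{ item }}"
+enabled: no
+with_items:
+- rsync
+
+# Disable IPv6 in Grub
+- name: Disabling IPv6 in Grub
+lineinfile:
+path: /etc/default/grub
+regexp: '{{ item.find }}'
+line: '{{ item.replace }}'
+state: present
+with_items:
+- { find: '^.*?GRUB_TIMEOUT=.*', replace: 'GRUB_TIMEOUT=1'}
+- { find: '^.*?GRUB_CMDLINE_LINUX=.*', replace: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'}
+- { find: '^.*?GRUB_TERMINAL=.*', replace: 'GRUB_TERMINAL=console'}
+notify:
+- update grub
+
+- name: Disable IPv6 in modprobe ipv6 conf file
+lineinfile:
+path: /etc/modprobe.d/ipv6.conf
+line: 'blacklist ipv6'
+state: present
+insertafter: EOF
+create: yes
+
+- name: Disable IPv6 in modprobe aliases conf file
+blockinfile:
+path: /etc/modprobe.d/aliases.conf
+block: |
+alias net-pf-10 off
+alias ivp6 off
+insertafter: EOF
+state: present
+create: yes
+
+- name: Disable IPv6 with sysctl
+blockinfile:
+path: /etc/sysctl.conf
+block: |
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+insertafter: EOF
+state: present
+notify:
+- sysctl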
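Review bot: The `Passwordless sudo` task rewrites `/etc/sudoers` with `lineinfile` and no `validate:`, so a typo in the line, or a regexp miss that appends a second `%sudo` rule at EOF instead of replacing the default one, breaks sudo on every targeted host in one run; add `validate: '/usr/sbin/visudo -cf %s'`, or better put the rule in `/etc/sudoers.d/` where the main file is never touched (the `XXX ... probably remove` comment already questions whether the rule should exist at all). The two `sshd_config` tasks have the same exposure: they edit the file and then notify `restart ssh`, so an invalid option ends the session with no way back — `validate: '/usr/sbin/sshd -t -f %s'` on both catches that before the handler fires. `RSAAuthentication` was removed from OpenSSH in 7.4 and buster's 7.9 only logs `RSAAuthentication no` as a deprecated option, so that item does nothing and should be dropped. The `^.*PermitRootLogin.*` style regexps also match commented lines and any occurrence inside a `Match` block, and `lineinfile` rewrites the last match, so anchoring on `^#?\s*PermitRootLogin\b` makes the edit predictable.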
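--- /dev/null
+++ b/roles/spamassassin_configuration/tasks/main.yml
@@ -0,0 +1,7 @@
+- name: Install Spam Assassin
+apt:
+name: "{{ item }}"
+dpkg_options: 'force-confdef,force-confnew'
+update_cache: yes
+with_items:
+- spamassassin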
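Review bot: The role only installs the package and never starts spamd; Debian ships it disabled by default (`ENABLED=0` in `/etc/default/spamassassin`, unit not enabled), so nothing scans mail after this role runs. That failure is silent: the `spamassassin` pipe service in master.cf calls `spamc -f -e /usr/sbin/sendmail ...` without `-x`, and spamc's default "safe fallback" hands the message to sendmail unmodified when it cannot reach spamd, so mail is delivered unscanned with no error. Add a task such as `service: name=spamassassin enabled=yes state=started` (plus the `ENABLED=1` line on releases that still use the defaults file), and consider `spamc -x` in master.cf if deferring mail is preferable to skipping the scan.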
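--- /dev/null
+++ b/roles/sqlgrey_configuration/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Install SQL Grey
+apt:
+name: "{{ item }}"
+dpkg_options: 'force-confdef,force-confnew'
+update_cache: yes
+with_items:
+- sqlgrey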
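Review bot: Installing `sqlgrey` has no effect until Postfix is told to consult it, and the `smtpd_recipient_restrictions` set in the postfix role contains no `check_policy_service inet:127.0.0.1:2501` (sqlgrey's default listener), so greylisting is never applied — unless the copied master.cf or a later role rewrites the restrictions, which is not visible here. Either append `check_policy_service inet:127.0.0.1:2501` after `reject_unauth_destination` in that list (after the reject rules, so the policy daemon is only asked about mail that would otherwise be accepted) or drop this role. The same gap applies to the `postfix-policyd-spf-*` packages installed by the postfix role: master.cf defines a `policy-spf` spawn service, but no `check_policy_service unix:private/policy-spf` references it.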
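--- /dev/null
+++ b/forksand-bootstrap-postfix.yml
@@ -0,0 +1,58 @@
+# Master playbook
+- name: Forksand Bootstrap Postfix
+hosts: all
+become: true
+tasks:
+- name: Run server tasks
+import_role:
+name: server_tasks
+
+- name: Install and configuration letsencrypt
+import_role:
+name: letsencrypt_configuration
+vars:
+mail_domain: "{{ var_mail_domain }}"
+relay_domain: "{{ var_relay_domain }}"
+
+- name: Install and configure postfix
+import_role:
+name: postfix_configuration
+vars:
+domain: "{{ var_domain }}"
+relay_domain: "{{ var_relay_domain }}"
+mail_domain: "{{ var_mail_domain }}"
+
+- name: Install and configure OpenDKIM
+import_role:
+name: dkim_configuration
+vars:
+domain: "{{ var_domain }}"
+mail_domain: "{{ var_mail_domain }}"
+
+- name: Install and configure Dovecot
+import_role:
+name: dovecot_configuration
+vars:
+mail_domain: "{{ var_mail_domain }}"
+
+- name: Install and configure Spamassassin
+import_role:
+name: spamassassin_configuration
+
+- name: Install and configure SQLGrey
+import_role:
+name: sqlgrey_configuration
+
+- name: Install and configure Fail2Ban
+import_role:
+name: fail2ban_configuration
+
+- name: Clean apt cache
+apt:
+autoclean: yes
+
+- name: Print DNS outputs to screen
+import_role:
+name: outputs
+vars:
+domain: "{{ var_domain }}"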
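Review bot: `hosts: all` with `become: true` pushes the entire chain — including the passwordless-sudo rule, the IPv6 removal and the `AllowUsers jebba` lock-down from `server_tasks` — onto every host in whatever inventory this is run against; target a dedicated group instead (`hosts: mailservers`, or whatever the inventory calls it) so a later, larger inventory does not get a mail stack and a sudo policy by accident. The five `vars:` blocks repeat the same three mappings; declaring `domain`, `mail_domain` and `relay_domain` once under a play-level `vars:` removes the duplication and the chance of one role silently getting a different value. Also worth checking against the roles' `defaults/main.yml`: `letsencrypt_configuration` is given `relay_domain`, which nothing visible suggests it uses, while `dovecot_configuration` is not given `domain`.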
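--- /dev/null
+++ b/forksand-bootstrap-hk1
@@ -0,0 +1,329 @@
+#!/bin/bash
+# forksand-bootstrap-hk1
+# GPLv3+
+# This script does some initial setup and config
+# Sets up Proxmox.
+
+# Log script
+exec > >(tee /root/bootstrap-hk1.log) 2>/root/bootstrap-hk1.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "debian"
+git config --global user.email git@localhost
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch hk1 server.'
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+cpufrequtils \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+postfix \
+python3 \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+-o Dpkg::Options::="--force-confdef" \
+-o Dpkg::Options::="--force-confnew" \
+install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+cpufrequtils \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+postfix \
+python3 \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# Speed up
+echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
+/etc/init.d/cpufrequtils restart
+cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i \
+-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
+-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
+-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+/etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+/usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+
+apt-get -y remove os-prober
+
+# Proxmox
+#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
+##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
+#EOF
+cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
+deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
+EOF
+
+# Add Proxmox enterprise key XXX Add key
+#cat > /etc/apt/auth.conf<<EOF
+#machine enterprise.proxmox.com
+# login pve2s-0000000000
+# password 00000000000000000000000000000000
+#EOF
+
+# XXX crufty add proxmox apt key
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+apt-get -y \
+install \
+ksm-control-daemon \
+omping \
+proxmox-ve
+
+cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
+apt clean
+
+exit 0
+
+# Run this on workstation:
+# ssh -N -C -L 8201:localhost:8006 hk1
+# firefox https://localhost:8201
+# Login as root user via PAM
+# Set up Enterprise Key, if used
+#
+#
+cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
+#
+#
+# XXX Set up vmbr0 via web interface.
+#
+# Netwok
+# hk1 (host) --> System --> Network
+# Fix subnet mask, IP in web gui.
+# Create --> Linux Bridge:
+# vmbr0
+# XXX best way for this server? No subnet.
+#
+# Set up ethernet ports
+# XXX check name Disable enp2s0 (Autostart no)
+# set up vmbr0 to the main IP, gateway, etc.
+# Create Linux Bridge in web interface
+# vmbr0
+#XXX THIS ISN'T CORRECT IP
+# 174.128.229.130/27
+# 255.255.255.224
+# Autostart
+# VLAN Aware
+# Bridge: enp2s0
+# Comment Main bridge
+#
+# Set up 10.2.2.0 and 10.99.99.0 networks statically
+# on secondary ethernet interfaces
+
+# Reboot! hk1 (host) --> Restart
+
+# Configure Corosync
+# Set up hosts
+# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
+echo "10.3.3.1 hk1-coro" >> /etc/hosts
+echo "10.3.3.2 hk2-coro" >> /etc/hosts
+echo "10.3.3.3 hk3-coro" >> /etc/hosts
+
+echo "10.88.88.1 hk2-fs" >> /etc/hosts
+echo "10.88.88.2 hk2-fs" >> /etc/hosts
+echo "10.88.88.3 hk3-fs" >> /etc/hosts
+
+# Test cluster ping
+for i in hk1-coro hk2-coro hk3-coro
+do ping -q -c1 $i
+done
+
+# Test ssh
+for i in hk1-coro hk2-coro hk3-coro
+do ssh $i hostname
+done
+# ssh via IP
+for i in 10.2.2.3
+do ssh $i hostname
+done
+
+# Note this is needed on at least one of the SharkTech servers or
+# you get bad UDP checksums
+# Also set to correct ethernet device
+# XXX CHECK
+ethtool -K enp3s0 gso off
+ethtool --offload enp3s0 rx off tx off
+ethtool -K enp4s0 gso off
+ethtool --offload enp4s0 rx off tx off
+
+# Run this on just one node, hk1, to get the cluster started
+pvecm create hkfork --bindnet0_addr 10.2.2.1 --ring0_addr hk1-coro
+
+# Run this on hk3
+#pvecm add 10.2.2.1 --ring0_addr hk3-coro
+
+pvecm status
+pvecm nodes
+
+# rebootz ?
+
+# After Cluster is Configured
+# ===========================
+
+# Data Center --> Permissions --> Users
+# Add user with Realm Proxmox VE authentication server.
+# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
+# Path: / User: j Role: Administrator
+# XXX Or create admin group, add perms to that...
+# Permissions --> Authentication. Set Proxmox VE authentication server to default.
+
+# Storage
+# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
+#
+# DNS
+# hk1 (host) --> System --> DNS
+# Add servers:
+# 208.67.222.222 208.67.220.220 37.235.1.174
+#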
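Review bot: The `wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/...` line fetches the key that will authenticate every Proxmox package over plain HTTP and installs it as a trusted apt key with no fingerprint or checksum check, so anyone on the path can substitute their own key and then serve their own packages from the (also plain-HTTP) repository added just above; fetch it with `wget https://...` and compare `sha512sum` of the downloaded file against the value Proxmox publishes in its installation notes before the following `apt-get update`. The script runs under `set -x` but not `set -e`, so a failed download, dist-upgrade or `pvecm create` is merely logged and execution carries on to the next step as if it had succeeded. In the `/etc/hosts` block after `exit 0`, both `10.88.88.1` and `10.88.88.2` are mapped to `hk2-fs`; the first is presumably meant to be `hk1-fs`. Note also that `git add .` in `/etc` will commit `/etc/shadow` and anything under `/etc/ssl/private` into `/etc/.git` — the `chmod og-rwx` keeps that root-only, but it deserves a comment and probably a `.gitignore` entry for `ssl/private`.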
@ -0,0 +1,329 @@
|
||||
#!/bin/bash
|
||||
# forksand-bootstrap-hk2
|
||||
# GPLv3+
|
||||
# This script does some initial setup and config
|
||||
# Sets up Proxmox.
|
||||
|
||||
# Log script
|
||||
exec > >(tee /root/bootstrap-hk2.log) 2>/root/bootstrap-hk2.err
|
||||
|
||||
set -x
|
||||
|
||||
# Set locale
|
||||
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
|
||||
locale-gen
|
||||
update-locale
|
||||
|
||||
# XXX Set timezone
|
||||
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
|
||||
|
||||
# Set up git for tracking. XXX Ansible... XXX
|
||||
apt-get -y install git sudo
|
||||
cd /etc
|
||||
git init
|
||||
chmod og-rwx /etc/.git
|
||||
|
||||
cat > /etc/.gitignore <<EOF
|
||||
prelink.cache
|
||||
*.swp
|
||||
ld.so.cache
|
||||
adjtime
|
||||
blkid.tab
|
||||
blkid.tab.old
|
||||
mtab
|
||||
resolv.conf
|
||||
asound.state
|
||||
mtab.fuselock
|
||||
aliases.db
|
||||
EOF
|
||||
|
||||
git config --global user.name "debian"
|
||||
git config --global user.email git@localhost
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch hk2 server.'
|
||||
|
||||
# SET UP APT
|
||||
#
|
||||
cat > /etc/apt/sources.list <<EOF
|
||||
deb http://mirrors.kernel.org/debian/ stretch-backports main
|
||||
deb http://mirrors.kernel.org/debian/ stretch main
|
||||
deb http://mirrors.kernel.org/debian/ stretch-updates main
|
||||
deb http://security.debian.org/ stretch/updates main
|
||||
EOF
|
||||
|
||||
# Make apt use IPv4:
|
||||
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
|
||||
|
||||
git add /etc/apt/apt.conf.d/99force-ipv4
|
||||
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
|
||||
|
||||
# UPGRADE SERVER
|
||||
apt-get update
|
||||
apt-get -y dist-upgrade --download-only
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Update base install'
|
||||
|
||||
apt-get -y --download-only install \
|
||||
--no-install-recommends \
|
||||
apt-transport-https \
|
||||
bzip2 \
|
||||
ca-certificates \
|
||||
colordiff \
|
||||
cpufrequtils \
|
||||
curl \
|
||||
debian-archive-keyring \
|
||||
exuberant-ctags \
|
||||
git \
|
||||
host \
|
||||
less \
|
||||
locales \
|
||||
lsb-release \
|
||||
man-db \
|
||||
manpages \
|
||||
molly-guard \
|
||||
net-tools \
|
||||
ntp \
|
||||
openssh-server \
|
||||
postfix \
|
||||
python3 \
|
||||
rsync \
|
||||
telnet \
|
||||
traceroute \
|
||||
vim \
|
||||
vim-scripts
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y \
|
||||
-o Dpkg::Options::="--force-confdef" \
|
||||
-o Dpkg::Options::="--force-confnew" \
|
||||
install \
|
||||
--no-install-recommends \
|
||||
apt-transport-https \
|
||||
bzip2 \
|
||||
ca-certificates \
|
||||
colordiff \
|
||||
cpufrequtils \
|
||||
curl \
|
||||
debian-archive-keyring \
|
||||
exuberant-ctags \
|
||||
git \
|
||||
host \
|
||||
less \
|
||||
locales \
|
||||
lsb-release \
|
||||
man-db \
|
||||
manpages \
|
||||
molly-guard \
|
||||
net-tools \
|
||||
ntp \
|
||||
openssh-server \
|
||||
postfix \
|
||||
python3 \
|
||||
rsync \
|
||||
telnet \
|
||||
traceroute \
|
||||
vim \
|
||||
vim-scripts
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Install base packages'
|
||||
|
||||
# Speed up
|
||||
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
|
||||
/etc/init.d/cpufrequtils restart
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
|
||||
|
||||
# Small user tweaks
|
||||
echo :syntax on > ~/.vimrc
|
||||
echo :syntax on > /home/jebba/.vimrc
|
||||
chown jebba:jebba /home/jebba/.vimrc
|
||||
echo export EDITOR=vi >> /root/.bashrc
|
||||
|
||||
# XXX Passwordless sudo XXX Ya, probably remove
|
||||
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
|
||||
|
||||
adduser jebba sudo
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
|
||||
|
||||
# SSH config XXX sed cruft
|
||||
sed -i \
|
||||
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
|
||||
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
|
||||
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
|
||||
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
|
||||
/etc/ssh/sshd_config
|
||||
|
||||
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
|
||||
|
||||
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
|
||||
|
||||
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
|
||||
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
|
||||
|
||||
# XXX Add admins as only allowed ssh users
|
||||
# XXX add user for ansbile
|
||||
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
|
||||
systemctl restart sshd
|
||||
|
||||
# Startup XXX disable unneeded.
|
||||
for i in rsync exim4 saned
|
||||
do echo $i
|
||||
/usr/sbin/update-rc.d $i disable
|
||||
done
|
||||
# XXX KILL THIS, listening on public port (firewalled, but still):
|
||||
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
|
||||
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
|
||||
|
||||
# GRUB
|
||||
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
|
||||
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
|
||||
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
|
||||
|
||||
update-grub
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
|
||||
|
||||
# Fix network to come up on boot
|
||||
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
|
||||
cd /etc ; git add . ; git commit -a -m 'Auto start network'
|
||||
|
||||
# XXX not sure why this is getting installed:
|
||||
apt-get -y autoremove
|
||||
|
||||
apt-get -y remove os-prober
|
||||
|
||||
# Proxmox
|
||||
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
|
||||
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
|
||||
#EOF
|
||||
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
|
||||
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
|
||||
EOF
|
||||
|
||||
# Add Proxmox enterprise key XXX Add key
|
||||
#cat > /etc/apt/auth.conf<<EOF
|
||||
#machine enterprise.proxmox.com
|
||||
# login pve2s-0000000000
|
||||
# password 00000000000000000000000000000000
|
||||
#EOF
|
||||
|
||||
# XXX crufty add proxmox apt key
|
||||
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
|
||||
|
||||
apt-get update
|
||||
apt-get -y dist-upgrade --download-only
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
|
||||
|
||||
apt-get -y \
|
||||
install \
|
||||
ksm-control-daemon \
|
||||
omping \
|
||||
proxmox-ve
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
|
||||
apt clean
|
||||
|
||||
exit 0
|
||||
|
||||
# Run this on workstation:
|
||||
# ssh -N -C -L 8202:localhost:8006 hk2
|
||||
# firefox https://localhost:8202
|
||||
# Login as root user via PAM
|
||||
# Set up Enterprise Key, if used
|
||||
#
|
||||
#
|
||||
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
|
||||
#
|
||||
#
|
||||
# XXX Set up vmbr0 via web interface.
|
||||
#
|
||||
# Netwok
|
||||
# hk2 (host) --> System --> Network
|
||||
# Fix subnet mask, IP in web gui.
|
||||
# Create --> Linux Bridge:
|
||||
# vmbr0
|
||||
# XXX best way for this server? No subnet.
|
||||
#
|
||||
# Set up ethernet ports
|
||||
# XXX check name Disable enp2s0 (Autostart no)
|
||||
# set up vmbr0 to the main IP, gateway, etc.
|
||||
# Create Linux Bridge in web interface
|
||||
# vmbr0
|
||||
#XXX THIS ISN'T CORRECT IP
|
||||
# 174.128.229.130/27
|
||||
# 255.255.255.224
|
||||
# Autostart
|
||||
# VLAN Aware
|
||||
# Bridge: enp2s0
|
||||
# Comment Main bridge
|
||||
#
|
||||
# Set up 10.2.2.0 and 10.99.99.0 networks statically
|
||||
# on secondary ethernet interfaces
|
||||
|
||||
# Reboot! hk2 (host) --> Restart
|
||||
|
||||
# Configure Corosync
|
||||
# Set up hosts
|
||||
# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
|
||||
echo "10.3.3.1 hk1-coro" >> /etc/hosts
|
||||
echo "10.3.3.2 hk2-coro" >> /etc/hosts
|
||||
echo "10.3.3.3 hk3-coro" >> /etc/hosts
|
||||
|
||||
echo "10.88.88.1 hk2-fs" >> /etc/hosts
|
||||
echo "10.88.88.2 hk2-fs" >> /etc/hosts
|
||||
echo "10.88.88.3 hk3-fs" >> /etc/hosts
|
||||
|
||||
# Test cluster ping
|
||||
for i in hk1-coro hk2-coro hk3-coro
|
||||
do ping -q -c1 $i
|
||||
done
|
||||
|
||||
# Test ssh
|
||||
for i in hk1-coro hk2-coro hk3-coro
|
||||
do ssh $i hostname
|
||||
done
|
||||
# ssh via IP
|
||||
for i in 10.2.2.3
|
||||
do ssh $i hostname
|
||||
done
|
||||
|
||||
# Note this is needed on at least one of the SharkTech servers or
|
||||
# you get bad UDP checksums
|
||||
# Also set to correct ethernet device
|
||||
# XXX CHECK
|
||||
ethtool -K enp3s0 gso off
|
||||
ethtool --offload enp3s0 rx off tx off
|
||||
ethtool -K enp4s0 gso off
|
||||
ethtool --offload enp4s0 rx off tx off
|
||||
|
||||
# Run this on just one node, hk1, to get the cluster started
|
||||
#pvecm create hkfork --bindnet0_addr 10.2.2.1 --ring0_addr hk1-coro
|
||||
|
||||
# Run this on hk2
|
||||
pvecm add 10.2.2.1 --ring0_addr hk1-coro
|
||||
|
||||
pvecm status
|
||||
pvecm nodes
|
||||
|
||||
# rebootz ?
|
||||
|
||||
# After Cluster is Configured
|
||||
# ===========================
|
||||
|
||||
# Data Center --> Permissions --> Users
|
||||
# Add user with Realm Proxmox VE authentication server.
|
||||
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
|
||||
# Path: / User: j Role: Administrator
|
||||
# XXX Or create admin group, add perms to that...
|
||||
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
|
||||
|
||||
# Storage
|
||||
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
|
||||
#
|
||||
# DNS
|
||||
# hk2 (host) --> System --> DNS
|
||||
# Add servers:
|
||||
# 208.67.222.222 208.67.220.220 37.235.1.174
|
||||
#
|
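--- /dev/null
+++ b/forksand-bootstrap-hk3
@@ -0,0 +1,329 @@
+#!/bin/bash
+# forksand-bootstrap-hk3
+# GPLv3+
+# This script does some initial setup and config
+# Sets up Proxmox.
+
+# Log script
+exec > >(tee /root/bootstrap-hk3.log) 2>/root/bootstrap-hk3.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "debian"
+git config --global user.email git@localhost
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch hk3 server.'
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+cpufrequtils \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+postfix \
+python3 \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+-o Dpkg::Options::="--force-confdef" \
+-o Dpkg::Options::="--force-confnew" \
+install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+cpufrequtils \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+postfix \
+python3 \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# Speed up
+echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
+/etc/init.d/cpufrequtils restart
+cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i \
+-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
+-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
+-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+/etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+/usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+
+apt-get -y remove os-prober
+
+# Proxmox
+#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
+##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
+#EOF
+cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
+deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
+EOF
+
+# Add Proxmox enterprise key XXX Add key
+#cat > /etc/apt/auth.conf<<EOF
+#machine enterprise.proxmox.com
+# login pve2s-0000000000
+# password 00000000000000000000000000000000
+#EOF
+
+# XXX crufty add proxmox apt key
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+apt-get -y \
+install \
+ksm-control-daemon \
+omping \
+proxmox-ve
+
+cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
+apt clean
+
+exit 0
+
+# Run this on workstation:
+# ssh -N -C -L 8203:localhost:8006 hk3
+# firefox https://localhost:8203
+# Login as root user via PAM
+# Set up Enterprise Key, if used
+#
+#
+cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
+#
+#
+# XXX Set up vmbr0 via web interface.
+#
+# Netwok
+# hk3 (host) --> System --> Network
+# Fix subnet mask, IP in web gui.
+# Create --> Linux Bridge:
+# vmbr0
+# XXX best way for this server? No subnet.
+#
+# Set up ethernet ports
+# XXX check name Disable enp2s0 (Autostart no)
+# set up vmbr0 to the main IP, gateway, etc.
+# Create Linux Bridge in web interface
+# vmbr0
+#XXX THIS ISN'T CORRECT IP
+# 174.128.229.130/27
+# 255.255.255.224
+# Autostart
+# VLAN Aware
+# Bridge: enp2s0
+# Comment Main bridge
+#
+# Set up 10.2.2.0 and 10.99.99.0 networks statically
+# on secondary ethernet interfaces
+
+# Reboot! hk3 (host) --> Restart
+
+# Configure Corosync
+# Set up hosts
+# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
+echo "10.3.3.1 hk1-coro" >> /etc/hosts
+echo "10.3.3.2 hk2-coro" >> /etc/hosts
+echo "10.3.3.3 hk3-coro" >> /etc/hosts
+
+echo "10.88.88.1 hk2-fs" >> /etc/hosts
+echo "10.88.88.2 hk2-fs" >> /etc/hosts
+echo "10.88.88.3 hk3-fs" >> /etc/hosts
+
+# Test cluster ping
+for i in hk1-coro hk2-coro hk3-coro
+do ping -q -c1 $i
+done
+
+# Test ssh
+for i in hk1-coro hk2-coro hk3-coro
+do ssh $i hostname
+done
+# ssh via IP
+for i in 10.2.2.3
+do ssh $i hostname
+done
+
+# Note this is needed on at least one of the SharkTech servers or
+# you get bad UDP checksums
+# Also set to correct ethernet device
+# XXX CHECK
+ethtool -K enp3s0 gso off
+ethtool --offload enp3s0 rx off tx off
+ethtool -K enp4s0 gso off
+ethtool --offload enp4s0 rx off tx off
+
+# Run this on just one node, hk3, to get the cluster started
+#pvecm create hkfork --bindnet0_addr 10.2.2.3 --ring0_addr hk3-coro
+
+# Run this on hk3
+pvecm add 10.2.2.1 --ring0_addr hk3-coro
+
+pvecm status
+pvecm nodes
+
+# rebootz ?
+
+# After Cluster is Configured
+# ===========================
+
+# Data Center --> Permissions --> Users
+# Add user with Realm Proxmox VE authentication server.
+# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
+# Path: / User: j Role: Administrator
+# XXX Or create admin group, add perms to that...
+# Permissions --> Authentication. Set Proxmox VE authentication server to default.
+
+# Storage
+# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
+#
+# DNS
+# hk3 (host) --> System --> DNS
+# Add servers:
+# 208.67.222.222 208.67.220.220 37.235.1.174
+#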
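--- /dev/null
+++ b/forksand-bootstrap-shark4
@@ -0,0 +1,314 @@
+#!/bin/bash
+# forksand-bootstrap-shark4
+# GPLv3+
+# This script does some initial setup and config
+# Sets up Proxmox.
+# IPv6 is left enabled.
+# Firewalling is done through Proxmox.
+# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo.
+
+# XXX set network to auto not hotplug XXX
+
+# Log script
+exec > >(tee /root/bootstrap-shark4.log) 2>/root/bootstrap-shark4.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "debian"
+git config --global user.email git@localhost
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch shark4 server.'
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+cpufrequtils \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+python3 \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+-o Dpkg::Options::="--force-confdef" \
+-o Dpkg::Options::="--force-confnew" \
+install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+cpufrequtils \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+python3 \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# NTP SharkTech
+sed -i \
+-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
+-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
+-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
+-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
+/etc/ntp.conf
+
+cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
+
+# Speed up
+echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
+/etc/init.d/cpufrequtils restart
+cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i \
+-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
+-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
+-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+/etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+/usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+
+# Proxmox
+#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
+##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
+#EOF
+cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
+deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
+EOF
+
+# Add Proxmox enterprise key XXX Add key
+#cat > /etc/apt/auth.conf<<EOF
+#machine enterprise.proxmox.com
+# login pve2s-0000000000
+# password 00000000000000000000000000000000
+#EOF
+
+# XXX crufty add proxmox apt key
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+apt-get -y \
+install \
+ksm-control-daemon \
+proxmox-ve
+
+cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
+apt clean
+
+exit 0
+
+# Run this on workstation:
+# ssh -N -C -L 8007:localhost:8006 shark4
+# firefox https://localhost:8006
+# Login as root user via PAM
+# Set up Enterprise Key
+# Data Center --> Permissions --> Users
+# Add user with Realm Proxmox VE authentication server.
+# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
+# Path: / User: j Role: Administrator
+# XXX Or create admin group, add perms to that...
+# Permissions --> Authentication. Set Proxmox VE authentication server to default.
+#
+# Enable firewall.
+# Datacenter --> shark4 (host) --> Firewall --> Add.
+# Open up for SSH and SSH alt port.
+# Enable firewall for datacenter:
+# Datacenter --> Firewall --> Options --> Firewall --> Yes
+# Enable firewall for shark4:
+# Open up for SSH and SSH alt port.
+# REJECT everything coming in. (then DROP)
+# Reorder to ACCEPT SSH at top
+#
+# Reboot! shark4 (host) --> Restart
+#
+#
+# XXX
+# Datacenter --> Firewall --> Add.
+# REJECT any in
+#
+# Storage
+# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
+#
+# XXX postfix
+#
+# DNS
+# shark4 (host) --> System --> DNS
+# Add servers:
+# 208.67.222.222 208.67.220.220 37.235.1.174
+#
+# Netwok
+# shark4 (host) --> System --> Network
+# Fix subnet mask, IP in web gui.
+# Create --> Linux Bridge:
+# vmbr0
+# XXX best way for this server? No subnet.
+#
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+auto enp1s0f1
+iface enp1s0f1 inet static
+address 70.39.103.210/29
+gateway 70.39.103.209
+dns-nameservers 208.67.222.222
+dns-search forksand.com
+
+#
+# rebootz
+#
+# Set up templates
+# Datacenter --> shark4 --> local (shark4) --> Content --> Templates
+# Select Debian. maybe arch, alpine
+
+# XXX TOTAL MEH XXX
+# add this to the workstation:
+# 127.0.0.1 localhost shark3-tun shark4-tun
+# Then use URLs
+# https://shark3-tun:8006
+# https://shark4-tun:8007
+# Or you can only be logged into one at a time.
+# XXX find better workaround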
@ -0,0 +1,375 @@
|
||||
#!/bin/bash
|
||||
# forksand-bootstrap-the
|
||||
# GPLv3+
|
||||
# This script does some initial setup and config
|
||||
# Sets up Proxmox.
|
||||
# IPv6 is left enabled.
|
||||
# Firewalling is done through Proxmox.
|
||||
# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo.
|
||||
|
||||
# XXX set up hostname
|
||||
|
||||
# XXX set network to auto not hotplug XXX
|
||||
|
||||
# Log script
|
||||
exec > >(tee /root/bootstrap-the.log) 2>/root/bootstrap-the.err
|
||||
|
||||
set -x
|
||||
|
||||
# Set locale
|
||||
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
|
||||
locale-gen
|
||||
update-locale
|
||||
|
||||
# XXX Set timezone
|
||||
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
|
||||
|
||||
# Set up git for tracking. XXX Ansible... XXX
|
||||
echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf
|
||||
apt-get -y install git sudo
|
||||
cd /etc
|
||||
git init
|
||||
chmod og-rwx /etc/.git
|
||||
|
||||
cat > /etc/.gitignore <<EOF
|
||||
prelink.cache
|
||||
*.swp
|
||||
ld.so.cache
|
||||
adjtime
|
||||
blkid.tab
|
||||
blkid.tab.old
|
||||
mtab
|
||||
resolv.conf
|
||||
asound.state
|
||||
mtab.fuselock
|
||||
aliases.db
|
||||
EOF
|
||||
|
||||
git config --global user.name "debian"
|
||||
git config --global user.email git@localhost
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch the server.'
|
||||
|
||||
# SET UP APT
|
||||
#
|
||||
cat > /etc/apt/sources.list <<EOF
|
||||
deb http://mirrors.kernel.org/debian/ stretch-backports main
|
||||
deb http://mirrors.kernel.org/debian/ stretch main
|
||||
deb http://mirrors.kernel.org/debian/ stretch-updates main
|
||||
deb http://security.debian.org/ stretch/updates main
|
||||
EOF
|
||||
|
||||
# Make apt use IPv4:
|
||||
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
|
||||
|
||||
git add /etc/apt/apt.conf.d/99force-ipv4
|
||||
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
|
||||
|
||||
# UPGRADE SERVER
|
||||
apt-get update
|
||||
apt-get -y dist-upgrade --download-only
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Update base install'
|
||||
|
||||
# ZFS tools
|
||||
modprobe zfs
|
||||
|
||||
apt-get -y --download-only install \
|
||||
--no-install-recommends \
|
||||
apt-transport-https \
|
||||
bzip2 \
|
||||
ca-certificates \
|
||||
colordiff \
|
||||
cpufrequtils \
|
||||
curl \
|
||||
debian-archive-keyring \
|
||||
exuberant-ctags \
|
||||
git \
|
||||
host \
|
||||
less \
|
||||
locales \
|
||||
lsb-release \
|
||||
man-db \
|
||||
manpages \
|
||||
molly-guard \
|
||||
net-tools \
|
||||
ntp \
|
||||
openssh-server \
|
||||
python3 \
|
||||
rsync \
|
||||
tcpdump \
|
||||
telnet \
|
||||
traceroute \
|
||||
vim \
|
||||
vim-scripts \
|
||||
zfsutils-linux
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y \
|
||||
-o Dpkg::Options::="--force-confdef" \
|
||||
-o Dpkg::Options::="--force-confnew" \
|
||||
install \
|
||||
--no-install-recommends \
|
||||
apt-transport-https \
|
||||
bzip2 \
|
||||
ca-certificates \
|
||||
colordiff \
|
||||
cpufrequtils \
|
||||
curl \
|
||||
debian-archive-keyring \
|
||||
exuberant-ctags \
|
||||
git \
|
||||
host \
|
||||
less \
|
||||
locales \
|
||||
lsb-release \
|
||||
man-db \
|
||||
manpages \
|
||||
molly-guard \
|
||||
net-tools \
|
||||
ntp \
|
||||
openssh-server \
|
||||
python3 \
|
||||
rsync \
|
||||
tcpdump \
|
||||
telnet \
|
||||
traceroute \
|
||||
vim \
|
||||
vim-scripts \
|
||||
zfsutils-linux
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Install base packages'
|
||||
|
||||
# Speed up
|
||||
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
|
||||
/etc/init.d/cpufrequtils restart
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
|
||||
|
||||
# Small user tweaks
|
||||
echo :syntax on > ~/.vimrc
|
||||
echo :syntax on > /home/jebba/.vimrc
|
||||
chown jebba:jebba /home/jebba/.vimrc
|
||||
echo export EDITOR=vi >> /root/.bashrc
|
||||
|
||||
# XXX Passwordless sudo XXX Ya, probably remove
|
||||
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
|
||||
|
||||
adduser jebba sudo
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
|
||||
|
||||
# SSH config XXX sed cruft
|
||||
sed -i \
|
||||
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
|
||||
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
|
||||
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
|
||||
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
|
||||
/etc/ssh/sshd_config
|
||||
|
||||
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
|
||||
|
||||
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
|
||||
|
||||
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
|
||||
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
|
||||
|
||||
# XXX Add admins as only allowed ssh users
|
||||
# XXX add user for ansbile
|
||||
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
|
||||
systemctl restart sshd
|
||||
|
||||
# Startup XXX disable unneeded.
|
||||
for i in rsync exim4 saned
|
||||
do echo $i
|
||||
/usr/sbin/update-rc.d $i disable
|
||||
done
|
||||
# XXX KILL THIS, listening on public port (firewalled, but still):
|
||||
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
|
||||
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
|
||||
|
||||
# GRUB
|
||||
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
|
||||
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
|
||||
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
|
||||
|
||||
update-grub
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
|
||||
|
||||
# Fix network to come up on boot
|
||||
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
|
||||
cd /etc ; git add . ; git commit -a -m 'Auto start network'
|
||||
|
||||
# XXX not sure why this is getting installed:
|
||||
apt-get -y autoremove
|
||||
|
||||
# Proxmox
|
||||
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
|
||||
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
|
||||
#EOF
|
||||
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
|
||||
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
|
||||
EOF
|
||||
|
||||
# Add Proxmox enterprise key XXX Add key
|
||||
#cat > /etc/apt/auth.conf<<EOF
|
||||
#machine enterprise.proxmox.com
|
||||
# login pve2s-0000000000
|
||||
# password 00000000000000000000000000000000
|
||||
#EOF
|
||||
|
||||
# XXX crufty add proxmox apt key
|
||||
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
|
||||
|
||||
apt-get update
|
||||
apt-get -y dist-upgrade --download-only
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
|
||||
|
||||
apt-get -y \
|
||||
install \
|
||||
ksm-control-daemon \
|
||||
omping \
|
||||
proxmox-ve
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
|
||||
apt clean
|
||||
|
||||
exit 0
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
|
||||
#
|
||||
# XXX use postfix not exim4
|
||||
#
|
||||
# Create --> Linux Bridge:
|
||||
# vmbr0
|
||||
|
||||
# rebootz
|
||||
#
|
||||
# Set up templates
|
||||
|
||||
# Cluster Corosync
|
||||
exit 0
|
||||
echo "10.8.8.88 truck-coro" >> /etc/hosts
|
||||
echo "10.8.8.90 swutch-coro" >> /etc/hosts
|
||||
echo "10.8.8.87 wall-coro" >> /etc/hosts
|
||||
echo "10.8.8.66 the-coro" >> /etc/hosts
|
||||
echo "10.99.99.88 truck-fs" >> /etc/hosts
|
||||
echo "10.99.99.90 swutch-fs" >> /etc/hosts
|
||||
echo "10.99.99.87 wall-fs" >> /etc/hosts
|
||||
echo "10.99.99.66 the-fs" >> /etc/hosts
|
||||
|
||||
# Test cluster ping
|
||||
for i in truck-coro swutch-coro wall-coro the-coro
|
||||
do ping -q -c1 $i
|
||||
done
|
||||
|
||||
# more stuff
|
||||
apt remove os-prober
|
||||
|
||||
# Disable enp3s0 (Autostart no)
|
||||
#
|
||||
# set up vmbr0 to the main IP, gateway, etc.
|
||||
# Create Linux Bridge in web interface
|
||||
# vmbr0
|
||||
# 192.168.110.66
|
||||
# 255.255.255.0
|
||||
# Gateway 192.168.110.252
|
||||
# Autostart
|
||||
# VLAN Aware
|
||||
# Bridge: enp3s0f1
|
||||
# Comment Main bridge
|
||||
|
||||
# Set up corosync ethernet interfaces
|
||||
# 10.8.8.66
|
||||
# 255.255.255.0
|
||||
# Autostart
|
||||
# VLAN Aware
|
||||
# Bridge enx000acd31ac3d
|
||||
# Comment the-coro
|
||||
|
||||
# Set up ceph ethernet interfaces
|
||||
# 10.99.99.66
|
||||
# 255.255.255.0
|
||||
# Autostart
|
||||
# VLAN Aware
|
||||
# Bridge enx000acd31ac3e
|
||||
# Comment fs-coro
|
||||
|
||||
# rebooootz
|
||||
|
||||
# Add the to /etc/hosts on other servers:
|
||||
10.8.8.66 the-coro
|
||||
10.99.99.66 the-fs
|
||||
|
||||
# Add the the ssh key to ONE node
|
||||
|
||||
# Add truck, wall, swutch ssh keys to the
|
||||
|
||||
|
||||
# Test flood multicast on private interface
|
||||
omping -c 10000 -i 0.001 -F -q swutch-coro truck-coro the-coro wall-coro
|
||||
# Ten minute test:
|
||||
omping -c 600 -i 1 -q swutch-coro truck-coro wall-coro the-coro
|
||||
|
||||
# Set up ssh as root to/from all nodes
|
||||
# Best way to do this ... XXX
|
||||
echo "fookey" >> /root/.ssh/authorized_keys
|
||||
# test SSH
|
||||
/etc/init.d/ssh restart
|
||||
|
||||
for i in the wall truck swutch ;do ssh $i hostname ;done
|
||||
for i in the-coro wall-coro truck-coro swutch-coro ;do ssh $i hostname ;done
|
||||
for i in the-fs wall-fs truck-fs swutch-fs ;do ssh $i hostname ;done
|
||||
|
||||
|
||||
# Run on the:
|
||||
pvecm add 10.8.8.88 --ring0_addr the-coro
|
||||
|
||||
# If `tcpdump -vvv -i enp10s0` show bad udp checksums, run this:
|
||||
# XXX ok on the, wall, swutch, truck
|
||||
ethtool -K enp10s0 gso off
|
||||
ethtool --offload enp10s0 rx off tx off
|
||||
|
||||
# Run on all nodes:
|
||||
pveceph install --version luminous
|
||||
|
||||
# Then run on remaining nodes, the:
|
||||
pveceph createmon
|
||||
|
||||
# On all nodes:
|
||||
pveceph createmgr
|
||||
|
||||
# internal drives
|
||||
# Create a GPT disklabel with fdisk
|
||||
fdisk /dev/nvme0n1
|
||||
# g
|
||||
# w
|
||||
pveceph createosd /dev/nvme0n1
|
||||
# Create a GPT disklabel with fdisk
|
||||
fdisk /dev/sda
|
||||
# g
|
||||
# w
|
||||
pveceph createosd /dev/sda
|
||||
|
||||
|
||||
#===================== XXX best way? XXX ====================
|
||||
# XXX maybe not needed ?
|
||||
# XXX actually, remove this and do no auth since it is private network.
|
||||
mkdir /etc/pve/priv/ceph
|
||||
cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring
|
||||
# Edit on just one node (shared on all)
|
||||
vim /etc/pve/storage.cfg
|
||||
|
||||
# Do this instead of my-ceph-storage.keyring
|
||||
# Edit on one node:
|
||||
vim /etc/pve/ceph.conf
|
||||
auth cluster required = none
|
||||
auth service required = none
|
||||
auth client required = none
|
||||
# restart stuff
|
||||
systemctl stop ceph\*.service ceph\*.target
|
||||
mkdir /etc/pve/priv/ceph/old
|
||||
mv /etc/pve/priv/ceph/*keyring /etc/pve/priv/ceph/old/
|
||||
#===================== XXX best way? XXX ====================
|
@ -0,0 +1,393 @@
|
||||
#!/bin/bash
|
||||
# forksand-bootstrap-truck
|
||||
# GPLv3+
|
||||
# This script does some initial setup and config
|
||||
# Sets up Proxmox.
|
||||
# IPv6 is left enabled.
|
||||
# Firewalling is done through Proxmox.
|
||||
# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo.
|
||||
|
||||
# XXX set up hostname
|
||||
|
||||
# XXX set network to auto not hotplug XXX
|
||||
|
||||
# Log script
|
||||
exec > >(tee /root/bootstrap-truck.log) 2>/root/bootstrap-truck.err
|
||||
|
||||
set -x
|
||||
|
||||
# Set locale
|
||||
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
|
||||
locale-gen
|
||||
update-locale
|
||||
|
||||
# XXX Set timezone
|
||||
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
|
||||
|
||||
# Set up git for tracking. XXX Ansible... XXX
|
||||
echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf
|
||||
apt-get -y install git sudo
|
||||
cd /etc
|
||||
git init
|
||||
chmod og-rwx /etc/.git
|
||||
|
||||
cat > /etc/.gitignore <<EOF
|
||||
prelink.cache
|
||||
*.swp
|
||||
ld.so.cache
|
||||
adjtime
|
||||
blkid.tab
|
||||
blkid.tab.old
|
||||
mtab
|
||||
resolv.conf
|
||||
asound.state
|
||||
mtab.fuselock
|
||||
aliases.db
|
||||
EOF
|
||||
|
||||
git config --global user.name "debian"
|
||||
git config --global user.email git@localhost
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch truck server.'
|
||||
|
||||
# SET UP APT
|
||||
#
|
||||
cat > /etc/apt/sources.list <<EOF
|
||||
deb http://mirrors.kernel.org/debian/ stretch-backports main
|
||||
deb http://mirrors.kernel.org/debian/ stretch main
|
||||
deb http://mirrors.kernel.org/debian/ stretch-updates main
|
||||
deb http://security.debian.org/ stretch/updates main
|
||||
EOF
|
||||
|
||||
# Make apt use IPv4:
|
||||
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
|
||||
|
||||
git add /etc/apt/apt.conf.d/99force-ipv4
|
||||
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
|
||||
|
||||
# UPGRADE SERVER
|
||||
apt-get update
|
||||
apt-get -y dist-upgrade --download-only
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Update base install'
|
||||
|
||||
apt-get -y --download-only install \
|
||||
--no-install-recommends \
|
||||
apt-transport-https \
|
||||
bzip2 \
|
||||
ca-certificates \
|
||||
colordiff \
|
||||
cpufrequtils \
|
||||
curl \
|
||||
debian-archive-keyring \
|
||||
exuberant-ctags \
|
||||
git \
|
||||
host \
|
||||
less \
|
||||
locales \
|
||||
lsb-release \
|
||||
man-db \
|
||||
manpages \
|
||||
molly-guard \
|
||||
net-tools \
|
||||
ntp \
|
||||
openssh-server \
|
||||
python3 \
|
||||
rsync \
|
||||
telnet \
|
||||
traceroute \
|
||||
vim \
|
||||
vim-scripts
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y \
|
||||
-o Dpkg::Options::="--force-confdef" \
|
||||
-o Dpkg::Options::="--force-confnew" \
|
||||
install \
|
||||
--no-install-recommends \
|
||||
apt-transport-https \
|
||||
bzip2 \
|
||||
ca-certificates \
|
||||
colordiff \
|
||||
cpufrequtils \
|
||||
curl \
|
||||
debian-archive-keyring \
|
||||
exuberant-ctags \
|
||||
git \
|
||||
host \
|
||||
less \
|
||||
locales \
|
||||
lsb-release \
|
||||
man-db \
|
||||
manpages \
|
||||
molly-guard \
|
||||
net-tools \
|
||||
ntp \
|
||||
openssh-server \
|
||||
python3 \
|
||||
rsync \
|
||||
telnet \
|
||||
traceroute \
|
||||
vim \
|
||||
vim-scripts
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Install base packages'
|
||||
|
||||
# Speed up
|
||||
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
|
||||
/etc/init.d/cpufrequtils restart
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
|
||||
|
||||
# Small user tweaks
|
||||
echo :syntax on > ~/.vimrc
|
||||
echo :syntax on > /home/jebba/.vimrc
|
||||
chown jebba:jebba /home/jebba/.vimrc
|
||||
echo export EDITOR=vi >> /root/.bashrc
|
||||
|
||||
# XXX Passwordless sudo XXX Ya, probably remove
|
||||
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
|
||||
|
||||
adduser jebba sudo
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
|
||||
|
||||
# SSH config XXX sed cruft
|
||||
sed -i \
|
||||
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
|
||||
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
|
||||
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
|
||||
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
|
||||
/etc/ssh/sshd_config
|
||||
|
||||
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
|
||||
|
||||
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
|
||||
|
||||
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
|
||||
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
|
||||
|
||||
# XXX Add admins as only allowed ssh users
|
||||
# XXX add user for ansbile
|
||||
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
|
||||
systemctl restart sshd
|
||||
|
||||
# Startup XXX disable unneeded.
|
||||
for i in rsync exim4 saned
|
||||
do echo $i
|
||||
/usr/sbin/update-rc.d $i disable
|
||||
done
|
||||
# XXX KILL THIS, listening on public port (firewalled, but still):
|
||||
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
|
||||
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
|
||||
|
||||
# GRUB
|
||||
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
|
||||
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
|
||||
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
|
||||
|
||||
update-grub
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
|
||||
|
||||
# Fix network to come up on boot
|
||||
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
|
||||
cd /etc ; git add . ; git commit -a -m 'Auto start network'
|
||||
|
||||
# XXX not sure why this is getting installed:
|
||||
apt-get -y autoremove
|
||||
|
||||
# Proxmox
|
||||
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
|
||||
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
|
||||
#EOF
|
||||
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
|
||||
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
|
||||
EOF
|
||||
|
||||
# Add Proxmox enterprise key XXX Add key
|
||||
#cat > /etc/apt/auth.conf<<EOF
|
||||
#machine enterprise.proxmox.com
|
||||
# login pve2s-0000000000
|
||||
# password 00000000000000000000000000000000
|
||||
#EOF
|
||||
|
||||
# XXX crufty add proxmox apt key
|
||||
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
|
||||
|
||||
apt-get update
|
||||
apt-get -y dist-upgrade --download-only
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
|
||||
|
||||
apt-get -y \
|
||||
install \
|
||||
ksm-control-daemon \
|
||||
proxmox-ve
|
||||
|
||||
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
|
||||
apt clean
|
||||
|
||||
exit 0
|
||||
|
||||
# Run this on workstation:
|
||||
# ssh -N -C -L 8008:localhost:8006 truck
|
||||
# firefox https://localhost:8008
|
||||
# Login as root user via PAM
|
||||
# Set up Enterprise Key, if used
|
||||
# Data Center --> Permissions --> Users
|
||||
# Add user with Realm Proxmox VE authentication server.
|
||||
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
|
||||
# Path: / User: j Role: Administrator
|
||||
# XXX Or create admin group, add perms to that...
|
||||
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
|
||||
#
|
||||
# Enable firewall.
|
||||
# Datacenter --> truck (host) --> Firewall --> Add.
|
||||
# Open up for SSH and SSH alt port.
|
||||
# Enable firewall for datacenter:
|
||||
# Datacenter --> Firewall --> Options --> Firewall --> Yes
|
||||
# Enable firewall for truck:
|
||||
# Open up for SSH and SSH alt port.
|
||||
# REJECT everything coming in. (then DROP)
|
||||
# Reorder to ACCEPT SSH at top
|
||||
#
|
||||
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
|
||||
#
|
||||
# Reboot! truck (host) --> Restart
|
||||
#
|
||||
# XXX
|
||||
# Datacenter --> Firewall --> Add.
|
||||
# REJECT any in
|
||||
#
|
||||
# Storage
|
||||
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
|
||||
#
|
||||
# XXX postfix
|
||||
#
|
||||
# DNS
|
||||
# truck (host) --> System --> DNS
|
||||
# Add servers:
|
||||
# 208.67.222.222 208.67.220.220 37.235.1.174
|
||||
#
|
||||
# Netwok
|
||||
# truck (host) --> System --> Network
|
||||
# Fix subnet mask, IP in web gui.
|
||||
# Create --> Linux Bridge:
|
||||
# vmbr0
|
||||
# XXX best way for this server? No subnet.
|
||||
#
|
||||
|
||||
# rebootz
|
||||
#
|
||||
# Set up templates
|
||||
|
||||
# XXX TOTAL MEH XXX
|
||||
# add this to the workstation:
|
||||
# 127.0.0.1 localhost truck-tun
|
||||
# Run:
|
||||
# ssh -N -C -L 8020:localhost:8006 truck
|
||||
# Then use URLs
|
||||
# https://truck-tun:8020
|
||||
# Or you can only be logged into one at a time.
|
||||
# XXX find better workaround
|
||||
|
||||
# Cluster Corosync
|
||||
exit 0
|
||||
echo "10.8.8.88 truck-coro" >> /etc/hosts
|
||||
echo "10.8.8.90 swutch-coro" >> /etc/hosts
|
||||
echo "10.8.8.87 wall-coro" >> /etc/hosts
|
||||
echo "10.111.111.88 truck-fs" >> /etc/hosts
|
||||
echo "10.111.111.90 swutch-fs" >> /etc/hosts
|
||||
echo "10.111.111.87 wall-fs" >> /etc/hosts
|
||||
|
||||
# Test cluster ping
|
||||
for i in truck-coro swutch-coro wall-coro
|
||||
do ping -q -c1 $i
|
||||
done
|
||||
|
||||
# more stuff
|
||||
apt install postfix
|
||||
|
||||
apt remove os-prober
|
||||
|
||||
# Disable enp3s0 (Autostart no)
|
||||
# set up vmbr0 to the main IP, gateway, etc.
|
||||
# Create Linux Bridge in web interface
|
||||
# vmbr0
|
||||
# 192.168.55.88
|
||||
# 255.255.255.0
|
||||
# Autostart
|
||||
# VLAN Aware
|
||||
# Bridge: enp3s0
|
||||
# Comment Main bridge
|
||||
|
||||
# Test flood multicast on private interface
|
||||
omping -c 10000 -i 0.001 -F -q swutch-coro truck-coro wall-coro
|
||||
# Ten minute test:
|
||||
omping -c 600 -i 1 -q swutch-coro truck-coro wall-coro
|
||||
|
||||
# Set up ssh as root to/from all nodes
|
||||
# Best way to do this ... XXX
|
||||
echo "fookey" >> /root/.ssh/authorized_keys
|
||||
for i in swutch-coro truck-coro wall-coro
|
||||
do ssh $i hostname
|
||||
done
|
||||
|
||||
# Run just on truck:
|
||||
pvecm create red --bindnet0_addr 10.8.8.88 --ring0_addr truck-coro
|
||||
|
||||
# Run on wall:
|
||||
pvecm add 10.8.8.88 --ring0_addr wall-coro
|
||||
|
||||
# Run on swutch:
|
||||
pvecm add 10.8.8.88 --ring0_addr swutch-coro
|
||||
|
||||
# If `tcpdump -vvv -i enp10s0` show bad udp checksums, run this:
|
||||
# XXX ok on truck, wall, swutch
|
||||
ethtool -K enp10s0 gso off
|
||||
ethtool --offload enp10s0 rx off tx off
|
||||
|
||||
# Setup 10.99.99.0/24 addresses for Ceph on enp16s0
|
||||
|
||||
# Run on all nodes:
|
||||
pveceph install --version luminous
|
||||
|
||||
# Run just on one node (truck):
|
||||
pveceph init --network 10.99.99.0/24
|
||||
pveceph createmon
|
||||
|
||||
# Then run on remaining nodes (or via GUI)
|
||||
pveceph createmon
|
||||
|
||||
# On all nodes:
|
||||
pveceph createmr
|
||||
|
||||
# XXX missing ZFS tools
|
||||
apt install zfsutils-linux
|
||||
modprobe zfs
|
||||
|
||||
# Add USB drive to swutch and run on it:
|
||||
# Create a GPT disklabel with fdisk
|
||||
fdisk /dev/sdb
|
||||
# g
|
||||
# w
|
||||
pveceph createosd /dev/sdb
|
||||
|
||||
# XXX actually, remove this and do no auth since it is private network.
|
||||
mkdir /etc/pve/priv/ceph
|
||||
cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring
|
||||
# Edit on just one node (shared on all)
|
||||
vim /etc/pve/storage.cfg
|
||||
|
||||
# Do this instead of my-ceph-storage.keyring
|
||||
# Edit on one node:
|
||||
vim /etc/pve/ceph.conf
|
||||
auth cluster required = none
|
||||
auth service required = none
|
||||
auth client required = none
|
||||
# restart stuff
|
||||
systemctl stop ceph\*.service ceph\*.target
|
||||
mkdir /etc/pve/priv/ceph/old
|
||||
mv /etc/pve/priv/ceph/*keyring /etc/pve/priv/ceph/old/
|
||||
|
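Review bot: The Proxmox archive signing key is fetched over plain HTTP with no integrity check and written straight into `/etc/apt/trusted.gpg.d/` (the `wget http://download.proxmox.com/... -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg` line), so anyone able to tamper with that one download decides which packages apt trusts from then on; the same line appears in the preceding bootstrap section. Fetch it over HTTPS and compare it against the published checksum before `apt-get update` runs, e.g. `wget https://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg` followed by `echo "<EXPECTED-SHA512-FROM-PROXMOX-DOCS>  /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg" | sha512sum -c - || exit 1`. The `sed -i ... /etc/sudoers` edit rewrites sudoers with no syntax check, and a malformed sudoers disables sudo for everyone; add `visudo -c -f /etc/sudoers || exit 1` right after it. Finally, `pveceph createmr` in the Ceph section looks like a typo for `pveceph createmgr`, which is the spelling the preceding section uses.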
@ -0,0 +1,151 @@
|
||||
Deploy the Ansible roles
|
||||
- Create a requirements.yml file and indicate there the git repos to source the Ansible roles from. See http://docs.ansible.com/ansible/latest/galaxy.html#installing-roles
|
||||
|
||||
host> nano requirements.yml
|
||||
|
||||
# from GitHub
|
||||
- name: ansible-odoo
|
||||
src: https://github.com/osiell/ansible-odoo
|
||||
version: origin/master
|
||||
|
||||
- name: postgresql
|
||||
src: https://github.com/ANXS/postgresql
|
||||
|
||||
- name: ansible-odoo-nginx
|
||||
src: https://github.com/Eficent/ansible-odoo-nginx
|
||||
|
||||
- name: ansible-role-certbot
|
||||
src: https://github.com/geerlingguy/ansible-role-certbot
|
||||
|
||||
host> sudo ansible-galaxy install -r requirements.yml
|
||||
|
||||
- changing role ansible-odoo from origin/master to origin/master
|
||||
- extracting ansible-odoo to /home/jordi/.ansible/roles/ansible-odoo
|
||||
- ansible-odoo (origin/master) was installed successfully
|
||||
- changing role postgresql from to unspecified
|
||||
- extracting postgresql to /home/jordi/.ansible/roles/postgresql
|
||||
- postgresql was installed successfully
|
||||
- extracting ansible-odoo-nginx to /home/jordi/.ansible/roles/ansible-odoo-nginx
|
||||
- ansible-odoo-nginx was installed successfully
|
||||
- adding dependency: geerlingguy.nginx
|
||||
- extracting ansible-role-certbot to /home/jordi/.ansible/roles/ansible-role-certbot
|
||||
- ansible-role-certbot was installed successfully
|
||||
- downloading role 'nginx', owned by geerlingguy
|
||||
- downloading role from https://github.com/geerlingguy/ansible-role-nginx/archive/2.5.0.tar.gz
|
||||
- extracting geerlingguy.nginx to /home/jordi/.ansible/roles/geerlingguy.nginx
|
||||
- geerlingguy.nginx (2.5.0) was installed successfully
|
||||
|
||||
|
||||
Note: use --force to ensure that the latest version of the roles is installed.
|
||||
|
||||
Install LXC Container
|
||||
This is only to test locally the execution of the ansible playbook on a target host.
|
||||
|
||||
Create the LXC container:
|
||||
|
||||
host> sudo lxc-create -t debian -n odoo10
|
||||
|
||||
Start the LXC container:
|
||||
|
||||
host> sudo lxc-start -n odoo10 -d
|
||||
|
||||
Check that the container is up
|
||||
|
||||
host> sudo lxc-ls -f
|
||||
|
||||
NAME STATE AUTOSTART GROUPS IPV4 IPV6
|
||||
|
||||
odoo10 RUNNING 0 - 10.0.3.217 -
|
||||
|
||||
Attach to the container
|
||||
|
||||
host> sudo lxc-attach -n odoo10
|
||||
|
||||
Install nano:
|
||||
|
||||
container> apt-get install nano
|
||||
|
||||
Install python
|
||||
|
||||
container> apt-get install python
|
||||
|
||||
Allow root to connect over ssh:
|
||||
|
||||
container> nano /etc/ssh/sshd_config
|
||||
|
||||
FROM:
|
||||
|
||||
PermitRootLogin without-password TO:
|
||||
|
||||
PermitRootLogin yes
|
||||
|
||||
Restart ssh
|
||||
|
||||
container> /etc/init.d/ssh restart
|
||||
|
||||
Provide a password to root:
|
||||
|
||||
container> passwd
|
||||
|
||||
|
||||
|
||||
Exit from the container and try to ssh into it with the new user
|
||||
|
||||
container>exit
|
||||
|
||||
host> ssh root@10.0.3.217
|
||||
|
||||
|
||||
Create Hosts Inventory File
|
||||
|
||||
Create a project folder under home dir.
|
||||
|
||||
host> mdir ansible-test && cd ansible-test
|
||||
|
||||
host> nano inventory
|
||||
|
||||
odoo10 ansible_ssh_host=10.0.3.217
|
||||
|
||||
|
||||
|
||||
Create Playbook File
|
||||
|
||||
host/ansible-test> nano ./playbook.yml
|
||||
|
||||
- name: Odoo 10
|
||||
|
||||
hosts: odoo10
|
||||
|
||||
roles:
|
||||
|
||||
- postgresql
|
||||
|
||||
- ansible-odoo
|
||||
|
||||
vars:
|
||||
|
||||
# [postgresql]
|
||||
|
||||
- postgresql_version: 9.3
|
||||
|
||||
# [odoo]
|
||||
|
||||
- odoo_version: 11.0
|
||||
|
||||
- odoo_install_type: pip
|
||||
|
||||
- odoo_config_unaccent: True
|
||||
|
||||
- odoo_pip_requirements_url: https://raw.githubusercontent.com/Eficent/sample-oca-pip-requirements/11.0/requirements.txt
|
||||
|
||||
- odoo_config_admin_passwd: SuPerPassWorD
|
||||
|
||||
- odoo_config_addons_path: ""
|
||||
|
||||
environment:
|
||||
|
||||
LC_ALL: en_US.UTF-8
|
||||
|
||||
Deploy the Playbook to the container
|
||||
|
||||
host> ansible-playbook -i inventory playbook.yml -e "ansible_ssh_user=root" -k -v
|
@ -0,0 +1 @@
|
||||
odoo11 ansible_host=oca.forksand.com ansible_port=28208 ansible_user=jballester
|
@ -0,0 +1,31 @@
|
||||
- name: Odoo 11
|
||||
hosts: odoo11
|
||||
remote_user: root
|
||||
become: yes
|
||||
roles:
|
||||
- postgresql
|
||||
- ansible-odoo
|
||||
- ansible-odoo-nginx
|
||||
- ansible-role-certbot
|
||||
vars:
|
||||
# [postgresql]
|
||||
- postgresql_version: 9.6
|
||||
# [odoo]
|
||||
- odoo_version: 11.0
|
||||
- odoo_install_type: pip
|
||||
- odoo_pip_requirements_url: https://raw.githubusercontent.com/Eficent/sample-oca-pip-requirements/11.0/requirements.txt
|
||||
- odoo_config_unaccent: True
|
||||
- odoo_config_admin_passwd: SuPerPassWorD
|
||||
- odoo_config_data_dir: "home/odoo/data"
|
||||
# [ridingbytes_nginx]
|
||||
- nginx_odoo_server: "oca.forksand.com"
|
||||
- ssl_certificate: /etc/letsencrypt/live/oca.forksand.com/fullchain.pem
|
||||
- ssl_certificate_key: /etc/letsencrypt/live/oca.forksand.com/privkey.pem
|
||||
# [certbot]
|
||||
- certbot_create_if_missing: yes
|
||||
- certbot_certs:
|
||||
- domains:
|
||||
- oca.forksand.com
|
||||
environment:
|
||||
LC_ALL: en_US.UTF-8
|
||||
|
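Review bot: The Odoo master password is committed in clear text as `- odoo_config_admin_passwd: SuPerPassWorD`, so anyone with read access to this repository, or to its history from now on, holds the credential Odoo uses for database management on the live host. Move the value into an ansible-vault encrypted vars file and reference it, e.g. `- odoo_config_admin_passwd: "{{ vault_odoo_config_admin_passwd }}"`, and rotate the password that has already been pushed. Separately, `- odoo_config_data_dir: "home/odoo/data"` lacks a leading slash, so it resolves relative to the Odoo process's working directory rather than to the intended `/home/odoo/data`.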
@ -0,0 +1,14 @@
|
||||
# from GitHub
|
||||
- name: ansible-odoo
|
||||
src: https://github.com/osiell/ansible-odoo
|
||||
version: origin/master-odoo_config_data_dir
|
||||
|
||||
- name: postgresql
|
||||
src: https://github.com/ANXS/postgresql
|
||||
|
||||
- name: ansible-odoo-nginx
|
||||
src: https://github.com/Eficent/ansible-odoo-nginx
|
||||
|
||||
- name: ansible-role-certbot
|
||||
src: https://github.com/geerlingguy/ansible-role-certbot
|
||||
|
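Review bot: Every role here is pulled from a GitHub branch head with no pin — `version: origin/master-odoo_config_data_dir` for ansible-odoo and no `version:` at all for the other three — so each `ansible-galaxy install` runs whatever those upstream repositories contain that day, and the playbook in this commit executes them with `become: yes`. Pin each role to a tag or commit, e.g. `version: <TAG-OR-COMMIT-PLACEHOLDER>` under each entry, and bump the pins deliberately. Because the roles come from `src:` URLs rather than Galaxy, there is no checksum or signature to fall back on, so the pin is the only thing fixing what gets executed on the target.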