
SDN/DNS



### Step 1. Configuring SDN in Proxmox and creating the template
 Go to your Proxmox -> Datacenter -> SDN.
 Create a Zone: type simple, name cloudzon.
 Create a VNet: name cloudnet, zone cloudzon.
 Create a Subnet: inside cloudnet enter the network 192.168.0.0/24, SNAT, Default Gateway 192.168.0.254.
 Don't forget to click Apply so the settings take effect.
MANDATORY: open Hardware of the adm-pc VM and change its network Bridge to cloudnet.

2. Preparing the disk in the Proxmox console:
find /var/lib/vz -name "alt-p11-cloud-x86_64.qcow2"
qm importdisk <vm_id> /var/lib/vz/import/alt-p11-cloud-x86_64.qcow2 local --format qcow2   # <vm_id> is the template VM's id (116 below)

3. Configuring Hardware (in the template's web interface):
 Double-click the unused disk and click Add.
qm resize 116 scsi0 +7G
qm set 116 --name alt-p11-cloud-template --memory 1024 --cores 1

 Adding the Cloud-Init device: go to the Hardware section. Click Add -> CloudInit Drive. Choose the storage and click Create.
4. Configuring parameters (Cloud-Init section):
 User: altlinux.
 Password: P@ssw0rd.
 SSH public key: if you already have a public key (for example, from your workstation), paste it here. This lets you log in to the servers without a password right after they are created.
 IP Config (Network):
 Saving the settings: click the Regenerate Image button in the top bar of this section.
5. Boot Order:
 Go to the Options section. Select Boot Order.
 ide2 off, scsi0 on and moved to first place.
6. Mandatory setup on every VM that is created:
sudo -i
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
sudo apt-get update
sudo apt-get install nano
nano /etc/openssh/sshd_config
# set this line, then restart the service:
PasswordAuthentication yes
systemctl restart sshd

### Step 2. Deploying infra-srv1 (FreeIPA, DNS, LDAP)
ssh 192.168.0.101
sudo hostnamectl set-hostname infra-srv1.au-team.cloud && sudo apt-get install -y freeipa-server freeipa-server-dns && sudo sed -i '/infra-srv1/d' /etc/hosts && echo "192.168.0.101 infra-srv1.au-team.cloud infra-srv1" | sudo tee -a /etc/hosts
sudo ipa-server-install --setup-dns --forwarder=8.8.8.8 -U -r AU-TEAM.CLOUD -p P@ssw0rd -a P@ssw0rd --hostname=infra-srv1.au-team.cloud --ip-address=192.168.0.101 --domain=au-team.cloud --no-ntp
kinit admin
ipa group-add admins --desc="Cloud Administrators"
ipa group-add developers --desc="Cloud Developers"
ipa user-add dev01 --first=Dev --last=User --password
# (enter the password P@ssw0rd)
ipa user-add admin01 --first=Admin --last=User --password
# (enter the password P@ssw0rd)
ipa group-add-member admins --users=admin01
ipa group-add-member developers --users=dev01
ipa hbacrule-disable allow_all
ipa hbacrule-add admins_access
ipa hbacrule-mod admins_access --hostcat=all
ipa hbacrule-mod admins_access --servicecat=all
ipa hbacrule-add-user admins_access --groups=admins
ipa hbacrule-add devs_access
ipa hbacrule-add-user devs_access --groups=developers
ipa hbacrule-add-service devs_access --hbacsvcs=sshd
ipa hbacrule-add-service devs_access --hbacsvcs=sudo
ipa hbacrule-add-service devs_access --hbacsvcs=sudo-i
ipa sudocmd-add /bin/cat
ipa sudocmd-add /bin/ls
ipa sudorule-add admins_sudo
ipa sudorule-add-user admins_sudo --groups=admins
ipa sudorule-mod admins_sudo --hostcat=all
ipa sudorule-mod admins_sudo --cmdcat=all
ipa sudorule-remove-runasuser admins_sudo --users=root
ipa sudorule-mod admins_sudo --runasusercat=all
ipa sudorule-add-option admins_sudo --sudooption='!authenticate'
ipa sudorule-add devs_sudo
ipa sudorule-add-user devs_sudo --groups=developers
ipa sudorule-mod devs_sudo --hostcat=""
ipa host-add infra-srv2.au-team.cloud --force
ipa host-add infra-srv3.au-team.cloud --force
ipa hbacrule-add-host devs_access --hosts=infra-srv2.au-team.cloud
ipa hbacrule-add-host devs_access --hosts=infra-srv3.au-team.cloud
ipa sudorule-add-host devs_sudo --hosts=infra-srv2.au-team.cloud
ipa sudorule-add-host devs_sudo --hosts=infra-srv3.au-team.cloud
ipa sudorule-add-runasuser devs_sudo --users=root
ipa sudorule-add-allow-command devs_sudo --sudocmds=/bin/cat
ipa sudorule-add-allow-command devs_sudo --sudocmds=/bin/ls
ipa sudorule-add-host devs_sudo --hosts=infra-srv2.au-team.cloud --hosts=infra-srv3.au-team.cloud
ipa dnsconfig-mod --forwarder=8.8.8.8 --forwarder=1.1.1.1
ipa dnsrecord-add au-team.cloud gitea --a-rec=192.168.0.102
ipa host-add gitea.au-team.cloud --force
ipa service-add HTTP/gitea.au-team.cloud --force
ipa service-add-host HTTP/gitea.au-team.cloud --hosts=infra-srv2.au-team.cloud
ipa dnsrecord-add au-team.cloud grafana --a-rec=192.168.0.103
ipa host-add grafana.au-team.cloud --force
ipa service-add HTTP/grafana.au-team.cloud --force
ipa service-add-host HTTP/grafana.au-team.cloud --hosts=infra-srv3.au-team.cloud
ipa dnszone-add au-team.cloud   # already created by ipa-server-install --setup-dns; skip if it reports that the zone exists
ipa dnszone-add 0.168.192.in-addr.arpa
ipa user-mod dev01 --setattr krbPasswordExpiration=20300101000000Z
ipa dnsrecord-add 0.168.192.in-addr.arpa. 101 --ptr-rec=infra-srv1.au-team.cloud.
ipa dnsrecord-add 0.168.192.in-addr.arpa. 102 --ptr-rec=infra-srv2.au-team.cloud.
exit
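A check for the HBAC model just built, added here as an example (not part of the original notes): it runs `ipa hbactest` on infra-srv1 after `kinit admin` and compares each answer with what the rules above should give. The `hbac_granted` and `hbac_expected` helpers are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify the HBAC rules from step 2
# with `ipa hbactest` (run on infra-srv1 after `kinit admin`).

# Parse `ipa hbactest` output: print 1 when access was granted, 0 otherwise.
hbac_granted() {
  case "$1" in
    *"Access granted: True"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Expected matrix for the rules above: user, host, HBAC service, expected (1 = allowed).
# admins_access: hostcat=all, servicecat=all. devs_access: sshd/sudo/sudo-i on srv2 and srv3 only.
# allow_all is disabled, so anything not matched by a rule (e.g. "login" for dev01) is denied.
hbac_expected() {
  cat <<'EOF'
dev01   infra-srv1.au-team.cloud sshd   0
dev01   infra-srv2.au-team.cloud sshd   1
dev01   infra-srv3.au-team.cloud sudo   1
dev01   infra-srv2.au-team.cloud login  0
admin01 infra-srv1.au-team.cloud sshd   1
admin01 infra-srv3.au-team.cloud sudo-i 1
EOF
}

# Run the matrix against the live server; the return code is the number of mismatches.
hbac_check_live() {
  fails=0
  while read -r user host svc want; do
    out=$(ipa hbactest --user="$user" --host="$host" --service="$svc" 2>&1)
    got=$(hbac_granted "$out")
    if [ "$got" = "$want" ]; then
      echo "ok   $user@$host/$svc -> $got"
    else
      echo "FAIL $user@$host/$svc: expected $want, got $got"
      fails=$((fails + 1))
    fi
  done <<EOF
$(hbac_expected)
EOF
  return "$fails"
}
```

Call `hbac_check_live` after the rules are in place; a non-zero exit code means a rule does not behave as the matrix expects.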

### Step 3. Preparing adm-pc
echo "nameserver 192.168.0.101" | sudo tee /etc/resolv.conf && sudo apt-get update && sudo apt-get install -y freeipa-client && sudo hostnamectl set-hostname adm-pc.au-team.cloud && echo "192.168.0.1 adm-pc.au-team.cloud adm-pc" | sudo tee -a /etc/hosts
sudo ipa-client-install --mkhomedir -p admin -w P@ssw0rd --domain=au-team.cloud --server=infra-srv1.au-team.cloud --realm=AU-TEAM.CLOUD -U --no-ntp
mkdir -p ~/.ssh && ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ed25519

cat <<EOF > ~/.ssh/config
Host infra-srv* k8s-srv*
    User altlinux
    StrictHostKeyChecking accept-new

Host infra-srv1
    HostName 192.168.0.101
Host infra-srv2
    HostName 192.168.0.102
Host infra-srv3
    HostName 192.168.0.103
EOF

chmod 600 ~/.ssh/config && ssh-copy-id infra-srv1 && ssh-copy-id infra-srv2 && ssh-copy-id infra-srv3

kinit admin01
ssh admin01@localhost
su - admin01

### Step 4. Installing Gitea (infra-srv2)

ssh altlinux@192.168.0.102
sudo hostnamectl set-hostname infra-srv2.au-team.cloud && echo "nameserver 192.168.0.101" | sudo tee /etc/resolv.conf && echo "192.168.0.102 infra-srv2.au-team.cloud infra-srv2" | sudo tee -a /etc/hosts
sudo apt-get update && sudo apt-get install -y freeipa-client
sudo ipa-client-install --mkhomedir -p admin -w P@ssw0rd --domain=au-team.cloud --server=infra-srv1.au-team.cloud --realm=AU-TEAM.CLOUD -U --no-ntp

sudo apt-get update && sudo apt-get install -y mariadb-server && sudo systemctl enable --now mariadb

sudo nano /etc/my.cnf.d/server.cnf
# in the [mysqld] section:
bind-address = 127.0.0.1
# if there is a skip-networking line, comment it out with #
# skip-networking

sudo systemctl restart mariadb
sudo ss -tulpn | grep 3306

sudo mysql
CREATE DATABASE gitea CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_general_ci';
CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'P@ssw0rd';
GRANT ALL PRIVILEGES ON gitea.* TO 'gitea'@'localhost';
FLUSH PRIVILEGES;
EXIT;

sudo apt-get install -y gitea nginx && sudo systemctl enable --now gitea nginx && sudo mkdir -p /etc/pki/tls/certs /etc/pki/tls/private && sudo chmod 700 /etc/pki/tls/private

sudo ipa-getcert request -r \
     -f /etc/pki/tls/certs/gitea.crt \
     -k /etc/pki/tls/private/gitea.key \
     -N CN=gitea.au-team.cloud \
     -K HTTP/gitea.au-team.cloud@AU-TEAM.CLOUD \
     -D gitea.au-team.cloud

sudo nano /etc/nginx/sites-available.d/gitea.conf

server {
    listen 80;
    server_name gitea.au-team.cloud;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name gitea.au-team.cloud;

    ssl_certificate /etc/pki/tls/certs/gitea.crt;
    ssl_certificate_key /etc/pki/tls/private/gitea.key;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

sudo ln -s /etc/nginx/sites-available.d/gitea.conf /etc/nginx/sites-enabled.d/ && sudo systemctl restart nginx && sudo sed -i 's|ROOT_URL.*|ROOT_URL = https://gitea.au-team.cloud/|g' /etc/gitea/app.ini && sudo systemctl restart gitea

infra-srv1: if the certificate is not issued, check the server first. Service status: sudo ipactl status. If pki-tomcatd is in the STOPPED state, bring everything up with sudo ipactl start. System certificates: sudo getcert list. Make sure the system certificates have not expired.
infra-srv2: Kerberos is picky about names. In /etc/hosts remove the host name from the 127.0.0.1 line; it must be bound only to the real IP. In /etc/krb5.conf add to the [libdefaults] section: dns_canonicalize_hostname = false, rdns = false. Refreshing credentials: sudo kinit -k, kinit admin.
Error 3009 (Invalid CSR) occurs when you request a certificate for one name but identify yourself as another. Important: -N CN=... is the name in the certificate; -K ... is the principal name in the IPA database; -D ... is the DNS name for the SAN.
After the request, check sudo getcert list. Wait for the MONITORING status. To force a retry: sudo getcert resubmit -i <request_ID>.
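The MONITORING check above can be scripted. Added example (not part of the original notes): `getcert_pending` parses `getcert list` output and lists requests that are not yet MONITORING, and `getcert_resubmit_pending` resubmits them; the sample output is constructed in the format `getcert list` prints.

```shell
#!/bin/sh
# Added example, not part of the original notes: find ipa-getcert requests that are not
# yet in MONITORING (stuck or still being processed) and resubmit them.

# Read `getcert list` output on stdin; print "<request id> <status>" for every request
# whose status is not MONITORING.
getcert_pending() {
  awk '
    /^Request ID/      { id = $3; gsub(/[^0-9A-Za-z]/, "", id) }
    /^[ \t]*status:/   { if ($2 != "MONITORING") print id, $2 }
  '
}

# Constructed sample in the shape `sudo getcert list` prints: one healthy, one stuck request.
sample_getcert_list() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20250101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/gitea.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/gitea.crt'
    CA: IPA
Request ID '20250101120100':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/grafana.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/grafana.crt'
    CA: IPA
EOF
}

# Resubmit every pending request on this host (needs root; does nothing when all are MONITORING).
getcert_resubmit_pending() {
  sudo getcert list | getcert_pending | while read -r id status; do
    echo "resubmitting request $id (status $status)"
    sudo getcert resubmit -i "$id"
  done
}
```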


 New CMD window: ssh -L 3000:localhost:3000 root@172.30.27.187 and ssh -L 3000:localhost:3000 altlinux@192.168.0.102.
 In the browser open http://localhost:3000/. Base URL: instead of http://localhost:3000/ enter http://infra-srv2.au-team.cloud:3000/.
 DB: Host: 127.0.0.1:3306, Username: gitea, Password: P@ssw0rd, Database: gitea.
 Create the admin: Username: gitadmin, Password: P@ssw0rd, Email: admin@au-team.cloud.
 LDAP integration: profile icon -> Site Administration -> Identity & Access -> Authentication Sources -> Add new source.
   Authentication name: FreeIPA
   Host: 192.168.0.101, Port: 389.
   Bind DN: uid=admin,cn=users,cn=accounts,dc=au-team,dc=cloud.
   Bind password: P@ssw0rd.
   User search base: cn=users,cn=accounts,dc=au-team,dc=cloud.
   User filter: (&(objectClass=posixAccount)(uid=%s)).
   Attributes: Username: uid, First Name: givenName, Surname: sn, Email: mail. Click "Add new source".
   Login test: sign in as dev01 (password P@ssw0rd).

Sign in as admin01 (password P@ssw0rd). "+" -> New Repository. Name: cloud-infra-iac. Make it private. Do not tick "Initialize Repository".

### Step 5. Configuring NFS
1. On infra-srv3 (server):
ssh altlinux@192.168.0.103
sudo hostnamectl set-hostname infra-srv3.au-team.cloud && echo "nameserver 192.168.0.101" | sudo tee /etc/resolv.conf && echo "192.168.0.103 infra-srv3.au-team.cloud infra-srv3" | sudo tee -a /etc/hosts && sudo apt-get update && sudo apt-get install -y freeipa-client nfs-server && sudo ipa-client-install --mkhomedir -p admin -w P@ssw0rd --domain=au-team.cloud --server=infra-srv1.au-team.cloud --realm=AU-TEAM.CLOUD -U --no-ntp
sudo mkdir -p /srv/nfs/backups && sudo chmod 777 /srv/nfs/backups && echo "/srv/nfs/backups 192.168.0.0/24(rw,sync,no_root_squash,no_subtree_check)" | sudo tee -a /etc/exports && sudo exportfs -a && sudo systemctl enable --now rpcbind nfs-server

2. On infra-srv2 (client):
ssh altlinux@192.168.0.102
sudo apt-get install -y nfs-clients && sudo mkdir -p /mnt/backups && sudo mount -t nfs 192.168.0.103:/srv/nfs/backups /mnt/backups && echo "192.168.0.103:/srv/nfs/backups /mnt/backups nfs defaults 0 0" | sudo tee -a /etc/fstab
sudo touch /mnt/backups/hello_from_gitea.txt && ls -l /mnt/backups/

### Step 6. IaC tools on adm-pc
ssh 192.168.0.1
sudo apt-get update && sudo apt-get install -y git unzip wget python3-module-pip codium

# If Terraform was downloaded on Windows:
# scp -J <jump_user>@<jump_IP> E:\pfuheprb\terraform_1.14.5_linux_amd64.zip altlinux@192.168.0.1:/home/altlinux/
unzip terraform_1.14.5_linux_amd64.zip && sudo mv terraform /usr/local/bin/ && terraform -v

su - admin01
mkdir -p ~/infra/{terraform,ansible,kubernetes}

cd ~/infra
git init && git config --global user.name "admin01" && git config --global user.email "admin01@au-team.cloud"
echo "venv/" > .gitignore && echo ".terraform/" >> .gitignore && echo "*.tfstate*" >> .gitignore && echo "*.tfvars" >> .gitignore && echo "*.key" >> .gitignore && echo "*.pem" >> .gitignore && git add . && git commit -m "Initial infrastructure commit"

git remote add origin https://gitea.au-team.cloud/admin01/cloud-infra-iac.git && git push -u origin master
Username for 'https://gitea.au-team.cloud': admin01
Password for 'https://admin01@gitea.au-team.cloud': P@ssw0rd


3. Preparing Ansible:
cd ~/infra/ansible && python3 -m venv venv/ansible && source venv/ansible/bin/activate && sudo bash -c 'echo "nameserver 8.8.8.8" > /etc/resolv.conf' && pip install ansible && mkdir -p ~/infra/ansible/inventories/production


cat <<EOF > ~/infra/ansible/inventories/production/hosts
all:
  vars:
    ansible_user: altlinux
    ansible_ssh_private_key_file: ~/.ssh/id_ed25519
    ansible_become: yes
    ansible_become_method: sudo
    ansible_become_password: P@ssw0rd
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
  children:
    production:
      hosts:
        infra-srv1.au-team.cloud:
          ansible_host: 192.168.0.101
        infra-srv2.au-team.cloud:
          ansible_host: 192.168.0.102
        infra-srv3.au-team.cloud:
          ansible_host: 192.168.0.103
EOF


ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ed25519

ssh-copy-id altlinux@192.168.0.101 && ssh-copy-id altlinux@192.168.0.102 && ssh-copy-id altlinux@192.168.0.103

ansible -i ~/infra/ansible/inventories/production/hosts -m ping all

4. Preparing Terraform providers:
mkdir -p ~/.terraform.d/plugins/registry.terraform.io/bpg/proxmox/0.89.1/linux_amd64 && mkdir -p ~/.terraform.d/plugins/registry.terraform.io/camptocamp/freeipa/1.0.0/linux_amd64

https://github.com/bpg/terraform-provider-proxmox/releases/download/v0.89.1/terraform-provider-proxmox_0.89.1_linux_amd64.zip
https://github.com/camptocamp/terraform-provider-freeipa/releases/download/v1.0.0/terraform-provider-freeipa_1.0.0_linux_amd64.zip

scp -J root@172.30.27.187 E:\pfuheprb\terraform-provider-proxmox_0.89.1_linux_amd64.zip altlinux@192.168.0.1:/home/altlinux
scp -J root@172.30.27.187 E:\pfuheprb\terraform-provider-freeipa_1.0.0_linux_amd64.zip altlinux@192.168.0.1:/home/altlinux

cd ~/.terraform.d/plugins/registry.terraform.io/bpg/proxmox/0.89.1/linux_amd64/ && sudo cp "/home/altlinux/terraform-provider-proxmox_0.89.1_linux_amd64.zip" . && sudo chown admin01:admin01 *.zip && unzip "terraform-provider-proxmox_0.89.1_linux_amd64.zip" && rm -f *.zip && chmod +x *


cd ~/.terraform.d/plugins/registry.terraform.io/camptocamp/freeipa/1.0.0/linux_amd64/ && sudo cp /home/altlinux/terraform-provider-freeipa_1.0.0_linux_amd64.zip . && sudo chown admin01:admin01 *.zip && unzip terraform-provider-freeipa_1.0.0_linux_amd64.zip && rm -f *.zip && chmod +x *



cat <<EOF > ~/.terraformrc
provider_installation {
  filesystem_mirror {
    path    = "/home/admin01/.terraform.d/plugins"
    include = ["registry.terraform.io/*/*"]
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}
EOF

### Step 7. Deploying Staging (Terraform)
1. Configuration in ~/infra/terraform:
nano ~/infra/terraform/providers.tf

terraform {
  required_providers {
    proxmox = {
      source  = "bpg/proxmox"
      version = "0.89.1"
    }
    freeipa = {
      source  = "camptocamp/freeipa"
      version = "1.0.0"
    }
  }
}

provider "proxmox" {
  endpoint = "https://172.30.27.187:8006/"
  username = "root@pam"
  password = "wersdfxcv"
  insecure = true
}

provider "freeipa" {
  host     = "infra-srv1.au-team.cloud"
  username = "admin"
  password = "P@ssw0rd"
  insecure = true
}

 cat ~/.ssh/id_ed25519.pub
nano ~/infra/terraform/main.tf

locals {
  nodes = {
    "k8s-srv1" = "201"
    "k8s-srv2" = "202"
    "k8s-srv3" = "203"
    "k8s-srv4" = "204"
    "k8s-srv5" = "205"
  }
}

resource "freeipa_dns_record" "a_records" {
  for_each        = local.nodes
  dnszoneidnsname = "au-team.cloud"
  idnsname        = each.key
  type            = "A"
  records         = ["192.168.0.${each.value}"]
}

resource "freeipa_dns_record" "ptr_records" {
  for_each        = local.nodes
  dnszoneidnsname = "0.168.192.in-addr.arpa."
  idnsname        = each.value
  type            = "PTR"
  records         = ["${each.key}.au-team.cloud."]
}

resource "proxmox_virtual_environment_vm" "k8s_nodes" {
  for_each  = local.nodes
  name      = each.key
  node_name = "pve"

  clone {
    vm_id = 116 # id of the template VM created in step 1
    full  = true
  }

  agent {
    enabled = false
  }

  cpu {
    cores = 2
    type  = "qemu64"
  }

  memory {
    dedicated = 2048
  }

  disk {
    datastore_id = "OBL-RT"
    interface    = "scsi0"
    size         = 15
  }

  initialization {
    datastore_id = "OBL-RT"
    ip_config {
      ipv4 {
        address = "192.168.0.${each.value}/24"
        gateway = "192.168.0.254"
      }
    }
    
    user_account {
      username = "altlinux"
      # public key of the adm-pc user (step 3); file() does not expand "~", hence pathexpand()
      keys     = [trimspace(file(pathexpand("~/.ssh/id_ed25519.pub")))]
    }

    dns {
      servers = ["192.168.0.101"] # corrected to the plural form (servers)
      domain  = "au-team.cloud"
    }
  }

  network_device {
    bridge = "cloudnet"
  }
}


2. Run:

sudo bash -c 'echo "192.168.0.101 infra-srv1.au-team.cloud infra-srv1" >> /etc/hosts' && sudo bash -c 'echo "nameserver 192.168.0.101" > /etc/resolv.conf' && cd ~/infra/terraform && terraform init && terraform plan && terraform apply -parallelism=1
# answer yes at the prompt

3. Checking and updating the ssh config:
sudo bash -c 'cat <<EOF > /etc/resolv.conf
search au-team.cloud
nameserver 192.168.0.101
nameserver 8.8.8.8
EOF'

cat <<EOF >> ~/.ssh/config

Host k8s-srv*
     User altlinux
     StrictHostKeyChecking accept-new
     ProxyJump infra-srv2
EOF

# Check that the names resolve to IPs (both zones)
nslookup k8s-srv1.au-team.cloud && nslookup k8s-srv5.au-team.cloud && nslookup 192.168.0.201

### Step 8. Configuring the Staging environment (Ansible)
cd ~/infra/ansible && mkdir -p inventories/staging

cat << 'EOF' > inventories/staging/hosts
all:
  vars:
    ansible_user: altlinux
    ansible_ssh_private_key_file: ~/.ssh/id_ed25519
    ansible_become: yes
    ansible_become_method: sudo
    ansible_become_password: P@ssw0rd
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
  children:
    k8s_nodes:
      hosts:
        k8s-srv1.au-team.cloud:
          ansible_host: 192.168.0.201
        k8s-srv2.au-team.cloud:
          ansible_host: 192.168.0.202
        k8s-srv3.au-team.cloud:
          ansible_host: 192.168.0.203
        k8s-srv4.au-team.cloud:
          ansible_host: 192.168.0.204
        k8s-srv5.au-team.cloud:
          ansible_host: 192.168.0.205
EOF
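Both inventories on this page (production in step 6 and staging above) turn off host-key verification and keep the sudo password in plain text. As an added example (not part of the original notes), here is a hardened staging inventory written the way the notes write files, plus `check_inventory`, a check that flags those settings in any inventory file; both function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes: hardened staging inventory plus a check
# for the weak settings used in the inventories on this page.

# Write a staging inventory that keeps host-key verification (accept-new records a node's key
# on first contact and rejects a changed key later) and carries no plain-text become password:
# run playbooks with --ask-become-pass, or keep the password in an ansible-vault file.
write_hardened_inventory() {
  dir="$1"
  mkdir -p "$dir"
  cat <<'EOF' > "$dir/hosts"
all:
  vars:
    ansible_user: altlinux
    ansible_ssh_private_key_file: ~/.ssh/id_ed25519
    ansible_become: yes
    ansible_become_method: sudo
    ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new'
  children:
    k8s_nodes:
      hosts:
        k8s-srv1.au-team.cloud:
          ansible_host: 192.168.0.201
        k8s-srv2.au-team.cloud:
          ansible_host: 192.168.0.202
        k8s-srv3.au-team.cloud:
          ansible_host: 192.168.0.203
        k8s-srv4.au-team.cloud:
          ansible_host: 192.168.0.204
        k8s-srv5.au-team.cloud:
          ansible_host: 192.168.0.205
EOF
}

# Report weak settings in an inventory file; the return code is the number of findings.
check_inventory() {
  findings=0
  if grep -q 'StrictHostKeyChecking=no' "$1"; then
    echo "$1: host-key verification disabled (StrictHostKeyChecking=no)"
    findings=$((findings + 1))
  fi
  if grep -q 'UserKnownHostsFile=/dev/null' "$1"; then
    echo "$1: known_hosts discarded (UserKnownHostsFile=/dev/null)"
    findings=$((findings + 1))
  fi
  # a vault-encrypted value starts with "!vault"; anything else on that line is plain text
  if grep -E '^[[:space:]]*ansible_become_password:' "$1" | grep -vq '!vault'; then
    echo "$1: plain-text ansible_become_password"
    findings=$((findings + 1))
  fi
  return "$findings"
}
```

Run the playbooks as `ansible-playbook -i inventories/staging/hosts playbook1_base_package.yml --ask-become-pass` so the sudo password never lands in the cloud-infra-iac repository.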

2. Base-packages playbook playbook1_base_package.yml:

cat << 'EOF' > playbook1_base_package.yml
---
- name: Install base packages on staging hosts
  hosts: all
  become: yes
  tasks:
    - name: Update apt cache
      shell: apt-get update
      changed_when: false

    - name: Install required base packages
      shell: apt-get install -y bash-completion vim-console chrony wget curl tzdata apt-repo
      register: apt_install
      changed_when: "'is already the newest version' not in apt_install.stdout"
EOF




3. Domain-join playbook playbook2_enter_in_domain.yml:

cat << 'EOF' > playbook2_enter_in_domain.yml
---
- name: Join hosts to au-team.cloud domain
  hosts: all
  become: yes
  tasks:
    - name: Check if host is already joined to FreeIPA
      stat:
        path: /etc/ipa/default.conf
      register: ipa_conf

    - name: Install freeipa-client package
      shell: apt-get install -y freeipa-client
      register: ipa_pkg
      changed_when: "'is already the newest version' not in ipa_pkg.stdout"
      when: not ipa_conf.stat.exists

    - name: Join to domain au-team.cloud
      shell: ipa-client-install --unattended --server=infra-srv1.au-team.cloud --domain=au-team.cloud --realm=AU-TEAM.CLOUD --principal=admin --password="{{ freeipa_admin_password }}" --mkhomedir --no-ntp
      when: not ipa_conf.stat.exists
EOF

4. Run:
cd ~/infra/ansible
ansible-playbook -i inventories/staging/hosts playbook1_base_package.yml
ansible-playbook -i inventories/staging/hosts playbook2_enter_in_domain.yml -e "freeipa_admin_password=P@ssw0rd"

### Step 9. Installing and configuring the monitoring system (infra-srv3)

ansible all -i inventories/staging/hosts -m shell -a "echo 'nameserver 8.8.8.8' > /etc/resolv.conf && apt-get update && apt-get install -y prometheus-node_exporter && systemctl enable --now prometheus-node_exporter; echo 'nameserver 192.168.0.101' > /etc/resolv.conf" -b
ansible all -i inventories/staging/hosts -m shell -a "apt-get update && apt-get install -y prometheus-node_exporter && systemctl enable --now prometheus-node_exporter" -b
ssh altlinux@192.168.0.101 "sudo apt-get update && sudo apt-get install -y prometheus-node_exporter && sudo systemctl enable --now prometheus-node_exporter"
ssh altlinux@192.168.0.102 "sudo apt-get update && sudo apt-get install -y prometheus-node_exporter && sudo systemctl enable --now prometheus-node_exporter"

2. Deploying Docker, Nginx, Grafana (infra-srv3):
ssh altlinux@192.168.0.103
sudo apt-get update && sudo apt-get install -y docker-engine docker-compose-v2 nginx prometheus-node_exporter && sudo systemctl enable --now docker nginx prometheus-node_exporter

sudo mkdir -p /etc/pki/tls/certs /etc/pki/tls/private && sudo chmod 700 /etc/pki/tls/private && sudo bash -c 'echo "nameserver 192.168.0.101" > /etc/resolv.conf' && ping -c 2 infra-srv1.au-team.cloud

sudo ipa-getcert request -r \
    -f /etc/pki/tls/certs/grafana.crt \
    -k /etc/pki/tls/private/grafana.key \
    -N CN=grafana.au-team.cloud \
    -D grafana.au-team.cloud \
    -K HTTP/grafana.au-team.cloud@AU-TEAM.CLOUD

mkdir -p ~/monitoring && cd ~/monitoring

cat <<EOF > prometheus.yml
global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'node_exporter'
    static_configs:
      - targets:
        - '192.168.0.101:9100'
        - '192.168.0.102:9100'
        - '192.168.0.103:9100'
        - '192.168.0.201:9100'
        - '192.168.0.202:9100'
        - '192.168.0.203:9100'
        - '192.168.0.204:9100'
        - '192.168.0.205:9100'
EOF

cat <<EOF > docker-compose.yml
version: '3.8'
services:
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
    network_mode: "host"
    restart: unless-stopped

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=P@ssw0rd
    network_mode: "host"
    restart: unless-stopped
EOF

sudo docker compose up -d

sudo tee /etc/nginx/sites-available.d/grafana.conf > /dev/null << 'EOF'
server {
    listen 80;
    server_name grafana.au-team.cloud;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name grafana.au-team.cloud;

    ssl_certificate /etc/pki/tls/certs/grafana.crt;
    ssl_certificate_key /etc/pki/tls/private/grafana.key;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF


sudo ln -s /etc/nginx/sites-available.d/grafana.conf /etc/nginx/sites-enabled.d/ && sudo systemctl restart nginx

3. Configuring Grafana in the web interface:
 In the Windows hosts file add 127.0.0.1 grafana.au-team.cloud.
 Port forwarding: ssh -J root@172.30.27.187 -L 443:192.168.0.103:443 altlinux@192.168.0.1.
 Browser: https://grafana.au-team.cloud (login admin, password P@ssw0rd).
 In the left menu click Connections -> Data Sources -> Add data source.
 Select Prometheus. URL: http://127.0.0.1:9090 -> Save & test.
 Dashboards -> New -> Import. ID: 1860. Select Prometheus -> Import.

exit

ansible all -i inventories/production/hosts -m shell -a "echo -e 'search au-team.cloud\nnameserver 192.168.0.101' > /etc/resolv.conf" -b
ansible all -i inventories/staging/hosts -m shell -a "echo -e 'search au-team.cloud\nnameserver 192.168.0.101' > /etc/resolv.conf" -b


cat << 'EOF' > ~/.ssh/config
Host infra-srv* k8s-srv*
    User altlinux
    IdentityFile ~/.ssh/id_ed25519
    StrictHostKeyChecking accept-new

Host k8s-srv*
    ProxyJump infra-srv2
EOF

1. Fixing SSH access (keys)
    echo "P@ssw0rd" | kinit admin01
    sudo apt-get install -y sshpass
    ansible all -i inventories/staging/hosts -m authorized_key -a "user=altlinux key='{{ lookup('file', '~/.ssh/id_ed25519.pub') }}'" -k
    ansible all -i inventories/production/hosts -m authorized_key -a "user=altlinux key='{{ lookup('file', '~/.ssh/id_ed25519.pub') }}'" -k
    ipa user-mod admin01 --sshpubkey="$(cat ~/.ssh/id_ed25519.pub)"
    for i in {1..5}; do
        cat ~/.ssh/id_ed25519.pub | ssh admin01@k8s-srv$i "sudo tee -a /home/altlinux/.ssh/authorized_keys > /dev/null"
    done
2. Configuring Sudo NOPASSWD (for admins)
    ansible all -i inventories/production/hosts -m shell -a "sss_cache -E && systemctl restart sssd" -b
5. Working with Git (switching branches)
    Rename and push:
    git branch -M main
    git push origin main

Git: git push origin main (check that everything is in Gitea).
Sudo: ssh admin01@infra-srv1 "sudo id" (check that it does not ask for a password).
DNS: nslookup 192.168.0.101 && nslookup 192.168.0.201 (check both zones).
Monitoring: open Grafana and make sure all 8 graphs on the dashboard show data.
HBAC: ssh dev01@infra-srv1 (make sure access is denied).