├── dns ├── etc_resolv.dnsmasq ├── etc_dnsmasq.hosts ├── docker-compose.yml └── etc_dnsmasq.conf ├── .gitignore ├── nexus ├── mirror_conf.d │ ├── pip.conf │ ├── epel.repo │ └── CentOS-Base.repo └── docker-compose.yml ├── jira ├── mysql │ ├── mysql-connector-java-5.1.48.jar │ └── mysqld_jira.cnf └── docker-compose.yml ├── confluence ├── mysql │ ├── mysql-connector-java-5.1.48.jar │ └── mysqld_confluence.cnf └── docker-compose.yml ├── nginx ├── conf.d │ ├── timeout.conf │ ├── static80.conf.template │ ├── proxy80.conf.template │ ├── static443.conf.template │ └── proxy443.conf.template ├── www │ └── pac │ │ ├── gen-pac.sh │ │ ├── whitelist │ │ └── index.html ├── docker-compose.yml └── ssl │ └── gencert.sh ├── proxy ├── ss-client.json.template └── docker-compose.yml ├── gitlab └── docker-compose.yml ├── sonarqube └── docker-compose.yml ├── ldap └── docker-compose.yaml └── README.md /dns/etc_resolv.dnsmasq: -------------------------------------------------------------------------------- 1 | nameserver 114.114.114.114 2 | nameserver 8.8.8.8 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | ss-client.json 3 | nginx/ssl/ 4 | ldap/ssl/ 5 | nginx/conf.d/*.conf 6 | -------------------------------------------------------------------------------- /nexus/mirror_conf.d/pip.conf: -------------------------------------------------------------------------------- 1 | [global] 2 | index-url = http://pypi.example.com/simple 3 | trusted-host = pypi.example.com 4 | -------------------------------------------------------------------------------- /jira/mysql/mysql-connector-java-5.1.48.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kangeek/infra-docker-compose/HEAD/jira/mysql/mysql-connector-java-5.1.48.jar -------------------------------------------------------------------------------- /confluence/mysql/mysql-connector-java-5.1.48.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kangeek/infra-docker-compose/HEAD/confluence/mysql/mysql-connector-java-5.1.48.jar -------------------------------------------------------------------------------- /nginx/conf.d/timeout.conf: -------------------------------------------------------------------------------- 1 | proxy_connect_timeout 600; 2 | proxy_send_timeout 600; 3 | proxy_read_timeout 600; 4 | send_timeout 600; 5 | -------------------------------------------------------------------------------- /dns/etc_dnsmasq.hosts: -------------------------------------------------------------------------------- 1 | # 由于使用的nginx做反向代理,所以全部都在一个IP上,也就是nginx所在主机的IP 2 | 172.31.0.254 dns.example.com proxy.example.com jira.example.com docs.example.com ldap.example.com git.example.com registry.example.com #... 3 | -------------------------------------------------------------------------------- /nginx/conf.d/static80.conf.template: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | 4 | server_name abc.example.com; 5 | 6 | location / { 7 | root /var/www/abc.example.com; 8 | index index.html; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /proxy/ss-client.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "server":"xxx.xxx.xxx.xxx", 3 | "server_port":xxxxx, 4 | "local_port":1080, 5 | "password":"xxxxxx", 6 | "method":"rc4-md5", 7 | "fast_open":false, 8 | "timeout":180 9 | } 10 | -------------------------------------------------------------------------------- /jira/mysql/mysqld_jira.cnf: -------------------------------------------------------------------------------- 1 | [client] 2 | default-character-set = utf8mb4 3 | 4 | [mysql] 5 | default-character-set = utf8mb4 6 | 7 | [mysqld] 8 | character-set-client-handshake = FALSE 9 | character-set-server = utf8mb4 10 | collation-server = utf8mb4_bin 11 | -------------------------------------------------------------------------------- /nginx/conf.d/proxy80.conf.template: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | 4 | server_name abc.example.com; 5 | 6 | location / { 7 | proxy_pass http://proxied.server; 8 | proxy_set_header X-Forwarded-For $remote_addr; 9 | proxy_set_header Host $host; 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /nginx/www/pac/gen-pac.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | export http_proxy=http://127.0.0.1:8118 4 | export https_proxy=http://127.0.0.1:8118 5 | 6 | basepath=$(cd `dirname $0`; pwd) 7 | 8 | cd $basepath 9 | 10 | genpac --format=pac --pac-compress --pac-proxy "SOCKS5 127.0.0.1:1080" --user-rule-from="${basepath}/whitelist" --output="${basepath}/index.html" 11 | -------------------------------------------------------------------------------- /confluence/mysql/mysqld_confluence.cnf: -------------------------------------------------------------------------------- 1 | [client] 2 | default-character-set = utf8 3 | 4 | [mysql] 5 | default-character-set = utf8 6 | 7 | [mysqld] 8 | transaction-isolation = READ-COMMITTED 9 | max_allowed_packet = 256M 10 | innodb_log_file_size = 2G 11 | default-storage-engine = INNODB 12 | binlog_format = row 13 | character-set-client-handshake = FALSE 14 | character-set-server = utf8 15 | collation-server = utf8_bin 16 | -------------------------------------------------------------------------------- /proxy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | proxy: 5 | image: sgrio/alpine-sslocalproxy 6 | container_name: proxy 7 | hostname: proxy 8 | networks: 9 | - devops 10 | privileged: true 11 | ports: 12 | - "1080:1080" 13 | - "8118:8118" 14 | volumes: 15 | - ./ss-client.json:/etc/shadowsocks-libev/config.json 16 | 17 | networks: 18 | devops: 19 | name: devops 20 | -------------------------------------------------------------------------------- /dns/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | dns: 5 | image: andyshinn/dnsmasq 6 | container_name: dns 7 | privileged: true 8 | cap_add: 9 | - NET_ADMIN 10 | networks: 11 | - devops 12 | ports: 13 | - "53:53" 14 | - "53:53/udp" 15 | volumes: 16 | - './etc_dnsmasq.conf:/etc/dnsmasq.conf' 17 | - './etc_resolv.dnsmasq:/etc/resolv.dnsmasq' 18 | - './etc_dnsmasq.hosts:/etc/dnsmasq.hosts' 19 | 20 | networks: 21 | devops: 22 | name: devops 23 | -------------------------------------------------------------------------------- /nginx/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | nginx: 5 | image: nginx 6 | container_name: nginx 7 | hostname: nginx 8 | networks: 9 | - devops 10 | privileged: true 11 | ports: 12 | - "80:80" 13 | - "443:443" 14 | volumes: 15 | - ./conf.d:/etc/nginx/conf.d 16 | - ./www:/var/www 17 | - ./ssl:/etc/nginx/ssl 18 | logging: 19 | driver: "json-file" 20 | options: 21 | max-size: "200k" 22 | max-file: "10" 23 | 24 | networks: 25 | devops: 26 | name: devops 27 | external: true 28 | -------------------------------------------------------------------------------- /nginx/www/pac/whitelist: -------------------------------------------------------------------------------- 1 | atlassian.com| 2 | citrix.com| 3 | cloudfoundry.com| 4 | cloudfront.net| 5 | codedellemc.com| 6 | commonaccord.org| 7 | coursera.org| 8 | docker.com| 9 | get.k8s.io| 10 | githubapp.com| 11 | github.com| 12 | githubusercontent.com| 13 | gnome-look.org| 14 | golanger.com| 15 | google-analytics.com| 16 | gradle.org| 17 | hashicorp.com| 18 | jetbrains.com| 19 | kubernetes.io| 20 | live.com| 21 | live.net| 22 | maven.apache.org| 23 | openshift.com| 24 | openshift.org| 25 | quay.io| 26 | spring.io| 27 | textnow.com| 28 | travis-ci.org| 29 | udemy.com| 30 | vagrantcloud.com| 31 | vagrantup.com| 32 | vagrantup.io| 33 | -------------------------------------------------------------------------------- /nginx/conf.d/static443.conf.template: -------------------------------------------------------------------------------- 1 | server { 2 | listen 443 ssl; 3 | 4 | server_name abc.example.com; 5 | 6 | ssl_certificate /etc/nginx/ssl/abc.example.com.crt; 7 | ssl_certificate_key /etc/nginx/ssl/abc.example.com.key; 8 | 9 | ssl_session_timeout 5m; 10 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 11 | ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 12 | ssl_prefer_server_ciphers on; 13 | 14 | location / { 15 | root /var/www/abc.exampel.com; 16 | index index.html; 17 | } 18 | } 19 | server { 20 | listen 80; 21 | server_name abc.example.com; 22 | rewrite ^(.*)$ https://$host$1 permanent; 23 | } 24 | -------------------------------------------------------------------------------- /nginx/conf.d/proxy443.conf.template: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name abc.example.com; 4 | rewrite ^(.*)$ https://$host$1 permanent; 5 | } 6 | server { 7 | listen 443 ssl; 8 | 9 | server_name abc.example.com; 10 | 11 | ssl_certificate /etc/nginx/ssl/abc.example.com.crt; 12 | ssl_certificate_key /etc/nginx/ssl/abc.example.com.key; 13 | 14 | ssl_session_timeout 5m; 15 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 16 | ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 17 | ssl_prefer_server_ciphers on; 18 | 19 | location / { 20 | proxy_pass https://proxied.server; 21 | proxy_set_header X-Forwarded-For $remote_addr; 22 | proxy_set_header Host $host; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /nexus/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | 3 | services: 4 | nexus: 5 | image: sonatype/nexus3 6 | container_name: nexus 7 | hostname: nexus 8 | networks: 9 | - devops 10 | ports: 11 | - "8081:8081" 12 | volumes: 13 | - nexus-data:/nexus-data 14 | 15 | registry: 16 | image: registry:2 17 | container_name: registry 18 | networks: 19 | - devops 20 | ports: 21 | - 5000:5000 22 | environment: 23 | - REGISTRY_PROXY_REMOTEURL="https://docker.mirrors.ustc.edu.cn" 24 | volumes: 25 | - registry:/var/lib/registry 26 | 27 | volumes: 28 | nexus-data: 29 | name: nexus-data 30 | registry: 31 | name: registry 32 | 33 | networks: 34 | devops: 35 | name: devops 36 | external: true 37 | -------------------------------------------------------------------------------- /nexus/mirror_conf.d/epel.repo: -------------------------------------------------------------------------------- 1 | [epel] 2 | name=Extra Packages for Enterprise Linux 7 - $basearch 3 | baseurl=http://nexus.example.com/repository/epel/7/$basearch 4 | failovermethod=priority 5 | enabled=1 6 | gpgcheck=1 7 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 8 | 9 | [epel-debuginfo] 10 | name=Extra Packages for Enterprise Linux 7 - $basearch - Debug 11 | baseurl=http://nexus.example.com/repository/epel/7/$basearch/debug 12 | failovermethod=priority 13 | enabled=0 14 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 15 | gpgcheck=1 16 | 17 | [epel-source] 18 | name=Extra Packages for Enterprise Linux 7 - $basearch - Source 19 | baseurl=http://nexus.example.com/repository/epel/7/SRPMS 20 | failovermethod=priority 21 | enabled=0 22 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 23 | gpgcheck=1 24 | -------------------------------------------------------------------------------- /gitlab/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | gitlab: 5 | image: gitlab/gitlab-ce 6 | container_name: gitlab 7 | hostname: gitlab 8 | environment: 9 | GITLAB_OMNIBUS_CONFIG: | 10 | external_url 'https://gitlab.example.com' 11 | nginx['redirect_http_to_https'] = true 12 | ports: 13 | - "2222:22" 14 | - "8080:80" 15 | - "8443:443" 16 | networks: 17 | - devops 18 | volumes: 19 | - gitlab-config:/etc/gitlab 20 | - gitlab-logs:/var/log/gitlab 21 | - gitlab-data:/var/opt/gitlab 22 | logging: 23 | driver: "json-file" 24 | options: 25 | max-size: "200k" 26 | max-file: "10" 27 | 28 | networks: 29 | devops: 30 | name: devops 31 | external: true 32 | 33 | volumes: 34 | gitlab-config: 35 | name: gitlab-config 36 | gitlab-logs: 37 | name: gitlab-logs 38 | gitlab-data: 39 | name: gitlab-data 40 | -------------------------------------------------------------------------------- /nginx/ssl/gencert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # create self-signed server certificate: 4 | 5 | read -p "Enter your domain [xxx.peony.dev]: " DOMAIN 6 | 7 | echo "Create server key..." 8 | 9 | openssl genrsa -des3 -out $DOMAIN.key 1024 10 | 11 | echo "Create server certificate signing request..." 12 | 13 | SUBJECT="/C=CN/ST=ShanDong/L=Jinan/O=Peony/OU=TechDept/CN=$DOMAIN" 14 | 15 | openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr 16 | 17 | echo "Remove password..." 18 | 19 | mv $DOMAIN.key $DOMAIN.origin.key 20 | openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key 21 | 22 | echo "Sign SSL certificate..." 23 | 24 | openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt 25 | 26 | echo "TODO:" 27 | #echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt" 28 | #echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key" 29 | echo "Add configuration in nginx:" 30 | echo "server {" 31 | echo " ..." 32 | echo " listen 443 ssl;" 33 | echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;" 34 | echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;" 35 | echo "}" 36 | echo "Then restart nginx container." 37 | -------------------------------------------------------------------------------- /nexus/mirror_conf.d/CentOS-Base.repo: -------------------------------------------------------------------------------- 1 | # CentOS-Base.repo 2 | # 3 | # The mirror system uses the connecting IP address of the client and the 4 | # update status of each mirror to pick mirrors that are updated to and 5 | # geographically close to the client. You should use this for CentOS updates 6 | # unless you are manually picking other mirrors. 7 | # 8 | # If the mirrorlist= does not work for you, as a fall back you can try the 9 | # remarked out baseurl= line instead. 10 | # 11 | # 12 | 13 | [base] 14 | name=CentOS-$releasever - Base 15 | baseurl=http://nexus.example.com/repository/centos-base//$releasever/os/$basearch/ 16 | gpgcheck=1 17 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 18 | 19 | #released updates 20 | [updates] 21 | name=CentOS-$releasever - Updates 22 | baseurl=http://nexus.example.com/repository/centos-base//$releasever/updates/$basearch/ 23 | gpgcheck=1 24 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 25 | 26 | #additional packages that may be useful 27 | [extras] 28 | name=CentOS-$releasever - Extras 29 | baseurl=http://nexus.example.com/repository/centos-base//$releasever/extras/$basearch/ 30 | gpgcheck=1 31 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 32 | 33 | #additional packages that extend functionality of existing packages 34 | [centosplus] 35 | name=CentOS-$releasever - Plus 36 | baseurl=http://nexus.example.com/repository/centos-base//$releasever/centosplus/$basearch/ 37 | gpgcheck=1 38 | enabled=0 39 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 40 | -------------------------------------------------------------------------------- /jira/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | services: 3 | mysql-jira: 4 | image: mysql:5.7 5 | container_name: mysql-jira 6 | environment: 7 | - MYSQL_ROOT_PASSWORD=devops 8 | - MYSQL_DATABASE=jiradb 9 | - MYSQL_USER=jira 10 | - MYSQL_PASSWORD=devops 11 | networks: 12 | - devops 13 | volumes: 14 | - ./mysql/mysqld_jira.cnf:/etc/mysql/conf.d/mysqld_jira.cnf 15 | - mysql-jira:/var/lib/mysql 16 | logging: 17 | driver: "json-file" 18 | options: 19 | max-size: "200k" 20 | max-file: "10" 21 | 22 | jira: 23 | image: atlassian/jira-software 24 | container_name: jira 25 | hostname: jira 26 | depends_on: 27 | - mysql-jira 28 | ports: 29 | - "8081:8080" 30 | environment: 31 | - JVM_MINIMUM_MEMORY=512m 32 | - JVM_MAXIMUM_MEMORY=2048m 33 | - ATL_PROXY_NAME=jira.example.com 34 | - ATL_PROXY_PORT=443 35 | - ATL_TOMCAT_SCHEME=https 36 | - ATL_TOMCAT_SECURE=true 37 | networks: 38 | - devops 39 | volumes: 40 | - ./mysql/mysql-connector-java-5.1.48.jar:/opt/atlassian/jira/lib/mysql-connector-java-5.1.48.jar 41 | - jira:/var/atlassian/application-data/jira 42 | logging: 43 | driver: "json-file" 44 | options: 45 | max-size: "200k" 46 | max-file: "10" 47 | 48 | networks: 49 | devops: 50 | name: devops 51 | external: true 52 | 53 | volumes: 54 | mysql-jira: 55 | name: mysql-jira 56 | jira: 57 | name: jira 58 | -------------------------------------------------------------------------------- /confluence/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | 5 | mysql-confluence: 6 | image: mysql:5.7 7 | container_name: mysql-confluence 8 | environment: 9 | - MYSQL_ROOT_PASSWORD=devops 10 | - MYSQL_DATABASE=confluencedb 11 | - MYSQL_USER=confluence 12 | - MYSQL_PASSWORD=devops 13 | networks: 14 | - devops 15 | volumes: 16 | - ./mysql/mysqld_confluence.cnf:/etc/mysql/conf.d/mysqld_confluence.cnf 17 | - mysql-confluence:/var/lib/mysql 18 | command: ["--transaction-isolation=READ-COMMITTED"] 19 | 20 | confluence: 21 | image: atlassian/confluence-server 22 | container_name: confluence 23 | hostname: confluence 24 | depends_on: 25 | - mysql-confluence 26 | ports: 27 | - "8701:8090" 28 | - "8702:8091" 29 | networks: 30 | - devops 31 | environment: 32 | - JVM_MINIMUM_MEMORY=512m # 384m 33 | - JVM_MAXIMUM_MEMORY=2048m # 768m 34 | - ATL_PROXY_NAME=docs.example.com 35 | - ATL_PROXY_PORT=443 36 | - ATL_TOMCAT_SCHEME=https 37 | - ATL_TOMCAT_SECURE=true 38 | volumes: 39 | - ./mysql/mysql-connector-java-5.1.48.jar:/opt/atlassian/confluence/confluence/WEB-INF/lib/mysql-connector-java-5.1.48.jar 40 | - confluence:/var/atlassian/application-data/confluence 41 | logging: 42 | driver: "json-file" 43 | options: 44 | max-size: "200k" 45 | max-file: "10" 46 | 47 | networks: 48 | devops: 49 | name: devops 50 | external: true 51 | 52 | volumes: 53 | mysql-confluence: 54 | name: mysql-confluence 55 | confluence: 56 | name: confluence 57 | -------------------------------------------------------------------------------- /sonarqube/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | 5 | postgres-sonar: 6 | image: postgres 7 | container_name: postgres-sonar 8 | networks: 9 | - devops 10 | environment: 11 | - POSTGRES_USER=sonar 12 | - POSTGRES_PASSWORD=devops 13 | volumes: 14 | - postgres-sonar:/var/lib/postgresql 15 | # This needs explicit mapping due to https://github.com/docker-library/postgres/blob/4e48e3228a30763913ece952c611e5e9b95c8759/Dockerfile.template#L52 16 | - postgres-sonar-data:/var/lib/postgresql/data 17 | 18 | sonarqube: 19 | image: sonarqube 20 | container_name: sonarqube 21 | hostname: sonarqube 22 | depends_on: 23 | - postgres-sonar 24 | ports: 25 | - "9000:9000" 26 | environment: 27 | - sonar.jdbc.url=jdbc:postgresql://postgres-sonar:5432/sonar 28 | - sonar.jdbc.username=sonar 29 | - sonar.jdbc.password=devops 30 | networks: 31 | - devops 32 | volumes: 33 | - sonar-conf:/opt/sonarqube/conf 34 | - sonar-data:/opt/sonarqube/data 35 | - sonar-logs:/opt/sonarqube/logs 36 | - sonar-extensions:/opt/sonarqube/extensions 37 | logging: 38 | driver: "json-file" 39 | options: 40 | max-size: "200k" 41 | max-file: "10" 42 | 43 | networks: 44 | devops: 45 | name: devops 46 | external: true 47 | 48 | volumes: 49 | sonar-conf: 50 | name: sonar-conf 51 | sonar-data: 52 | name: sonar-data 53 | sonar-logs: 54 | name: sonar-logs 55 | sonar-extensions: 56 | name: sonar-extensions 57 | postgres-sonar: 58 | name: postgres-sonar 59 | postgres-sonar-data: 60 | name: postgress-sonar-data 61 | -------------------------------------------------------------------------------- /ldap/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | ldap: 5 | image: osixia/openldap 6 | container_name: ldap 7 | hostname: ldap 8 | networks: 9 | - devops 10 | ports: 11 | - "389:389" 12 | - "636:636" 13 | environment: 14 | - LDAP_ORGANISATION=Kang 15 | - LDAP_DOMAIN=example.com 16 | - LDAP_ADMIN_PASSWORD=passwd 17 | - LDAP_READONLY_USER=true 18 | - LDAP_READONLY_USER_USERNAME=readonly 19 | - LDAP_READONLY_USER_PASSWORD=passwd 20 | - LDAP_TLS_CRT_FILENAME=ldap.example.com.crt 21 | - LDAP_TLS_KEY_FILENAME=ldap.example.com.key 22 | - LDAP_TLS_CA_CRT_FILENAME=root.example.com.crt 23 | volumes: 24 | - ./ssl:/container/service/slapd/assets/certs 25 | - ldap-var:/var/lib/ldap 26 | - ldap-etc:/etc/ldap/slapd.d 27 | logging: 28 | driver: "json-file" 29 | options: 30 | max-size: "200k" 31 | max-file: "10" 32 | 33 | ldap-admin: 34 | image: osixia/phpldapadmin 35 | container_name: ldap-admin 36 | hostname: ldap-admin 37 | depends_on: 38 | - ldap 39 | networks: 40 | - devops 41 | # If nginx not on the same "devops" network, uncomment the following two lines. 42 | # ports: 43 | # - "8701:80" 44 | # - "8443:443" 45 | environment: 46 | - PHPLDAPADMIN_LDAP_HOSTS=ldap 47 | - PHPLDAPADMIN_HTTPS_CRT_FILENAME=ldap.example.com.crt 48 | - PHPLDAPADMIN_HTTPS_KEY_FILENAME=ldap.example.com.key 49 | - PHPLDAPADMIN_HTTPS_CA_CRT_FILENAME=root.example.com.crt 50 | volumes: 51 | - ./ssl:/container/service/phpldapadmin/assets/apache2/certs 52 | - ldap-admin:/var/www/phpldapadmin 53 | logging: 54 | driver: "json-file" 55 | options: 56 | max-size: "200k" 57 | max-file: "10" 58 | 59 | volumes: 60 | ldap-var: 61 | name: ldap-var 62 | ldap-etc: 63 | name: ldap-etc 64 | ldap-admin: 65 | name: ldap-admin 66 | 67 | networks: 68 | devops: 69 | name: devops 70 | external: true 71 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [TOC] 2 | 3 | 目前的方案主要是围绕Gitlab及其自带的gitlab-runner在搭建,如图。 4 | 5 | ![](https://tva1.sinaimg.cn/large/006tNbRwly1gaia7y8na7j31f60nijwo.jpg) 6 | 7 | 如果要查看基于Gerrit和Jenkins的部署方式,请切换到v0.1分支(其中各组件版本可能有点旧了,请自行使用镜像最新版本的镜像)。 8 | 9 | 以下工具基于 Docker & Docker Compose 来部署,其中的配置全部基于“example.com”,具体部署前可根据实际情况进行批量替换。 10 | 11 | # 0 准备 12 | 13 | ## 0.1 安装docker 14 | 15 | ``` 16 | curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun 17 | ``` 18 | 19 | 并根据需要配置国内源。 20 | 21 | ## 0.2 下载docker-compose 22 | 23 | 参考[文档](https://docs.docker.com/compose/install/). 24 | 25 | ``` 26 | sudo curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose 27 | sudo chmod +x /usr/local/bin/docker-compose 28 | ``` 29 | 30 | ## 0.2 开启IPv4 IP forward(不配置似乎也没事,待验证) 31 | 32 | 容器要想访问外部网络,需要本地系统的转发支持。编辑`/etc/sysctl.conf`,添加或修改: 33 | 34 | ``` 35 | net.ipv4.ip_forward=1 36 | ``` 37 | 38 | 然后重启网络和docker。 39 | 40 | ``` 41 | systemctl restart network 42 | systemctl restart docker 43 | ``` 44 | 45 | ## 0.4 挂载目录的SELinux权限 46 | 47 | 这一版,容器数据的持久化数据的挂载有限使用命名卷,而不是直接将主机目录挂载到容器里。以便避免权限等问题导致的坑。 48 | 49 | 如果开启SELinux,并且采用目录挂载挂载的方式,需要配置SELinux权限。如挂载主机目录为`/srv/mysql`,则执行: 50 | 51 | ``` 52 | chcon -Rt svirt_sandbox_file_t /srv/mysql 53 | ``` 54 | 55 | ## 0.4 防火墙方面 56 | 57 | **iptables增加端口** 58 | 59 | 配置iptable规则:`vi /etc/sysconfig/iptables` 60 | 61 | ``` 62 | # 增加一行(如增加UDP 123端口) 63 | -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT 64 | ``` 65 | 66 | **firewalld开通端口** 67 | 68 | ``` 69 | firewall-cmd --zone=public --add-port=80/tcp --permanent 70 | systemctl restart firewalld 71 | ``` 72 | 73 | # 1 部署节点 74 | 75 | ## 1.1 研发内网域名解析 76 | 77 | 研发内用的DNS有dnsmasq来提供,由nginx进行反向代理。DNS的docker-compose.yml如下: 78 | 79 | ``` 80 | services: 81 | dns: 82 | image: andyshinn/dnsmasq 83 | container_name: dns 84 | hostname: dns 85 | networks: 86 | - devops 87 | privileged: true 88 | cap_add: 89 | - NET_ADMIN 90 | ports: 91 | - "53:53" 92 | - "53:53/udp" 93 | volumes: 94 | - './etc_dnsmasq.conf:/etc/dnsmasq.conf' 95 | - './etc_resolv.dnsmasq:/etc/resolv.dnsmasq' 96 | - './etc_dnsmasq.hosts:/etc/dnsmasq.hosts' 97 | ``` 98 | 99 | 容器的三个配置文件通过volume的方式与主机当前目录下的配置文件共享。 100 | 101 | DNS服务使用的是dnsmasq。其中, 102 | 103 | * `/etc/dnsmasq.conf`是主配置文件,主要内容有两行: 104 | 105 | ``` 106 | # 指定配置外网DNS地址的resolv文件 107 | resolv-file=/etc/resolv.dnsmasq 108 | # 指定配置内网域名解析关系的文件 109 | addn-hosts=/etc/dnsmasq.hosts 110 | ``` 111 | 112 | * `/etc/resolv.dnsmasq`,配置外网DNS地址,内容如下: 113 | 114 | ``` 115 | nameserver 114.114.114.114 116 | nameserver 202.106.0.20 117 | ``` 118 | 119 | * `/etc/dnsmasq.hosts`,配置内网域名解析,内容如下: 120 | 121 | ``` 122 | # ops 123 | 172.31.0.254 dns ntp dns.example.com ntp.example.com 124 | 172.31.0.253 nas nas.example.com 125 | 172.31.3.101 vcenter vcenter.example.com 126 | 127 | 172.23.0.100 ldap ldap.example.com 128 | 172.23.0.101 jira jira.example.com 129 | 130 | ... ... 131 | ``` 132 | 133 | 134 | 135 | ## 1.2 反向代理 136 | 137 | 平台由多个组件构成,涉及多个不同的IP和端口号,为了方便记忆,采用域名+反向代理的配置方式。反向代理用Nginx提供,`docker-compose.yml`如下: 138 | 139 | ``` 140 | services: 141 | nginx: 142 | image: nginx 143 | container_name: nginx 144 | hostname: nginx 145 | networks: 146 | - devops 147 | # dns: 148 | # - 172.31.0.254 149 | privileged: true 150 | ports: 151 | - "80:80" 152 | - "443:443" 153 | volumes: 154 | - ./conf.d:/etc/nginx/conf.d # 1 155 | - ./www:/var/www # 2 156 | - ./ssl:/etc/nginx/ssl # 3 157 | ``` 158 | 159 | 1. 所有的反向代理配置放在`conf.d`目录下,随着下面各个组件的介绍会继续补充; 160 | 2. 静态页面放在`www`目录下; 161 | 3. 证书放在`ssl`下。 162 | 163 | ## 1.3 LDAP 164 | 165 | LDAP使用OpenLDAP进行维护,使用phpldapadmin管理界面。这一版的LDAP增加了SSL支持,因此需要提供证书。docker-compose.yml如下: 166 | 167 | ``` 168 | services: 169 | ldap: 170 | image: osixia/openldap 171 | container_name: ldap 172 | hostname: ldap 173 | networks: 174 | - devops 175 | ports: 176 | - "389:389" 177 | - "636:636" 178 | environment: 179 | - LDAP_ORGANISATION=ExampleCom 180 | - LDAP_DOMAIN=example.com 181 | - LDAP_ADMIN_PASSWORD=passwd 182 | - LDAP_READONLY_USER=true 183 | - LDAP_READONLY_USER_USERNAME=readonly 184 | - LDAP_READONLY_USER_PASSWORD=passwd 185 | - LDAP_TLS_CRT_FILENAME=ldap.example.com.crt #1 186 | - LDAP_TLS_KEY_FILENAME=ldap.example.com.key #1 187 | - LDAP_TLS_CA_CRT_FILENAME=root.example.com.crt #1 188 | volumes: 189 | - ./ssl:/container/service/slapd/assets/certs #1 190 | - ldap-var:/var/lib/ldap 191 | - ldap-etc:/etc/ldap/slapd.d 192 | logging: 193 | driver: "json-file" 194 | options: 195 | max-size: "200k" 196 | max-file: "10" 197 | 198 | ldap-admin: 199 | image: osixia/phpldapadmin 200 | container_name: ldap-admin 201 | hostname: ldap-admin 202 | depends_on: 203 | - ldap 204 | networks: 205 | - devops 206 | # If nginx not on the same "devops" network, uncomment the following two lines. 207 | # ports: 208 | # - "8080:80" 209 | # - "8443:443" 210 | environment: 211 | - PHPLDAPADMIN_LDAP_HOSTS=ldap 212 | - PHPLDAPADMIN_HTTPS_CRT_FILENAME=ldap.example.com.crt #1 213 | - PHPLDAPADMIN_HTTPS_KEY_FILENAME=ldap.example.com.key #1 214 | - PHPLDAPADMIN_HTTPS_CA_CRT_FILENAME=root.example.com.crt #1 215 | volumes: 216 | - ./ssl:/container/service/phpldapadmin/assets/apache2/certs #1 217 | - ldap-admin:/var/www/phpldapadmin 218 | logging: 219 | driver: "json-file" 220 | options: 221 | max-size: "200k" 222 | max-file: "10" 223 | ``` 224 | 225 | 1. 证书文件通过卷挂载,并使用环境变量进行指定。 226 | 227 | ## 1.4 JIRA & Confluence 228 | 229 | 以Jira为例,docker-compose.yml如下: 230 | 231 | ``` 232 | version: '3' 233 | 234 | services: 235 | mysql-jira: 236 | image: mysql:5.7 237 | container_name: mysql-jira 238 | environment: 239 | - MYSQL_ROOT_PASSWORD=devops 240 | - MYSQL_DATABASE=jiradb #1 241 | - MYSQL_USER=jira #1 242 | - MYSQL_PASSWORD=devops #1 243 | networks: 244 | - devops 245 | volumes: 246 | - ./mysql/mysqld_jira.cnf:/etc/mysql/conf.d/mysqld_jira.cnf #3 247 | - mysql-jira:/var/lib/mysql 248 | logging: 249 | driver: "json-file" 250 | options: 251 | max-size: "200k" 252 | max-file: "10" 253 | jira: 254 | image: atlassian/jira-software 255 | container_name: jira 256 | hostname: jira 257 | depends_on: 258 | - mysql-jira 259 | ports: 260 | - "8081:8080" 261 | environment: 262 | - JVM_MINIMUM_MEMORY=512m 263 | - JVM_MAXIMUM_MEMORY=2048m 264 | - ATL_PROXY_NAME=jira.example.com #2 265 | - ATL_PROXY_PORT=443 #2 266 | - ATL_TOMCAT_SCHEME=https #2 267 | - ATL_TOMCAT_SECURE=true #2 268 | networks: 269 | - devops 270 | volumes: 271 | - ./mysql/mysql-connector-java-5.1.48.jar:/opt/atlassian/jira/lib/mysql-connector-java-5.1.48.jar #3 272 | - jira:/var/atlassian/application-data/jira 273 | ``` 274 | 275 | 1. 启动MySQL的时候即初始化好数据库和用户; 276 | 2. Jira前方经过反向代理,而反向代理配置了SSL; 277 | 3. Jira对数据库有编码的要求,`./mysql/mysqld_jira.cnf`中可见: 278 | 279 | ``` 280 | [client] 281 | default-character-set = utf8mb4 282 | 283 | [mysql] 284 | default-character-set = utf8mb4 285 | 286 | [mysqld] 287 | character-set-client-handshake = FALSE 288 | character-set-server = utf8mb4 289 | collation-server = utf8mb4_bin 290 | ``` 291 | 292 | > [Jira和Confluence的破解方法](https://blog.csdn.net/get_set/article/details/80856922),仅用于学习,企业用户请购买正版。 293 | 294 | ## 1.5 Gitlab 295 | 296 | ### 1.5.1 让出22端口 297 | 298 | 注意,由于gitlab的SSH默认使用的是22端口,因此主机的sshd建议修改为其他端口。编辑`/etc/ssh/sshd_config`增加2222端口: 299 | 300 | ``` 301 | #Port 22 302 | Port 2222 303 | ``` 304 | 305 | 然后执行如下命令为SELinux开启2222端口: 306 | 307 | ``` 308 | semanage port -a -t ssh_port_t -p tcp 2222 309 | ``` 310 | 311 | 然后执行如下命令让防火墙通过2222端口: 312 | 313 | ``` 314 | firewall-cmd --permanent --add-port=2222/tcp 315 | systemctl restart firewalld.service 316 | ``` 317 | 318 | ### 1.5.2 启动gitlab 319 | 320 | 使用gitlab官方docker镜像,docker-compose.yml文件如下: 321 | 322 | ``` 323 | services: 324 | gitlab: 325 | image: gitlab/gitlab-ce 326 | container_name: gitlab 327 | hostname: gitlab 328 | environment: 329 | GITLAB_OMNIBUS_CONFIG: | 330 | external_url 'https://gitlab.example.com' #1 331 | nginx['redirect_http_to_https'] = true #1 332 | ports: 333 | - "2222:22" 334 | - "8080:80" 335 | - "8443:443" 336 | networks: 337 | - devops 338 | volumes: 339 | - gitlab-config:/etc/gitlab #2 340 | - gitlab-logs:/var/log/gitlab #2 341 | - gitlab-data:/var/opt/gitlab #2 342 | logging: 343 | driver: "json-file" 344 | options: 345 | max-size: "200k" 346 | max-file: "10" 347 | 348 | ``` 349 | 350 | 1. 由于gitlab前方有支持SSL的反向代理,external_url为用户使用的地址;此处`GITLAB_OMNIBUS_CONFIG`环境变量可用于提前给出任意`gitlab.rb`中的配置。 351 | 352 | 挂载目录如下: 353 | 354 | | 主机目录 | 容器目录 | 内容 | 355 | | --- | --- | --- | 356 | | gitlab-data | /var/opt/gitlab | 应用数据 | 357 | | gitlab-logs | /var/log/gitlab | 日志 | 358 | | gitlab-config | /etc/gitlab | GitLab配置文件 | 359 | 360 | ### 1.5.3 gitlab与LDAP的集成 361 | 362 | 由于配置文件已经共享到宿主机,因此可以通过编辑`gitlab-config`卷中的`gitlab.rb`配置gitlab: 363 | 364 | ``` 365 | ###! **remember to close this block with 'EOS' below** 366 | gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' 367 | main: # 'main' is the GitLab 'provider ID' of this LDAP server 368 | label: 'LDAP' 369 | host: 'ldap.example.com' 370 | port: 389 371 | uid: 'cn' 372 | bind_dn: 'cn=admin,dc=example,dc=com' 373 | password: '' 374 | encryption: 'plain' # "start_tls" or "simple_tls" or "plain" 375 | verify_certificates: true 376 | active_directory: false 377 | allow_username_or_email_login: true 378 | lowercase_usernames: true 379 | block_auto_created_users: false 380 | base: 'dc=example,dc=com' 381 | user_filter: '' 382 | ## EE only 383 | group_base: '' 384 | admin_group: '' 385 | sync_ssh_keys: false 386 | EOS 387 | ``` 388 | 389 | 然后执行如下命令使gitlab配置生效: 390 | 391 | ``` 392 | docker exec -it gitlab gitlab-ctl reconfigure 393 | ``` 394 | 395 | ## 1.6 SonarQube 396 | 397 | Sonarqube没有太多可解释的,与Jira或Confluence类似,就是典型的一个数据库+一个应用的部署方式,数据库启动时自动创建database和相应的用户的密码;SonarQube为官方镜像。 398 | 399 | SonarQube中用到的插件可以到[SonarQube插件库](https://docs.sonarqube.org/display/PLUG/Plugin+Library)下载,并复制到`sonar-extensions`卷的`plugins`目录下,并重启使其生效。 400 | 401 | ## 1.7 Nexus 402 | 403 | 仍然采用容器的部署方式,采用官方镜像`sonatype/nexus3`。 404 | 405 | 使用`nginx`进行反向代理,将不同的域名映射到不同的nexus端口或路径。 406 | 407 | 因此`docker-compose.yml`文件内容如下: 408 | 409 | ``` 410 | services: 411 | nexus: 412 | image: sonatype/nexus3 413 | container_name: nexus 414 | hostname: nexus 415 | networks: 416 | - devops 417 | ports: 418 | - "8081:8081" 419 | volumes: 420 | - nexus-data:/nexus-data 421 | 422 | registry: 423 | image: registry:2 424 | container_name: registry 425 | networks: 426 | - devops 427 | ports: 428 | - 5000:5000 429 | environment: 430 | - REGISTRY_PROXY_REMOTEURL="https://docker.mirrors.ustc.edu.cn" 431 | volumes: 432 | - registry:/var/lib/registry 433 | ``` 434 | 435 | ## 1.8 上网代理 436 | 437 | 由于研发人员经常需要上Google,或查询各种技术官网资料,因此一个统一的上网代理还是有必要的。 438 | 439 | 这里使用SOCKS5来做外网的代理,支持PAC模式和全局代理模式。 440 | 441 | 1. 代理使用sslocal,代理服务器的配置通过json文件传给该命令,端口为1080; 442 | 2. sslocal的代理为socks协议,因此使用privoxy转为http协议,端口为8118,该代理地址可用于全局代理模式的配置; 443 | 3. PAC代理模式维护一个list,只有list中的网址是走代理的,通过一个pac文件来维护,同时指定了SOCKS代理的地址,将该pac文件用http服务提供出来,使用者直接配置该pac文件的http地址即可使用PAC方式上网。 444 | 445 | 以上,第1,2由`sgrio/alpine-sslocalproxy`容器提供;第3条就起一个`httpd`容器,将pac文件用http访问即可。docker-compose.yml如下: 446 | 447 | ``` 448 | services: 449 | proxy: 450 | image: sgrio/alpine-sslocalproxy 451 | container_name: proxy 452 | hostname: proxy 453 | networks: 454 | - devops 455 | privileged: true 456 | ports: 457 | - "1080:1080" 458 | - "8118:8118" 459 | volumes: 460 | - './ss-client.json:/etc/shadowsocks-libev/config.json' # 1 461 | ``` 462 | 463 | 1. 代理服务器的配置通过volume挂载[`ss-client.json`]()文件实现。 464 | 465 | ### PAC的支持 466 | 467 | pac的内容放在`nginx/www/pac`中通过挂载到nginx的目录下,从而可以直接通过地址`proxy.example.com/pac`访问。 468 | 469 | pac的生成通过[`gen-pac.sh`](http://gitlab.example.com/infra/infra-docker-compose/blob/master/infra/gen-pac.sh)命令生成,该命令会从`gfwlist`拉取一份常用的代理网站地址list,另外还会加上`whitelist`中自定义的list,生成pac文件`index.html`。 470 | 471 | > 代码中的代理配置信息(`infra/ss-client.json`)无效。 472 | 473 | ## -------------------------------------------------------------------------------- /dns/etc_dnsmasq.conf: -------------------------------------------------------------------------------- 1 | # Configuration file for dnsmasq. 2 | # 3 | # Format is one option per line, legal options are the same 4 | # as the long options legal on the command line. See 5 | # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. 6 | 7 | # Listen on this specific port instead of the standard DNS port 8 | # (53). Setting this to zero completely disables DNS function, 9 | # leaving only DHCP and/or TFTP. 10 | #port=5353 11 | 12 | # The following two options make you a better netizen, since they 13 | # tell dnsmasq to filter out queries which the public DNS cannot 14 | # answer, and which load the servers (especially the root servers) 15 | # unnecessarily. If you have a dial-on-demand link they also stop 16 | # these requests from bringing up the link unnecessarily. 17 | 18 | # Never forward plain names (without a dot or domain part) 19 | #domain-needed 20 | # Never forward addresses in the non-routed address spaces. 21 | #bogus-priv 22 | 23 | # Uncomment these to enable DNSSEC validation and caching: 24 | # (Requires dnsmasq to be built with DNSSEC option.) 25 | #conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf 26 | #dnssec 27 | 28 | # Replies which are not DNSSEC signed may be legitimate, because the domain 29 | # is unsigned, or may be forgeries. Setting this option tells dnsmasq to 30 | # check that an unsigned reply is OK, by finding a secure proof that a DS 31 | # record somewhere between the root and the domain does not exist. 32 | # The cost of setting this is that even queries in unsigned domains will need 33 | # one or more extra DNS queries to verify. 34 | #dnssec-check-unsigned 35 | 36 | # Uncomment this to filter useless windows-originated DNS requests 37 | # which can trigger dial-on-demand links needlessly. 38 | # Note that (amongst other things) this blocks all SRV requests, 39 | # so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. 40 | # This option only affects forwarding, SRV records originating for 41 | # dnsmasq (via srv-host= lines) are not suppressed by it. 42 | #filterwin2k 43 | 44 | # Change this line if you want dns to get its upstream servers from 45 | # somewhere other that /etc/resolv.conf 46 | #resolv-file= 47 | resolv-file=/etc/resolv.dnsmasq 48 | 49 | # By default, dnsmasq will send queries to any of the upstream 50 | # servers it knows about and tries to favour servers to are known 51 | # to be up. Uncommenting this forces dnsmasq to try each query 52 | # with each server strictly in the order they appear in 53 | # /etc/resolv.conf 54 | #strict-order 55 | 56 | # If you don't want dnsmasq to read /etc/resolv.conf or any other 57 | # file, getting its servers from this file instead (see below), then 58 | # uncomment this. 59 | #no-resolv 60 | 61 | # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv 62 | # files for changes and re-read them then uncomment this. 63 | #no-poll 64 | 65 | # Add other name servers here, with domain specs if they are for 66 | # non-public domains. 67 | #server=/localnet/192.168.0.1 68 | 69 | # Example of routing PTR queries to nameservers: this will send all 70 | # address->name queries for 192.168.3/24 to nameserver 10.1.2.3 71 | #server=/3.168.192.in-addr.arpa/10.1.2.3 72 | 73 | # Add local-only domains here, queries in these domains are answered 74 | # from /etc/hosts or DHCP only. 75 | #local=/localnet/ 76 | 77 | # Add domains which you want to force to an IP address here. 78 | # The example below send any host in double-click.net to a local 79 | # web-server. 80 | #address=/double-click.net/127.0.0.1 81 | 82 | # --address (and --server) work with IPv6 addresses too. 83 | #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 84 | 85 | # Add the IPs of all queries to yahoo.com, google.com, and their 86 | # subdomains to the vpn and search ipsets: 87 | #ipset=/yahoo.com/google.com/vpn,search 88 | 89 | # You can control how dnsmasq talks to a server: this forces 90 | # queries to 10.1.2.3 to be routed via eth1 91 | # server=10.1.2.3@eth1 92 | 93 | # and this sets the source (ie local) address used to talk to 94 | # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that 95 | # IP on the machine, obviously). 96 | # server=10.1.2.3@192.168.1.1#55 97 | 98 | # If you want dnsmasq to change uid and gid to something other 99 | # than the default, edit the following lines. 100 | #user= 101 | #group= 102 | 103 | # If you want dnsmasq to listen for DHCP and DNS requests only on 104 | # specified interfaces (and the loopback) give the name of the 105 | # interface (eg eth0) here. 106 | # Repeat the line for more than one interface. 107 | #interface= 108 | # Or you can specify which interface _not_ to listen on 109 | #except-interface= 110 | # Or which to listen on by address (remember to include 127.0.0.1 if 111 | # you use this.) 112 | #listen-address= 113 | # If you want dnsmasq to provide only DNS service on an interface, 114 | # configure it as shown above, and then use the following line to 115 | # disable DHCP and TFTP on it. 116 | #no-dhcp-interface= 117 | 118 | # On systems which support it, dnsmasq binds the wildcard address, 119 | # even when it is listening on only some interfaces. It then discards 120 | # requests that it shouldn't reply to. This has the advantage of 121 | # working even when interfaces come and go and change address. If you 122 | # want dnsmasq to really bind only the interfaces it is listening on, 123 | # uncomment this option. About the only time you may need this is when 124 | # running another nameserver on the same machine. 125 | #bind-interfaces 126 | 127 | # If you don't want dnsmasq to read /etc/hosts, uncomment the 128 | # following line. 129 | #no-hosts 130 | # or if you want it to read another file, as well as /etc/hosts, use 131 | # this. 132 | #addn-hosts=/etc/banner_add_hosts 133 | addn-hosts=/etc/dnsmasq.hosts 134 | 135 | # Set this (and domain: see below) if you want to have a domain 136 | # automatically added to simple names in a hosts-file. 137 | #expand-hosts 138 | 139 | # Set the domain for dnsmasq. this is optional, but if it is set, it 140 | # does the following things. 141 | # 1) Allows DHCP hosts to have fully qualified domain names, as long 142 | # as the domain part matches this setting. 143 | # 2) Sets the "domain" DHCP option thereby potentially setting the 144 | # domain of all systems configured by DHCP 145 | # 3) Provides the domain part for "expand-hosts" 146 | #domain=thekelleys.org.uk 147 | 148 | # Set a different domain for a particular subnet 149 | #domain=wireless.thekelleys.org.uk,192.168.2.0/24 150 | 151 | # Same idea, but range rather then subnet 152 | #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 153 | 154 | # Uncomment this to enable the integrated DHCP server, you need 155 | # to supply the range of addresses available for lease and optionally 156 | # a lease time. If you have more than one network, you will need to 157 | # repeat this for each network on which you want to supply DHCP 158 | # service. 159 | #dhcp-range=192.168.0.50,192.168.0.150,12h 160 | 161 | # This is an example of a DHCP range where the netmask is given. This 162 | # is needed for networks we reach the dnsmasq DHCP server via a relay 163 | # agent. If you don't know what a DHCP relay agent is, you probably 164 | # don't need to worry about this. 165 | #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h 166 | 167 | # This is an example of a DHCP range which sets a tag, so that 168 | # some DHCP options may be set only for this network. 169 | #dhcp-range=set:red,192.168.0.50,192.168.0.150 170 | 171 | # Use this DHCP range only when the tag "green" is set. 172 | #dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h 173 | 174 | # Specify a subnet which can't be used for dynamic address allocation, 175 | # is available for hosts with matching --dhcp-host lines. Note that 176 | # dhcp-host declarations will be ignored unless there is a dhcp-range 177 | # of some type for the subnet in question. 178 | # In this case the netmask is implied (it comes from the network 179 | # configuration on the machine running dnsmasq) it is possible to give 180 | # an explicit netmask instead. 181 | #dhcp-range=192.168.0.0,static 182 | 183 | # Enable DHCPv6. Note that the prefix-length does not need to be specified 184 | # and defaults to 64 if missing/ 185 | #dhcp-range=1234::2, 1234::500, 64, 12h 186 | 187 | # Do Router Advertisements, BUT NOT DHCP for this subnet. 188 | #dhcp-range=1234::, ra-only 189 | 190 | # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and 191 | # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 192 | # hosts. Use the DHCPv4 lease to derive the name, network segment and 193 | # MAC address and assume that the host will also have an 194 | # IPv6 address calculated using the SLAAC algorithm. 195 | #dhcp-range=1234::, ra-names 196 | 197 | # Do Router Advertisements, BUT NOT DHCP for this subnet. 198 | # Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) 199 | #dhcp-range=1234::, ra-only, 48h 200 | 201 | # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA 202 | # so that clients can use SLAAC addresses as well as DHCP ones. 203 | #dhcp-range=1234::2, 1234::500, slaac 204 | 205 | # Do Router Advertisements and stateless DHCP for this subnet. Clients will 206 | # not get addresses from DHCP, but they will get other configuration information. 207 | # They will use SLAAC for addresses. 208 | #dhcp-range=1234::, ra-stateless 209 | 210 | # Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses 211 | # from DHCPv4 leases. 212 | #dhcp-range=1234::, ra-stateless, ra-names 213 | 214 | # Do router advertisements for all subnets where we're doing DHCPv6 215 | # Unless overridden by ra-stateless, ra-names, et al, the router 216 | # advertisements will have the M and O bits set, so that the clients 217 | # get addresses and configuration from DHCPv6, and the A bit reset, so the 218 | # clients don't use SLAAC addresses. 219 | #enable-ra 220 | 221 | # Supply parameters for specified hosts using DHCP. There are lots 222 | # of valid alternatives, so we will give examples of each. Note that 223 | # IP addresses DO NOT have to be in the range given above, they just 224 | # need to be on the same network. The order of the parameters in these 225 | # do not matter, it's permissible to give name, address and MAC in any 226 | # order. 227 | 228 | # Always allocate the host with Ethernet address 11:22:33:44:55:66 229 | # The IP address 192.168.0.60 230 | #dhcp-host=11:22:33:44:55:66,192.168.0.60 231 | 232 | # Always set the name of the host with hardware address 233 | # 11:22:33:44:55:66 to be "fred" 234 | #dhcp-host=11:22:33:44:55:66,fred 235 | 236 | # Always give the host with Ethernet address 11:22:33:44:55:66 237 | # the name fred and IP address 192.168.0.60 and lease time 45 minutes 238 | #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m 239 | 240 | # Give a host with Ethernet address 11:22:33:44:55:66 or 241 | # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume 242 | # that these two Ethernet interfaces will never be in use at the same 243 | # time, and give the IP address to the second, even if it is already 244 | # in use by the first. Useful for laptops with wired and wireless 245 | # addresses. 246 | #dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 247 | 248 | # Give the machine which says its name is "bert" IP address 249 | # 192.168.0.70 and an infinite lease 250 | #dhcp-host=bert,192.168.0.70,infinite 251 | 252 | # Always give the host with client identifier 01:02:02:04 253 | # the IP address 192.168.0.60 254 | #dhcp-host=id:01:02:02:04,192.168.0.60 255 | 256 | # Always give the InfiniBand interface with hardware address 257 | # 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the 258 | # ip address 192.168.0.61. The client id is derived from the prefix 259 | # ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of 260 | # hex digits of the hardware address. 261 | #dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 262 | 263 | # Always give the host with client identifier "marjorie" 264 | # the IP address 192.168.0.60 265 | #dhcp-host=id:marjorie,192.168.0.60 266 | 267 | # Enable the address given for "judge" in /etc/hosts 268 | # to be given to a machine presenting the name "judge" when 269 | # it asks for a DHCP lease. 270 | #dhcp-host=judge 271 | 272 | # Never offer DHCP service to a machine whose Ethernet 273 | # address is 11:22:33:44:55:66 274 | #dhcp-host=11:22:33:44:55:66,ignore 275 | 276 | # Ignore any client-id presented by the machine with Ethernet 277 | # address 11:22:33:44:55:66. This is useful to prevent a machine 278 | # being treated differently when running under different OS's or 279 | # between PXE boot and OS boot. 280 | #dhcp-host=11:22:33:44:55:66,id:* 281 | 282 | # Send extra options which are tagged as "red" to 283 | # the machine with Ethernet address 11:22:33:44:55:66 284 | #dhcp-host=11:22:33:44:55:66,set:red 285 | 286 | # Send extra options which are tagged as "red" to 287 | # any machine with Ethernet address starting 11:22:33: 288 | #dhcp-host=11:22:33:*:*:*,set:red 289 | 290 | # Give a fixed IPv6 address and name to client with 291 | # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 292 | # Note the MAC addresses CANNOT be used to identify DHCPv6 clients. 293 | # Note also the they [] around the IPv6 address are obligatory. 294 | #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 295 | 296 | # Ignore any clients which are not specified in dhcp-host lines 297 | # or /etc/ethers. Equivalent to ISC "deny unknown-clients". 298 | # This relies on the special "known" tag which is set when 299 | # a host is matched. 300 | #dhcp-ignore=tag:!known 301 | 302 | # Send extra options which are tagged as "red" to any machine whose 303 | # DHCP vendorclass string includes the substring "Linux" 304 | #dhcp-vendorclass=set:red,Linux 305 | 306 | # Send extra options which are tagged as "red" to any machine one 307 | # of whose DHCP userclass strings includes the substring "accounts" 308 | #dhcp-userclass=set:red,accounts 309 | 310 | # Send extra options which are tagged as "red" to any machine whose 311 | # MAC address matches the pattern. 312 | #dhcp-mac=set:red,00:60:8C:*:*:* 313 | 314 | # If this line is uncommented, dnsmasq will read /etc/ethers and act 315 | # on the ethernet-address/IP pairs found there just as if they had 316 | # been given as --dhcp-host options. Useful if you keep 317 | # MAC-address/host mappings there for other purposes. 318 | #read-ethers 319 | 320 | # Send options to hosts which ask for a DHCP lease. 321 | # See RFC 2132 for details of available options. 322 | # Common options can be given to dnsmasq by name: 323 | # run "dnsmasq --help dhcp" to get a list. 324 | # Note that all the common settings, such as netmask and 325 | # broadcast address, DNS server and default route, are given 326 | # sane defaults by dnsmasq. You very likely will not need 327 | # any dhcp-options. If you use Windows clients and Samba, there 328 | # are some options which are recommended, they are detailed at the 329 | # end of this section. 330 | 331 | # Override the default route supplied by dnsmasq, which assumes the 332 | # router is the same machine as the one running dnsmasq. 333 | #dhcp-option=3,1.2.3.4 334 | 335 | # Do the same thing, but using the option name 336 | #dhcp-option=option:router,1.2.3.4 337 | 338 | # Override the default route supplied by dnsmasq and send no default 339 | # route at all. Note that this only works for the options sent by 340 | # default (1, 3, 6, 12, 28) the same line will send a zero-length option 341 | # for all other option numbers. 342 | #dhcp-option=3 343 | 344 | # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 345 | #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 346 | 347 | # Send DHCPv6 option. Note [] around IPv6 addresses. 348 | #dhcp-option=option6:dns-server,[1234::77],[1234::88] 349 | 350 | # Send DHCPv6 option for namservers as the machine running 351 | # dnsmasq and another. 352 | #dhcp-option=option6:dns-server,[::],[1234::88] 353 | 354 | # Ask client to poll for option changes every six hours. (RFC4242) 355 | #dhcp-option=option6:information-refresh-time,6h 356 | 357 | # Set option 58 client renewal time (T1). Defaults to half of the 358 | # lease time if not specified. (RFC2132) 359 | #dhcp-option=option:T1:1m 360 | 361 | # Set option 59 rebinding time (T2). Defaults to 7/8 of the 362 | # lease time if not specified. (RFC2132) 363 | #dhcp-option=option:T2:2m 364 | 365 | # Set the NTP time server address to be the same machine as 366 | # is running dnsmasq 367 | #dhcp-option=42,0.0.0.0 368 | 369 | # Set the NIS domain name to "welly" 370 | #dhcp-option=40,welly 371 | 372 | # Set the default time-to-live to 50 373 | #dhcp-option=23,50 374 | 375 | # Set the "all subnets are local" flag 376 | #dhcp-option=27,1 377 | 378 | # Send the etherboot magic flag and then etherboot options (a string). 379 | #dhcp-option=128,e4:45:74:68:00:00 380 | #dhcp-option=129,NIC=eepro100 381 | 382 | # Specify an option which will only be sent to the "red" network 383 | # (see dhcp-range for the declaration of the "red" network) 384 | # Note that the tag: part must precede the option: part. 385 | #dhcp-option = tag:red, option:ntp-server, 192.168.1.1 386 | 387 | # The following DHCP options set up dnsmasq in the same way as is specified 388 | # for the ISC dhcpcd in 389 | # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt 390 | # adapted for a typical dnsmasq installation where the host running 391 | # dnsmasq is also the host running samba. 392 | # you may want to uncomment some or all of them if you use 393 | # Windows clients and Samba. 394 | #dhcp-option=19,0 # option ip-forwarding off 395 | #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) 396 | #dhcp-option=45,0.0.0.0 # netbios datagram distribution server 397 | #dhcp-option=46,8 # netbios node type 398 | 399 | # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. 400 | #dhcp-option=252,"\n" 401 | 402 | # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client 403 | # probably doesn't support this...... 404 | #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com 405 | 406 | # Send RFC-3442 classless static routes (note the netmask encoding) 407 | #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 408 | 409 | # Send vendor-class specific options encapsulated in DHCP option 43. 410 | # The meaning of the options is defined by the vendor-class so 411 | # options are sent only when the client supplied vendor class 412 | # matches the class given here. (A substring match is OK, so "MSFT" 413 | # matches "MSFT" and "MSFT 5.0"). This example sets the 414 | # mtftp address to 0.0.0.0 for PXEClients. 415 | #dhcp-option=vendor:PXEClient,1,0.0.0.0 416 | 417 | # Send microsoft-specific option to tell windows to release the DHCP lease 418 | # when it shuts down. Note the "i" flag, to tell dnsmasq to send the 419 | # value as a four-byte integer - that's what microsoft wants. See 420 | # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true 421 | #dhcp-option=vendor:MSFT,2,1i 422 | 423 | # Send the Encapsulated-vendor-class ID needed by some configurations of 424 | # Etherboot to allow is to recognise the DHCP server. 425 | #dhcp-option=vendor:Etherboot,60,"Etherboot" 426 | 427 | # Send options to PXELinux. Note that we need to send the options even 428 | # though they don't appear in the parameter request list, so we need 429 | # to use dhcp-option-force here. 430 | # See http://syslinux.zytor.com/pxe.php#special for details. 431 | # Magic number - needed before anything else is recognised 432 | #dhcp-option-force=208,f1:00:74:7e 433 | # Configuration file name 434 | #dhcp-option-force=209,configs/common 435 | # Path prefix 436 | #dhcp-option-force=210,/tftpboot/pxelinux/files/ 437 | # Reboot time. (Note 'i' to send 32-bit value) 438 | #dhcp-option-force=211,30i 439 | 440 | # Set the boot filename for netboot/PXE. You will only need 441 | # this is you want to boot machines over the network and you will need 442 | # a TFTP server; either dnsmasq's built in TFTP server or an 443 | # external one. (See below for how to enable the TFTP server.) 444 | #dhcp-boot=pxelinux.0 445 | 446 | # The same as above, but use custom tftp-server instead machine running dnsmasq 447 | #dhcp-boot=pxelinux,server.name,192.168.1.100 448 | 449 | # Boot for Etherboot gPXE. The idea is to send two different 450 | # filenames, the first loads gPXE, and the second tells gPXE what to 451 | # load. The dhcp-match sets the gpxe tag for requests from gPXE. 452 | #dhcp-match=set:gpxe,175 # gPXE sends a 175 option. 453 | #dhcp-boot=tag:!gpxe,undionly.kpxe 454 | #dhcp-boot=mybootimage 455 | 456 | # Encapsulated options for Etherboot gPXE. All the options are 457 | # encapsulated within option 175 458 | #dhcp-option=encap:175, 1, 5b # priority code 459 | #dhcp-option=encap:175, 176, 1b # no-proxydhcp 460 | #dhcp-option=encap:175, 177, string # bus-id 461 | #dhcp-option=encap:175, 189, 1b # BIOS drive code 462 | #dhcp-option=encap:175, 190, user # iSCSI username 463 | #dhcp-option=encap:175, 191, pass # iSCSI password 464 | 465 | # Test for the architecture of a netboot client. PXE clients are 466 | # supposed to send their architecture as option 93. (See RFC 4578) 467 | #dhcp-match=peecees, option:client-arch, 0 #x86-32 468 | #dhcp-match=itanics, option:client-arch, 2 #IA64 469 | #dhcp-match=hammers, option:client-arch, 6 #x86-64 470 | #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 471 | 472 | # Do real PXE, rather than just booting a single file, this is an 473 | # alternative to dhcp-boot. 474 | #pxe-prompt="What system shall I netboot?" 475 | # or with timeout before first available action is taken: 476 | #pxe-prompt="Press F8 for menu.", 60 477 | 478 | # Available boot services. for PXE. 479 | #pxe-service=x86PC, "Boot from local disk" 480 | 481 | # Loads /pxelinux.0 from dnsmasq TFTP server. 482 | #pxe-service=x86PC, "Install Linux", pxelinux 483 | 484 | # Loads /pxelinux.0 from TFTP server at 1.2.3.4. 485 | # Beware this fails on old PXE ROMS. 486 | #pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 487 | 488 | # Use bootserver on network, found my multicast or broadcast. 489 | #pxe-service=x86PC, "Install windows from RIS server", 1 490 | 491 | # Use bootserver at a known IP address. 492 | #pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 493 | 494 | # If you have multicast-FTP available, 495 | # information for that can be passed in a similar way using options 1 496 | # to 5. See page 19 of 497 | # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf 498 | 499 | 500 | # Enable dnsmasq's built-in TFTP server 501 | #enable-tftp 502 | 503 | # Set the root directory for files available via FTP. 504 | #tftp-root=/var/ftpd 505 | 506 | # Do not abort if the tftp-root is unavailable 507 | #tftp-no-fail 508 | 509 | # Make the TFTP server more secure: with this set, only files owned by 510 | # the user dnsmasq is running as will be send over the net. 511 | #tftp-secure 512 | 513 | # This option stops dnsmasq from negotiating a larger blocksize for TFTP 514 | # transfers. It will slow things down, but may rescue some broken TFTP 515 | # clients. 516 | #tftp-no-blocksize 517 | 518 | # Set the boot file name only when the "red" tag is set. 519 | #dhcp-boot=tag:red,pxelinux.red-net 520 | 521 | # An example of dhcp-boot with an external TFTP server: the name and IP 522 | # address of the server are given after the filename. 523 | # Can fail with old PXE ROMS. Overridden by --pxe-service. 524 | #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 525 | 526 | # If there are multiple external tftp servers having a same name 527 | # (using /etc/hosts) then that name can be specified as the 528 | # tftp_servername (the third option to dhcp-boot) and in that 529 | # case dnsmasq resolves this name and returns the resultant IP 530 | # addresses in round robin fashion. This facility can be used to 531 | # load balance the tftp load among a set of servers. 532 | #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name 533 | 534 | # Set the limit on DHCP leases, the default is 150 535 | #dhcp-lease-max=150 536 | 537 | # The DHCP server needs somewhere on disk to keep its lease database. 538 | # This defaults to a sane location, but if you want to change it, use 539 | # the line below. 540 | #dhcp-leasefile=/var/lib/misc/dnsmasq.leases 541 | 542 | # Set the DHCP server to authoritative mode. In this mode it will barge in 543 | # and take over the lease for any client which broadcasts on the network, 544 | # whether it has a record of the lease or not. This avoids long timeouts 545 | # when a machine wakes up on a new network. DO NOT enable this if there's 546 | # the slightest chance that you might end up accidentally configuring a DHCP 547 | # server for your campus/company accidentally. The ISC server uses 548 | # the same option, and this URL provides more information: 549 | # http://www.isc.org/files/auth.html 550 | #dhcp-authoritative 551 | 552 | # Run an executable when a DHCP lease is created or destroyed. 553 | # The arguments sent to the script are "add" or "del", 554 | # then the MAC address, the IP address and finally the hostname 555 | # if there is one. 556 | #dhcp-script=/bin/echo 557 | 558 | # Set the cachesize here. 559 | #cache-size=150 560 | 561 | # If you want to disable negative caching, uncomment this. 562 | #no-negcache 563 | 564 | # Normally responses which come from /etc/hosts and the DHCP lease 565 | # file have Time-To-Live set as zero, which conventionally means 566 | # do not cache further. If you are happy to trade lower load on the 567 | # server for potentially stale date, you can set a time-to-live (in 568 | # seconds) here. 569 | #local-ttl= 570 | 571 | # If you want dnsmasq to detect attempts by Verisign to send queries 572 | # to unregistered .com and .net hosts to its sitefinder service and 573 | # have dnsmasq instead return the correct NXDOMAIN response, uncomment 574 | # this line. You can add similar lines to do the same for other 575 | # registries which have implemented wildcard A records. 576 | #bogus-nxdomain=64.94.110.11 577 | 578 | # If you want to fix up DNS results from upstream servers, use the 579 | # alias option. This only works for IPv4. 580 | # This alias makes a result of 1.2.3.4 appear as 5.6.7.8 581 | #alias=1.2.3.4,5.6.7.8 582 | # and this maps 1.2.3.x to 5.6.7.x 583 | #alias=1.2.3.0,5.6.7.0,255.255.255.0 584 | # and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 585 | #alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 586 | 587 | # Change these lines if you want dnsmasq to serve MX records. 588 | 589 | # Return an MX record named "maildomain.com" with target 590 | # servermachine.com and preference 50 591 | #mx-host=maildomain.com,servermachine.com,50 592 | 593 | # Set the default target for MX records created using the localmx option. 594 | #mx-target=servermachine.com 595 | 596 | # Return an MX record pointing to the mx-target for all local 597 | # machines. 598 | #localmx 599 | 600 | # Return an MX record pointing to itself for all local machines. 601 | #selfmx 602 | 603 | # Change the following lines if you want dnsmasq to serve SRV 604 | # records. These are useful if you want to serve ldap requests for 605 | # Active Directory and other windows-originated DNS requests. 606 | # See RFC 2782. 607 | # You may add multiple srv-host lines. 608 | # The fields are ,,,, 609 | # If the domain part if missing from the name (so that is just has the 610 | # service and protocol sections) then the domain given by the domain= 611 | # config option is used. (Note that expand-hosts does not need to be 612 | # set for this to work.) 613 | 614 | # A SRV record sending LDAP for the example.com domain to 615 | # ldapserver.example.com port 389 616 | #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 617 | 618 | # A SRV record sending LDAP for the example.com domain to 619 | # ldapserver.example.com port 389 (using domain=) 620 | #domain=example.com 621 | #srv-host=_ldap._tcp,ldapserver.example.com,389 622 | 623 | # Two SRV records for LDAP, each with different priorities 624 | #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 625 | #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 626 | 627 | # A SRV record indicating that there is no LDAP server for the domain 628 | # example.com 629 | #srv-host=_ldap._tcp.example.com 630 | 631 | # The following line shows how to make dnsmasq serve an arbitrary PTR 632 | # record. This is useful for DNS-SD. (Note that the 633 | # domain-name expansion done for SRV records _does_not 634 | # occur for PTR records.) 635 | #ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" 636 | 637 | # Change the following lines to enable dnsmasq to serve TXT records. 638 | # These are used for things like SPF and zeroconf. (Note that the 639 | # domain-name expansion done for SRV records _does_not 640 | # occur for TXT records.) 641 | 642 | #Example SPF. 643 | #txt-record=example.com,"v=spf1 a -all" 644 | 645 | #Example zeroconf 646 | #txt-record=_http._tcp.example.com,name=value,paper=A4 647 | 648 | # Provide an alias for a "local" DNS name. Note that this _only_ works 649 | # for targets which are names from DHCP or /etc/hosts. Give host 650 | # "bert" another name, bertrand 651 | #cname=bertand,bert 652 | 653 | # For debugging purposes, log each DNS query as it passes through 654 | # dnsmasq. 655 | #log-queries 656 | 657 | # Log lots of extra information about DHCP transactions. 658 | #log-dhcp 659 | 660 | # Include another lot of configuration options. 661 | #conf-file=/etc/dnsmasq.more.conf 662 | #conf-dir=/etc/dnsmasq.d 663 | 664 | # Include all the files in a directory except those ending in .bak 665 | #conf-dir=/etc/dnsmasq.d,.bak 666 | 667 | # Include all files in a directory which end in .conf 668 | conf-dir=/etc/dnsmasq.d/,*.conf 669 | -------------------------------------------------------------------------------- /nginx/www/pac/index.html: -------------------------------------------------------------------------------- 1 | /*! genpac 2.1.0 https://github.com/JinnLynn/genpac */ 2 | function FindProxyForURL(t,r){for(var e=0;ee.length)&&(r=e.length),r-=t.length;var n=e.indexOf(t,r);return-1!==n&&n===r}); 3 | //! Generated: 2020-01-03 12:30:50 4 | //! GFWList: 2019-11-05 00:21:47 From online[https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt] 5 | --------------------------------------------------------------------------------