SSH:

ISP: ssh 172.16.1.1

HQ-RTR: ssh 172.16.1.2

BR-RTR: ssh 172.16.2.2

HQ-SRV: ssh -p 2026 sshuser@192.168.100.2 (MODULE 2-3)

BR-SRV: ssh -p 2026 sshuser@192.168.200.2 (MODULE 2-3)

HQ-SRV: ssh 192.168.100.2 (MODULE 1)

BR-SRV: ssh 192.168.200.2 (MODULE 1)

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................


MODULE 1


.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

1)HQ-SRV, BR-SRV:

useradd -u 2026 -m -s /bin/bash sshuser

passwd sshuser

echo "sshuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

2)HQ-RTR, BR-RTR:

useradd -m -s /bin/bash net_admin

passwd net_admin

echo "net_admin ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

3)HQ-SRV, BR-SRV:

apt update && apt install -y openssh-server openssh-client

nano /etc/ssh/sshd_config

Port 2026

AllowUsers sshuser
MaxAuthTries 2
Banner /etc/issue.net

echo "Authorized access only" > /etc/issue.net

systemctl restart sshd

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

4)HQ-RTR, BR-RTR, HQ-SRV, BR-SRV:

nano /etc/resolv.conf

nameserver 192.168.100.2

apt update

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

5)HQ-CLI:

timedatectl set-timezone Asia/Yekaterinburg && timedatectl status

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................


MODULE 2


.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

6)BR-SRV:

apt update && apt install -y samba* krb5* winbind smbclient && apt install -y ansible && apt install -y chrony && apt install -y curl && apt install -y dos2unix

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

7)HQ-CLI:

apt-get update && apt-get remove -y alterator-datetime && apt-get install -y task-auth-ad-sssd && apt-get install -y admc && apt-get install -y openssh-server && apt-get install -y chrony && apt-get install -y yandex-browser-stable

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

8)HQ-RTR:

apt update && apt install -y curl && apt install -y dos2unix

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

9)ISP, BR-RTR, HQ-SRV:

apt update && apt install -y chrony && apt install -y curl && apt install -y dos2unix

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

10)BR-SRV:

hostname && domainname au-team.irpo && rm -f /etc/samba/smb.conf && rm -rf /var/lib/samba/ && rm -rf /var/cache/samba/ && mkdir -p /var/lib/samba/sysvol

sudo shutdown -r now

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

11)BR-SRV:

samba-tool domain provision

sudo shutdown -r now

samba-tool domain info 127.0.0.1

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

12)HQ-CLI:

cat /etc/resolv.conf && host au-team.irpo

!!! restart !!!

kinit Administrator

id && klist && admc

nano /etc/sudoers

%hq ALL=(ALL) NOPASSWD: /bin/cat, /bin/grep, /usr/bin/id

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

13)HQ-SRV:

lsblk

apt update && apt install -y mdadm

sudo mdadm --create --verbose /dev/md0 -l 0 -n 2 /dev/sdb /dev/sdc

lsblk

sudo mdadm --detail --scan --verbose | tee -a /etc/mdadm.conf

sudo mkfs.ext4 /dev/md0

mkdir -p /raid0

nano /etc/fstab

/dev/md0 /raid0 ext4 defaults 0 0

sudo mount -av && sudo df -h

apt-get update && apt-get install -y nfs-server cifs-utils

mkdir /raid0/nfs && chmod 777 /raid0/nfs

nano /etc/exports

/raid0/nfs 192.168.10.0/28(rw,no_root_squash)

sudo exportfs -arv

sudo update-initramfs -u

systemctl enable --now nfs-server

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

14)HQ-CLI:

apt-get update && apt-get install -y nfs-utils nfs-clients

mkdir /mnt/nfs && chmod 777 /mnt/nfs

nano /etc/fstab

192.168.100.2:raid0/nfs /mnt/nfs nfs defaults 0 0

mount -av && df -h

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

15)CHRONY:ISP:

apt update && apt install -y chrony

nano /etc/chrony/chrony.conf

server 127.0.0.1 iburst prefer
hwtimestamp *
local stratum 5
allow 0/0

systemctl enable --now chrony && systemctl restart chrony

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

16)CHRONY:BR-RTR, HQ-SRV, BR-SRV:

apt update && apt install -y chrony

nano /etc/chrony/chrony.conf

server 172.16.1.1 iburst prefer

systemctl enable --now chrony && systemctl restart chrony

chronyc sources

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

17)CHRONY:HQ-CLI:

apt-get update && apt-get  install -y chrony

nano /etc/chrony.conf

server 172.16.1.1 iburst prefer

systemctl enable --now chronyd && systemctl restart chronyd

chronyc sources

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

18)CHRONY:ISP:

chronyc clients

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

19)BR-SRV:

!!! HQ-CLI --> systemctl restart sshd !!!

apt update && apt install -y ansible

mkdir -p /etc/ansible

curl -o /etc/ansible/hosts https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/hosts.file && dos2unix /etc/ansible/hosts

nano /etc/ansible/hosts

ssh-keygen -t rsa -b 2048

ssh-copy-id hq-rtr.au-team.irpo

ssh-copy-id br-rtr.au-team.irpo

ssh-copy-id hq-cli.au-team.irpo

ssh-copy-id -p 2026 sshuser@hq-srv.au-team.irpo

ansible all -m ping

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

20)BR-SRV:

apt update && apt install -y docker.io docker-compose && systemctl enable --now docker.service && mount /dev/sr0 /mnt/ && docker load < /mnt/docker/site_latest.tar && docker load < /mnt/docker/mariadb_latest.tar && docker image ls && curl -o ~/compose.yaml https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/compose.yaml

!!! --> BR-SRV !!!

HQ-CLI --> 192.168.200.2:8080

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

21)HQ-SRV:

apt update && apt install -y apache* && apt install -y php php8.2 php-curl php-zip php-xml libapache2-mod-php php-mysql php-mbstring php-gd php-intl php-soap && apt install -y mariadb-* && systemctl enable --now mariadb && systemctl enable --now apache2 && mount /dev/sr0 /mnt/ && cp /mnt/web/index.php /var/www/html && cp /mnt/web/logo.png /var/www/html

!!! --> HQ-SRV !!!

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

22)HQ-SRV:nano /var/www/html/index.php:

<?php
$servername = "localhost";
$username = "webc";
$password = "P@ssw0rd";
$dbname = "webdb";

!!! --> HQ-SRV !!!

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

23)HQ-SRV:

mariadb -u webc -p -D webdb < ~/dump.sql

rm /var/www/html/index.html && systemctl enable --now apache2 && systemctl restart apache2

HQ-CLI --> 192.168.100.2

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

24)NFTABLES:HQ-RTR:

curl -o /etc/nftables.conf https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/hq-rtr/nftables.conf && dos2unix /etc/nftables.conf

nano /etc/nftables.conf

systemctl restart nftables && systemctl enable --now nftables && /etc/nftables.conf

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

25)NFTABLES:BR-RTR:

curl -o /etc/nftables.conf https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/br-rtr/nftables.conf && dos2unix /etc/nftables.conf

nano /etc/nftables.conf

systemctl restart nftables && systemctl enable --now nftables && /etc/nftables.conf

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

26)ISP:

apt update && apt-get install -y nginx && systemctl start nginx && systemctl enable nginx && curl -o /etc/nginx/sites-available/default https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/reverse-proxy.conf && curl -o /etc/nginx/sites-available/reverse-proxy.conf https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/reverse-proxy.conf && dos2unix /etc/nginx/sites-available/default && dos2unix /etc/nginx/sites-available/reverse-proxy.conf

nano /etc/nginx/sites-available/reverse-proxy.conf

ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/

nginx -t && systemctl enable --now nginx

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

27)HQ-CLI:

nano /etc/hosts

172.16.1.1 web.au-team.irpo
172.16.2.1 docker.au-team.irpo
192.168.100.2 hq-srv.au-team.irpo hq-srv

http://web.au-team.irpo/

http://docker.au-team.irpo/

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

28)ISP:

apt update && apt install -y apache2

!!! --> ISP !!!

nano /etc/nginx/sites-available/default

nginx -t && systemctl restart nginx

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................


MODULE 3


.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

29)BR-SRV:

cp /mnt/Users.csv /opt/ && curl -o /opt/import_users.sh https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/import_users.sh && dos2unix /opt/import_users.sh && ls /opt

nano /opt/import_users.sh

chmod +x /opt/import_users.sh

!!! BR-SRV --> /opt/import_users.sh !!!

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

30)HQ-SRV:

apt update && apt install -y openssl ca-certificates

mkdir -p /etc/pki/CA/{private,certs,newcerts,crl} && touch /etc/pki/CA/index.txt && echo 1000 > /etc/pki/CA/serial && chmod 700 /etc/pki/CA/private

openssl req -x509 -new -nodes -keyout /etc/pki/CA/private/ca.key -out /etc/pki/CA/certs/ca.crt -days 3650 -sha256 -subj "/CN=AU-TEAM Root CA" && openssl genrsa -out /etc/pki/CA/private/web.au-team.irpo.key 2048 && openssl req -new -key /etc/pki/CA/private/web.au-team.irpo.key -out /etc/pki/CA/web.au-team.irpo.csr -subj "/CN=web.au-team.irpo" && openssl genrsa -out /etc/pki/CA/private/docker.au-team.irpo.key 2048 && openssl req -new -key /etc/pki/CA/private/docker.au-team.irpo.key -out /etc/pki/CA/docker.au-team.irpo.csr -subj "/CN=docker.au-team.irpo"

curl -o /etc/ssl/openssl-ca.cnf https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/openssl-gost.cnf

nano /etc/ssl/openssl-ca.cnf

openssl ca -config /etc/ssl/openssl-ca.cnf -in /etc/pki/CA/web.au-team.irpo.csr -out /etc/pki/CA/certs/web.au-team.irpo.crt -extensions server_cert -days 30 -batch && openssl ca -config /etc/ssl/openssl-ca.cnf -in /etc/pki/CA/docker.au-team.irpo.csr -out /etc/pki/CA/certs/docker.au-team.irpo.crt -extensions server_cert -days 30 -batch

!!! --> HQ-SRV !!!

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

31)HQ-CLI:

cp /mnt/nfs/ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

32)HQ-SRV:

nano /etc/ssh/sshd_config

systemctl restart sshd

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

33)ISP:

curl -o /etc/nginx/sites-available/default https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/reverse-proxy-ssl.conf

mkdir -p /etc/nginx/ssl

scp -P 2026 root@172.16.1.2:/etc/pki/CA/certs/web.au-team.irpo.crt /etc/nginx/ssl/ && scp -P 2026 root@172.16.1.2:/etc/pki/CA/private/web.au-team.irpo.key /etc/nginx/ssl/ && scp -P 2026 root@172.16.1.2:/etc/pki/CA/certs/docker.au-team.irpo.crt /etc/nginx/ssl/ && scp -P 2026 root@172.16.1.2:/etc/pki/CA/private/docker.au-team.irpo.key /etc/nginx/ssl/

chown root:root /etc/nginx/ssl/* && chmod 600 /etc/nginx/ssl/*.key && nginx -t && systemctl reload nginx

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

34)HQ-CLI:

https://docker.au-team.irpo/

https://web.au-team.irpo/

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

35)HQ-RTR:

!!! HQ-SRV --> nano /etc/ssh/sshd_config --> systemctl restart sshd !!!

apt update && apt install -y strongswan

nano /etc/ipsec.conf

conn  gre-tunnel
	auto=start
	left=172.16.1.2
	leftsubnet=0.0.0.0/0
	leftprotoport=47
	right=172.16.2.2
	rightsubnet=0.0.0.0/0
	rightprotoport=47
	authby=secret

nano /etc/ipsec.secrets

172.16.1.2 172.16.2.2 : PSK "123qweR%"

nano /etc/strongswan.d/charon.conf

!!! "Ctrl" + "Shift" + "-" = 133 !!!

ipsec restart

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

36)BR-RTR:

apt update && apt install -y strongswan

nano /etc/ipsec.conf

conn  gre-tunnel
	auto=start
	left=172.16.2.2
	leftsubnet=0.0.0.0/0
	leftprotoport=47
	right=172.16.1.2
	rightsubnet=0.0.0.0/0
	rightprotoport=47
	authby=secret

nano /etc/ipsec.secrets

172.16.2.2 172.16.1.2 : PSK "123qweR%"

nano /etc/strongswan.d/charon.conf

!!! "Ctrl" + "Shift" + "-" = 133 !!!

ipsec restart

apt update && apt install -y tcpdump

!!! BR-RTR --> tcpdump -i ens18 -n -p esp !!!

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

37)HQ-RTR:

!!! HQ-RTR --> ping 192.168.200.2 !!!

ipsec status

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

38)HQ-CLI:

ping 192.168.200.2

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

39)HQ-SRV:

apt update && apt install -y cups cups-pdf

systemctl enable --now cups 

sudo cupsctl --share-printers --remote-any

systemctl restart cups

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

40)HQ-CLI:

apt-get update && apt-get install -y cups system-config-printer

nano /etc/hosts

192.168.100.2 hq-srv.au-team.irpo hq-srv

http://192.168.100.2:631/printers/PDF

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

41)HQ-SRV:

apt update && apt install -y rsyslog

nano /etc/rsyslog.conf

$template RemoteLogs, "/opt/%HOSTNAME%/rsyslog.txt"
*.* ?RemoteLogs
& stop

systemctl enable rsyslog && systemctl restart rsyslog

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

42)HQ-RTR:

apt update && apt install -y rsyslog

nano /etc/rsyslog.conf

module(load="imjournal")

*.* @@hq-srv.au-team.irpo:514

*.warning @@192.168.100.2:514

systemctl restart rsyslog

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

43)BR-RTR:

apt update && apt install -y rsyslog

nano /etc/rsyslog.conf

module(load="imjournal")

*.* @@hq-srv.au-team.irpo:514

*.warning @@192.168.100.2:514

systemctl restart rsyslog

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

44)BR-SRV:

apt update && apt install -y rsyslog

nano /etc/rsyslog.conf

module(load="imjournal")

*.warning @@192.168.100.2:514

systemctl enable rsyslog && systemctl restart rsyslog

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

45)HQ-SRV:

ls /opt/

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

46)BR-SRV:

logger -p user.info "Test info" && logger -p user.warning "Test warning" && logger -p user.error "Test error"

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

47)HQ-SRV:

sudo cat /opt/br-srv/rsyslog.txt

nano /etc/logrotate.d/rsyslog

/opt/*/rsyslog.txt {
	weekly
	minsize 10M
	compress
	missingok
	notifempty
	create 0644 root root
	rotate 4
}

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

48)HQ-SRV:

wget https://repo.zabbix.com/zabbix/7.4/release/debian/pool/main/z/zabbix-release/zabbix-release_7.4-0.2+debian12_all.deb

sudo dpkg -i zabbix-release_7.4-0.2+debian12_all.deb

sudo apt update && sudo apt install -y zabbix-server-mysql zabbix-frontend-php zabbix-agent php php-mysql php-bcmath php-mbstring zabbix-sql-scripts zabbix-apache-conf mariadb-server

!!! --> HQ-SRV !!!

zcat /usr/share/zabbix/sql-scripts/mysql/server.sql.gz | sudo mysql -u zabbix -p zabbix

sudo nano /etc/zabbix/zabbix_server.conf

!!! "Ctrl" + "Shift" + "-" = 100, 116, 124 !!!

sudo systemctl enable --now zabbix-server

ln -s /usr/share/zabbix /var/www/html/mon

sudo nano /etc/php/8.2/apache2/php.ini

!!! "Ctrl" + "Shift" + "-" = 409, 419, 703 !!!

systemctl restart apache2

sudo rm -rf /etc/apache2/sites-available/000-default.conf

ln -s /etc/apache2/sites-available/zabbix.conf /etc/apache2/sites-enabled/

sudo systemctl restart apache2

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

49)HQ-SRV:

nano /etc/dnsmasq.conf

host-record=web.au-team.irpo,172.16.1.2
host-record=docker.au-team.irpo,172.16.2.2

cname=mon.au-team.irpo,hq-srv.au-team.irpo

systemctl restart dnsmasq

HQ-CLI --> http://mon.au-team.irpo/zabbix

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

50)BR-SRV:

wget https://repo.zabbix.com/zabbix/7.4/release/debian/pool/main/z/zabbix-release/zabbix-release_7.4-0.2+debian12_all.deb

sudo dpkg -i zabbix-release_7.4-0.2+debian12_all.deb

sudo apt update && apt install -y zabbix-agent

nano /etc/zabbix/zabbix_agentd.conf

!!! "Ctrl" + "Shift" + "-" = 117 - Server=192.168.100.2 !!!

!!! "Ctrl" + "Shift" + "-" = 173 - ServerActive=192.168.100.2 !!!

!!! "Ctrl" + "Shift" + "-" = 184 - Hostname=br-srv !!!

systemctl restart zabbix-agent.service

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

51)HQ-CLI:

Monitoring --> Hosts --> Create host

Host name=br-srv

Templates=Linux by Zabbix agent

Host groups=Linux servers, Zabbix servers

Add --> Agent --> IP address=192.168.200.2, DNS name=br-srv.au-team.irpo

Add

Dashboards --> Edit dashboard --> +Add

Type=Graph

host patterns --> Select --> Host group=Zabbix servers --> br-srv --> Select

item patterns --> Select --> Host=br-srv --> Available memory in %, Free swap space, Load average (1m avg) --> Select

Add

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

52)BR-SRV:

mkdir /etc/ansible/PC_INFO

curl -o /etc/ansible/inventory.yml https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/inventory.yml && dos2unix /etc/ansible/inventory.yml

nano /etc/ansible/inventory.yml

ansible-playbook /etc/ansible/inventory.yml

ls -la /etc/ansible/PC_INFO

cat /etc/ansible/PC_INFO/hq-cli.yml

cat /etc/ansible/PC_INFO/hq-srv.yml

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

53)BR-SRV:

mkdir /etc/ansible/NETWORK_INFO

curl -o /etc/ansible/backup.yml https://raw.githubusercontent.com/shiraorie/demo2026-1/main/files/backup.yml && dos2unix /etc/ansible/backup.yml

nano /etc/ansible/backup.yml

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

54)HQ-RTR, BR-RTR:

apt update && apt install -y sudo

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

55)BR-SRV:

ansible-playbook /etc/ansible/backup.yml

ls -la /etc/ansible/NETWORK_INFO

ls -la /etc/ansible/NETWORK_INFO/HQ-RTR

ls -la /etc/ansible/NETWORK_INFO/BR-RTR

cat /etc/ansible/NETWORK_INFO/HQ-RTR/interfaces

.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................