Building a Virtual Sandbox (Part II) – Initial Server/Workstation

This first system will have several duties:

  • Workstation
  • Git Server
  • Ansible
  • DNS
  • and possibly other services as we move along.

For this system, we’re using Ubuntu 20.04 Desktop.  The settings used for this system are 2G memory, 20G disk with the basic workstation install. We’ll give this an IP of 10.13.13.10, and place it on the internal network we configured in the prior article.  The hostname is “ubuntu-ws”.  I’ll also create the user “mascio” as an administrative user. Don’t forget to boot the OpenBSD firewall from earlier.

Why is a CentOS/RedHat guy choosing Ubuntu? Several reasons: (1) with the recent shakeup of CentOS, CentOS 8 may not work well for me in the long run, and (2) I get plenty of CentOS practice at work. Don’t worry, there will be plenty of other CentOS stuff here over time. I’m not leaving CentOS/RedHat. Refreshing skills and knowledge from time to time is a good idea.

And just because I like the functionality better, let’s install aptitude:

sudo apt-get install aptitude

Let’s start by installing Ansible:

sudo aptitude update
sudo aptitude upgrade -y
sudo aptitude install openssh-server net-tools sshpass tree python python-pip python-setuptools ansible -y

We’ll come back to configuring Ansible.

Since I’ve already decided the Ansible playbooks need to be under source code control, we’ll install git and GitLab:

sudo aptitude install -y git-all curl openssh-server ca-certificates tzdata postfix mailutils
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

Since this is a lab, and the external infrastructure is not yet in place, use “Local only” for your Postfix configuration. If you have a smart host or other infrastructure in place, configure as you see fit.

And now bind:

sudo aptitude install bind9 bind9utils bind9-doc

We should be done with installing for now. Let’s get bind set up. Since we’re using only IPv4 and not IPv6, let’s set it to serve only the former:

sudo vi /etc/default/named

And add “-4” to the OPTIONS line:

OPTIONS="-u bind -4"

Now restart bind:

sudo systemctl restart bind9

Normally, you would set up your trusted hosts here, but we only have a primary right now, so we’ll come back to that step later when we have servers to worry about.

Now, we need to add some extra lines to /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";

        recursion yes;                 # enables recursive queries
        #allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on { 10.13.13.10; };    # private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default

        forwarders {
                1.1.1.1;
                1.0.0.1;
                8.8.8.8;
                8.8.4.4;
        };
};

Next, edit /etc/bind/named.conf.local and adjust domain/IP as necessary:

zone "dining.k5ryu.com" {
        type master;
        file "/etc/bind/zones/db.dining.k5ryu.com"; # zone file path
        #allow-transfer { 10.13.13.12; }; # secondary private IP address - place holder
};

zone "13.13.10.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.10.13.13";  # 10.13.13.0/24 subnet
        #allow-transfer { 10.13.13.12; }; # secondary private IP address - place holder
};

Now that we have the zones defined, both forward and reverse, let’s create the data files needed:

sudo mkdir /etc/bind/zones

Edit /etc/bind/zones/db.dining.k5ryu.com and add:

$TTL    300
@       IN      SOA     localhost. root.ws.dining.k5ryu.com. (
                       20122400         ; Serial
                            300         ; Refresh
                            300         ; Retry
                            300         ; Expire
                            300)       ; Negative Cache TTL
;

; name servers - NS records
                       IN      NS     ns1.dining.k5ryu.com.

; name server A records
ns1.dining.k5ryu.com.  IN      A      10.13.13.10

; host A records
gw.dining.k5ryu.com.   IN      A      10.13.13.3
ws.dining.k5ryu.com.   IN      A      10.13.13.10

A quick note on my serial value: it is in the format YYMMDDHHmm, so this reads as updated on Dec 24, 2020, once. Also, all of my values are small, which for a lab is probably OK, but for Internet production usage you’ll want to adjust those for performance.

Edit /etc/bind/zones/db.10.13.13 and add:

$TTL    300
@       IN      SOA     localhost. root.ws.dining.k5ryu.com. (
                       20122400         ; Serial
                            300         ; Refresh
                            300         ; Retry
                            300         ; Expire
                            300 )       ; Negative Cache TTL

; name servers
      IN      NS      ns1.dining.k5ryu.com.

; PTR Records
10   IN      PTR     ns1.dining.k5ryu.com.    ; 10.13.13.10
;10   IN      PTR      ws.dining.k5ryu.com.    ; 10.13.13.10
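Keeping the forward and reverse zones in step is easy to get wrong by hand (the reverse file above, for instance, has no PTR for gw at 10.13.13.3), and stale or missing PTRs show up later as failed reverse lookups in logs and access controls. The following is an added example, not part of the original post: it parses the minimal A/PTR syntax used in these files and reports each side's gaps. The embedded zone text is a constructed copy of the two files above with the SOA collapsed onto one line.

```python
import re

# Constructed sample zones mirroring the two files above (not the post's
# own files); the SOA is collapsed onto one line, which BIND also accepts.
FORWARD_ZONE = """\
$TTL 300
@ IN SOA localhost. root.ws.dining.k5ryu.com. ( 20122400 300 300 300 300 )
  IN NS ns1.dining.k5ryu.com.
ns1.dining.k5ryu.com. IN A 10.13.13.10
gw.dining.k5ryu.com.  IN A 10.13.13.3
ws.dining.k5ryu.com.  IN A 10.13.13.10
"""
REVERSE_ZONE = """\
$TTL 300
@ IN SOA localhost. root.ws.dining.k5ryu.com. ( 20122400 300 300 300 300 )
  IN NS ns1.dining.k5ryu.com.
10 IN PTR ns1.dining.k5ryu.com. ; 10.13.13.10
;10 IN PTR ws.dining.k5ryu.com. ; commented out, as in the post
"""

# Owner, optional TTL, class IN, then the record type and its data.
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")
PTR_RE = re.compile(r"^(\d+)\s+(?:\d+\s+)?IN\s+PTR\s+(\S+)$")

def records(zone_text, pattern):
    """Yield the capture groups of every record line matching pattern."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a comment
        m = pattern.match(line)
        if m:
            yield m.groups()

def check_zones(forward, reverse, prefix):
    """Return (ips_without_ptr, ptrs_without_a); prefix is the /24 as "10.13.13."."""
    names_by_ip = {}
    for name, ip in records(forward, A_RE):
        names_by_ip.setdefault(ip, set()).add(name)
    # a PTR owner of "10" in 13.13.10.in-addr.arpa stands for 10.13.13.10
    ptr_by_ip = {prefix + last: name for last, name in records(reverse, PTR_RE)}
    ips_without_ptr = sorted(ip for ip in names_by_ip if ip not in ptr_by_ip)
    ptrs_without_a = sorted(ip for ip, name in ptr_by_ip.items()
                            if name not in names_by_ip.get(ip, set()))
    return ips_without_ptr, ptrs_without_a

if __name__ == "__main__":
    no_ptr, no_a = check_zones(FORWARD_ZONE, REVERSE_ZONE, "10.13.13.")
    print("A records with no PTR:", no_ptr)     # ['10.13.13.3'] for the sample
    print("PTRs with no matching A:", no_a)     # []
```

Run it against the real files by reading them into FORWARD_ZONE and REVERSE_ZONE before editing a PTR by hand; the check only covers single-line A and PTR records, so multi-line or $ORIGIN-relative entries would need a fuller parser.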

And to be sure everything is good, run:

sudo named-checkconf

If all is well, restart BIND:

sudo systemctl restart bind9