new-machine.mdwn 4.38 KiB
Installation
============

This document assumes the machine is already installed with a Debian
operating system. We preferably install stable or, when close to the
release, testing. Here are site-specific installs:

* [[new-machine-hetzner-cloud]]
* [[new-machine-hetzner-robot]]

Configuration procedure
=======================

All commands to be run as root unless otherwise noted.

* set a hostname - pick an unused one from the [[doc/naming-scheme]]

* set new root password, and document it

* swap and tmp

        grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab

        ! grep swap /etc/fstab && \
        dd if=/dev/zero bs=1024k count=1024 of=/swapfile && \
        chmod 0 /swapfile && \
        mkswap /swapfile && \
        echo '/swapfile none swap sw 0 0' >> /etc/fstab && \
        swapon -a

* sanitize DNS configuration:

        # grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >>  /etc/resolv.conf
        grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf
        vi /etc/hosts # make sure the local host is there with both FQDN and just hostname

* add to ldap on `alberti` using:

        ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"

  To generate the LDAP block, you can use the
  `tor-install-generate-ldap` script in `tsa-misc`. Make sure you
  review all fields, in particular `location` (`l`), `physicalHost`,
  `description` and `purpose` which do not have good defaults.

  See also the [ldapvi manual](http://www.lichteblau.com/ldapvi/manual/) for more
  information.

* then:
  * on alberti:
        sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -t

  * on nevii:

        sudo -H ud-replicate

* set up puppet:
  * on pauli:

        ( puppet agent -t --environment=production || true ) && \
        ud-replicate && \
        sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install

  * on new machine:

        me=$(hostname -f) && \
        [ "$me" != "${me%torproject.org}" ] && \
        apt-get update && \
        apt-get install -y --no-install-recommends puppet lsb-release && \
        service puppet stop && \
        systemctl mask puppet.service && \
        (puppet agent -t || true ) && \
        cd /var/lib/puppet/ssl/certificate_requests && \
        echo sha256sum output: && \
        echo && \
        sha256sum $me.pem && \
        echo && \
        echo && \
        cd /

  * on pauli:

        echo "paste sha256sum output now:" && \
        read sha256 filename && \
        cd /var/lib/puppet/ssl/ca/requests && \
        ( [ -e "$filename" ] || (echo "$filename does not exist."; exit 1) ) && \
        echo "$sha256  $filename" | sha256sum -c && \
        puppet ca sign $(basename "$filename" .pem) && \
        echo && \
        echo "--- 8< --- CUT HERE --- 8< ---" && \
        echo && \
        echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && \
        cat /var/lib/puppet/ssl/certs/ca.pem && \
        echo 'EOF' && \
        echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && \
        cat "/var/lib/puppet/ssl/ca/signed/$filename" && \
        echo 'EOF' && \
        echo 'puppet agent --enable' && \
        echo 'puppet agent -t --pluginsync' && \
        echo 'puppet agent -t --pluginsync' && \
        echo && \
        echo "--- 8< --- CUT HERE --- 8< ---" && \
        echo && \
        cd /

* copy and paste the block between the two `CUT HERE` markers printed on
  `pauli` into a root shell on the new host

* do more puppet runs, and run a ud-replicate to get ldap users, then
  more puppet runs since we now have more users:

        puppet agent -t
        ud-replicate
        puppet agent -t
        puppet agent -t

* get rid of unneeded network services (only needed if we did not install this
  from a minbase but from somebody else's install/image):

        dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
        userdel -r Debian-exim

* fix `/etc/aliases`:

        # add a root alias if there is none, then force its value either way
        ( grep -q '^root:' /etc/aliases || echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) && \
        sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases

* add to [[nagios]], in `tor-nagios/config/nagios-master.cfg`

* document the machine in the [Nextcloud spreadsheet](https://nc.riseup.net/remote.php/webdav/tpa/Tor%20VM%20Hosts.xlsx)
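
The fingerprint check performed on `pauli` in the `paste sha256sum output now` step above, rewritten as stand-alone shell functions so it can be exercised in isolation. This is an added example, not the runbook's own code: it assumes the requests directory is passed in as an argument (on `pauli` that is `/var/lib/puppet/ssl/ca/requests`) and that `SIGN_CMD` defaults to the page's `puppet ca sign`.

```shell
#!/bin/sh
# Added example (not from the TPA runbook): verify the CSR digest read off the
# new machine's console before the Puppet CA signs anything.
# Assumed: REQDIR is the CA requests directory; SIGN_CMD is the signing command.
SIGN_CMD="${SIGN_CMD:-puppet ca sign}"

# verify_csr_fingerprint REQDIR SHA256 FILENAME
# Succeeds only when FILENAME is a bare "<fqdn>.pem" name inside REQDIR and its
# SHA-256 equals the digest the operator pasted from the new host.
verify_csr_fingerprint() {
    reqdir=$1 sha256=$2 filename=$3
    # a request name is a bare file name: no directory parts, no dotfiles
    case $filename in
        */*|.*|'') echo "refusing request name '$filename'" >&2; return 1 ;;
        *.pem) ;;
        *) echo "not a .pem request: '$filename'" >&2; return 1 ;;
    esac
    # sha256sum -c only accepts 64 hex digits; reject anything else early
    printf '%s' "$sha256" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "malformed digest '$sha256'" >&2; return 1; }
    [ -f "$reqdir/$filename" ] \
        || { echo "$filename does not exist in $reqdir" >&2; return 1; }
    # compare the pasted digest against the file actually sitting in REQDIR
    ( cd "$reqdir" && printf '%s  %s\n' "$sha256" "$filename" | sha256sum -c --status )
}

# sign_verified_csr REQDIR SHA256 FILENAME
# Hands the certname (file name without .pem) to SIGN_CMD only after the
# fingerprint matched; a mismatch leaves the request unsigned.
sign_verified_csr() {
    verify_csr_fingerprint "$1" "$2" "$3" || return 1
    $SIGN_CMD "$(basename "$3" .pem)"
}

# when run directly with three arguments, behave like the runbook step
if [ $# -eq 3 ]; then
    sign_verified_csr "$1" "$2" "$3"
fi
```

A request whose digest does not match the pasted value, or whose name is not a bare `<fqdn>.pem`, is never passed to the signing command.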