Peter Palfrader authored
new-machine.mdwn
Installation
============
This document assumes the machine is already installed with a Debian
operating system. We preferably install stable or, when close to the
release, testing. Here are site-specific installs:
* [[new-machine-hetzner-cloud]]
* [[new-machine-hetzner-robot]]
Configuration procedure
=======================
All commands to be run as root unless otherwise noted.
* set a hostname - pick an unused one from the [[doc/naming-scheme]]
* set new root password, and document it
* swap and tmp

        grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
        ! grep swap /etc/fstab && \
            dd if=/dev/zero bs=1024k count=1024 of=/swapfile && \
            chmod 0 /swapfile && \
            mkswap /swapfile && \
            echo '/swapfile none swap sw 0 0' >> /etc/fstab && \
            swapon -a

* sanitize DNS configuration:

        # grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
        grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf
        vi /etc/hosts # make sure the local host is there with both FQDN and just hostname

* add to ldap on `alberti` using:

        ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"

    To generate the LDAP block, you can use the
    `tor-install-generate-ldap` script in `tsa-misc`. Make sure you
    review all fields, in particular `location` (`l`), `physicalHost`,
    `description` and `purpose`, which do not have good defaults.
    See also the [ldapvi manual](http://www.lichteblau.com/ldapvi/manual/) for more
    information.

* then:
    * on alberti:

            sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -t

    * on nevii:

            sudo -H ud-replicate

* set up puppet:
    * on pauli:

            ( puppet agent -t --environment=production || true ) && \
                ud-replicate && \
                sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install

    * on new machine:

            me=$(hostname -f) && \
                [ "$me" != "${me%torproject.org}" ] && \
                apt-get update && \
                apt-get install -y --no-install-recommends puppet lsb-release && \
                service puppet stop && \
                systemctl mask puppet.service && \
                (puppet agent -t || true ) && \
                cd /var/lib/puppet/ssl/certificate_requests && \
                echo sha256sum output: && \
                echo && \
                sha256sum $me.pem && \
                echo && \
                echo && \
                cd /

    * on pauli:

            echo "paste sha256sum output now:" && \
                read sha256 filename && \
                cd /var/lib/puppet/ssl/ca/requests && \
                ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && \
                echo "$sha256 $filename" | sha256sum -c && \
                puppet ca sign $(basename "$filename" .pem) && \
                echo && \
                echo "--- 8< --- CUT HERE --- 8< ---" && \
                echo && \
                echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && \
                cat /var/lib/puppet/ssl/certs/ca.pem && \
                echo 'EOF' && \
                echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && \
                cat /var/lib/puppet/ssl/ca/signed/$filename && \
                echo 'EOF' && \
                echo 'puppet agent --enable' && \
                echo 'puppet agent -t --pluginsync' && \
                echo 'puppet agent -t --pluginsync' && \
                echo && \
                echo "--- 8< --- CUT HERE --- 8< ---" && \
                echo && \
                cd /

    * copy paste the thing between `CUT HERE` from `pauli` into a root
      shell on the new host

* do more puppet runs, and run a ud-replicate to get ldap users, then
  more puppet runs since we now have more users:

        puppet agent -t
        ud-replicate
        puppet agent -t
        puppet agent -t

* get rid of unneeded network services (only needed if we did not install this
  from a minbase but from somebody else's install/image):

        dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
        userdel -r Debian-exim

* fix `/etc/aliases`:

        ( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
            sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases

* add to [[nagios]], in `tor-nagios/config/nagios-master.cfg`
* document the machine in the [Nextcloud spreadsheet](https://nc.riseup.net/remote.php/webdav/tpa/Tor%20VM%20Hosts.xlsx)
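
The "paste sha256sum output now" step on `pauli` above trusts whatever filename was pasted before it looks in the requests directory. The following is an added example (not from this page or from the tsa-misc scripts) of a stricter version of that check as a shell function: it rejects a pasted filename that is not a plain `<certname>.pem` basename, requires the file to exist, and compares the pasted hash with the file on disk before printing the certname that would be handed to `puppet ca sign`. The requests directory is passed as a parameter; the page uses `/var/lib/puppet/ssl/ca/requests`.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a stricter version of the
# "paste sha256sum output now" step run on the CA host. Besides the page's
# existence and sha256sum check, it refuses a pasted filename that is not a
# plain "<certname>.pem" basename, so a typo or a stray path such as
# "../signed/x.pem" cannot point the check at the wrong file.
# The requests directory is a parameter (the page uses
# /var/lib/puppet/ssl/ca/requests).

# Usage: check_csr_request <requests_dir> "<sha256>  <filename>"
# On success prints the certname to hand to "puppet ca sign" and returns 0;
# otherwise prints the reason on stderr and returns 1.
check_csr_request() {
    dir=$1
    sha256=$(printf '%s\n' "$2" | awk '{print $1}')
    filename=$(printf '%s\n' "$2" | awk '{print $2}')

    # 1. the hash must be exactly 64 lowercase hex digits
    case $sha256 in
        ""|*[!0-9a-f]*) echo "bad sha256: '$sha256'" >&2; return 1 ;;
    esac
    [ "${#sha256}" -eq 64 ] || { echo "bad sha256 length" >&2; return 1; }

    # 2. the filename must be a plain basename ending in .pem:
    #    no directory separators and no leading dot
    case $filename in
        ""|*/*|.*) echo "refusing filename: '$filename'" >&2; return 1 ;;
        *.pem) ;;
        *) echo "not a .pem file: '$filename'" >&2; return 1 ;;
    esac

    # 3. the request must exist in the requests directory
    [ -f "$dir/$filename" ] || { echo "$filename does not exist." >&2; return 1; }

    # 4. the pasted hash must match the file actually on disk
    actual=$(sha256sum "$dir/$filename" | awk '{print $1}')
    [ "$actual" = "$sha256" ] || { echo "sha256 mismatch for $filename" >&2; return 1; }

    basename "$filename" .pem
}
```

Only the printed certname should be passed on to `puppet ca sign`; a non-zero return means nothing was verified.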