The Tor Project / TPA / Wiki Replica

Commit 644e0fd0 (unverified), authored 6 years ago by anarcat
properly format new-machine as markdown, no functional change
Parent: 24a2f126
Changes: 1 changed file

tsa/howto/new-machine.mdwn: 77 additions, 62 deletions
@@ -3,90 +3,105 @@
* set a hostname - pick an unused one from the [[doc/naming-scheme]]
* sane base setup
grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
vi /etc/hosts # make sure the local host is there with both FQDN and just hostname
* sanitize DNS configuration:
* add to ldap on alberti. To generate the ssh host key block, use:
for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
echo "sshRSAHostKey: `cat $i`"; done
grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
vi /etc/hosts # make sure the local host is there with both FQDN and just hostname
* add to ldap on `alberti` using `ldapvi`. To generate the ssh host key block, use:
for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
echo "sshRSAHostKey: `cat $i`"
done
* then:
: on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -t
: on nevii : && sudo -H ud-replicate
* on alberti:
sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -t
* on nevii:
sudo -H ud-replicate
* set up puppet:
: on pauli : &&
( puppet agent -t --environment=production || true ) &&
ud-replicate &&
* on pauli:
( puppet agent -t --environment=production || true ) && \
ud-replicate && \
sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
: on new machine : &&
me=$(hostname -f) &&
[ "$me" != "${me%torproject.org}" ] &&
apt-get update &&
apt-get install -y --no-install-recommends puppet lsb-release &&
service puppet stop &&
systemctl mask puppet.service &&
(puppet agent -t || true ) &&
cd /var/lib/puppet/ssl/certificate_requests &&
echo sha256sum output: &&
echo &&
sha256sum $me.pem &&
echo &&
echo &&
* on new machine:
me=$(hostname -f) && \
[ "$me" != "${me%torproject.org}" ] && \
apt-get update && \
apt-get install -y --no-install-recommends puppet lsb-release && \
service puppet stop && \
systemctl mask puppet.service && \
(puppet agent -t || true ) && \
cd /var/lib/puppet/ssl/certificate_requests && \
echo sha256sum output: && \
echo && \
sha256sum $me.pem && \
echo && \
echo && \
cd /
: on pauli: &&
echo "paste sha256sum output now:" &&
read sha256 filename &&
cd /var/lib/puppet/ssl/ca/requests &&
( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
echo -e "$sha256 $filename" | sha256sum -c &&
puppet ca sign $(basename "$filename" .pem) &&
echo &&
echo &&
echo &&
echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
cat /var/lib/puppet/ssl/certs/ca.pem &&
echo 'EOF' &&
echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
cat /var/lib/puppet/ssl/ca/signed/$filename &&
echo 'EOF' &&
echo 'puppet agent --enable' &&
echo 'puppet agent -t --pluginsync' &&
echo 'puppet agent -t --pluginsync' &&
* on pauli:
echo "paste sha256sum output now:" && \
read sha256 filename && \
cd /var/lib/puppet/ssl/ca/requests && \
( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && \
echo -e "$sha256 $filename" | sha256sum -c && \
puppet ca sign $(basename "$filename" .pem) && \
echo && \
echo && \
echo && \
echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && \
cat /var/lib/puppet/ssl/certs/ca.pem && \
echo 'EOF' && \
echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && \
cat /var/lib/puppet/ssl/ca/signed/$filename && \
echo 'EOF' && \
echo 'puppet agent --enable' && \
echo 'puppet agent -t --pluginsync' && \
echo 'puppet agent -t --pluginsync' && \
cd /
* copy paste the thing you just created on pauli into a root shell on the new host
* do more puppet runs, and run a ud-replicate to get ldap users, then more puppet runs since we now have more users
puppet agent -t
ud-replicate
puppet agent -t
puppet agent -t
* do more puppet runs, and run a ud-replicate to get ldap users, then
more puppet runs since we now have more users:
puppet agent -t
ud-replicate
puppet agent -t
puppet agent -t
* get rid of unneeded network services (only needed if we did not install this
from a minbase but from somebody else's install/image):
dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
userdel -r Debian-exim
dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
userdel -r Debian-exim
* fix `/etc/aliases`:
* fix etc/aliases
( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
* set new root password, and document it
* swap and tmp
grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
! grep swap /etc/fstab &&
dd if=/dev/zero bs=1024k count=1024 of=/swapfile &&
chmod 0 /swapfile &&
mkswap /swapfile &&
echo '/swapfile none swap sw 0 0' >> /etc/fstab &&
swapon -a
grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
! grep swap /etc/fstab && \
dd if=/dev/zero bs=1024k count=1024 of=/swapfile && \
chmod 0 /swapfile && \
mkswap /swapfile && \
echo '/swapfile none swap sw 0 0' >> /etc/fstab && \
swapon -a
* add to nagios
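Review bot: the `/etc/aliases` step carries an inverted guard: in `( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) && sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases`, an existing `root:` line makes `! grep` fail, the subshell returns non-zero and the `&&` chain stops, so `sed` and `newaliases` never run in the one case where the alias actually needs rewriting; when no `root:` line exists, `sed` runs only on the line `echo` just appended. Since root's mail is where the host's security and cron notices end up, this is worth fixing even though the commit is formatting-only: use `grep -q '^root:' /etc/aliases || echo 'root: torproject-admin@torproject.org' >> /etc/aliases` as its own statement and then run `sed -i ... /etc/aliases && newaliases` unconditionally. The same `! grep ... &&` shape at `! grep swap /etc/fstab && \` is correct as written, since stopping the chain when swap is already configured is the intended outcome. Minor: the trailing `\` added after every `&&` is redundant (a line ending in `&&` already continues), but it is harmless and does make the blocks safe to paste line by line.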