tsa/howto/new-machine-hetzner-robot.mdwn +80 −1
@@ -54,7 +54,86 @@ which we'll use below. perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/\1:/g; print $h, "\n"' 2. magic. 2. Partition disks. This might vary wildly between hosts, but in general, we want: * GPT partitionning, with space for a 8MB grub partition and cleartext `/boot` * software RAID (RAID-1 for two drives, RAID-5 for 3, RAID-10 for 4) * crypto (LUKS) * LVM, with separate volume groups for different medium (SSD vs HDD) This can be done with the `tor-install-format-disks` in the `tsa-misc` repository, which should be carefully checked and configured before running. 3. Install the system. This can be done with `grml-debootstrap` which will also configure grub, a root password and so on. This should get you started, assuming the formatted root disk is mounted on `/mnt`: ROOTPASSWORD=\$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 30) \ grml-debootstrap --grub /dev/sda --target /mnt \ --hostname $hostname \--release buster \ --mirror https://mirror.hetzner.de/debian/packages/ \ --remove-configs --defaultinterfaces 4. Once the bootstrapping is complete, you still need to make sure the system can boot as, the above doesn't (unfortunately) configure everything for you. First, fix the mountpoints: editor /mnt/etc/fstab For example: /dev/mapper/archive01-hdd / ext4 defaults,errors=remount-ro 0 1 UUID=aef7c53c-ed2e-4b9e-b23a-b70a701a2dcb /boot ext4 defaults 0 2 /dev/mapper/archive01-swap none swap defaults 0 0 proc /proc proc defaults 0 0 5. Review the crypto configuration: editor /mnt/etc/crypttab 6. Do the same with the RAID configuration, probably with something like: chroot /mnt sh -c "/usr/share/mdadm/mkconf > /etc/mdadm/mdadm.conf" 7. Review the network configuration: editor /mnt/etc/network/interfaces An example safe configuration is: iface lo inet loopback allow-hotplug eth0 iface eth0 inet dhcp 8. 
Copy paste your key into the root's authorized keys, just to make sure you can login: cat > /mnt/root/.ssh/authorized_keys 9. If any of those latter things changed, you need to regenerate the initramfs: for fs in dev proc run sys ; do mount -o bind /$fs /mnt/$fs done chroot /mnt update-initramfs -u chroot /mnt update-grub for fs in dev proc run sys ; do umount /mnt/$fs done 10. Document the LUKS passphrase and root password in `tor-passwords` 11. Cross fingers and reboot: reboot Configuration ------------- Loading tsa/howto/new-machine.mdwn +5 −2 Original line number Diff line number Diff line All commands to be run as root unless otherwise noted. Installation ============ This document assumes the machine is already installed with a Debian operating system. We preferably install stable or, when close to the release, testing. Here are site-specific installs: * [[new-machine-hetzner-cloud]] * [[new-machine-hetzner-robot]] Configuration procedure ======================= All commands to be run as root unless otherwise noted. * set a hostname - pick an unused one from the [[doc/naming-scheme]] * sanitize DNS configuration: Loading Loading
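Review bot: In the new-machine-hetzner-robot.mdwn hunk the step list is misnumbered: the placeholder `2. magic.` survives directly before `2. Partition disks.`, so the procedure reads 2, 2, 3, ... through 11; drop the placeholder or renumber. In the `grml-debootstrap` invocation, `ROOTPASSWORD=\$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 30)` carries an escaped `$`, so pasted as shown it assigns the literal text `$(tr ...)` instead of a generated password, and `--hostname $hostname \--release buster` has a continuation backslash fused onto `--release`; please confirm both escapes are not rendering leftovers and say where `$hostname` is expected to be set beforehand. Step 8's `cat > /mnt/root/.ssh/authorized_keys` assumes `/mnt/root/.ssh` already exists in the freshly bootstrapped tree; a `mkdir -m 700 -p /mnt/root/.ssh` before it makes the step safe. Step 9 is conditional ("If any of those latter things changed"), but step 6 always rewrites `mdadm.conf` and steps 4 and 5 touch fstab and crypttab, so the bind-mount, `update-initramfs -u` and `update-grub` sequence should be presented as unconditional rather than optional. Minor wording: `partitionning` to `partitioning`, `a 8MB` to `an 8MB`, `different medium` to `different media`, and `RAID-5 for 3` to `RAID-5 for 3 drives`.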
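Review bot: In the new-machine.mdwn change, `All commands to be run as root unless otherwise noted.` now appears twice, once above the `Installation` heading and again under `Configuration procedure`; the second copy reads like the original left in place when the sentence was moved to the top, so keep only one (the top placement already covers both sections).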