merge new-machine-hetzner-cloud into new-machine

ac9a98b9 · anarcat · bb40cc9f · ac9a98b9 · ac9a98b9
Unverified Commit ac9a98b9 authored 6 years ago by anarcat
--- a/tsa/old/new-machine-hetzner-cloud.mdwn
+++ b/tsa/old/new-machine-hetzner-cloud.mdwn
+Go to the [Heztner console](https://console.hetzner.cloud/) and clikety on the web interface to get
+a new instance. Credentials should be in tor-passwords.git.

-    cat /dev/null > /etc/default/locale
-    echo 'domain torproject.org' >>  /etc/resolv.conf
-    vi /etc/hosts
-
-* add to ldap on alberti
-    for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
-      echo "sshRSAHostKey: `cat $i`"; done
-
-* then:
-  : on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
-  : on nevii : && sudo -H ud-replicate
-
-* set up puppet:
-  : on pauli : &&
-        ( puppet agent -t --environment=production || true ) &&
-        ud-replicate &&
-        sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
-
-  : on new machine : &&
-        me=$(hostname -f) &&
-        [ "$me" != "${me%torproject.org}" ] &&
-        apt-get update &&
-        apt-get install -y --no-install-recommends puppet lsb-release &&
-        service puppet stop &&
-        systemctl mask puppet.service &&
-        (puppet agent -t || true ) &&
-        cd /var/lib/puppet/ssl/certificate_requests &&
-        echo sha256sum output: &&
-        echo &&
-        sha256sum $me.pem &&
-        echo &&
-        echo &&
-        cd /
-
-  : on pauli: &&
-        echo "paste sha256sum output now:" &&
-        read sha256 filename &&
-        cd /var/lib/puppet/ssl/ca/requests &&
-        ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
-        echo -e "$sha256  $filename" | sha256sum -c &&
-        puppet ca sign $(basename "$filename" .pem) &&
-        echo &&
-        echo &&
-        echo &&
-        echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
-        cat /var/lib/puppet/ssl/certs/ca.pem &&
-        echo 'EOF' &&
-        echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
-        cat /var/lib/puppet/ssl/ca/signed/$filename &&
-        echo 'EOF' &&
-        echo 'puppet agent --enable' &&
-        echo 'puppet agent -t --pluginsync' &&
-        echo 'puppet agent -t --pluginsync' &&
-        cd /
-
-* copy paste the thing you just created on pauli into a root shell on the new host
-
-* fix nsswitch for ud fu.  (you might have to restart sshd here)
-    sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd:         compat db/;
-              s/^group:[[:space:]]\+compat$/group:          db compat/;
-              s/^shadow:[[:space:]]\+compat$/shadow:         compat db/' \
-        /etc/nsswitch.conf
-    (cd / && service ssh restart)
-
-* do one ud-replicate:
-  puppet agent -t
-  echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7,2620:0:6b0:b:1a1a:0:26e5:4806 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAW1UewATLaASMo4mJoH+L8AgN1sJUIk/87z6OdrQNL9fDseLhFSPNg1LsL2Ep1ZbE22ieERHcaS4Mm8QrX9Y2VrUmFWK3jwz3+enhZkEzq7K+YKGKhUwSu+Cr+gKD1olKnw8COsZ4v5xkLh5Or854ZNJKRB84IF99P9TZ+0l/LyJCE3RVY/wV5FyhrweGmVUQVqsi7xv815uRNWjsiBWvizZddny8xaKsNTD7guo+nN9h9gjKzv6ktj/U9nbmBsBiLs4zZj7/6rfgXK020xOp63LXz8jRnDiISgHw+ERFYlmUYs04JXVrcI21jdnhzNCpLwSwBITQLSVPEaXJqO9v root@alberti > /etc/ssh/ssh_known_hosts &&
-  ud-replicate
-
-* get rid of unneeded network services:
-
-  dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
-  userdel -r Debian-exim
-
-* fix etc/aliases
-   ( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
-    sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
-
-* set new root password, and document it
-
-* run puppet a couple times 'til it converges:
-
-  puppet agent -t ; puppet agent -t ; puppet agent -t ; puppet agent -t ;
-
-* add more software
-  apt-get install fail2ban
-
-* swap and tmp
-    grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
-
-  ! grep swap /etc/fstab &&
-  dd if=/dev/zero bs=1024k count=1024 of=/swapfile &&
-  chmod 0 /swapfile &&
-  mkswap /swapfile &&
-  echo '/swapfile none swap sw 0 0' >> /etc/fstab &&
-  swapon -a
-
-* add to nagios
+Then follow [[new-machine]].
--- a/tsa/old/new-machine.mdwn
+++ b/tsa/old/new-machine.mdwn
@@ -7,7 +7,7 @@
    cat /dev/null > /etc/default/locale
    # cat /etc/resolv.conf   # and ensure it has domain torproject.org in it.
    grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >>  /etc/resolv.conf
-    cat /etc/hosts
+    vi /etc/hosts

 * add to ldap on alberti
    for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
@@ -73,6 +73,11 @@
  puppet agent -t
  puppet agent -t

+* do on ud-replicate:
+  puppet agent -t
+  echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7,2620:0:6b0:b:1a1a:0:26e5:4806 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAW1UewATLaASMo4mJoH+L8AgN1sJUIk/87z6OdrQNL9fDseLhFSPNg1LsL2Ep1ZbE22ieERHcaS4Mm8QrX9Y2VrUmFWK3jwz3+enhZkEzq7K+YKGKhUwSu+Cr+gKD1olKnw8COsZ4v5xkLh5Or854ZNJKRB84IF99P9TZ+0l/LyJCE3RVY/wV5FyhrweGmVUQVqsi7xv815uRNWjsiBWvizZddny8xaKsNTD7guo+nN9h9gjKzv6ktj/U9nbmBsBiLs4zZj7/6rfgXK020xOp63LXz8jRnDiISgHw+ERFYlmUYs04JXVrcI21jdnhzNCpLwSwBITQLSVPEaXJqO9v root@alberti > /etc/ssh/ssh_known_hosts &&
+  ud-replicate
+
 * get rid of unneeded network services:

  dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light