1 == setup/integrate a new machine ==
3 Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup]]. If stuff breaks fix it.
6 * install ssh if it isn't there already
16 * sane locales: (make sure there is _no_ locale defined in /etc/environment and /etc/default/locale)
18 echo -n > /etc/environment
19 echo -n > /etc/default/locale
22 * make debconf the same on every host: - dialog, - high
24 apt-get install dialog &&
25 echo "debconf debconf/priority select high" | debconf-set-selections &&
26 echo "debconf debconf/frontend select Dialog" | debconf-set-selections
29 * unless we want to keep it:
31 dpkg -l postfix | grep '^ii postfix' && (dpkg --purge postfix && rm /etc/aliases)
34 * setup [[puppet|howto/puppet-setup]] (run the puppet client two or three times until things converge.)
36 * on draghi, add the host to /home/sshdist/.ssh/authorized_keys
37 (you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
39 : :: draghi :: && sudo vi /home/sshdist/.ssh/authorized_keys
41 * use ud-host to add the new host to LDAP
42 * run generate, or wait until cron runs it for you
44 : :: draghi :: && sudo -u sshdist ud-generate
47 * fix nsswitch for ud fu. (you might have to restart sshd here)
49 sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/;
50 s/^group:\[[:space:]]\+compat$/group: db compat/;
51 s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \
53 (cd / && env -i /etc/init.d/ssh restart)
56 * install userdir-ldap
58 apt-get update && apt-get install userdir-ldap
61 * on the host, run ud-replicate
63 echo draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi >> /etc/ssh/ssh_known_hosts &&
72 * install debian.org which brings you shells and much other fun
74 apt-get install debian.org debian.org-recommended
77 * in /etc/ssh/sshd_config:
78 ** disable the DSA hostkey, so that it only does RSA
79 ** remove old host keys:
80 ** disable X11 forwarding
81 ** Tell it to use alternate authorized_keys locations
82 ** maybe link root's auth key there:
84 #| HostKey /etc/ssh/ssh_host_rsa_key
86 #| AuthorizedKeysFile /etc/ssh/userkeys/%u
87 #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
89 cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
90 mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
91 sed -i -e 's/^HostKey.*_dsa_key/# &/;
92 s/^X11Forwarding yes/X11Forwarding no/;
93 $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
94 $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
95 (cd / && env -i /etc/init.d/ssh restart)
98 * try to login using your user and ssh key. you should get a homedir.
100 * try to become root using sudo.
102 * disable password auth with ssh (again: once you verified you can log in and become root using keys.)
104 #vi /etc/ssh/sshd_config
105 # | PasswordAuthentication no
107 sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
108 (cd / && env -i /etc/init.d/ssh restart)
111 * make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
113 echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections
114 sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
115 dpkg-reconfigure ca-certificates
118 * Add debian-admin@debian.org to root in /etc/aliases
120 if ! egrep '^root:' /etc/aliases > /dev/null; then
121 echo "root: debian-admin@debian.org" >> /etc/aliases
122 elif ! egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then
123 sed -i -e 's/^root: .*/&, debian-admin@debian.org/' /etc/aliases
128 * add to munin on spohr
130 : :: spohr :: && sudo vi /etc/munin/munin.conf
133 * if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]]
135 * edit dedication into in $DSA-PUPPET/modules/debian-org/misc/local.yaml
139 -- weasel, Wed, 04 Jun 2008 20:52:56 +0200