X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fnew-machine.creole;h=241fd5ed6c16cd68a293ea430d3cd601485acadb;hb=d8f2ea8fb167de09f0da8c88425645d890523014;hp=2c51741fb0056a5dc4822a88ff0ba8d6f7feccb1;hpb=18c3ee1cb00437d1ffc6d056072676ea26d56ab7;p=mirror%2Fdsa-wiki.git
diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole
index 2c51741..241fd5e 100644
--- a/input/howto/new-machine.creole
+++ b/input/howto/new-machine.creole
@@ -1,217 +1,58 @@
-== setup/integrate a new machine ==
+= how to add a new machine =
-Note: this is partially obsolete now that we have [[puppet-setup|puppet]]. We should probably update/rework some parts.
+Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup]]. If stuff breaks fix it.
-* install ssh if it isn't there already
-{{{
- apt-get install ssh
-}}}
-
-* make apt sane
-{{{
- echo 'Acquire::PDiffs "false";' > /etc/apt/apt.conf.d/local-pdiff
- echo 'APT::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends
-}}}
-
-* sane locales:
- make sure there is _no_ locale defined in /etc/environment and /etc/default/locale
-
-* make debconf the same on every host: - dialog, - high
+* some initial stuff:
{{{
- dpkg-reconfigure debconf
+ apt-get install --no-install-recommends ssh vim &&
+ apt-get install --no-install-recommends dialog &&
+ echo "debconf debconf/priority select high" | debconf-set-selections &&
+ echo "debconf debconf/frontend select Dialog" | debconf-set-selections
}}}
-* add db.d.o to sources.list:
+* unless we want to keep it:
{{{
- cat > /etc/apt/sources.list.d/debian.org.list << EOF
-deb http://db.debian.org/debian-admin lenny main
-deb-src http://db.debian.org/debian-admin lenny main
-EOF
-
- apt-key add - << EOF
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.6 (GNU/Linux)
-
-mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug
-9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g
-picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6
-SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq
-CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S
-H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW
-VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ
-k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU
-gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu
-Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYFAkf4BP0CGwMFCQHhM4AGCwkI
-BwMCBBUCCAMEFgIDAQIeAQIXgAAKCRC+p88QvSsO4JZLAJ4slp2uRZHtzMXK8oTB
-DV1XiztTZwCfQD7Y2mKDaMsmE4AmwOOTw2fmcZo=
-=+jlJ
------END PGP PUBLIC KEY BLOCK-----
-EOF
-}}}
-
-* in /etc/ssh/sshd_config:
-** disable the DSA hostkey, so that it only does RSA
-** remove old host keys:
{{{
- cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub
+ dpkg -l postfix | grep '^ii postfix' && (dpkg --purge postfix && rm /etc/aliases)
}}}
-** disable X11 forwarding
-** Tell it to use alternate authorized_keys locations
-{{{
- | HostKey /etc/ssh/ssh_host_rsa_key
- | X11Forwarding no
- | AuthorizedKeysFile /etc/ssh/userkeys/%u
- | AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
- vi /etc/ssh/sshd_config
- (cd / && env -i /etc/init.d/ssh restart)
-}}}
+* on draghi, add the host to the ldap using ud-host. Set the ssh key and the IP Address attributes.
- * maybe link root's auth key there:
+* run generate, or wait until cron runs it for you. Update DNS.
{{{
- mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root
+ : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo -H puppet agent -t
+ : :: denis :: && sudo -H ud-replicate
}}}
+* setup [[puppet|howto/puppet-setup]] (run the puppet client two or three times until things converge.)
-* install userdir-ldap
+* on the host, run ud-replicate and check if it worked
{{{
- apt-get update && apt-get install userdir-ldap
-}}}
-
-
-* on samosa, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf
-(you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
-{{{
- :: samosa :: && sudo vi /home/sshdist/.ssh/authorized_keys
- :: samosa :: && sudo vi /etc/userdir-ldap/generate.conf
-}}}
-* run generate, or wait until cron runs it for you
-{{{
- :: samosa :: && sudo -u sshdist ud-generate
-}}}
-
-* fix nsswitch for ud fu.
-{{{
- sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/;
- s/^group:[[:space:]]\+compat$/group: db compat/;
- s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \
- /etc/nsswitch.conf
-}}}
-
-(you might have to restart sshd here:
-{{{
- (cd / && env -i /etc/init.d/ssh restart)
-}}}
-)
-
-* on the host, run ud-replicate
-{{{
- mkdir -p /root/.ssh &&
- echo db,db.debian.org,192.25.206.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAph3LozYmcwHwgnxfKia1lg1AXNuJiEroi/GpPztbcqxmFOYBZbMgYDj+kM+usoXF2diT9OQWqg1yx19CeEoghHYz4/yZa0PYdLgPj9Si4PScekVaE051GrLM63osfK0j3wIfpgLJv2/zs42NbXjkKPdjInEaWPn8W1fe88M3JDE= root@newsamosa >> /root/.ssh/known_hosts &&
+ apt-get update;
+ puppet agent -t; puppet agent -t; puppet agent -t
ud-replicate
+ puppet agent -t; puppet agent -t; puppet agent -t
}}}
-* check if it worked:
-{{{
- id weasel
-}}}
-
-* add pam_mkhomedir to common-session:
+* install security updates etc.
{{{
- grep pam_mkhomedir /etc/pam.d/common-session || \
- echo "session optional pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
+ apt-get update && apt-get dist-upgrade && apt-get clean
}}}
-* install debian.org which brings you shells and much other fun
+* install samhain and get puppet to configure it
{{{
- apt-get install debian.org
+ apt-get install -y samhain &&
+ ( puppet agent -t || true ) &&
+ service samhain stop &&
+ rm -f /var/state/samhain/samhain_file /var/lib/samhain/samhain_file &&
+ samhain --foreground -t init -p none -s none -l none -m none &&
+ service samhain start
}}}
-* try to login using your user and ssh key. you should get a homedir.
+* if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]]
-* make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
-{{{
- sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
- dpkg-reconfigure ca-certificates
-}}}
-
-* exim setup:
-{{{
- :: now obsolete :: &&
- apt-get install git-core curl &&
- ! [ -d /etc/exim4.bak ] &&
- /etc/init.d/exim4 stop &&
- mv /etc/exim4 /etc/exim4.bak &&
- mkdir /etc/exim4 &&
- cd /etc/exim4 &&
- git clone https://db.debian.org/git/dsa-exim.git Git &&
- ./Git/bin/update &&
- (cd / && /etc/init.d/exim4 start)
-}}}
- ** Add debian-admin@debian.org to root in /etc/aliases
-
-* sane default editor
-{{{
- apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic
-}}}
-
-* setup sudo
-{{{
- grep '^%adm' /etc/sudoers || echo '%adm ALL=(ALL) ALL' >> /etc/sudoers
- grep '^%adm.*apt-get' /etc/sudoers || echo '%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none' >> /etc/sudoers
-
- apt-get install libpam-pwdfile
- cat > /etc/pam.d/sudo << EOF
-#%PAM-1.0
-
-auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
-auth required pam_unix.so nullok_secure try_first_pass
-#@include common-auth
-@include common-account
-
-session required pam_permit.so
-session required pam_limits.so
-EOF
-}}}
-
-* OPEN A NEW SHELL - DO _NOT_ LOG OUT OF THIS ONE:
- test that the dedicated sudo password works. if not, undo the pam sudo config.
- (comment out the auth lines and include common-auth again)
-
-* setup ldap.conf:
-{{{
- grep '^URI.*db.debian.org' /etc/ldap/ldap.conf || cat >> /etc/ldap/ldap.conf << EOF
-
-URI ldap://db.debian.org
-BASE dc=debian,dc=org
-
-TLS_CACERT /etc/ssl/certs/spi-cacert-2008.pem
-TLS_REQCERT hard
-EOF
-}}}
-
-* munin setup:
-* grant access to spohr
-{{{
- sed -i -e '/^allow/d; $ a \allow ^192\\\.25\\\.206\\\.57$\nallow ^192\\\.25\\\.206\\\.33$' /etc/munin/munin-node.conf
- ( cd / && env -i /etc/init.d/munin-node restart )
-}}}
-* add to munin on spohr
-{{{
- :: spohr :: && sudo vi /etc/munin/munin.conf
-}}}
-
-
-* add host to nagios config
-
-* disable password auth with ssh, once you verified you can log in
- and become root using keys.
-{{{
- vi /etc/ssh/sshd_config
- | PasswordAuthentication no
- (cd / && env -i /etc/init.d/ssh restart)
-}}}
+* edit dedication into in $DSA-PUPPET/modules/debian_org/files/misc/local.yaml
-* if it is a HP Proliant, or has other management fu, read setup-oob
+* add to nagios
-- weasel, Wed, 04 Jun 2008 20:52:56 +0200