X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fnew-machine.creole;h=edaad0a00fd50124ad876fad8ca902256a4f0380;hb=48c4da775783b3a16293b3b0a77bd5a8e43333c6;hp=2c51741fb0056a5dc4822a88ff0ba8d6f7feccb1;hpb=18c3ee1cb00437d1ffc6d056072676ea26d56ab7;p=mirror%2Fdsa-wiki.git diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole index 2c51741..edaad0a 100644 --- a/input/howto/new-machine.creole +++ b/input/howto/new-machine.creole @@ -1,6 +1,6 @@ == setup/integrate a new machine == -Note: this is partially obsolete now that we have [[puppet-setup|puppet]]. We should probably update/rework some parts. +Note: this is partially obsolete now that we have [[puppet|howto/puppet-setup]]. We should probably update/rework some parts. * install ssh if it isn't there already {{{ @@ -17,9 +17,16 @@ Note: this is partially obsolete now that we have [[puppet-setup|puppet]]. We s make sure there is _no_ locale defined in /etc/environment and /etc/default/locale +{{{ + echo -n > /etc/environment + echo -n > /etc/default/locale +}}} + * make debconf the same on every host: - dialog, - high {{{ - dpkg-reconfigure debconf + apt-get install dialog && + echo "debconf debconf/priority select high" | debconf-set-selections && + echo "debconf debconf/frontend select Dialog" | debconf-set-selections }}} * add db.d.o to sources.list: @@ -31,7 +38,7 @@ EOF apt-key add - << EOF -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.6 (GNU/Linux) +Version: GnuPG v1.4.9 (GNU/Linux) mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug 9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g @@ -42,35 +49,35 @@ H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu -Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYFAkf4BP0CGwMFCQHhM4AGCwkI -BwMCBBUCCAMEFgIDAQIeAQIXgAAKCRC+p88QvSsO4JZLAJ4slp2uRZHtzMXK8oTB -DV1XiztTZwCfQD7Y2mKDaMsmE4AmwOOTw2fmcZo= -=+jlJ +Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID +AQIeAQIXgAUCSdlA9AUJA8JvcwAKCRC+p88QvSsO4AoeAJ0dY+rDwxNVR6HPs8JZ +xLceOYU/hgCeNW1KkOXrSt2Lv8PVWXnr5jHNZSo= +=4LFD -----END PGP PUBLIC KEY BLOCK----- EOF }}} * in /etc/ssh/sshd_config: ** disable the DSA hostkey, so that it only does RSA -** remove old host keys:
{{{ - cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub -}}} +** remove old host keys: ** disable X11 forwarding ** Tell it to use alternate authorized_keys locations -{{{ - | HostKey /etc/ssh/ssh_host_rsa_key - | X11Forwarding no - | AuthorizedKeysFile /etc/ssh/userkeys/%u - | AuthorizedKeysFile2 /var/lib/misc/userkeys/%u - - vi /etc/ssh/sshd_config +** maybe link root's auth key there: +{{{ + #| HostKey /etc/ssh/ssh_host_rsa_key + #| X11Forwarding no + #| AuthorizedKeysFile /etc/ssh/userkeys/%u + #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u + + cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub && + mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root && + sed -i -e 's/^HostKey.*_dsa_key/# &/; + s/^X11Forwarding yes/X11Forwarding no/; + $ a AuthorizedKeysFile /etc/ssh/userkeys/%u + $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config && (cd / && env -i /etc/init.d/ssh restart) }}} - * maybe link root's auth key there: -{{{ - mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root -}}} * install userdir-ldap @@ -79,22 +86,22 @@ EOF }}} -* on samosa, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf +* on draghi, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf (you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}}) {{{ - :: samosa :: && sudo vi /home/sshdist/.ssh/authorized_keys - :: samosa :: && sudo vi /etc/userdir-ldap/generate.conf + : :: draghi :: && sudo vi /home/sshdist/.ssh/authorized_keys + : :: draghi :: && sudo vi /etc/userdir-ldap/generate.conf }}} * run generate, or wait until cron runs it for you {{{ - :: samosa :: && sudo -u sshdist ud-generate + : :: draghi :: && sudo -u sshdist ud-generate }}} * fix nsswitch for ud fu. {{{ - sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/; - s/^group:[[:space:]]\+compat$/group: db compat/; - s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \ + sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/; + s/^group:\[[:space:]]\+compat$/group: db compat/; + s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \ /etc/nsswitch.conf }}} @@ -106,8 +113,7 @@ EOF * on the host, run ud-replicate {{{ - mkdir -p /root/.ssh && - echo db,db.debian.org,192.25.206.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAph3LozYmcwHwgnxfKia1lg1AXNuJiEroi/GpPztbcqxmFOYBZbMgYDj+kM+usoXF2diT9OQWqg1yx19CeEoghHYz4/yZa0PYdLgPj9Si4PScekVaE051GrLM63osfK0j3wIfpgLJv2/zs42NbXjkKPdjInEaWPn8W1fe88M3JDE= root@newsamosa >> /root/.ssh/known_hosts && + echo draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi >> /etc/ssh/ssh_known_hosts && ud-replicate }}} @@ -131,24 +137,20 @@ EOF * make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated) {{{ + echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf dpkg-reconfigure ca-certificates }}} -* exim setup: +* Add debian-admin@debian.org to root in /etc/aliases {{{ - :: now obsolete :: && - apt-get install git-core curl && - ! [ -d /etc/exim4.bak ] && - /etc/init.d/exim4 stop && - mv /etc/exim4 /etc/exim4.bak && - mkdir /etc/exim4 && - cd /etc/exim4 && - git clone https://db.debian.org/git/dsa-exim.git Git && - ./Git/bin/update && - (cd / && /etc/init.d/exim4 start) + if ! egrep '^root:' /etc/aliases > /dev/null; then + echo "root: debian-admin@debian.org" >> /etc/aliases + elif ! egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then + sed -i -e 's/^root: .*/&, debian-admin@debian.org/' /etc/aliases + fi + newaliases }}} - ** Add debian-admin@debian.org to root in /etc/aliases * sane default editor {{{ @@ -178,40 +180,30 @@ EOF test that the dedicated sudo password works. if not, undo the pam sudo config. (comment out the auth lines and include common-auth again) -* setup ldap.conf: -{{{ - grep '^URI.*db.debian.org' /etc/ldap/ldap.conf || cat >> /etc/ldap/ldap.conf << EOF - -URI ldap://db.debian.org -BASE dc=debian,dc=org - -TLS_CACERT /etc/ssl/certs/spi-cacert-2008.pem -TLS_REQCERT hard -EOF -}}} - -* munin setup: -* grant access to spohr -{{{ - sed -i -e '/^allow/d; $ a \allow ^192\\\.25\\\.206\\\.57$\nallow ^192\\\.25\\\.206\\\.33$' /etc/munin/munin-node.conf - ( cd / && env -i /etc/init.d/munin-node restart ) -}}} * add to munin on spohr {{{ - :: spohr :: && sudo vi /etc/munin/munin.conf + : :: spohr :: && sudo vi /etc/munin/munin.conf }}} -* add host to nagios config - * disable password auth with ssh, once you verified you can log in and become root using keys. {{{ - vi /etc/ssh/sshd_config - | PasswordAuthentication no + #vi /etc/ssh/sshd_config + # | PasswordAuthentication no + + sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && (cd / && env -i /etc/init.d/ssh restart) }}} -* if it is a HP Proliant, or has other management fu, read setup-oob +* if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]] + +* setup [[puppet|howto/puppet-setup]] + +* edit dedication into in $DSA-PUPPET/modules/debian-org/misc/local.yaml + +* add to nagios + +* add host to ldap: ud-host -a $USER -h .... -- weasel, Wed, 04 Jun 2008 20:52:56 +0200