1 == setup/integrate a new machine ==
3 Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup]]. If stuff breaks fix it.
6 * install ssh if it isn't there already
11 * sane locales: (make sure there is _no_ locale defined in /etc/environment and /etc/default/locale)
13 echo -n > /etc/environment
14 echo -n > /etc/default/locale
17 * make debconf the same on every host: - dialog, - high
19 apt-get install dialog &&
20 echo "debconf debconf/priority select high" | debconf-set-selections &&
21 echo "debconf debconf/frontend select Dialog" | debconf-set-selections
24 * unless we want to keep it:
26 dpkg -l postfix | grep '^ii postfix' && (dpkg --purge postfix && rm /etc/aliases)
29 * on draghi, add the host to the ldap using ud-host. Set the ssh key and the IP Address attributes.
31 * run generate, or wait until cron runs it for you
33 : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate
36 * setup [[puppet|howto/puppet-setup]] (run the puppet client two or three times until things converge.)
39 * fix nsswitch for ud fu. (you might have to restart sshd here)
41 sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/;
42 s/^group:\[[:space:]]\+compat$/group: db compat/;
43 s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \
45 (cd / && env -i /etc/init.d/ssh restart)
48 * install userdir-ldap
50 apt-get update && apt-get install userdir-ldap
53 * on the host, run ud-replicate
55 echo draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi >> /etc/ssh/ssh_known_hosts &&
64 * install debian.org which brings you shells and much other fun
66 apt-get install debian.org debian.org-recommended
69 * in /etc/ssh/sshd_config:
70 ** disable the DSA hostkey, so that it only does RSA
71 ** remove old host keys:
72 ** disable X11 forwarding
73 ** Tell it to use alternate authorized_keys locations
74 ** maybe link root's auth key there:
76 #| HostKey /etc/ssh/ssh_host_rsa_key
78 #| AuthorizedKeysFile /etc/ssh/userkeys/%u
79 #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
81 cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
82 mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
83 sed -i -e 's/^HostKey.*_dsa_key/# &/;
84 s/^X11Forwarding yes/X11Forwarding no/;
85 $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
86 $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
87 (cd / && env -i /etc/init.d/ssh restart)
90 * try to login using your user and ssh key. you should get a homedir.
92 * try to become root using sudo.
94 * disable password auth with ssh (again: once you verified you can log in and become root using keys.)
96 #vi /etc/ssh/sshd_config
97 # | PasswordAuthentication no
99 sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
100 (cd / && env -i /etc/init.d/ssh restart)
103 * make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
105 echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections
106 sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
107 dpkg-reconfigure ca-certificates
110 * Add debian-admin@debian.org to root in /etc/aliases
112 if ! egrep '^root:' /etc/aliases > /dev/null; then
113 echo "root: debian-admin@debian.org" >> /etc/aliases
114 elif ! egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then
115 sed -i -e 's/^root: .*/&, debian-admin@debian.org/' /etc/aliases
120 * sane default editor
122 apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic
125 * add to munin on spohr
127 : :: spohr :: && sudo vi /etc/munin/munin.conf
130 * if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]]
132 * edit dedication into in $DSA-PUPPET/modules/debian-org/misc/local.yaml
136 -- weasel, Wed, 04 Jun 2008 20:52:56 +0200