Add new-machine
authorPeter Palfrader <peter@palfrader.org>
Thu, 12 Mar 2009 23:59:24 +0000 (00:59 +0100)
committerPeter Palfrader <peter@palfrader.org>
Thu, 12 Mar 2009 23:59:24 +0000 (00:59 +0100)
input/howto/new-machine.creole [new file with mode: 0644]

diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole
new file mode 100644 (file)
index 0000000..427163d
--- /dev/null
@@ -0,0 +1,217 @@
+== setup/integrate a new machine ==
+
+Note: this is partially obsolete now that we have [[puppet-setup|puppet]].  We should probably update/rework some parts.
+
+* install ssh if it isn't there already
+{{{
+    apt-get install ssh
+}}}
+
+* make apt sane
+{{{
+    echo 'Acquire::PDiffs "false";' > /etc/apt/apt.conf.d/local-pdiff
+    echo 'APT::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends
+}}}
+
+* sane locales:
+
+ make sure there is _no_ locale defined in /etc/environment and /etc/default/locale
+
+* make debconf the same on every host: - dialog, - high
+{{{
+    dpkg-reconfigure debconf
+}}}
+
+* add db.d.o to sources.list:
+{{{
+    cat > /etc/apt/sources.list.d/debian.org.list << EOF
+deb     http://db.debian.org/debian-admin lenny main
+deb-src http://db.debian.org/debian-admin lenny main
+EOF
+
+    apt-key add - << EOF
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+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+=+jlJ
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+}}}
+
+* in /etc/ssh/sshd_config:
+** disable the DSA hostkey, so that it only does RSA
+** remove old host keys: <BR>{{{
+    cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub
+}}}
+** disable X11 forwarding
+** Tell it to use alternate authorized_keys locations
+{{{
+    | HostKey /etc/ssh/ssh_host_rsa_key
+    | X11Forwarding no
+    | AuthorizedKeysFile /etc/ssh/userkeys/%u
+    | AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
+
+    vi /etc/ssh/sshd_config
+    (cd / && env -i /etc/init.d/ssh restart)
+}}}
+
+  * maybe link root's auth key there:
+{{{
+    mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root
+}}}
+
+
+* install userdir-ldap
+{{{
+    apt-get update && apt-get install userdir-ldap
+}}}
+
+
+* on samosa, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf
+(you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
+{{{
+    :: samosa :: && sudo vi /home/sshdist/.ssh/authorized_keys
+    :: samosa :: && sudo vi /etc/userdir-ldap/generate.conf
+}}}
+* run generate, or wait until cron runs it for you
+{{{
+    :: samosa :: && sudo -u sshdist ud-generate
+}}}
+
+* fix nsswitch for ud fu.
+{{{
+    sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd:         compat db/;
+              s/^group:[[:space:]]\+compat$/group:           db compat/;
+              s/^shadow:[[:space:]]\+compat$/shadow:         compat db/' \
+        /etc/nsswitch.conf
+}}}
+
+(you might have to restart sshd here:
+{{{
+    (cd / && env -i /etc/init.d/ssh restart)
+}}}
+)
+
+* on the host, run ud-replicate
+{{{
+    mkdir -p /root/.ssh &&
+    echo db,db.debian.org,192.25.206.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAph3LozYmcwHwgnxfKia1lg1AXNuJiEroi/GpPztbcqxmFOYBZbMgYDj+kM+usoXF2diT9OQWqg1yx19CeEoghHYz4/yZa0PYdLgPj9Si4PScekVaE051GrLM63osfK0j3wIfpgLJv2/zs42NbXjkKPdjInEaWPn8W1fe88M3JDE= root@newsamosa >> /root/.ssh/known_hosts &&
+    ud-replicate
+}}}
+
+* check if it worked:
+{{{
+    id weasel
+}}}
+
+* add pam_mkhomedir to common-session:
+{{{
+    grep pam_mkhomedir /etc/pam.d/common-session || \
+    echo "session optional        pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
+}}}
+
+* install debian.org which brings you shells and much other fun
+{{{
+    apt-get install debian.org
+}}}
+
+* try to login using your user and ssh key.  you should get a homedir.
+
+* make ca-certificates sane:  (choose to *not* trust new certs, and we only want the spi cert activated)
+{{{
+    sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
+    dpkg-reconfigure ca-certificates
+}}}
+
+* exim setup:
+{{{{
+    :: now obsolete :: &&
+    apt-get install git-core curl &&
+    ! [ -d /etc/exim4.bak ] &&
+    /etc/init.d/exim4 stop &&
+    mv /etc/exim4 /etc/exim4.bak &&
+    mkdir /etc/exim4 &&
+    cd /etc/exim4 &&
+    git clone https://db.debian.org/git/dsa-exim.git Git &&
+    ./Git/bin/update &&
+    (cd / && /etc/init.d/exim4 start)
+}}}
+ ** Add debian-admin@debian.org to root in /etc/aliases
+
+* sane default editor
+{{{
+    apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic
+}}}
+
+* setup sudo
+{{{
+    grep '^%adm' /etc/sudoers || echo '%adm    ALL=(ALL) ALL' >> /etc/sudoers
+    grep '^%adm.*apt-get' /etc/sudoers || echo '%adm    ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none' >> /etc/sudoers
+
+    apt-get install libpam-pwdfile
+    cat > /etc/pam.d/sudo << EOF
+#%PAM-1.0
+
+auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
+auth required pam_unix.so nullok_secure try_first_pass
+#@include common-auth
+@include common-account
+
+session required pam_permit.so
+session required pam_limits.so
+EOF
+}}}
+
+* OPEN A NEW SHELL - DO _NOT_ LOG OUT OF THIS ONE:<BR>
+  test that the dedicated sudo password works.  if not, undo the pam sudo config.
+  (comment out the auth lines and include common-auth again)
+
+* setup ldap.conf:
+{{{
+    grep '^URI.*db.debian.org' /etc/ldap/ldap.conf || cat >> /etc/ldap/ldap.conf << EOF
+
+URI             ldap://db.debian.org
+BASE            dc=debian,dc=org
+
+TLS_CACERT      /etc/ssl/certs/spi-cacert-2008.pem
+TLS_REQCERT     hard
+EOF
+}}}
+
+* munin setup:
+* grant access to spohr
+{{{
+    sed -i -e '/^allow/d; $ a \allow ^192\\\.25\\\.206\\\.57$\nallow ^192\\\.25\\\.206\\\.33$' /etc/munin/munin-node.conf
+    ( cd / && env -i /etc/init.d/munin-node restart )
+}}}
+* add to munin on spohr
+{{{
+    :: spohr :: && sudo vi /etc/munin/munin.conf
+}}}
+
+
+* add host to nagios config
+
+* disable password auth with ssh, once you verified you can log in
+  and become root using keys.
+{{{
+    vi /etc/ssh/sshd_config
+      | PasswordAuthentication no
+    (cd / && env -i /etc/init.d/ssh restart)
+}}}
+
+* if it is a HP Proliant, or has other management fu, read setup-oob
+
+-- weasel, Wed, 04 Jun 2008 20:52:56 +0200
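Review bot: The sudo setup step appends to /etc/sudoers with a bare redirect (`grep '^%adm' /etc/sudoers || echo '%adm    ALL=(ALL) ALL' >> /etc/sudoers`, and the NOPASSWD line after it) and never checks the result, so a stray quote or a partial write locks every admin out of sudo on the new host; add `visudo -c -f /etc/sudoers` immediately after the two appends, before the PAM stack is replaced, and stop if it reports an error. The `pam_pwdfile.so` line that follows uses `authinfo_unavail=ignore`, so a missing or unreadable /var/lib/misc/thishost/sudo-passwd silently falls through to `pam_unix.so` and the user's normal account password — that is the intended safety net, but the "OPEN A NEW SHELL" check should say that a working sudo does not by itself prove the dedicated password file is in use (e.g. `ls -l /var/lib/misc/thishost/sudo-passwd` first). The `nullok_secure` option carried onto that pam_unix line presumably lets an account with an empty password field sudo from a tty listed in /etc/securetty; on an LDAP-fed host that seems an unnecessary exception, so consider dropping it.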