Installation
This document assumes the machine is already installed with a Debian operating system. We preferably install stable or, when close to the release, testing. Here are site-specific installs:
Configuration procedure
All commands to be run as root unless otherwise noted.
set a hostname - pick an unused one from the naming-scheme
set new root password, and document it
swap and tmp
grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab ! grep swap /etc/fstab && \ dd if=/dev/zero bs=1024k count=1024 of=/swapfile && \ chmod 0 /swapfile && \ mkswap /swapfile && \ echo '/swapfile none swap sw 0 0' >> /etc/fstab && \ swapon -asanitize DNS configuration:
# grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf vi /etc/hosts # make sure the local host is there with both FQDN and just hostnameadd to ldap on
albertiusing:ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"To generate the LDAP block, you can use the
tor-install-generate-ldapscript intsa-misc. Make sure you review all fields, in particularlocation(l),physicalHost,descriptionandpurposewhich do not have good defaults.See also the ldapvi manual for more information.
then:
on alberti:
sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -ton nevii:
sudo -H ud-replicate
set up puppet:
on pauli:
( puppet agent -t --environment=production || true ) && \ ud-replicate && \ sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca installon new machine:
me=$(hostname -f) && \ [ "$me" != "${me%torproject.org}" ] && \ apt-get update && \ apt-get install -y --no-install-recommends puppet lsb-release && \ service puppet stop && \ systemctl mask puppet.service && \ (puppet agent -t || true ) && \ cd /var/lib/puppet/ssl/certificate_requests && \ echo sha256sum output: && \ echo && \ sha256sum $me.pem && \ echo && \ echo && \ cd /on pauli:
echo "paste sha256sum output now:" && \ read sha256 filename && \ cd /var/lib/puppet/ssl/ca/requests && \ ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && \ echo "$sha256 $filename" | sha256sum -c && \ puppet ca sign $(basename "$filename" .pem) && \ echo && \ echo "--- 8< --- CUT HERE --- 8< ---" && \ echo && \ echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && \ cat /var/lib/puppet/ssl/certs/ca.pem && \ echo 'EOF' && \ echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && \ cat /var/lib/puppet/ssl/ca/signed/$filename && \ echo 'EOF' && \ echo 'puppet agent --enable' && \ echo 'puppet agent -t --pluginsync' && \ echo 'puppet agent -t --pluginsync' && \ echo && \ echo "--- 8< --- CUT HERE --- 8< ---" && \ echo && \ cd /
copy paste the thing between
CUT HEREfrompauliinto a root shell on the new hostdo more puppet runs, and run a ud-replicate to get ldap users, then more puppet runs since we now have more users:
puppet agent -t ud-replicate puppet agent -t puppet agent -tdo an upgrade in case there has been one recently
apt update && apt dist-upgrade && apt cleanget rid of unneeded network services (only needed if we did not install this from a minbase but from somebody else's install/image):
dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light userdel -r Debian-eximfix
/etc/aliases:( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) && sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliasesadd to nagios, in
tor-nagios/config/nagios-master.cfgdocument the machine in the Nextcloud spreadsheet, and the services page, if it's a new service