Installation

This document assumes the machine is already installed with a Debian operating system. We preferably install stable or, when close to the release, testing. Here are site-specific installs:

Configuration procedure

All commands to be run as root unless otherwise noted.

  • set a hostname - pick an unused one from the naming-scheme

  • set new root password, and document it

  • swap and tmp

      grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
    
      ! grep swap /etc/fstab && \
      dd if=/dev/zero bs=1024k count=1024 of=/swapfile && \
      chmod 0 /swapfile && \
      mkswap /swapfile && \
      echo '/swapfile none swap sw 0 0' >> /etc/fstab && \
      swapon -a
    
  • sanitize DNS configuration:

      # grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >>  /etc/resolv.conf
      grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf
      vi /etc/hosts # make sure the local host is there with both FQDN and just hostname
    
  • add to ldap on alberti using:

      ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"
    

    To generate the LDAP block, you can use the tor-install-generate-ldap script in tsa-misc. Make sure you review all fields, in particular location (l), physicalHost, description and purpose which do not have good defaults.

    See also the ldapvi manual for more information.

  • then:

    • on alberti:

      sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -t
      
    • on nevii:

      sudo -H ud-replicate
      
  • set up puppet:

    • on pauli:

      ( puppet agent -t --environment=production || true ) && \
      ud-replicate && \
      sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
      
    • on new machine:

      me=$(hostname -f) && \
      [ "$me" != "${me%torproject.org}" ] && \
      apt-get update && \
      apt-get install -y --no-install-recommends puppet lsb-release && \
      service puppet stop && \
      systemctl mask puppet.service && \
      (puppet agent -t || true ) && \
      cd /var/lib/puppet/ssl/certificate_requests && \
      echo sha256sum output: && \
      echo && \
      sha256sum $me.pem && \
      echo && \
      echo && \
      cd /
      
    • on pauli:

      echo "paste sha256sum output now:" && \
      read sha256 filename && \
      cd /var/lib/puppet/ssl/ca/requests && \
      ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && \
      echo "$sha256  $filename" | sha256sum -c && \
      puppet ca sign $(basename "$filename" .pem) && \
      echo && \
      echo "--- 8< --- CUT HERE --- 8< ---" && \
      echo && \
      echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && \
      cat /var/lib/puppet/ssl/certs/ca.pem && \
      echo 'EOF' && \
      echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && \
      cat /var/lib/puppet/ssl/ca/signed/$filename && \
      echo 'EOF' && \
      echo 'puppet agent --enable' && \
      echo 'puppet agent -t --pluginsync' && \
      echo 'puppet agent -t --pluginsync' && \
      echo && \
      echo "--- 8< --- CUT HERE --- 8< ---" && \
      echo && \
      cd /
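
    The check that gates `puppet ca sign` in the pauli step above, as a reusable shell function. This is an added example, not code from this page or from the Tor sysadmin tooling; the function name `check_csr_fingerprint`, its argument order and the scratch directory the demonstration creates are assumptions. The function only validates the pasted digest against the request file (and refuses a request name that contains a path component, since the name is typed in by hand); the `puppet ca sign` call from the procedure follows once it returns success.

```shell
# Added example (not from the original page): verify the sha256 digest pasted
# from the new host against the CSR in the CA's request directory before
# signing. Arguments: EXPECTED_SHA256 FILENAME [REQDIR]; REQDIR defaults to
# the path used in the procedure. Returns 0 only when everything matches.
check_csr_fingerprint() {
    expected=$1; filename=$2; reqdir=${3:-/var/lib/puppet/ssl/ca/requests}

    # The file name is typed by hand: reject anything with a path component
    # or a leading dot so "$reqdir/$filename" cannot leave the directory.
    case $filename in
        */*|.*|'') echo "refusing odd request name: '$filename'" >&2; return 1 ;;
    esac

    # Accept only a 64-digit lowercase hex digest (the form sha256sum prints),
    # so a mistyped or truncated paste fails loudly instead of silently.
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "not a sha256 hex digest: '$expected'" >&2; return 1
    fi

    [ -e "$reqdir/$filename" ] || { echo "$filename does not exist." >&2; return 1; }

    # sha256sum -c compares the digest we were given with the file on disk;
    # --status keeps it quiet and leaves only the exit code.
    ( cd "$reqdir" && printf '%s  %s\n' "$expected" "$filename" | sha256sum -c --status )
}

# Demonstration on a constructed request directory; any file content works
# for the digest check, so no real CSR is needed.
demo_dir=$(mktemp -d)
printf 'constructed request body\n' > "$demo_dir/host.example.invalid.pem"
good=$(sha256sum "$demo_dir/host.example.invalid.pem" | cut -d' ' -f1)
check_csr_fingerprint "$good" host.example.invalid.pem "$demo_dir" && echo "fingerprint ok, safe to sign"
check_csr_fingerprint "$good" ../host.example.invalid.pem "$demo_dir" || echo "rejected path-like name"
rm -rf "$demo_dir"
```

    On pauli the call would be `check_csr_fingerprint "$sha256" "$filename" && puppet ca sign "$(basename "$filename" .pem)"`, with `$sha256` and `$filename` coming from the `read` in the procedure.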
      
  • copy and paste the block between the CUT HERE markers that pauli printed into a root shell on the new host

  • do more puppet runs, and run a ud-replicate to get ldap users, then more puppet runs since we now have more users:

      puppet agent -t
      ud-replicate
      puppet agent -t
      puppet agent -t
    
  • do an upgrade in case there has been one recently

      apt update && apt dist-upgrade && apt clean
    
  • get rid of unneeded network services (only needed if we did not install this from a minbase but from somebody else's install/image):

      dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
      userdel -r Debian-exim
    
  • fix /etc/aliases:

      ( grep -q '^root:' /etc/aliases || echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) && \
      sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
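
    The fstab, resolv.conf and aliases steps all rely on the same "grep, and append if missing" pattern. The following added example (not code from this page or from the Tor sysadmin tooling) wraps that pattern in two idempotent helpers, `ensure_line` and `set_root_alias`, whose names are assumptions. They take the file path as an argument so they can be tried on a scratch file before being pointed at `/etc/fstab` or `/etc/aliases`, and running them twice leaves the file unchanged.

```shell
# Added example (not from the original page): idempotent helpers for the
# "grep || append" steps in the procedure. The target file is a parameter.

# ensure_line FILE LINE: append LINE to FILE unless an identical line exists.
ensure_line() {
    file=$1; line=$2
    touch "$file"
    # -x matches the whole line, -F treats LINE as a fixed string.
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# set_root_alias FILE ADDRESS: make the root: alias in FILE point at ADDRESS,
# adding the line when absent and rewriting it when present, so the call
# succeeds either way and newaliases can follow unconditionally.
set_root_alias() {
    file=$1; addr=$2
    touch "$file"
    if grep -q '^root:' "$file"; then
        # '|' as the sed delimiter so an address containing '/' is safe.
        sed -i -e "s|^root:.*|root: $addr|" "$file"
    else
        printf 'root: %s\n' "$addr" >> "$file"
    fi
}

# count_lines FILE PATTERN: number of lines matching PATTERN (prints 0 when
# none match; grep's exit status is ignored).
count_lines() {
    grep -c -- "$2" "$1" || true
}

# Demonstration on a constructed scratch file; safe to run anywhere.
demo_file=$(mktemp)
ensure_line "$demo_file" 'tmpfs /tmp tmpfs defaults 0 0'
ensure_line "$demo_file" 'tmpfs /tmp tmpfs defaults 0 0'   # second call is a no-op
set_root_alias "$demo_file" 'root@example.invalid'
set_root_alias "$demo_file" 'torproject-admin@torproject.org'
cat "$demo_file"
rm -f "$demo_file"
```

    On a real host the aliases step becomes `set_root_alias /etc/aliases torproject-admin@torproject.org && newaliases`.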
    
  • add to nagios, in tor-nagios/config/nagios-master.cfg

  • document the machine in the Nextcloud spreadsheet, and the services page, if it's a new service