## Installation

This document assumes the machine is already installed with a Debian operating system. We preferably install stable or, when close to the release, testing. Here are site-specific installs:

- new-machine-hetzner-cloud
- new-machine-hetzner-robot
- for a new machine in the ganeti cluster, see the ganeti configuration, "Adding a new instance" section
## Configuration procedure

All commands are to be run as root unless otherwise noted.

Set a hostname: pick an unused one from the naming scheme.

Allocate and document the machine in the Nextcloud spreadsheet and, if it's a new service, on the services page.

Set a new root password, and document it.

Set up swap and tmp:

```
grep -q tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
! grep -q swap /etc/fstab && \
  dd if=/dev/zero bs=1024k count=1024 of=/swapfile && \
  chmod 0 /swapfile && \
  mkswap /swapfile && \
  echo '/swapfile none swap sw 0 0' >> /etc/fstab && \
  swapon -a
```

Sanitize the DNS configuration:

```
# grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf
vi /etc/hosts # make sure the local host is there with both FQDN and just hostname
```

Add the machine to LDAP, on alberti, using:

```
ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"
```

To generate the LDAP block, you can use the `tor-install-generate-ldap` script in tsa-misc. Make sure you review all fields, in particular `location` (`l`), `physicalHost`, `description` and `purpose`, which do not have good defaults. See the upgrades section for information about the `rebootPolicy` field, and the ldapvi manual for more information.

Then, on alberti:

```
sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -t
```

and on nevii:

```
sudo -H ud-replicate
```

Set up Puppet. On pauli:

```
( puppet agent -t --environment=production || true ) && \
  ud-replicate && \
  sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
```

On the new machine:

```
me=$(hostname -f) && \
  [ "$me" != "${me%torproject.org}" ] && \
  apt-get update && \
  apt-get install -y --no-install-recommends puppet lsb-release && \
  service puppet stop && \
  systemctl mask puppet.service && \
  ( puppet agent -t || true ) && \
  cd /var/lib/puppet/ssl/certificate_requests && \
  echo sha256sum output: && \
  echo && \
  sha256sum $me.pem && \
  echo && \
  echo && \
  cd /
```

On pauli:

```
echo "paste sha256sum output now:" && \
  read sha256 filename && \
  cd /var/lib/puppet/ssl/ca/requests && \
  ( [ -e "$filename" ] || (echo "$filename does not exist."; exit 1) ) && \
  echo "$sha256 $filename" | sha256sum -c && \
  puppet ca sign $(basename "$filename" .pem) && \
  echo && \
  echo "--- 8< --- CUT HERE --- 8< ---" && \
  echo && \
  echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && \
  cat /var/lib/puppet/ssl/certs/ca.pem && \
  echo 'EOF' && \
  echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && \
  cat /var/lib/puppet/ssl/ca/signed/$filename && \
  echo 'EOF' && \
  echo 'puppet agent --enable' && \
  echo 'puppet agent -t --pluginsync' && \
  echo 'puppet agent -t --pluginsync' && \
  echo && \
  echo "--- 8< --- CUT HERE --- 8< ---" && \
  echo && \
  cd /
```

Copy-paste everything between the `CUT HERE` markers from pauli into a root shell on the new host. Then do more Puppet runs, run `ud-replicate` to get the LDAP users, and run Puppet again now that those users exist:

```
puppet agent -t
ud-replicate
puppet agent -t
puppet agent -t
```
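The point of pasting the `sha256sum` output from the new machine into pauli is that the CA operator only signs a certificate request whose digest was read off the machine itself, over a channel the machine cannot influence. As an added example (not from the TPA wiki, Puppet or tsa-misc), the function below performs that same comparison, but makes the checks explicit: the pasted digest must be 64 hex characters, the file name must be a bare name inside the requests directory (so a pasted `../something` is refused), and the file must exist before `sha256sum -c` is consulted. The `puppet ca sign` step itself is left out, and the requests directory, file name and request body used in the demo are constructed, not a real CSR.

```shell
#!/bin/sh
# Added example (not from the TPA wiki): verify a pasted "sha256sum output"
# line against a request file before it would be signed. The signing command
# is deliberately not run here; only the accept/refuse decision is shown.

# verify_csr_fingerprint REQUESTS_DIR "SHA256  FILENAME"
# Returns 0 only if FILENAME is a bare file name that exists in REQUESTS_DIR
# and whose SHA-256 digest matches the pasted one; 1 otherwise.
verify_csr_fingerprint() {
    reqdir=$1
    pasted=$2
    # split the pasted line the way `read sha256 filename` would:
    # digest is everything before the first space, file name after the last
    digest=${pasted%% *}
    filename=${pasted##* }
    # a SHA-256 digest is exactly 64 hex characters; refuse anything else
    case $digest in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 1
    # refuse empty names, directory components and the . / .. entries,
    # so the check can only ever apply to a file inside the requests directory
    case $filename in
        ''|*/*|.|..) return 1 ;;
    esac
    [ -f "$reqdir/$filename" ] || return 1
    # sha256sum -c reads "digest  path" lines from stdin; run it from reqdir
    # so the path in the line resolves to the file we just checked for
    ( cd "$reqdir" && printf '%s  %s\n' "$digest" "$filename" | sha256sum -c --status )
}

# Stand-alone demo on a constructed request file (not a real CSR).
demo_dir=$(mktemp -d)
printf 'constructed request body, not a real CSR\n' > "$demo_dir/demo.torproject.org.pem"
demo_line=$(cd "$demo_dir" && sha256sum demo.torproject.org.pem)
if verify_csr_fingerprint "$demo_dir" "$demo_line"; then
    echo "digest matches request file: safe to sign"
else
    echo "MISMATCH or bad input: do not sign"
fi
rm -rf "$demo_dir"
```

On pauli the equivalent call would be `verify_csr_fingerprint /var/lib/puppet/ssl/ca/requests "$sha256 $filename"` (path taken from the step above), with the `puppet ca sign` command run only when it returns 0.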
Follow security upgrades:

```
apt update && apt dist-upgrade && apt clean
```

Get rid of unneeded network services (only needed if we did not install this from a minbase but from somebody else's install/image):

```
dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
userdel -r Debian-exim
```

Fix `/etc/aliases` so that root's mail reaches the admins. Note the `;` after the first group: the `sed` and `newaliases` must run whether or not a `root:` entry already existed, otherwise a pre-existing alias pointing elsewhere is left untouched:

```
( ! grep -q '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) ; \
  sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
```
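The same fix as an idempotent shell function, added here as an example rather than taken from the TPA wiki: it rewrites an existing `root:` line in place or appends one when none exists, leaves every other alias alone, and can be re-run safely. The aliases file path and the target address are parameters (constructed values in the demo); `newaliases` is deliberately left to the caller since it needs the real alias database.

```shell
#!/bin/sh
# Added example (not from the TPA wiki): make sure a given aliases file
# forwards root to exactly one address, whether or not a root: line exists.

# set_root_alias ALIASES_FILE ADDRESS
# Prints the resulting root: line so the caller can verify it.
# ADDRESS must not contain '/' or '&' (they are special in the sed replacement).
set_root_alias() {
    aliases=$1
    target=$2
    if grep -q '^root:' "$aliases"; then
        # an entry exists, possibly pointing at a local user: rewrite it in place
        sed -i -e "s/^root:.*/root: $target/" "$aliases"
    else
        # no entry at all: append one
        printf 'root: %s\n' "$target" >> "$aliases"
    fi
    grep '^root:' "$aliases"
}

# Stand-alone demo on a constructed aliases file, not the system's /etc/aliases.
demo=$(mktemp)
printf 'postmaster: root\nroot: localadmin\n' > "$demo"
set_root_alias "$demo" torproject-admin@torproject.org
rm -f "$demo"
```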
Reboot to make sure that still works:

```
reboot
```

Add the machine to Nagios, in `tor-nagios/config/nagios-master.cfg`.

If the machine is handling mail, add it to dnswl.org (password in tor-passwords, `hosts-extra-info`).