Installation

This document assumes the machine already has a Debian operating system installed. We preferably install stable or, when close to a release, testing. Here are site-specific installs:

Configuration procedure

All commands to be run as root unless otherwise noted.

  • set a hostname - pick an unused one from the naming-scheme

  • allocate and document the machine in the Nextcloud spreadsheet, and the services page, if it's a new service

  • set new root password, and document it

  • swap and tmp

      # mount /tmp as tmpfs unless fstab already has a tmpfs entry
      grep -q tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
    
      # create and enable a 1 GiB swapfile, but only if fstab has no swap entry yet
      ! grep -q swap /etc/fstab && \
      dd if=/dev/zero bs=1024k count=1024 of=/swapfile && \
      chmod 0 /swapfile && \
      mkswap /swapfile && \
      echo '/swapfile none swap sw 0 0' >> /etc/fstab && \
      swapon -a
    
  • sanitize DNS configuration:

      # grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >>  /etc/resolv.conf
      grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf
      vi /etc/hosts # make sure the local host is there with both FQDN and just hostname
    
  • add to ldap on alberti using:

      ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"
    

    To generate the LDAP block, you can use the tor-install-generate-ldap script in tsa-misc. Make sure you review all fields, in particular location (l), physicalHost, description and purpose, which do not have good defaults.

    See the upgrades section for information about the rebootPolicy field.

    See also the ldapvi manual for more information.

  • then:

    • on alberti:

      sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo puppet agent -t
      
    • on nevii:

      sudo -H ud-replicate
      
  • set up puppet:

    • on pauli:

      ( puppet agent -t --environment=production || true ) && \
      ud-replicate && \
      sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
      
    • on new machine:

      me=$(hostname -f) && \
      [ "$me" != "${me%torproject.org}" ] && \
      apt-get update && \
      apt-get install -y --no-install-recommends puppet lsb-release && \
      service puppet stop && \
      systemctl mask puppet.service && \
      (puppet agent -t || true ) && \
      cd /var/lib/puppet/ssl/certificate_requests && \
      echo sha256sum output: && \
      echo && \
      sha256sum $me.pem && \
      echo && \
      echo && \
      cd /
      
    • on pauli:

      echo "paste sha256sum output now:" && \
      read sha256 filename && \
      cd /var/lib/puppet/ssl/ca/requests && \
      ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && \
      echo "$sha256  $filename" | sha256sum -c && \
      puppet ca sign $(basename "$filename" .pem) && \
      echo && \
      echo "--- 8< --- CUT HERE --- 8< ---" && \
      echo && \
      echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && \
      cat /var/lib/puppet/ssl/certs/ca.pem && \
      echo 'EOF' && \
      echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && \
      cat /var/lib/puppet/ssl/ca/signed/$filename && \
      echo 'EOF' && \
      echo 'puppet agent --enable' && \
      echo 'puppet agent -t --pluginsync' && \
      echo 'puppet agent -t --pluginsync' && \
      echo && \
      echo "--- 8< --- CUT HERE --- 8< ---" && \
      echo && \
      cd /
      
  • copy and paste the block between the CUT HERE markers from pauli into a root shell on the new host

  • do more puppet runs, and run a ud-replicate to get ldap users, then more puppet runs since we now have more users:

      puppet agent -t
      ud-replicate
      puppet agent -t
      puppet agent -t
    
  • follow security upgrades:

      apt update && apt dist-upgrade && apt clean
    
  • get rid of unneeded network services (only needed if we did not install this from a minbase but from somebody else's install/image):

      dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
      userdel -r Debian-exim
    
  • fix /etc/aliases:

      # add a root alias if none exists, then force it to the admin address either way
      ( grep -q '^root:' /etc/aliases || echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
      sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
    
  • reboot to make sure that still works:

      reboot
    
  • add to nagios, in tor-nagios/config/nagios-master.cfg

  • if the machine is handling mail, add it to dnswl.org (password in tor-passwords, hosts-extra-info)
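
As an added example (not part of the TPA procedure or its tooling), the POSIX shell script below verifies the state several of the steps above leave behind: tmpfs and swap in fstab, the torproject.org domain in resolv.conf, the FQDN next to its short name in /etc/hosts, and a single root alias pointing at torproject-admin. File paths are parameters so it can run against copies; the sample files and the hostname example-host.torproject.org are constructed.

```shell
# Added example, not part of the TPA procedure: post-install sanity checks for
# the files the steps above touch. Paths are parameters; the sample directory
# built by make_sample_dir and the hostname in it are constructed.
# tmpfs on /tmp and an active swap entry must both be present in fstab.
check_fstab() {
    grep -Eq '^tmpfs[[:space:]]+/tmp[[:space:]]+tmpfs' "$1" &&
    grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$1"
}
# resolv.conf must carry the torproject.org domain (or search) line.
check_resolv() {
    grep -Eq '^(domain|search)[[:space:]]+torproject\.org' "$1"
}
# /etc/hosts must list the FQDN and the bare hostname on the same line.
check_hosts() {
    fqdn_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    short=${2%%.*}
    grep -E "(^|[[:space:]])$fqdn_re([[:space:]]|\$)" "$1" |
        grep -Eq "(^|[[:space:]])$short([[:space:]]|\$)"
}
# Exactly one root: alias, and it must point at the admin address.
check_aliases() {
    [ "$(grep -c '^root:' "$1")" -eq 1 ] &&
    grep -Eq '^root:[[:space:]]*torproject-admin@torproject\.org[[:space:]]*$' "$1"
}
# Run every check; the return value is the number of failed checks.
check_install() {  # FSTAB RESOLV HOSTS ALIASES FQDN
    fails=0
    check_fstab "$1"      || { echo "FAIL: fstab lacks tmpfs /tmp or swap"; fails=$((fails+1)); }
    check_resolv "$2"     || { echo "FAIL: resolv.conf has no torproject.org domain"; fails=$((fails+1)); }
    check_hosts "$3" "$5" || { echo "FAIL: hosts lacks $5 with its short name"; fails=$((fails+1)); }
    check_aliases "$4"    || { echo "FAIL: root alias is not torproject-admin@torproject.org"; fails=$((fails+1)); }
    return "$fails"
}
# Constructed sample of a correctly configured host, written to a temp dir.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'tmpfs /tmp tmpfs defaults 0 0\n/swapfile none swap sw 0 0\n' > "$d/fstab"
    printf 'domain torproject.org\nnameserver 8.8.8.8\n' > "$d/resolv.conf"
    printf '127.0.0.1 localhost\n127.0.1.1 example-host.torproject.org example-host\n' > "$d/hosts"
    printf 'postmaster: root\nroot: torproject-admin@torproject.org\n' > "$d/aliases"
    echo "$d"
}

# Stand-alone run against the constructed sample (on a real host pass /etc/fstab etc.).
sample=$(make_sample_dir)
check_install "$sample/fstab" "$sample/resolv.conf" "$sample/hosts" \
    "$sample/aliases" example-host.torproject.org && echo "all checks passed"
```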