install.jarvis.ubuntu.20.04
**Note:** This is an install of 16.04, upgraded to 18.04, upgraded to 20.04. It may not be completely accurate.
## Base install and configs:
1. Install Ubuntu server as normal from an Ubuntu install CD.
Partition as follows:
Disks 1 and 2:
- BIOS compat boot partition (`grub_bios`) - 100MB
- `/boot` - 1GB (physical RAID)
- rest (physical RAID)
- Make this RAID LVM, partitioned as follows:
/ - 50GB
/tmp - 50GB
/var - 50GB
swap - 4GB
/home - rest
Disks 3 and 4:
- whole disk (physical RAID)
- Make this RAID LVM, partitioned as follows:
/mnt/home2 - 5TB
/mnt/shared - 1TB
When it asks for what to install, select "standard system utilities"
and "OpenSSH server" and leave everything else blank.
Networking is already set up with a reserved DHCP lease on the
router. It is accessible as `jarvis`. No need for a static IP.
1. After machine is up, edit `/etc/apt/sources.list` and make sure the following are enabled:
- focal restricted main
- focal-updates restricted main
- focal universe
- focal-updates universe
- focal multiverse
- focal-updates multiverse
- focal-backports multiverse universe restricted main
- focal partner
- focal-security restricted main
- focal-security multiverse
- focal-security universe
(or just grab sources.list from some reasonable machine)
1. Do:
apt update
apt dist-upgrade
1. Install more useful things
sudo apt install tree unison atop nmap iotop emacs emacs-goodies-el elpa-go-mode elpa-rust-mode elpa-f elpa-let-alist elpa-markdown-mode elpa-yaml-mode elpa-flycheck lm-sensors ntp ssmtp gdisk git gitk iftop mailutils ppa-purge xsltproc smartmontools wakeonlan
1. Add any necessary accounts
1. Make ssh work:
1. For an old machine, reuse the old host keys (`/etc/ssh/ssh_host_*`) - you did save /etc, didn't you? Otherwise every client that already knows this box gets a host-key-changed warning.
1. For a new machine, use the new host keys generated by the distro.
- make sure to add to the firewall
sudo ufw allow ssh
- edit `/etc/ssh/sshd_config` and set:
PermitRootLogin no
- once you've set up public key auth, turn off password access - edit ` /etc/ssh/sshd_config` and set
PasswordAuthentication no
- restart ssh to apply the changes (keep the current session open until a fresh login with the key works, so a typo cannot lock you out):
sudo service ssh restart
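The two `sshd_config` edits above are easy to get wrong because sshd uses the first occurrence of a keyword, not the last, and anything below a `Match` block only applies to that match. The following script is an added example, not part of these notes: it reads a config file and reports the effective global value of a keyword, then runs the check over a constructed sample in which the two hardening lines were appended below stock settings.

```shell
#!/bin/sh
# Audit the effective value of the sshd_config keywords this page changes.
# sshd_config(5): for each keyword the FIRST obtained value wins, so a
# hardening line appended at the bottom is silently shadowed by an earlier
# one. Lines after the first "Match" block are conditional and are not
# counted as the global value here.

sshd_effective() {  # usage: sshd_effective FILE KEYWORD -> value or "(default)"
  awk -v kw="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    { sub(/#.*/, "") }       # drop comments
    { gsub(/=/, " ") }       # accept the Keyword=value spelling (audited values hold no "=")
    /^[ \t]*$/ { next }      # skip blank lines
    tolower($1) == "match" { in_match = 1; next }
    !in_match && !found && tolower($1) == kw { print $2; found = 1 }
    END { if (!found) print "(default)" }
  ' "$1"
}

sshd_audit() {  # usage: sshd_audit FILE; returns 0 only if both keywords are effectively "no"
  rc=0
  for kw in PermitRootLogin PasswordAuthentication; do
    v=$(sshd_effective "$1" "$kw")
    if [ "$v" = "no" ]; then
      echo "ok   $kw $v"
    else
      echo "FAIL $kw $v (expected no; first occurrence wins, look for an earlier line)"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample, not a real server config: the two "no" lines were
# appended below stock settings, which is exactly the mistake first-wins punishes.
sample=$(mktemp)
cat >"$sample" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication=yes
Match User backup
    PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication no
EOF
sshd_audit "$sample" || true   # both keywords report FAIL
```

On the live box the authoritative check is `sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '`, which prints what the running binary will actually use; `sudo sshd -t` only checks that the file parses. Run either before `service ssh restart`.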
1. Set up samba
sudo apt install cifs-utils samba
and either set up a config file or copy one from `~/system_stuff/samba` (I have several machine specific ones in there)
sudo ufw allow from 192.168.9.0/24 to any port bootps
sudo ufw allow from 192.168.9.0/24 to any port netbios-ns
sudo ufw allow from 192.168.9.0/24 to any port netbios-dgm
sudo ufw allow from 192.168.9.0/24 to any port netbios-ssn
sudo ufw allow from 192.168.9.0/24 to any port microsoft-ds
and set Samba to start on boot:
sudo systemctl enable smbd
sudo systemctl enable nmbd
and restart them all now:
sudo service smbd restart
sudo service nmbd restart
and, for this server, we do not need the AD DC server:
sudo systemctl disable samba-ad-dc
sudo service samba-ad-dc stop
Make sure to add Samba accounts (Samba keeps its own password database, separate from the Unix password) with:
sudo smbpasswd -a USERNAME
for each user
1. Enable firewall (after allowing some other things through)
sudo ufw allow from 192.168.9.0/24 to any port mdns
Disable firewall logging (it can be quite verbose on a busy network), then turn on the firewall.
sudo ufw logging off
sudo ufw enable
1. Fix up avahi's publishing of addresses:
Some services suck at IPv6, and, for some reason, the IPv4 multicast
propagation is very laggy. This leads to unreliable lookups of
hostnames via mDNS (you can check with `avahi-resolve-host-name -4
machine.local` and it will likely timeout). Anyway, this can just make
for a bad user experience, so have the server publish its IPv4 info in
the multicast packets.
edit `/etc/avahi/avahi-daemon.conf` and, in the `[publish]` section, set `publish-a-on-ipv6=yes`, then restart avahi-daemon.
1. Add dashpodder to my crontab
crontab -e
Then add a line like this:
@daily /home/matt/workspace/code/dashpodder/dashpodder.sh -v -c /home/matt/workspace/code/dashpodder/mp.conf
1. Set up email backups (backs up my email from linode to here)
sudo apt install offlineimap libexpect-perl
crontab -e
then add:
@hourly /home/matt/bin/offlineimap_helper
so it will sync email hourly
Of course, this is only half of it - it snapshots email, but doesn't
really do an archive. For that, we do an rsnapshot
sudo apt install rsnapshot
and then set up crontab:
0 */1 * * * /usr/bin/rsnapshot -c /home/matt/.rsnapshot.conf hourly
30 3 * * * /usr/bin/rsnapshot -c /home/matt/.rsnapshot.conf daily
0 3 * * 1 /usr/bin/rsnapshot -c /home/matt/.rsnapshot.conf weekly
30 2 1 * * /usr/bin/rsnapshot -c /home/matt/.rsnapshot.conf monthly
1. Set up sensors for ASROCK E350
add the following to /etc/modules:
w83627ehf
1. Set up ssmtp
cd /etc/ssmtp
mv ssmtp.conf ssmtp.conf.old
cp ~/system_stuff/ssmtp/ssmtp.conf .
chgrp mail ssmtp.conf
The file holds the SMTP login, which is why it belongs to group `mail`; make sure the copy is not world-readable (the package ships it as `root:mail` mode 640).
1. Add fstab line for external backup drive (because there's no automounter)
/dev/sde1 /mnt/external_backup ext4 defaults,noauto 0 0
Make sure to make the mountpoint:
sudo mkdir /mnt/external_backup
1. Add UPS monitoring
From [http://blog.shadypixel.com/monitoring-a-ups-with-nut-on-debian-or-ubuntu-linux/](http://blog.shadypixel.com/monitoring-a-ups-with-nut-on-debian-or-ubuntu-linux/)
The first bit, with GNOME, works for desktops, not server. Anyway, install things:
sudo apt install nut
Edit `/etc/nut/ups.conf` and add the following at the bottom:
[ups]
driver = usbhid-ups
port = auto
There's only one UPS hooked to this guy, so we don't need to worry about disambiguation.
Also, if you just installed nut but the UPS was already plugged in, you'll need to unplug and replug it to fire the hotplug events.
Start it:
sudo upsdrvctl start
Restrict upsd to the local host. The `ACL all` / `ACCEPT` / `REJECT` lines in the blog post above are NUT 2.2 syntax; they were removed in NUT 2.4 and the version shipped with 20.04 only logs a warning about them. Use a `LISTEN` line in `/etc/nut/upsd.conf` instead:
LISTEN 127.0.0.1 3493
(upsd binds to localhost only when no `LISTEN` line is present, so this is also the default; spelling it out stops someone later "fixing" it to `0.0.0.0` without noticing it was deliberate.)
Add the following to `/etc/nut/upsd.users`
[local_mon]
password = PASSWORD_HERE
upsmon master
(`allowfrom` went away with the ACLs; the `LISTEN` line is what keeps this user local now.)
Obviously, make PASSWORD_HERE some random password. It sits in clear text in both `upsd.users` and `upsmon.conf`, so leave those files with the package's `root:nut` ownership and mode 640.
Add the following to `/etc/nut/upsmon.conf`, at the bottom of the `MONITOR` section:
MONITOR ups@localhost 1 local_mon PASSWORD_HERE master
Edit `/etc/nut/nut.conf` and set
MODE=standalone
Enable and start it:
sudo systemctl enable nut-server
sudo systemctl restart nut-server
sudo systemctl enable nut-client
sudo systemctl restart nut-client
You can print statistics via:
upsc ups
1. Set up linode backups
make target dir
mkdir ~/attic/backup/linode
on the remote server, add the backup key's public half to `~/.ssh/authorized_keys` with a forced command in front of it, so that key can only ever serve this one rsync request and nothing else. The options go on the same line, before the key type, and the command must be quoted:
restrict,command="rsync --server --sender -vlHogDtprRze.iLsf . /etc /home /var/lib/mysql /var/lib/syma"
`restrict` (OpenSSH 7.2 and later) additionally disables pty allocation, port forwarding and agent forwarding, none of which rsync needs. The `--server` argument string has to match what the client's rsync sends, because sshd runs the fixed command regardless of what the client asked for; copy it from the `Sending command:` line of `rsync -e 'ssh -v' ...` rather than typing it by hand.
add to cron
@daily /home/matt/bin/linode_backup
add to my rsnapshot config:
backup /home/matt/attic/backup/linode/ localhost/
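A forced command only limits what runs when the key is used; it does not by itself stop the key holder from requesting a pty or port and agent forwarding. The script below is an added example (not the page's or the backup helper's code) that audits an `authorized_keys` file and flags keys that carry `command=` without `restrict` or the full set of `no-*` options. The key lines in the sample are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Audit an authorized_keys file for the backup-pull pattern used on this page:
# a key that may only run one rsync --server command. command= alone still
# allows pty allocation and port/agent forwarding for that key, so pair it
# with "restrict" (OpenSSH 7.2+) or the explicit no-* options.
# Prints one line per key: VERDICT keytype comment.

audit_authorized_keys() {  # usage: audit_authorized_keys FILE
  awk '
    function is_keytype(s) {
      return s ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/
    }
    function has_opt(opts, name) {   # options are comma separated outside quotes
      return opts ~ ("(^|,)" name "(,|$)")
    }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      split(line, f, /[ \t]+/)
      opts = ""
      if (!is_keytype(f[1])) {
        # Options run up to the first whitespace outside double quotes
        # (command="..." itself contains spaces). Escaped quotes are not handled.
        q = 0; i = 1
        while (i <= length(line)) {
          c = substr(line, i, 1)
          if (c == "\"")
            q = !q
          else if (!q && (c == " " || c == "\t"))
            break
          i++
        }
        opts = substr(line, 1, i - 1)
        rest = substr(line, i); sub(/^[ \t]+/, "", rest)
        split(rest, f, /[ \t]+/)
      }
      has_cmd = (opts ~ /(^|,)command="/)
      locked = has_opt(opts, "restrict") || (has_opt(opts, "no-pty") && has_opt(opts, "no-port-forwarding") && has_opt(opts, "no-agent-forwarding") && has_opt(opts, "no-X11-forwarding"))
      if (!has_cmd)     verdict = "UNRESTRICTED"
      else if (locked)  verdict = "FORCED+RESTRICTED"
      else              verdict = "FORCED-ONLY"
      out = verdict " " f[1]
      for (i = 3; (i in f); i++) out = out " " f[i]
      print out
    }
  ' "$1"
}

# Constructed sample file; the base64 fields are placeholders, not real keys.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed authorized_keys for the audit example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000 matt@laptop
command="rsync --server --sender -vlHogDtprRze.iLsf . /etc /home" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1111111111111111111111111111111 jarvis-backup
restrict,command="rsync --server --sender -vlHogDtprRze.iLsf . /etc /home" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2222222222222222222222222222222 jarvis-backup-fixed
from="10.0.0.0/8,192.168.9.0/24",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="rsync --server --sender -vlHogDtprRze.iLsf . /etc /home" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3333333333333333333333333333333 jarvis-backup-legacy
EOF
audit_authorized_keys "$sample"
```

The second key is the shape the page describes before quoting is fixed and `restrict` added; the third and fourth are the two acceptable spellings. Anything reported as `FORCED-ONLY` on a box you only ever pull backups from deserves a second look.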
1. Add monitoring (sortof):
make sure landscape is installed (to get landscape-sysinfo):
sudo apt install landscape-common
Then add the following to my crontab:
@daily /usr/bin/ntpq -p; echo; df -lh; echo; cat /proc/mdstat; landscape-sysinfo
1. Make common shared bind mounts:
sudo mkdir /home/matt/shared
sudo mkdir /home/liz/shared
Add remount lines:
/mnt/shared /home/matt/shared/ none bind 0 0
/mnt/shared /home/liz/shared/ none bind 0 0
Then remount:
sudo mount -a
And we want guests to *actually* be able to write to it, so we need to fix those perms:
sudo chmod o+w /mnt/shared
But we don't want random users deleting each other's files, so set the sticky bit for a modicum of security (with it set, only a file's owner, the directory's owner or root can delete or rename an entry):
sudo chmod +t /mnt/shared
And we want files created here to belong to the directory's group rather than each creator's primary group, so set the setgid bit (this does not grant write access by itself; the group needs `g+w` on the directory for that):
sudo chmod g+s /mnt/shared
1. Set up time machine (again)
- Ref: https://www.grizzly-hills.com/2019/11/02/ubuntu-19-10-setting-up-time-machine/
1. Install things:
sudo apt install netatalk avahi-daemon
1. Edit the config file:
sudo -e /etc/netatalk/afp.conf
1. Add a section for time machine:
[Liz's Time Machine]
path = /home/liz/time-machine
time machine = yes
1. Make the directory
sudo mkdir -p /home/liz/time-machine
sudo chown -R liz:liz /home/liz/time-machine
1. Restart it
sudo service netatalk restart
1. Make sure all the ports are open in the firewall. Note that the Samba rules above are limited to 192.168.9.0/24 while these use `from any`; if the box only serves the LAN, scope these the same way.
sudo ufw allow afpovertcp
sudo ufw allow mdns
sudo ufw allow svrloc
sudo ufw allow from any to any port 201 comment at-rtmp
sudo ufw allow from any to any port 202 comment at-nbp
sudo ufw allow from any to any port 204 comment at-echo
sudo ufw allow from any to any port 206 comment at-zis
sudo ufw allow from any to any port 1900 comment ssdp
## APPENDIX:
1. Backup scripts
To run a backup, insert the external drive in to the cradle and run:
sudo ~/bin/server_backup
1. To set up a new drive for the above:
1. Partition
sudo gdisk /dev/sde
(gdisk because MBR tops out at 2TB)
create one big partition for the whole drive. No need to split it.
1. make the filesystem
sudo mkfs.ext4 -m 0 -L external_backup /dev/sde1
-m 0 => no reserved blocks; it's a backup drive.
-L external_backup = volume label. This is to make it consistent with the mount point.