The institute administrator opened an account at Digital Ocean,
registered an ssh key, and used a Digital Ocean control panel to
create a new machine (again, one of the cheapest, smallest available)
-with Debian 13 installed. Once created, the machine and its IP
-address (~159.65.75.60~) appeared on the panel. Using that
-address, the administrator logged into the new machine with ~ssh~.
+with Debian 13 installed, named ~small.example.org~. Once created,
+the machine and its IP address (~159.65.75.60~) appeared on the panel.
+Using that address, the administrator logged into the new machine with
+~ssh~.
+
+Droplets named with a domain name are automatically provided ~PTR~ DNS
+records associating their IP address(es) with the domain name. A
+replacement droplet would be built with a different name and renamed
+during the hand-off.
The freshly created Digital Ocean droplet came with just one account,
~root~, but the small institute avoids remote access to the "super
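Review bot: the last sentence of the added paragraph ("A replacement droplet would be built with a different name and renamed during the hand-off.") does not say whether the automatically provided PTR record follows the rename, yet that record is the reason the paragraph gives for naming the droplet small.example.org. Suggest stating what happens to the PTR record on rename and adding a reverse-lookup check on 159.65.75.60 to the hand-off steps, so the reader can confirm the address maps back to the domain name before relying on it. Minor style point in the same hunk: ", named ~small.example.org~" now trails "with Debian 13 installed", which separates the name from "a new machine"; moving it next to "create a new machine" would read more clearly.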
: The authenticity of host '159.65.75.60' can't be established.
: ....
: Are you sure you want to continue connecting (...)? yes
-: root@front# adduser sysadm
+: root@small# adduser sysadm
: ...
: New password: givitysticangout
: Retype new password: givitysticangout
: Full Name []: System Administrator
: ...
: Is the information correct? [Y/n]
-: root@front# adduser sysadm sudo
-: root@front# logout
+: root@small# adduser sysadm sudo
+: root@small# logout
: notebook$
After creating the ~sysadm~ account on the droplet, the administrator
: notebook_ > admin_keys
: notebook$ scp admin_keys root@$H:
: notebook$ ssh root@$H
-: root@front# mkdir ~sysadm/.ssh
-: root@front# mv admin_keys ~sysadm/.ssh/authorized_keys
-: root@front# chmod -R g=,o= ~sysadm/.ssh
-: root@front# chown -R sysadm:sysadm ~sysadm/.ssh
-: root@front# logout
+: root@small# mkdir ~sysadm/.ssh
+: root@small# mv admin_keys ~sysadm/.ssh/authorized_keys
+: root@small# chmod -R g=,o= ~sysadm/.ssh
+: root@small# chown -R sysadm:sysadm ~sysadm/.ssh
+: root@small# logout
: notebook$ rm admin_keys
: notebook$
that they were indeed denied.
: notebook$ ssh sysadm@$H
-: sysadm@front$ sudo rm -r /root/.ssh
-: sysadm@front$ logout
+: sysadm@small$ sudo rm -r /root/.ssh
+: sysadm@small$ logout
: notebook$ ssh root@$H
: root@159.65.75.60: Permission denied (publickey).
: notebook$
# That list should be kept in sync with this list!
: notebook$ ssh sysadm@$H
-: sysadm@front$ sudo apt update
-: sysadm@front$ sudo apt full-upgrade --autoremove
-: sysadm@front$ sudo apt install wireguard systemd-resolved \
+: sysadm@small$ sudo apt update
+: sysadm@small$ sudo apt full-upgrade --autoremove
+: sysadm@small$ sudo apt install wireguard systemd-resolved \
: unattended-upgrades postfix dovecot-imapd rsync apache2 kamailio
-: sysadm@front$
+: sysadm@small$
Manual installation of Postfix prompted for configuration type and
mail name. The answers given are listed here.
With WireGuard™ installed, the following commands generated a new
private key, and displayed its public key.
-: sysadm@front$ umask 077
-: susadm@front$ wg genkey \
-: sysadm@front_ | sudo tee /etc/wireguard/private-key \
-: sysadm@front_ | wg pubkey
+: sysadm@small$ umask 077
+: susadm@small$ wg genkey \
+: sysadm@small_ | sudo tee /etc/wireguard/private-key \
+: sysadm@small_ | wg pubkey
: S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
-: sysadm@front$ logout
+: sysadm@small$ logout
: notebook$
The public key is copied and pasted into [[file:private/vars.yml][=private/vars.yml=]] as the
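Review bot: the "wg genkey" prompt in the added lines is spelled "susadm@small$", a typo carried over unchanged from the removed "susadm@front$" line. Every other prompt in this transcript reads "sysadm@small$", so change it to ": sysadm@small$ wg genkey \" while the line is being touched anyway.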