From 77204b2d366ac105e927f2a02d06cb6486106438 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Mon, 22 Dec 2025 08:58:30 -0700 Subject: [PATCH] Updated the instructions for preparing a new Droplet with Debian 13. --- README.org | 137 +++++++++++++++++++++++++++++------------------------ 1 file changed, 76 insertions(+), 61 deletions(-) diff --git a/README.org b/README.org index b4e49bf..d8e3511 100644 --- a/README.org +++ b/README.org @@ -758,6 +758,7 @@ rather than domain names, and one of the most important for secure and reliable operation is Front's public IP address known to the world by the institute's Internet domain name. +#+NAME: front-addr #+CAPTION: [[file:public/vars.yml][=public/vars.yml=]] #+BEGIN_SRC conf :tangle public/vars.yml front_addr: 192.168.15.4 
@@ -810,33 +811,49 @@ Front is the small institute's public facing server, a virtual machine on the Internets. It needs only as much disk as required by the institute's public web site. Often the cheapest offering (4GB RAM, 1 core, 20GB disk) is sufficient. The provider should make it easy and -fast to (re)initialize the machine to a factory fresh Debian Server, +fast to (re)initialize the machine to a factory fresh Debian Server and install additional Debian software packages. Indeed it should be possible to quickly re-provision a new Front machine from a frontier Internet café using just the administrator's notebook. *** A Digital Ocean Droplet -The following example prepared a new front on a Digital Ocean droplet. +The following example prepared a Digital Ocean droplet to be Front. The institute administrator opened an account at Digital Ocean, registered an ssh key, and used a Digital Ocean control panel to create a new machine (again, one of the cheapest, smallest available) -with Ubuntu Server 20.04LTS installed. Once created, the machine and -its IP address (~159.65.75.60~) appeared on the panel. Using that +with Debian 13 installed. Once created, the machine and its IP +address (~159.65.75.60~) appeared on the panel. Using that address, the administrator logged into the new machine with ~ssh~. -On the administrator's notebook (in a terminal): - -: notebook$ ssh root@159.65.75.60 -: root@ubuntu# - The freshly created Digital Ocean droplet came with just one account, ~root~, but the small institute avoids remote access to the "super user" account (per the policy in [[*The Administration Accounts][The Administration Accounts]]), so the -administrator created a ~sysadm~ account with the ability to request -escalated privileges via the ~sudo~ command. +first thing the administrator did was to create a ~sysadm~ account. 
+ +The password for the ~sysadm~ account was generated by ~gpw~, saved in +the administrator's password keep, and added to [[file:Secret/become.yml][=Secret/become.yml=]] as +shown below. (Producing a working Ansible configuration with +[[file:Secret/become.yml][=Secret/become.yml=]] file is described in [[*The Ansible Configuration][The Ansible Configuration]].) + +: notebook$ gpw 1 16 +: givitysticangout +: notebook$ echo -n "become_front: " >>Secret/become.yml +: notebook$ ansible-vault encrypt_string givitysticangout \ +: notebook_ >>Secret/become.yml +: notebook$ + +With the new ~sysadm~ password saved, the administrator logged in as +~root~, created the ~sysadm~ account, and authorized it to request +elevated privileges via the ~sudo~ command. -: root@ubuntu# adduser sysadm +On the administrator's notebook (in a terminal): +: notebook$ H=159.65.75.60 +: notebook$ ssh root@$H +: The authenticity of host '159.65.75.60' can't be established. +: .... +: Are you sure you want to continue connecting (...)? yes +: root@front# adduser sysadm : ... : New password: givitysticangout : Retype new password: givitysticangout 
@@ -844,21 +861,10 @@ escalated privileges via the ~sudo~ command. : Full Name []: System Administrator : ... : Is the information correct? [Y/n] -: root@ubuntu# adduser sysadm sudo -: root@ubuntu# logout +: root@front# adduser sysadm sudo +: root@front# logout : notebook$ -The password was generated by ~gpw~, saved in the administrator's -password keep, and later added to [[file:Secret/become.yml][=Secret/become.yml=]] as shown below. -(Producing a working Ansible configuration with [[file:Secret/become.yml][=Secret/become.yml=]] -file is described in [[*The Ansible Configuration][The Ansible Configuration]].) - -: notebook$ gpw 1 16 -: givitysticangout -: notebook$ echo -n "become_front: " >>Secret/become.yml -: notebook$ ansible-vault encrypt_string givitysticangout \ -: notebook_ >>Secret/become.yml - After creating the ~sysadm~ account on the droplet, the administrator concatenated a personal public ssh key and the key found in [[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] (created by [[*The CA Command][The CA Command]]) into an =admin_keys= 
@@ -868,21 +874,26 @@ file, copied it to the droplet, and installed it as the : notebook$ cat ~/.ssh/id_ed25519.pub \ : notebook_ Secret/ssh_admin/id_ed25519.pub \ : notebook_ > admin_keys -: notebook$ scp admin_keys sysadm@159.65.75.60: -: The authenticity of host '159.65.75.60' can't be established. -: .... -: Are you sure you want to continue connecting (...)? yes -: ... -: sysadm@159.65.75.60's password: givitysticangout -: notebook$ ssh sysadm@159.65.75.60 -: sysadm@159.65.75.60's password: givitysticangout -: sysadm@ubuntu$ ( umask 077; mkdir .ssh; \ -: sysadm@ubuntu_ cp admin_keys .ssh/authorized_keys; \ -: sysadm@ubuntu_ rm admin_keys ) -: sysadm@ubuntu$ logout +: notebook$ scp admin_keys root@$H: +: notebook$ ssh root@$H +: root@front# mkdir ~sysadm/.ssh +: root@front# mv admin_keys ~sysadm/.ssh/authorized_keys +: root@front# chmod -R g=,o= ~sysadm/.ssh +: root@front# chown -R sysadm:sysadm ~sysadm/.ssh +: root@front# logout : notebook$ rm admin_keys : notebook$ +After installing authorized keys, the administrator verified that +password-less ssh logins work, then disabled root logins and tested +that they were indeed denied. + +: notebook$ ssh sysadm@$H +: sysadm@front$ sudo rm -r /root/.ssh +: sysadm@front$ logout +: notebook$ ssh root@$H +: root@159.65.75.60: Permission denied (publickey). +: notebook$ The Droplet needed a couple additional software packages immediately. The ~wireguard~ package was needed to generate the Droplet's private 
@@ -895,31 +906,37 @@ described in [[* The Test Front Machine][The Test Front Machine]]. # A similar list of packages is installed on "The Test Front Machine". # That list should be kept in sync with this list! -: notebook$ ssh sysadm@159.65.75.60 -: sysadm@ubuntu$ sudo apt install wireguard systemd-resolved \ +: notebook$ ssh sysadm@$H +: sysadm@front$ sudo apt update +: sysadm@front$ sudo apt full-upgrade --autoremove +: sysadm@front$ sudo apt install wireguard systemd-resolved \ : unattended-upgrades postfix dovecot-imapd rsync apache2 kamailio +: sysadm@front$ + +Manual installation of Postfix prompted for configuration type and +mail name. The answers given are listed here. + +- General type of mail configuration: 2 (Internet Site) +- System mail name: small.example.org (i.e. ~domain_name~) With WireGuard™ installed, the following commands generated a new private key, and displayed its public key. -: sysadm@ubuntu$ umask 077 -: susadm@ubuntu$ wg genkey \ -: sysadm@ubuntu_ | sudo tee /etc/wireguard/private-key \ -: sysadm@ubuntu_ | wg pubkey +: sysadm@front$ umask 077 +: susadm@front$ wg genkey \ +: sysadm@front_ | sudo tee /etc/wireguard/private-key \ +: sysadm@front_ | wg pubkey : S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4= +: sysadm@front$ logout +: notebook$ The public key is copied and pasted into [[file:private/vars.yml][=private/vars.yml=]] as the value of ~front_wg_pubkey~ (as in the example [[pubkeys][here]]). -/After/ collecting Front's public key, the administrator disabled root -logins on the droplet. The last command below tested that root logins -were indeed denied. +The prospective IP address (~159.65.75.60~) is also pasted into +[[file:public/vars.yml][=public/vars.yml=]] as the value of ~front_addr~ (as in the example +[[front-addr][here]]). -: sysadm@ubuntu$ sudo rm -r /root/.ssh -: sysadm@ubuntu# logout -: notebook$ ssh root@159.65.75.60 -: root@159.65.75.60: Permission denied (publickey). 
-: notebook$ Finally, the new machine's ssh public host is copied to =private/front_ed25519_key.pub=. @@ -927,10 +944,8 @@ Finally, the new machine's ssh public host is copied to : notebook_ private/front_ed25519_key.pub : notebook$ -At this point the droplet was ready for configuration by Ansible. -Later, provisioned with all of Front's services /and/ tested, the -institute's domain name was changed, making ~159.65.75.60~ its new -address. +At this point Front was prepared for provisioning with Ansible (and +Ansible prepared for the droplet!). ** The Core Machine @@ -1055,7 +1070,7 @@ code. : sysadm@core$ sudo ip address add 10.227.248.1 dev enp82s0 : sysadm@core$ sudo ip route add default via 10.227.248.2 dev enp82s0 -At this point Core was ready for provisioning with Ansible. +At this point Core was prepared for provisioning with Ansible. ** The Gate Machine @@ -1205,7 +1220,7 @@ variables (~gate_lan_mac~, ~gate_wild_mac~, and ~gate_isp_mac~ in dongles. (For more information, see the tasks in section [[Configure Gate NetworkD]].) -At this point Gate was ready for provisioning with Ansible. +At this point Gate was prepared for provisioning with Ansible. * The All Role @@ -5675,7 +5690,7 @@ variables defined in [[file:Secret/become.yml][=Secret/become.yml=]], which is l line. #+CAPTION: [[file:Secret/become.yml][=Secret/become.yml=]] -#+BEGIN_SRC conf :tangle Secret/become.yml :tangle-mode u=rw,g=,o= +#+BEGIN_SRC conf :tangle Secret/become.yml :mkdirp yes :tangle-mode u=rw,g=,o= become_front: !vault | $ANSIBLE_VAULT;1.1;AES256 3563626131333733666466393166323135383838666338666131336335326 @@ -5749,7 +5764,7 @@ example password matches the example encryptions above. #+NAME: vault-password #+CAPTION: [[file:Secret/vault-password][=Secret/vault-password=]] -#+BEGIN_SRC conf :tangle Secret/vault-password :mkdirp yes :tangle-mode u=rw,g=,o= +#+BEGIN_SRC conf :tangle Secret/vault-password :tangle-mode u=rw,g=,o= alitysortstagess #+END_SRC 
@@ -6112,8 +6127,8 @@ the named host. Example command lines: : ./inst config : ./inst config -n -: ./inst config HOST -: ./inst config -n HOST +: ./inst config LIMIT +: ./inst config -n LIMIT #+CAPTION: [[file:inst][=inst=]] #+BEGIN_SRC perl :tangle inst -- 2.47.3
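Review bot: in hunk @@ -810 the first root login answers the host-key prompt with a bare `yes` while the fingerprint is elided as `....`; the text should say to compare that fingerprint against one obtained out of band (for example from the provider's console) before answering, otherwise the first connection to a freshly created droplet is trust-on-first-use. In the same hunk `ansible-vault encrypt_string givitysticangout` puts the plaintext password on the command line and therefore into the notebook's shell history; `ansible-vault encrypt_string --stdin-name become_front` reads the secret from stdin and emits the `become_front:` key itself, which would also replace the preceding `echo -n "become_front: "` line.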
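Review bot: in hunk @@ -868 the `sudo rm -r /root/.ssh` step removes only root's authorized keys, so the `Permission denied (publickey)` result depends on the image's `PermitRootLogin` and `PasswordAuthentication` sshd settings, which the text does not state. Either set `PermitRootLogin no` explicitly in this step or note that Debian's default of `prohibit-password` is being relied on, so the test keeps its meaning if the image's sshd_config changes. The "password-less ssh logins work" check would be more convincing as `ssh -o PasswordAuthentication=no sysadm@$H`, since a plain `ssh sysadm@$H` would also succeed via the `givitysticangout` password if password authentication were enabled.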
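Review bot: in hunk @@ -895 the prompt `susadm@front$` on the `wg genkey` line is a typo carried over from the old `susadm@ubuntu$`; since the line is rewritten anyway, correct it to `sysadm@front$` so the transcript matches the surrounding prompts.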
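Review bot: hunk @@ -927 drops the sentence that the institute's domain name is later changed to make `159.65.75.60` its new address, and the replacement ("prepared for provisioning with Ansible (and Ansible prepared for the droplet!)") says nothing about DNS. If the DNS cut-over after testing is still part of the procedure, document it wherever it now belongs; as written, a reader following this section gets no cue to update the record.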
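Review bot: hunks @@ -5675 and @@ -5749 move `:mkdirp yes` from the `Secret/vault-password` block to the `Secret/become.yml` block, so only one of the two files tangled into `Secret/` now creates the directory and the other depends on tangle order. Keeping `:mkdirp yes` on both blocks is harmless and avoids a tangle failure if the order ever changes.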
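Review bot: in hunk @@ -6112 the examples now read `./inst config LIMIT`, but the context line directly above still says "the named host"; update that sentence to say the argument is an Ansible limit pattern (a host or group name) so the prose and the examples agree.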