From 9eaa5d740d6b25d04b556182f7739bfb9fdaf5b4 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Thu, 8 Jan 2026 15:41:16 -0700
Subject: [PATCH] Note importance of a droplet's name.

Pretend the example/test files were generated on a correctly named droplet.
---
 README.org | 50 ++++++++++++----------
 private/front_ssh/ssh_host_ecdsa_key.pub | 2 +-
 private/front_ssh/ssh_host_ed25519_key.pub | 2 +-
 private/front_ssh/ssh_host_rsa_key.pub | 2 +-
 4 files changed, 31 insertions(+), 25 deletions(-)

diff --git a/README.org b/README.org
index 1ed715d..f9d5a3a 100644
--- a/README.org
+++ b/README.org
@@ -823,9 +823,15 @@ The following example prepared a Digital Ocean droplet to be Front.
 The institute administrator opened an account at Digital Ocean,
 registered an ssh key, and used a Digital Ocean control panel to
 create a new machine (again, one of the cheapest, smallest available)
-with Debian 13 installed. Once created, the machine and its IP
-address (~159.65.75.60~) appeared on the panel. Using that
-address, the administrator logged into the new machine with ~ssh~.
+with Debian 13 installed, named ~small.example.org~. Once created,
+the machine and its IP address (~159.65.75.60~) appeared on the panel.
+Using that address, the administrator logged into the new machine with
+~ssh~.
+
+Droplets named with a domain name are automatically provided ~PTR~ DNS
+records associating their IP address(es) with the domain name. A
+replacement droplet would be built with a different name and renamed
+during the hand-off.
 
 The freshly created Digital Ocean droplet came with just one account,
 ~root~, but the small institute avoids remote access to the "super
@@ -854,7 +860,7 @@ On the administrator's notebook (in a terminal):
 : The authenticity of host '159.65.75.60' can't be established.
 : ....
 : Are you sure you want to continue connecting (...)? yes
-: root@front# adduser sysadm
+: root@small# adduser sysadm
 : ...
 : New password: givitysticangout
 : Retype new password: givitysticangout
@@ -862,8 +868,8 @@ On the administrator's notebook (in a terminal):
 : Full Name []: System Administrator
 : ...
 : Is the information correct? [Y/n]
-: root@front# adduser sysadm sudo
-: root@front# logout
+: root@small# adduser sysadm sudo
+: root@small# logout
 : notebook$
 
 After creating the ~sysadm~ account on the droplet, the administrator
@@ -877,11 +883,11 @@ file, copied it to the droplet, and installed it as the
 : notebook_ > admin_keys
 : notebook$ scp admin_keys root@$H:
 : notebook$ ssh root@$H
-: root@front# mkdir ~sysadm/.ssh
-: root@front# mv admin_keys ~sysadm/.ssh/authorized_keys
-: root@front# chmod -R g=,o= ~sysadm/.ssh
-: root@front# chown -R sysadm:sysadm ~sysadm/.ssh
-: root@front# logout
+: root@small# mkdir ~sysadm/.ssh
+: root@small# mv admin_keys ~sysadm/.ssh/authorized_keys
+: root@small# chmod -R g=,o= ~sysadm/.ssh
+: root@small# chown -R sysadm:sysadm ~sysadm/.ssh
+: root@small# logout
 : notebook$ rm admin_keys
 : notebook$
 
@@ -890,8 +896,8 @@ password-less ssh logins work, then disabled root logins and tested
 that they were indeed denied.
 
 : notebook$ ssh sysadm@$H
-: sysadm@front$ sudo rm -r /root/.ssh
-: sysadm@front$ logout
+: sysadm@small$ sudo rm -r /root/.ssh
+: sysadm@small$ logout
 : notebook$ ssh root@$H
 : root@159.65.75.60: Permission denied (publickey).
 : notebook$
@@ -908,11 +914,11 @@ described in [[* The Test Front Machine][The Test Front Machine]].
 # That list should be kept in sync with this list!
 : notebook$ ssh sysadm@$H
-: sysadm@front$ sudo apt update
-: sysadm@front$ sudo apt full-upgrade --autoremove
-: sysadm@front$ sudo apt install wireguard systemd-resolved \
+: sysadm@small$ sudo apt update
+: sysadm@small$ sudo apt full-upgrade --autoremove
+: sysadm@small$ sudo apt install wireguard systemd-resolved \
 : unattended-upgrades postfix dovecot-imapd rsync apache2 kamailio
-: sysadm@front$
+: sysadm@small$
 
 Manual installation of Postfix prompted for configuration type and
 mail name. The answers given are listed here.
@@ -923,12 +929,12 @@ mail name. The answers given are listed here.
 With WireGuard™ installed, the following commands generated a new
 private key, and displayed its public key.
 
-: sysadm@front$ umask 077
-: susadm@front$ wg genkey \
-: sysadm@front_ | sudo tee /etc/wireguard/private-key \
-: sysadm@front_ | wg pubkey
+: sysadm@small$ umask 077
+: susadm@small$ wg genkey \
+: sysadm@small_ | sudo tee /etc/wireguard/private-key \
+: sysadm@small_ | wg pubkey
 : S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
-: sysadm@front$ logout
+: sysadm@small$ logout
 : notebook$
 
 The public key is copied and pasted into [[file:private/vars.yml][=private/vars.yml=]] as the
diff --git a/private/front_ssh/ssh_host_ecdsa_key.pub b/private/front_ssh/ssh_host_ecdsa_key.pub
index d6cfeed..904deae 100644
--- a/private/front_ssh/ssh_host_ecdsa_key.pub
+++ b/private/front_ssh/ssh_host_ecdsa_key.pub
@@ -1 +1 @@
-ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLMu3t54MHdxE6al05JK7rCwFZ4YJIIJk44jUIR1aelwXwWA561fD57tPM6v925WLdm+YckW7o6BKBGNxMZXUF8= root@front
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLMu3t54MHdxE6al05JK7rCwFZ4YJIIJk44jUIR1aelwXwWA561fD57tPM6v925WLdm+YckW7o6BKBGNxMZXUF8= root@small.example.org
diff --git a/private/front_ssh/ssh_host_ed25519_key.pub b/private/front_ssh/ssh_host_ed25519_key.pub
index db7cc73..8e9fad7 100644
--- a/private/front_ssh/ssh_host_ed25519_key.pub
+++ b/private/front_ssh/ssh_host_ed25519_key.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0IGxm5IneS7bi0DPl6C0o4nBGomKQIMJRvLEyCz7TT root@front
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0IGxm5IneS7bi0DPl6C0o4nBGomKQIMJRvLEyCz7TT root@small.example.org
diff --git a/private/front_ssh/ssh_host_rsa_key.pub b/private/front_ssh/ssh_host_rsa_key.pub
index 2e3afab..7e72e48 100644
--- a/private/front_ssh/ssh_host_rsa_key.pub
+++ b/private/front_ssh/ssh_host_rsa_key.pub
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDuNiMmRQ+aGlj/Jw7xg0CzeuBqR6KLt0V0OQ73UFA403+eu6rMB3gPKk7GpoBJct6vaZYrDHejNNmnhmsYrpzoxrZmSQECqau2cygsZkkTuRLJLJRiYvxGy6DwhsHrOa+kvRdon9stM7iJiNjKtxZXF5G3ZKDOj8ckn7QO3z9dzKStRzAW4TVLk3cjwjzgyKECnjnoblMayLmZnSSyUKLxf5ScyCRZ1Ikduccm4qGUHZ767+N7JeO8e9Ift8W/hGx9Sep1VdKhgFNV/MC8p02lB+k8ZD3Gy+y83cz/4RNm4f9udt8xy9R4SgxZTHVnzeIJk9HjKHGAHev7Pu5Zj0N91Ei6I6EGs4IM5F27GHiljLsZpY6pDj7mklxgzcaFujLkqzo+VbARyugxKUn+hrmwjMDfVuHVhHo2jbdEyoWqvM8STbU6XkZTpKbk8prfUQG52RCEm9txahu2O5gb8wmmqwXf98fqs6zjCqaNWc8GBCnofM3FMPVGA0YXipKxNDM= root@front
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDuNiMmRQ+aGlj/Jw7xg0CzeuBqR6KLt0V0OQ73UFA403+eu6rMB3gPKk7GpoBJct6vaZYrDHejNNmnhmsYrpzoxrZmSQECqau2cygsZkkTuRLJLJRiYvxGy6DwhsHrOa+kvRdon9stM7iJiNjKtxZXF5G3ZKDOj8ckn7QO3z9dzKStRzAW4TVLk3cjwjzgyKECnjnoblMayLmZnSSyUKLxf5ScyCRZ1Ikduccm4qGUHZ767+N7JeO8e9Ift8W/hGx9Sep1VdKhgFNV/MC8p02lB+k8ZD3Gy+y83cz/4RNm4f9udt8xy9R4SgxZTHVnzeIJk9HjKHGAHev7Pu5Zj0N91Ei6I6EGs4IM5F27GHiljLsZpY6pDj7mklxgzcaFujLkqzo+VbARyugxKUn+hrmwjMDfVuHVhHo2jbdEyoWqvM8STbU6XkZTpKbk8prfUQG52RCEm9txahu2O5gb8wmmqwXf98fqs6zjCqaNWc8GBCnofM3FMPVGA0YXipKxNDM= root@small.example.org
-- 
2.47.3