From cc1f507ac2c3626cc4af8e049be5f8c8fde745c0 Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Mon, 12 Aug 2024 18:38:10 +0200 Subject: [PATCH 01/16] More additions to testing setup. --- testing/setup_scripts/setup_desktop.sh | 2 +- testing/setup_scripts/setup_home.sh | 108 +++++++++++++++++++++++++ 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100755 testing/setup_scripts/setup_home.sh diff --git a/testing/setup_scripts/setup_desktop.sh b/testing/setup_scripts/setup_desktop.sh index df8c81c..1947321 100755 --- a/testing/setup_scripts/setup_desktop.sh +++ b/testing/setup_scripts/setup_desktop.sh @@ -7,7 +7,7 @@ get_system_name_arg "$1" # Set up system without user environment. cd "${setup_scripts_dir}" -if [ "$system_name" = "w530" || "$system_name" = "x220"]; then +if [ "$system_name" = "w530" ] || [ "$system_name" = "x220" ]; then ./_setup.sh "${system_name}" "" user desktop thinkpad "${system_name}" else ./_setup.sh "${system_name}" "" user desktop "${system_name}" diff --git a/testing/setup_scripts/setup_home.sh b/testing/setup_scripts/setup_home.sh new file mode 100755 index 0000000..130bbad --- /dev/null +++ b/testing/setup_scripts/setup_home.sh 
@@ -0,0 +1,108 @@ +#!/bin/sh +set -e +. ./misc.sh + +expect_n_args 1 "(system name)" "$@" +get_system_name_arg "$1" + +cd $setup_scripts_dir +./copy_dirtree.sh "${config_tree_prefix}/home_files" "${HOME}" minimal user "${system_name}" + +# secrets_dev="sdb" +# source_dir_secrets="/media/${secrets_dev}/to_usb" +# target_dir_secrets="${HOME}/tmp_secrets" +# echo "Put secrets drive into slot for /dev/${secrets_dev}." +# while [ ! -e /dev/"${secrets_dev}" ]; do +# sleep 1 +# done +# stty -echo +# printf "Secrets passphrase: " +# read SECRETS_PASS +# stty echo +# echo "" # newline so user knows their input return was accepted +# sudo -v +# echo "${SECRETS_PASS}" | sudo pmount /dev/"${secrets_dev}" +# cp -a "${source_dir_secrets}" "${target_dir_secrets}" +# sudo chown -R plom:plom "${target_dir_secrets}" +# sudo pumount "${secrets_dev}" +# echo "You can remove /dev/${secrets_dev} now." + +# Set up iniitial non-public parts of infrastructure: SSH authentication. +ssh_dir=~/.ssh +cd "${target_dir_secrets}" +mkdir -p "${ssh_dir}" +echo "Setting up .ssh" +cp id_rsa ~/.ssh +stty -echo +ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub +stty echo +eval $(ssh-agent) +ssh-add +ssh-keyscan -H "plomlompom.com" >> ~/.ssh/known_hosts + +# Fill ~/public_repos. +public_repos_dir="${HOME}/public_repos" +repos_list_file="${public_repos_dir}/repos" +mkdir -p "${public_repos_dir}" +cat "${repos_list_file}" | while read line; do + first_char=$(echo "${line}" | cut -c1) + if [ "${first_char}" = "#" ]; then + continue + fi + repo_name="${line}" + if [ ! -d "${public_repos_dir}/${repo_name}" ]; then + cd "${public_repos_dir}" + git clone plom@plomlompom.com:/var/repos/${repo_name} + fi +done + +# Remove redundant config repo copy. +config_tree_prefix="${public_repos_dir}/config/${debian_version}" +rm -rf ~/config + +# # Set up native messenger for tridactyl. 
+# version='ef9f02d0da258f68d7faf8898707f6d83d90d07a' +# curl -fsSl "https://raw.githubusercontent.com/tridactyl/tridactyl/${version}/native/install.sh" | bash + +# Set up further non-public parts of infrastructure. +cd "${target_dir_secrets}" +script -c 'gpg --import secret_keys.asc' /dev/null +path_borgscript="${config_tree_prefix}//borg.sh" + +# # borg setup +# borgkeys_dir=~/.config/borg/keys +# borgrepos_file=~/.borgrepos +# tar xf borg_keyfiles.tar +# mkdir -p "${borgkeys_dir}" +# mv borg_keyfiles/* "${borgkeys_dir}" +# # Sync org dir via borgbackup. For this we need the borgbackup servers +# # in our .ssh/known_hosts file. +# cat "${borgrepos_file}" | while read line; do +# first_char=$(echo "${line}" | cut -c1) +# if [ "${first_char}" = "#" ]; then +# continue +# fi +# server=$(echo "${line}" | sed 's/.*@//') +# ssh-keyscan "${server}" >> "${ssh_dir}"/known_hosts +# done +# BORG_PASSPHRASE="${SECRETS_PASS}" "${path_borgscript}" orgpull +# +# # .authinfo may not be present on every secrets drive yet +# authinfo_file=.authinfo +# if [ -f "${authinfo_file}" ]; then +# cp "${authinfo_file}" ~ +# fi +# cd +# +# maildir=~/mail/maildir +# # # Set up e-mail system. Note that we only do mbsync if the imap pass file +# # # is found. It may not be present on every secrets drive yet, so we have to +# # # deal with the possibility of it being absent at this point. +# mkdir -p "${maildir}" # expected by mbsync/isync +# if [ -f "${HOME}/${authinfo_file}" ]; then +# mbsync -a +# notmuch new +# fi + +# # Final note on how to integrate tridactyl. +# echo "TODO: As tridactyl user, don't forget to do :source on the first Firefox run, wait a little while (Tridactyl needs to walk through all commands in the .tridactylrc) and then re-start." -- 2.30.2 From c9e6b52836b55f141dd3dc53bffb4940a8ce990e Mon Sep 17 00:00:00 2001 
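Review bot: `cp id_rsa ~/.ssh` installs the private key with whatever mode it carried on the secrets drive and never tightens `~/.ssh` itself; a file copied off a pmount'ed removable medium is typically world-readable, which ssh refuses to use and which leaves the key readable by every local user until someone notices. Replace the `mkdir -p`/`cp` pair with `install -d -m 0700 "${ssh_dir}"` and `install -m 0600 id_rsa "${ssh_dir}/id_rsa"`. The `ssh-keyscan -H "plomlompom.com" >> ~/.ssh/known_hosts` line trusts whichever host key answers at setup time, so the `git clone` calls over SSH right after it have no defence against an on-path attacker; compare the scanned key with a fingerprint kept in the config tree (`ssh-keygen -lf` on the scan output) before appending it. Note also that `target_dir_secrets` is only assigned inside the commented-out block above, so `cd "${target_dir_secrets}"` runs with an empty path unless the caller exports it.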
From: Christian Heller Date: Mon, 12 Aug 2024 19:41:39 +0200 Subject: [PATCH 02/16] Improve h610m testing nvidia setup. --- testing/apt-mark/h610m | 6 +- testing/setup_scripts/setup_desktop.sh | 27 +++----- testing/setup_scripts/setup_home.sh | 86 +++++++++++++------------- 3 files changed, 53 insertions(+), 66 deletions(-) diff --git a/testing/apt-mark/h610m b/testing/apt-mark/h610m index fac5b05..645086f 100644 --- a/testing/apt-mark/h610m +++ b/testing/apt-mark/h610m @@ -1,10 +1,10 @@ # for X to start at all linux-headers-amd64 -#nvidia-driver -#firmware-misc-nonfree +nvidia-driver +firmware-misc-nonfree # X input: keyboard xserver-xorg-input-evdev -# CUDA +## CUDA #nvidia-cuda-dev #nvidia-cuda-toolkit diff --git a/testing/setup_scripts/setup_desktop.sh b/testing/setup_scripts/setup_desktop.sh index 1947321..b9eba61 100755 --- a/testing/setup_scripts/setup_desktop.sh +++ b/testing/setup_scripts/setup_desktop.sh 
@@ -13,26 +13,13 @@ else ./_setup.sh "${system_name}" "" user desktop "${system_name}" fi -# # Set up NVIDIA eGPU config. -# if [ "$system_name" = "w530" ]; then -# cd -# git clone https://github.com/NVIDIA/open-gpu-kernel-modules -# cd open-gpu-kernel-modules -# git checkout 337e28e -# # git checkout 4c29105335610933e744f4ab2524ea63fc39edaf -# make modules -j$(nproc) -# make modules_install -# cd -# driver_version=535.86.05 -# # driver_version=545.29.06 -# runscript=NVIDIA-Linux-x86_64-${driver_version}.run -# wget https://us.download.nvidia.com/XFree86/Linux-x86_64/${driver_version}/${runscript} -# rmmod nouveau -# chmod u+x ${runscript} -# ./${runscript} --no-kernel-modules --silent -# depmod -# # TODO I suspect that the GPU falling of the bus may be mildened by running nvidia-persistenced, check https://github.com/NVIDIA/nvidia-persistenced/tree/main/init -# fi +# Upgrade to testing, but hold kernel known to work with nvidia-drivers. +sed -i 's/bookworm/testing/g' /etc/apt/sources.list +if [ "$system_name" = "h610m" ]; then + apt-mark hold linux-image-amd64 linux-headers-amd64 +fi +apt update +apt dist-upgrade # Set up user environments. cd "${setup_scripts_dir}" diff --git a/testing/setup_scripts/setup_home.sh b/testing/setup_scripts/setup_home.sh index 130bbad..592573a 100755 --- a/testing/setup_scripts/setup_home.sh +++ b/testing/setup_scripts/setup_home.sh 
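Review bot: `apt-mark hold linux-image-amd64 linux-headers-amd64` freezes the kernel metapackages on h610m, which also freezes kernel security updates, and nothing records that or unholds later; add a comment such as `# NOTE: held for nvidia-driver compatibility; kernel security updates are blocked until 'apt-mark unhold linux-image-amd64 linux-headers-amd64'`. The `sed -i 's/bookworm/testing/g' /etc/apt/sources.list` rewrite also turns `bookworm-security` into `testing-security` and edits any non-Debian line that happens to contain the word; copying a known-good sources.list from the config tree, as the bookworm scripts do, is the safer and reviewable option. `apt dist-upgrade` without `-y` makes this step interactive, which is fine, but if `set -e` is in effect as in the sibling bookworm script an operator answering "n" aborts the whole setup at this point, so a comment saying so would help.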
@@ -26,49 +26,49 @@ cd $setup_scripts_dir # sudo chown -R plom:plom "${target_dir_secrets}" # sudo pumount "${secrets_dev}" # echo "You can remove /dev/${secrets_dev} now." - -# Set up iniitial non-public parts of infrastructure: SSH authentication. -ssh_dir=~/.ssh -cd "${target_dir_secrets}" -mkdir -p "${ssh_dir}" -echo "Setting up .ssh" -cp id_rsa ~/.ssh -stty -echo -ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub -stty echo -eval $(ssh-agent) -ssh-add -ssh-keyscan -H "plomlompom.com" >> ~/.ssh/known_hosts - -# Fill ~/public_repos. -public_repos_dir="${HOME}/public_repos" -repos_list_file="${public_repos_dir}/repos" -mkdir -p "${public_repos_dir}" -cat "${repos_list_file}" | while read line; do - first_char=$(echo "${line}" | cut -c1) - if [ "${first_char}" = "#" ]; then - continue - fi - repo_name="${line}" - if [ ! -d "${public_repos_dir}/${repo_name}" ]; then - cd "${public_repos_dir}" - git clone plom@plomlompom.com:/var/repos/${repo_name} - fi -done - -# Remove redundant config repo copy. -config_tree_prefix="${public_repos_dir}/config/${debian_version}" -rm -rf ~/config - +# +# # Set up iniitial non-public parts of infrastructure: SSH authentication. +# ssh_dir=~/.ssh +# cd "${target_dir_secrets}" +# mkdir -p "${ssh_dir}" +# echo "Setting up .ssh" +# cp id_rsa ~/.ssh +# stty -echo +# ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub +# stty echo +# eval $(ssh-agent) +# ssh-add +# ssh-keyscan -H "plomlompom.com" >> ~/.ssh/known_hosts +# +# # Fill ~/public_repos. +# public_repos_dir="${HOME}/public_repos" +# repos_list_file="${public_repos_dir}/repos" +# mkdir -p "${public_repos_dir}" +# cat "${repos_list_file}" | while read line; do +# first_char=$(echo "${line}" | cut -c1) +# if [ "${first_char}" = "#" ]; then +# continue +# fi +# repo_name="${line}" +# if [ ! -d "${public_repos_dir}/${repo_name}" ]; then +# cd "${public_repos_dir}" +# git clone plom@plomlompom.com:/var/repos/${repo_name} +# fi +# done +# +# # Remove redundant config repo copy. 
+# config_tree_prefix="${public_repos_dir}/config/${debian_version}" +# rm -rf ~/config +# # # Set up native messenger for tridactyl. # version='ef9f02d0da258f68d7faf8898707f6d83d90d07a' # curl -fsSl "https://raw.githubusercontent.com/tridactyl/tridactyl/${version}/native/install.sh" | bash - -# Set up further non-public parts of infrastructure. -cd "${target_dir_secrets}" -script -c 'gpg --import secret_keys.asc' /dev/null -path_borgscript="${config_tree_prefix}//borg.sh" - +# +# # Set up further non-public parts of infrastructure. +# cd "${target_dir_secrets}" +# script -c 'gpg --import secret_keys.asc' /dev/null +# path_borgscript="${config_tree_prefix}//borg.sh" +# # # borg setup # borgkeys_dir=~/.config/borg/keys # borgrepos_file=~/.borgrepos @@ -103,6 +103,6 @@ path_borgscript="${config_tree_prefix}//borg.sh" # mbsync -a # notmuch new # fi - -# # Final note on how to integrate tridactyl. -# echo "TODO: As tridactyl user, don't forget to do :source on the first Firefox run, wait a little while (Tridactyl needs to walk through all commands in the .tridactylrc) and then re-start." +# +# # # Final note on how to integrate tridactyl. +# # echo "TODO: As tridactyl user, don't forget to do :source on the first Firefox run, wait a little while (Tridactyl needs to walk through all commands in the .tridactylrc) and then re-start." -- 2.30.2 From 207374ccd0944ec606823c4590bbe4b565af0cee Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Thu, 5 Sep 2024 21:40:40 +0200 Subject: [PATCH 03/16] Update Firefox. --- bookworm/setup_scripts/setup_firefox.sh | 2 +- testing/apt-mark/user | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/bookworm/setup_scripts/setup_firefox.sh b/bookworm/setup_scripts/setup_firefox.sh index 2e92f8d..5dc3f4a 100755 --- a/bookworm/setup_scripts/setup_firefox.sh +++ b/bookworm/setup_scripts/setup_firefox.sh 
@@ -3,7 +3,7 @@ set -e . ./misc.sh # Install Firefox directly from Mozilla. -firefox_release="115.14.0esr" +firefox_release="115.15.0esr" firefox_filename="firefox-${firefox_release}.tar.bz2" url_firefox="https://ftp.mozilla.org/pub/firefox/releases/${firefox_release}/linux-x86_64/en-US/${firefox_filename}" wget "${url_firefox}" diff --git a/testing/apt-mark/user b/testing/apt-mark/user index 1a6301d..c390f17 100644 --- a/testing/apt-mark/user +++ b/testing/apt-mark/user @@ -25,12 +25,9 @@ less man-db manpages procps -## firefox install dependencies -#wget -#bzip2 -## firefox running dependencies -#libgtk-3-0 -#libdbus-glib-1-2 +# browsers +firefox-esr +chromium # tridactyl install recommendations vim-gtk3 curl -- 2.30.2 From 1afd2ea2e4407705d914eed7d1f96e06dc5ab421 Mon Sep 17 00:00:00 2001 
From: Christian Heller Date: Wed, 25 Sep 2024 04:01:40 +0200 Subject: [PATCH 04/16] Some more updates. --- bookworm/setup_scripts/_setup.sh | 1 + bookworm/setup_scripts/copy_dirtree.sh | 1 + .../init_user_and_keybased_login.sh | 51 +++++++++++++++++++ bookworm/setup_scripts/init_user_login.sh | 11 ++-- bookworm/setup_scripts/migrate_borg.sh | 1 + bookworm/setup_scripts/mirror_dir.sh | 1 + bookworm/setup_scripts/misc.sh | 10 ---- .../setup_scripts/prepare_to_meet_server.sh | 1 + .../setup_scripts/set_hostname_and_fqdn.sh | 1 + bookworm/setup_scripts/setup_desktop.sh | 1 + bookworm/setup_scripts/setup_home.sh | 1 + bookworm/setup_scripts/setup_nvidia.sh | 24 +++++++++ bookworm/setup_scripts/setup_server.sh | 1 + .../setup_scripts/setup_static_website.sh | 1 + bookworm/setup_scripts/setup_web.sh | 1 + .../setup_scripts/upgrade_from_bullseye.sh | 11 ++++ .../init_user_and_keybased_login.sh | 18 +++---- bullseye/setup_scripts/init_user_login.sh | 20 +++----- misc.sh | 16 ++++++ 19 files changed, 129 insertions(+), 43 deletions(-) create mode 100755 bookworm/setup_scripts/init_user_and_keybased_login.sh create mode 100755 bookworm/setup_scripts/setup_nvidia.sh create mode 100644 bookworm/setup_scripts/upgrade_from_bullseye.sh create mode 100644 misc.sh diff --git a/bookworm/setup_scripts/_setup.sh b/bookworm/setup_scripts/_setup.sh index 0c28d60..1b8cae2 100755 --- a/bookworm/setup_scripts/_setup.sh +++ b/bookworm/setup_scripts/_setup.sh @@ -1,6 +1,7 @@ #!/bin/sh set -e . ./misc.sh +. ./../misc.sh expect_n_args 2 "(hostname, FQDN)" "$@" hostname="$1" diff --git a/bookworm/setup_scripts/copy_dirtree.sh b/bookworm/setup_scripts/copy_dirtree.sh index 2c385f0..387ba39 100755 --- a/bookworm/setup_scripts/copy_dirtree.sh +++ b/bookworm/setup_scripts/copy_dirtree.sh @@ -9,6 +9,7 @@ # CAUTION: This removes original files at the affected paths. set -e . ./misc.sh +. ./../misc.sh expect_n_args 3 "(source root, target root, modules)" "$@" 
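Review bot: `. ./../misc.sh` in _setup.sh and copy_dirtree.sh resolves to `bookworm/misc.sh`, but the diffstat shows the new helper being created at the repository root (`create mode 100644 misc.sh`), two directory levels above `bookworm/setup_scripts/`; with `set -e` the dot-source fails and each of these scripts exits before doing any work. The init_*_login.sh and setup_static_website.sh hunks in this same commit use `../../misc.sh`, which is the path that matches, so the remaining scripts should use it too. Both spellings are relative to the caller's working directory rather than to the script, so invoking from elsewhere silently sources a different or missing file; `. "$(dirname "$0")/../../misc.sh"` would remove that dependency.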
diff --git a/bookworm/setup_scripts/init_user_and_keybased_login.sh b/bookworm/setup_scripts/init_user_and_keybased_login.sh new file mode 100755 index 0000000..3f73562 --- /dev/null +++ b/bookworm/setup_scripts/init_user_and_keybased_login.sh 
@@ -0,0 +1,51 @@
+#!/bin/sh
+# This script turns a fresh server with password-based root access into
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+. ./misc.sh
+. ../../misc.sh
+
+expect_n_args 1 "(server)" "$@"
+server="$1"
+linkable_files_dir="${config_tree_prefix}/etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+# has "PermitRootLogin no" and "PasswordAuthentication no".
+local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
+
+# This will be used to log-in as root from plom account.
+echo 'First, enter the old root password; then enter new password twice.'
+ssh root@"${server}" "passwd"
+
+# Save root password for sshpass
+stty -echo
+printf "Re-enter new server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys +sshpass -e ssh root@"${server}" \ + 'useradd -m plom && '\ + 'mkdir /home/plom/.ssh && '\ + 'chown plom:plom /home/plom/.ssh && '\ + 'chown plom:plom /tmp/authorized_keys && '\ + 'chmod u=rw,go= /tmp/authorized_keys && '\ + 'mv /tmp/authorized_keys /home/plom/.ssh/' +sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}" +sshpass -e ssh root@"${server}" 'service ssh restart' diff --git a/bookworm/setup_scripts/init_user_login.sh b/bookworm/setup_scripts/init_user_login.sh index 820b5ab..a0652eb 100755 --- a/bookworm/setup_scripts/init_user_login.sh +++ b/bookworm/setup_scripts/init_user_login.sh @@ -1,6 +1,4 @@ #!/bin/sh -# This script assumes a server with key-based root access into one of -# key-based access only to a new non-root account plom. # # CAUTION: This is optimized for a *fresh* setup. It will overwrite any # old /etc/ssh/sshd_config. @@ -8,16 +6,15 @@ # Dependencies: ssh, scp, properly configured sshd_config file in reach. set -e . ./misc.sh +. ../../misc.sh -# Location of an sshd_config with "PermitRootLogin no" and -# "PasswordAuthentication no". +expect_n_args 1 "(server)" "$@" +server="$1" linkable_files_dir="${config_tree_prefix}/etc_files/server" system_path_sshd_config='/etc/ssh/sshd_config' +# has "PermitRootLogin no" and "PasswordAuthentication no". local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" -expect_n_args 1 "(server)" "$@" -server="$1" - # If we already knew that host … ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" diff --git a/bookworm/setup_scripts/migrate_borg.sh b/bookworm/setup_scripts/migrate_borg.sh index 4409c86..65ae67d 100755 --- a/bookworm/setup_scripts/migrate_borg.sh +++ b/bookworm/setup_scripts/migrate_borg.sh @@ -1,6 +1,7 @@ #!/bin/sh set -e . ./misc.sh +. ./../misc.sh expect_n_args 1 "(old server IP)" "$@" old_server="$1" 
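Review bot: The sshd_config that disables root and password login is copied and sshd restarted before anything has proven that plom can log in with the key, so a wrong local `~/.ssh/id_rsa.pub`, a typo in the config tree, or `StrictModes` rejecting `/home/plom/.ssh` (created with the default umask, never `chmod 700`) locks you out of the fresh server with no fallback. Insert a check between the authorized_keys installation and the config copy, e.g. `ssh -o BatchMode=yes -o PasswordAuthentication=no plom@"${server}" true`, and validate the uploaded file with `sshpass -e ssh root@"${server}" 'sshd -t'` before `service ssh restart`. Staging the key through the predictable remote path `/tmp/authorized_keys` is avoidable by piping it over stdin: `sshpass -e ssh root@"${server}" 'umask 077 && mkdir /home/plom/.ssh && cat > /home/plom/.ssh/authorized_keys && chown -R plom:plom /home/plom/.ssh' < ~/.ssh/id_rsa.pub`. `read PW_ROOT` should be `read -r PW_ROOT` so a backslash in the new root password is not mangled before it reaches `SSHPASS`.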
diff --git a/bookworm/setup_scripts/mirror_dir.sh b/bookworm/setup_scripts/mirror_dir.sh index 0660142..aef69f1 100755 --- a/bookworm/setup_scripts/mirror_dir.sh +++ b/bookworm/setup_scripts/mirror_dir.sh @@ -2,6 +2,7 @@ # Mirror directory tree from remote to local server, keeping the path. set -e . ./misc.sh +. ./../misc.sh expect_n_args 2 "(server, directory)" "$@" server=$1 diff --git a/bookworm/setup_scripts/misc.sh b/bookworm/setup_scripts/misc.sh index 4aad4a4..30f8e8c 100644 --- a/bookworm/setup_scripts/misc.sh +++ b/bookworm/setup_scripts/misc.sh @@ -9,16 +9,6 @@ fi setup_scripts_dir="${config_tree_prefix}/setup_scripts" aptmark_dir="${config_tree_prefix}/apt-mark" -expect_n_args() { - min_args="$1" - explainer="$2" - shift 2 - if [ "$#" -lt "${min_args}" ]; then - echo "Need at least ${1} arguments … ${explainer}" - false - fi -} - expect_setup_finished_file() { filename="$1" setup_script="$2" diff --git a/bookworm/setup_scripts/prepare_to_meet_server.sh b/bookworm/setup_scripts/prepare_to_meet_server.sh index d8e4e83..5f55362 100755 --- a/bookworm/setup_scripts/prepare_to_meet_server.sh +++ b/bookworm/setup_scripts/prepare_to_meet_server.sh @@ -2,6 +2,7 @@ # Do some of the steps necessary to SSH (key-based) with another server. set -e . ./misc.sh +. ./../misc.sh expect_n_args 1 "(server IP)" "$@" target="$1" diff --git a/bookworm/setup_scripts/set_hostname_and_fqdn.sh b/bookworm/setup_scripts/set_hostname_and_fqdn.sh index b367906..bcf3d9d 100755 --- a/bookworm/setup_scripts/set_hostname_and_fqdn.sh +++ b/bookworm/setup_scripts/set_hostname_and_fqdn.sh @@ -14,6 +14,7 @@ # Ignores IPv6s. set -e . ./misc.sh +. ./../misc.sh expect_n_args 1 "(hostname, fqdn)" "$@" diff --git a/bookworm/setup_scripts/setup_desktop.sh b/bookworm/setup_scripts/setup_desktop.sh index a617e0e..2eb19b3 100755 --- a/bookworm/setup_scripts/setup_desktop.sh +++ b/bookworm/setup_scripts/setup_desktop.sh 
@@ -1,6 +1,7 @@ #!/bin/sh set -e . ./misc.sh +. ./../misc.sh expect_n_args 1 "(system name)" "$@" get_system_name_arg "$1" diff --git a/bookworm/setup_scripts/setup_home.sh b/bookworm/setup_scripts/setup_home.sh index 6467ef9..a065bd4 100755 --- a/bookworm/setup_scripts/setup_home.sh +++ b/bookworm/setup_scripts/setup_home.sh @@ -1,6 +1,7 @@ #!/bin/sh set -e . ./misc.sh +. ./../misc.sh expect_n_args 1 "(system name)" "$@" get_system_name_arg "$1" diff --git a/bookworm/setup_scripts/setup_nvidia.sh b/bookworm/setup_scripts/setup_nvidia.sh new file mode 100755 index 0000000..d05c8d1 --- /dev/null +++ b/bookworm/setup_scripts/setup_nvidia.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e +. ./misc.sh + +# Set up NVIDIA eGPU config. +cd +# git clone https://github.com/NVIDIA/open-gpu-kernel-modules +# cd open-gpu-kernel-modules +# git checkout 337e28e +# # git checkout 4c29105335610933e744f4ab2524ea63fc39edaf +# make modules -j$(nproc) +# make modules_install +# cd +driver_version=535.86.05 +# driver_version=545.29.06 +runscript=NVIDIA-Linux-x86_64-${driver_version}.run +# wget https://us.download.nvidia.com/XFree86/Linux-x86_64/${driver_version}/${runscript} +set +e +rmmod nouveau +set -e +chmod u+x ${runscript} +./${runscript} --no-kernel-modules --silent +depmod +# TODO I suspect that the GPU falling of the bus may be mildened by running nvidia-persistenced, check https://github.com/NVIDIA/nvidia-persistenced/tree/main/init diff --git a/bookworm/setup_scripts/setup_server.sh b/bookworm/setup_scripts/setup_server.sh index e77d17f..43d5cc0 100755 --- a/bookworm/setup_scripts/setup_server.sh +++ b/bookworm/setup_scripts/setup_server.sh @@ -3,6 +3,7 @@ # the outside via ./init_user_login.sh. set -e . ./misc.sh +. ./../misc.sh expect_n_args 2 "(hostname, FQDN)" "$@" hostname="$1" diff --git a/bookworm/setup_scripts/setup_static_website.sh b/bookworm/setup_scripts/setup_static_website.sh index 1ab6a18..bdfb7d3 100755 --- a/bookworm/setup_scripts/setup_static_website.sh 
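Review bot: setup_nvidia.sh executes `./${runscript}`, a vendor binary installer run with root privileges, from `$HOME` with no integrity check, and since the `wget` line is commented out the script simply runs whatever file of that name happens to sit in the home directory. Pin the digest of the installer you verified once next to `driver_version` and refuse to continue otherwise, e.g. `echo "${driver_sha256}  ${runscript}" | sha256sum -c -` right before the `chmod`. The `set +e`/`rmmod nouveau`/`set -e` wrapper hides every failure, including the module still being loaded because X holds it, after which the proprietary driver install proceeds anyway; `if lsmod | grep -q '^nouveau '; then rmmod nouveau; fi` keeps the real error visible. The unquoted `${runscript}` expansions are harmless for this fixed name but should be quoted for consistency with the rest of the tree.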
+++ b/bookworm/setup_scripts/setup_static_website.sh @@ -1,6 +1,7 @@ #!/bin/sh set -e . ./misc.sh +. ../../misc.sh expect_setup_finished_file setup_web_has_been_run setup_web.sh diff --git a/bookworm/setup_scripts/setup_web.sh b/bookworm/setup_scripts/setup_web.sh index c9cc0ac..d7c651f 100755 --- a/bookworm/setup_scripts/setup_web.sh +++ b/bookworm/setup_scripts/setup_web.sh @@ -1,6 +1,7 @@ #!/bin/sh set -e . ./misc.sh +. ./../misc.sh expect_setup_finished_file setup_server_has_been_run setup_server.sh diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh new file mode 100644 index 0000000..2349b30 --- /dev/null +++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh @@ -0,0 +1,11 @@ +#!/bin/sh +apt update +apt -y upgrade +apt -y full-upgrade +path_sources_list="/etc/apt/sources.list" +cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}" +apt clean +apt update +apt -y upgrade +apt --force-yes full-upgrade +apt -y autoremove diff --git a/bullseye/setup_scripts/init_user_and_keybased_login.sh b/bullseye/setup_scripts/init_user_and_keybased_login.sh index f237a84..a70c3ee 100755 --- a/bullseye/setup_scripts/init_user_and_keybased_login.sh +++ b/bullseye/setup_scripts/init_user_and_keybased_login.sh 
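Review bot: `apt --force-yes full-upgrade` relies on an option that has been deprecated since apt 1.1 and, where still honoured, implies `--allow-unauthenticated`, so this step either aborts the upgrade or installs packages whose signatures were never checked; the preceding `apt -y full-upgrade` form is the right one. The script also never sources misc.sh and has no `set -e`, so `config_tree_prefix` is empty, the `cp` of `/etc_files/all/etc/apt/sources.list` fails, and the second `apt update`/`full-upgrade` pair quietly runs against the old bullseye sources while the script reports success. Add `set -e` and `. ./misc.sh` after the shebang and guard the variable with `: "${config_tree_prefix:?}"`. The file is created mode 100644 while its sibling scripts are 100755.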
@@ -10,21 +10,15 @@ # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly # configured sshd_config file in reach. set -e +. ./misc.sh +. ../../misc.sh -# Location of an sshd_config with "PermitRootLogin no" and -# "PasswordAuthentication no". -config_tree_prefix="${HOME}/public_repos/config/bullseye" -linkable_files_dir="${config_tree_prefix}/etc_files/server" -system_path_sshd_config='/etc/ssh/sshd_config' -local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" - -# Ensure we have a server name as argument. -if [ $# -eq 0 ]; then - echo "Need server as argument." - false -fi +expect_n_args 1 "(server)" "$@" server="$1" +# If we already knew that host … +ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" + # This will be used to log-in as root from plom account. echo 'First, enter the old root password; then enter new password twice.' ssh root@"${server}" "passwd" diff --git a/bullseye/setup_scripts/init_user_login.sh b/bullseye/setup_scripts/init_user_login.sh index 21a8062..35abb90 100755 --- a/bullseye/setup_scripts/init_user_login.sh +++ b/bullseye/setup_scripts/init_user_login.sh 
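Review bot: The new `ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}"` deliberately forgets the host key right before the script sends the root password over the first connection, so the following `ssh root@"${server}" "passwd"` (and the sshpass calls later in the file, outside this hunk) authenticate to whichever host key is presented; a fresh install is exactly the moment an on-path attacker can harvest the root password. Have the script take the expected fingerprint as a second argument (most providers display it in their console) and check it before the first login, e.g. `ssh-keyscan "${server}" 2>/dev/null | ssh-keygen -lf - | grep -qF "${expected_fp}" || exit 1`, or at least document that the interactive host-key prompt must be compared by hand rather than accepted. The hard-coded `/home/plom/.ssh/known_hosts` should be `~/.ssh/known_hosts` so the script works for whichever account runs it.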
@@ -1,27 +1,19 @@ #!/bin/sh -# This script assumes a server with key-based root access into one of -# key-based access only to a new non-root account plom. # # CAUTION: This is optimized for a *fresh* setup. It will overwrite any # old /etc/ssh/sshd_config. # # Dependencies: ssh, scp, properly configured sshd_config file in reach. set -e +. ./misc.sh +. ../../misc.sh -# Location of an sshd_config with "PermitRootLogin no" and -# "PasswordAuthentication no". -config_tree_prefix="${HOME}/public_repos/config/bullseye" -linkable_files_dir="${config_tree_prefix}/etc_files/server" -system_path_sshd_config='/etc/ssh/sshd_config' -local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" - -# Ensure we have a server name as argument. -if [ $# -eq 0 ]; then - echo "Need server as argument." - false -fi +expect_n_args 1 "(server)" "$@" server="$1" +# If we already knew that host … +ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" + # So we're only asked once … eval $(ssh-agent) ssh-add diff --git a/misc.sh b/misc.sh new file mode 100644 index 0000000..adf8e1b --- /dev/null +++ b/misc.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +linkable_files_dir="${config_tree_prefix}/etc_files/server" +system_path_sshd_config='/etc/ssh/sshd_config' +local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" + +expect_n_args() { + min_args="$1" + explainer="$2" + shift 2 + if [ "$#" -lt "${min_args}" ]; then + echo "Need at least ${min_args} arguments … ${explainer}" + false + fi +} + -- 2.30.2 From 58a708602244994e622bf719a41158403c80325a Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Wed, 25 Sep 2024 04:07:53 +0200 Subject: [PATCH 05/16] Update. --- bookworm/setup_scripts/upgrade_from_bullseye.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) mode change 100644 => 100755 bookworm/setup_scripts/upgrade_from_bullseye.sh 
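Review bot: The new top-level misc.sh derives `linkable_files_dir` from `${config_tree_prefix}` at source time, so whenever it is sourced before the per-release misc.sh that sets that variable, or from a shell where it is unset, `local_path_sshd_config` silently becomes `/etc_files/server/etc/ssh/sshd_config` and the callers' `scp` of the hardening config either fails or ships whatever exists at that path. Open the file with `: "${config_tree_prefix:?must be set by the release-specific misc.sh sourced first}"` so the failure is loud, and add a one-line header comment stating that this file must be sourced after `./misc.sh`, which is the ordering every caller in this commit relies on. The trailing blank added line can be dropped.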
diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh old mode 100644 new mode 100755 index 2349b30..6a006e0 --- a/bookworm/setup_scripts/upgrade_from_bullseye.sh +++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh @@ -1,7 +1,8 @@ #!/bin/sh +. ./misc.sh apt update apt -y upgrade -apt -y full-upgrade +apt --force-yes full-upgrade path_sources_list="/etc/apt/sources.list" cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}" apt clean -- 2.30.2 From 211392e1a65fd72fd93c9061296d17d6ea48c54b Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Wed, 25 Sep 2024 04:16:14 +0200 Subject: [PATCH 06/16] Update. --- .../setup_scripts/init_user_and_keybased_login.sh | 12 ++++++------ bookworm/setup_scripts/init_user_login.sh | 14 ++++++++------ bookworm/setup_scripts/upgrade_from_bullseye.sh | 4 ++-- .../setup_scripts/init_user_and_keybased_login.sh | 4 ++-- bullseye/setup_scripts/init_user_login.sh | 9 +++++++-- 5 files changed, 25 insertions(+), 18 deletions(-) diff --git a/bookworm/setup_scripts/init_user_and_keybased_login.sh b/bookworm/setup_scripts/init_user_and_keybased_login.sh index 3f73562..ad45834 100755 --- a/bookworm/setup_scripts/init_user_and_keybased_login.sh +++ b/bookworm/setup_scripts/init_user_and_keybased_login.sh 
@@ -8,20 +8,19 @@ # /etc/ssh/sshd_config. # # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly -# configured sshd_config file in reach. +# configured sshd_config file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh expect_n_args 1 "(server)" "$@" server="$1" -linkable_files_dir="${config_tree_prefix}/etc_files/server" -system_path_sshd_config='/etc/ssh/sshd_config' -# has "PermitRootLogin no" and "PasswordAuthentication no". -local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" + +# If we already knew that host … +ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. -echo 'First, enter the old root password; then enter new password twice.' +echo 'First, enter the old root password; then enter new password three times.' ssh root@"${server}" "passwd" # Save root password for sshpass @@ -49,3 +48,4 @@ sshpass -e ssh root@"${server}" \ 'mv /tmp/authorized_keys /home/plom/.ssh/' sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}" sshpass -e ssh root@"${server}" 'service ssh restart' + diff --git a/bookworm/setup_scripts/init_user_login.sh b/bookworm/setup_scripts/init_user_login.sh index a0652eb..a36a5bd 100755 --- a/bookworm/setup_scripts/init_user_login.sh +++ b/bookworm/setup_scripts/init_user_login.sh 
@@ -1,19 +1,20 @@ #!/bin/sh +# This script turns a fresh server with password-based root access into +# one of only key-based access and only to new non-root account plom. # # CAUTION: This is optimized for a *fresh* setup. It will overwrite any -# old /etc/ssh/sshd_config. +# pre-existing ~/.ssh/authorized_keys of user plom with one that solely +# contains the local ~/.ssh/id_rsa.pub, and also any old +# /etc/ssh/sshd_config. # -# Dependencies: ssh, scp, properly configured sshd_config file in reach. +# Dependencies: ssh, scp, ~/.ssh/id_rsa.pub, properly configured sshd_config +# file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh expect_n_args 1 "(server)" "$@" server="$1" -linkable_files_dir="${config_tree_prefix}/etc_files/server" -system_path_sshd_config='/etc/ssh/sshd_config' -# has "PermitRootLogin no" and "PasswordAuthentication no". -local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" # If we already knew that host … ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" @@ -36,3 +37,4 @@ ssh root@"${server}" 'chown plom:plom /home/plom/.ssh/authorized_keys' # Set up SSH config and remove direct SSH login to root. scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}" ssh root@"${server}" 'rm -rf /root/.ssh && service ssh restart' + diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh index 6a006e0..d7c07bd 100755 --- a/bookworm/setup_scripts/upgrade_from_bullseye.sh +++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh @@ -2,11 +2,11 @@ . ./misc.sh apt update apt -y upgrade -apt --force-yes full-upgrade +apt -y full-upgrade path_sources_list="/etc/apt/sources.list" cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}" apt clean apt update apt -y upgrade -apt --force-yes full-upgrade +apt -y -o Dpkg::Options::="--force-confnew" full-upgrade apt -y autoremove 
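Review bot: The header pasted into init_user_login.sh says the script turns a server with *password-based* root access into a key-only one, but this script has no sshpass dependency and its second hunk ends with `ssh root@"${server}" 'rm -rf /root/.ssh && service ssh restart'`, i.e. it presupposes that root is already reachable with the local key and then removes that access; the removed first line ("assumes a server with key-based root access") was the accurate description. Suggest `# This script turns a fresh server with key-based root access into one of only key-based access and only to new non-root account plom; root's ~/.ssh is deleted at the end.` and a Dependencies line listing `~/.ssh/id_rsa.pub` loaded in ssh-agent rather than sshpass. As in the keybased variant, copying the sshd_config and restarting before a `ssh -o BatchMode=yes plom@"${server}" true` has succeeded risks locking yourself out; the body between the two hunks is not shown here.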
diff --git a/bullseye/setup_scripts/init_user_and_keybased_login.sh b/bullseye/setup_scripts/init_user_and_keybased_login.sh index a70c3ee..4fcc062 100755 --- a/bullseye/setup_scripts/init_user_and_keybased_login.sh +++ b/bullseye/setup_scripts/init_user_and_keybased_login.sh @@ -8,7 +8,7 @@ # /etc/ssh/sshd_config. # # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly -# configured sshd_config file in reach. +# configured sshd_config file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh @@ -20,7 +20,7 @@ server="$1" ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. -echo 'First, enter the old root password; then enter new password twice.' +echo 'First, enter the old root password; then enter new password three times.' ssh root@"${server}" "passwd" # Save root password for sshpass diff --git a/bullseye/setup_scripts/init_user_login.sh b/bullseye/setup_scripts/init_user_login.sh index 35abb90..b63d0d8 100755 --- a/bullseye/setup_scripts/init_user_login.sh +++ b/bullseye/setup_scripts/init_user_login.sh @@ -1,9 +1,14 @@ #!/bin/sh +# This script turns a fresh server with password-based root access into +# one of only key-based access and only to new non-root account plom. # # CAUTION: This is optimized for a *fresh* setup. It will overwrite any -# old /etc/ssh/sshd_config. +# pre-existing ~/.ssh/authorized_keys of user plom with one that solely +# contains the local ~/.ssh/id_rsa.pub, and also any old +# /etc/ssh/sshd_config. # -# Dependencies: ssh, scp, properly configured sshd_config file in reach. +# Dependencies: ssh, scp, ~/.ssh/id_rsa.pub, properly configured sshd_config +# file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh -- 2.30.2 From aba79b11a72b5352f7dacf0db5b2b1d81d531b34 Mon Sep 17 00:00:00 2001 
From: Christian Heller Date: Wed, 25 Sep 2024 04:17:24 +0200 Subject: [PATCH 07/16] Update. --- bookworm/setup_scripts/upgrade_from_bullseye.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh index d7c07bd..7c51c0d 100755 --- a/bookworm/setup_scripts/upgrade_from_bullseye.sh +++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh @@ -1,4 +1,7 @@ #!/bin/sh + +# as per https://wiki.debian.org/DebianUpgrade +set -e . ./misc.sh apt update apt -y upgrade -- 2.30.2 From cc988979cafd6453756a53a00da5a05a9d93e204 Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Wed, 25 Sep 2024 04:41:10 +0200 Subject: [PATCH 08/16] Update. --- bookworm/etc_files/server/etc/ssh/sshd_config | 5 +++-- bookworm/setup_scripts/setup_server.sh | 2 +- bookworm/setup_scripts/upgrade_from_bullseye.sh | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/bookworm/etc_files/server/etc/ssh/sshd_config b/bookworm/etc_files/server/etc/ssh/sshd_config index 94363eb..e952cb3 100644 --- a/bookworm/etc_files/server/etc/ssh/sshd_config +++ b/bookworm/etc_files/server/etc/ssh/sshd_config @@ -30,7 +30,8 @@ Include /etc/ssh/sshd_config.d/*.conf # Authentication: #LoginGraceTime 2m -PermitRootLogin no +#PermitRootLogin prohibit-password +PermitRootLogin no # plomlompom's security rule #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 @@ -54,7 +55,7 @@ PermitRootLogin no #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no +PasswordAuthentication no #PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with diff --git a/bookworm/setup_scripts/setup_server.sh b/bookworm/setup_scripts/setup_server.sh index 43d5cc0..93bfa1c 100755 --- a/bookworm/setup_scripts/setup_server.sh +++ b/bookworm/setup_scripts/setup_server.sh 
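Review bot: `PermitRootLogin no # plomlompom's security rule` puts a trailing comment on a keyword line; whether sshd accepts that depends on the OpenSSH version (recent releases tolerate it, older ones abort config parsing with "garbage at end of line" and the daemon does not start), so run `sshd -t -f <this file>` on the target release before the init scripts copy it over, since a rejected config combined with `service ssh restart` is a lockout. `PasswordAuthentication no` on its own does not stop password prompts that arrive through PAM keyboard-interactive; the hunk does not show `KbdInteractiveAuthentication` (or the older `ChallengeResponseAuthentication`), so confirm it is `no` elsewhere in the file. The whitespace-only change on the `PasswordAuthentication no` line is presumably trailing-space cleanup and needs no action.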
@@ -1,6 +1,6 @@ #!/bin/sh # Next setup steps for a server whose login policy has just been set from -# the outside via ./init_user_login.sh. +# the outside via ./init_user_login.sh or ./init_user_and_keybased_login.sh set -e . ./misc.sh . ./../misc.sh diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh index 7c51c0d..6db4f2e 100755 --- a/bookworm/setup_scripts/upgrade_from_bullseye.sh +++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh @@ -4,7 +4,7 @@ set -e . ./misc.sh apt update -apt -y upgrade +apt -y -o Dpkg::Options::="--force-confnew" upgrade apt -y full-upgrade path_sources_list="/etc/apt/sources.list" cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}" -- 2.30.2 From 96232db450bb7bad167361abc461516b048edf66 Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Wed, 25 Sep 2024 06:22:02 +0200 Subject: [PATCH 09/16] Various fixes. --- bookworm/setup_scripts/copy_dirtree.sh | 2 +- bookworm/setup_scripts/migrate_borg.sh | 2 +- bookworm/setup_scripts/mirror_dir.sh | 2 +- bookworm/setup_scripts/prepare_to_meet_server.sh | 2 +- bookworm/setup_scripts/set_hostname_and_fqdn.sh | 2 +- bookworm/setup_scripts/setup_desktop.sh | 2 +- bookworm/setup_scripts/setup_home.sh | 2 +- bookworm/setup_scripts/setup_server.sh | 2 +- bookworm/setup_scripts/setup_web.sh | 2 +- bookworm/setup_scripts/upgrade_from_bullseye.sh | 10 +++++++--- bullseye/etc_files/server/etc/ssh/sshd_config | 4 ++-- bullseye/setup_scripts/init_user_and_keybased_login.sh | 4 ++-- 12 files changed, 20 insertions(+), 16 deletions(-) diff --git a/bookworm/setup_scripts/copy_dirtree.sh b/bookworm/setup_scripts/copy_dirtree.sh index 387ba39..fbc3d9d 100755 --- a/bookworm/setup_scripts/copy_dirtree.sh +++ b/bookworm/setup_scripts/copy_dirtree.sh 
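Review bot: `apt -y -o Dpkg::Options::="--force-confnew" upgrade` is still interactive in one respect: `-y` answers apt's own prompts but not debconf questions, so an unattended run on a remote host can block on a dialog such as the services-restart question. Prefixing the apt lines with `DEBIAN_FRONTEND=noninteractive` removes that; the same applies to the rewritten apt lines of this file in patches 09 and 12 of the series. Note also that `--force-confnew` replaces every package's conffiles, /etc/ssh/sshd_config included, so the key-only login policy reverts to package defaults until the file is re-copied. The script body continues beyond this hunk.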
@@ -9,7 +9,7 @@ # CAUTION: This removes original files at the affected paths. set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 3 "(source root, target root, modules)" "$@" diff --git a/bookworm/setup_scripts/migrate_borg.sh b/bookworm/setup_scripts/migrate_borg.sh index 65ae67d..b08cf2d 100755 --- a/bookworm/setup_scripts/migrate_borg.sh +++ b/bookworm/setup_scripts/migrate_borg.sh @@ -1,7 +1,7 @@ #!/bin/sh set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 1 "(old server IP)" "$@" old_server="$1" diff --git a/bookworm/setup_scripts/mirror_dir.sh b/bookworm/setup_scripts/mirror_dir.sh index aef69f1..d650165 100755 --- a/bookworm/setup_scripts/mirror_dir.sh +++ b/bookworm/setup_scripts/mirror_dir.sh @@ -2,7 +2,7 @@ # Mirror directory tree from remote to local server, keeping the path. set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 2 "(server, directory)" "$@" server=$1 diff --git a/bookworm/setup_scripts/prepare_to_meet_server.sh b/bookworm/setup_scripts/prepare_to_meet_server.sh index 5f55362..8e54ca5 100755 --- a/bookworm/setup_scripts/prepare_to_meet_server.sh +++ b/bookworm/setup_scripts/prepare_to_meet_server.sh @@ -2,7 +2,7 @@ # Do some of the steps necessary to SSH (key-based) with another server. set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 1 "(server IP)" "$@" target="$1" diff --git a/bookworm/setup_scripts/set_hostname_and_fqdn.sh b/bookworm/setup_scripts/set_hostname_and_fqdn.sh index bcf3d9d..929d8bc 100755 --- a/bookworm/setup_scripts/set_hostname_and_fqdn.sh +++ b/bookworm/setup_scripts/set_hostname_and_fqdn.sh @@ -14,7 +14,7 @@ # Ignores IPv6s. set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 1 "(hostname, fqdn)" "$@" diff --git a/bookworm/setup_scripts/setup_desktop.sh b/bookworm/setup_scripts/setup_desktop.sh index 2eb19b3..fe11b83 100755 --- a/bookworm/setup_scripts/setup_desktop.sh +++ b/bookworm/setup_scripts/setup_desktop.sh 
@@ -1,7 +1,7 @@ #!/bin/sh set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 1 "(system name)" "$@" get_system_name_arg "$1" diff --git a/bookworm/setup_scripts/setup_home.sh b/bookworm/setup_scripts/setup_home.sh index a065bd4..54f0db1 100755 --- a/bookworm/setup_scripts/setup_home.sh +++ b/bookworm/setup_scripts/setup_home.sh @@ -1,7 +1,7 @@ #!/bin/sh set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 1 "(system name)" "$@" get_system_name_arg "$1" diff --git a/bookworm/setup_scripts/setup_server.sh b/bookworm/setup_scripts/setup_server.sh index 93bfa1c..c854b95 100755 --- a/bookworm/setup_scripts/setup_server.sh +++ b/bookworm/setup_scripts/setup_server.sh @@ -3,7 +3,7 @@ # the outside via ./init_user_login.sh or ./init_user_and_keybased_login.sh set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 2 "(hostname, FQDN)" "$@" hostname="$1" diff --git a/bookworm/setup_scripts/setup_web.sh b/bookworm/setup_scripts/setup_web.sh index d7c651f..4807e8a 100755 --- a/bookworm/setup_scripts/setup_web.sh +++ b/bookworm/setup_scripts/setup_web.sh @@ -1,7 +1,7 @@ #!/bin/sh set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_setup_finished_file setup_server_has_been_run setup_server.sh diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh index 6db4f2e..ed246e1 100755 --- a/bookworm/setup_scripts/upgrade_from_bullseye.sh +++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh 
@@ -1,11 +1,15 @@ #!/bin/sh -# as per https://wiki.debian.org/DebianUpgrade +# Upgrade a fresh (!) system to Bookworm, as per [1]. Fresh, because: Don't +# expect any customized config files to survive this. If you run this on a +# remote machine, take care not to loose anything you need to re-connect, e.g. +# any relevant adaptations you did to /etc/ssh/sshd_config … + set -e . ./misc.sh apt update -apt -y -o Dpkg::Options::="--force-confnew" upgrade -apt -y full-upgrade +apt -y upgrade +apt -y -o Dpkg::Options::="--force-confnew" full-upgrade path_sources_list="/etc/apt/sources.list" cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}" apt clean diff --git a/bullseye/etc_files/server/etc/ssh/sshd_config b/bullseye/etc_files/server/etc/ssh/sshd_config index 8effa74..811e93a 100644 --- a/bullseye/etc_files/server/etc/ssh/sshd_config +++ b/bullseye/etc_files/server/etc/ssh/sshd_config @@ -79,7 +79,7 @@ ChallengeResponseAuthentication no # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin yes +# the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. @@ -121,4 +121,4 @@ Subsystem sftp /usr/lib/openssh/sftp-server # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server -ClientAliveInterval 120 +ClientAliveInterval 15 diff --git a/bullseye/setup_scripts/init_user_and_keybased_login.sh b/bullseye/setup_scripts/init_user_and_keybased_login.sh index 4fcc062..475b12f 100755 --- a/bullseye/setup_scripts/init_user_and_keybased_login.sh +++ b/bullseye/setup_scripts/init_user_and_keybased_login.sh 
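Review bot: The new header comment refers to `[1]` for the upgrade procedure, but the line that carried the reference (`# as per https://wiki.debian.org/DebianUpgrade`) is removed in the same hunk, so `[1]` now points nowhere; keep the URL as a footnote, e.g. `# [1] https://wiki.debian.org/DebianUpgrade`. In the same comment, "loose" should read "lose".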
@@ -21,7 +21,8 @@ ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. echo 'First, enter the old root password; then enter new password three times.' -ssh root@"${server}" "passwd" +#ssh root@"${server}" "passwd" +ssh root@"${server}" "ls" # Save root password for sshpass stty -echo @@ -40,7 +41,6 @@ export SSHPASS="${PW_ROOT}" # would require setting a password for user plom otherwise not needed. sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys sshpass -e ssh root@"${server}" \ - 'useradd -m plom && '\ 'mkdir /home/plom/.ssh && '\ 'chown plom:plom /home/plom/.ssh && '\ 'chown plom:plom /tmp/authorized_keys && '\ -- 2.30.2 From fd775924eb94791f7efb1f44a7d4935823bf0ee2 Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Fri, 27 Sep 2024 00:27:39 +0200 Subject: [PATCH 10/16] Various updates. --- bookworm/apt-mark/all | 4 ++++ bookworm/setup_scripts/_setup.sh | 2 +- bookworm/setup_scripts/init_user_and_keybased_login.sh | 4 ++-- ...grade_from_bullseye.sh => upgrade_from_older_release.sh} | 0 bullseye/setup_scripts/init_user_and_keybased_login.sh | 6 +++--- 5 files changed, 10 insertions(+), 6 deletions(-) rename bookworm/setup_scripts/{upgrade_from_bullseye.sh => upgrade_from_older_release.sh} (100%) diff --git a/bookworm/apt-mark/all b/bookworm/apt-mark/all index 617b707..aa1b30d 100644 --- a/bookworm/apt-mark/all +++ b/bookworm/apt-mark/all @@ -10,3 +10,7 @@ locales # extremely useful for basic network debugging; missed these more than once in an emergency netcat-traditional iputils-ping +# what would we do without this … +apt +# not only pull in systemd, but also /sbin/reboot and /sbin/shutdown +systemd-sysv diff --git a/bookworm/setup_scripts/_setup.sh b/bookworm/setup_scripts/_setup.sh index 1b8cae2..5f4bfda 100755 --- a/bookworm/setup_scripts/_setup.sh +++ b/bookworm/setup_scripts/_setup.sh 
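Review bot: `ssh root@"${server}" "ls"` replaces the `passwd` call that the preceding echo still announces, and `useradd -m plom` is dropped from the remote command whose later `mkdir /home/plom/.ssh && chown plom:plom ...` depends on that account existing; this reads like local debugging state committed under "Various fixes". On a fresh server the remote chain fails at `mkdir` because /home/plom does not exist, and with `set -e` the script aborts after the root password has already been captured into SSHPASS. The remainder of the remote command lies outside the hunk.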
@@ -1,7 +1,7 @@ #!/bin/sh set -e . ./misc.sh -. ./../misc.sh +. ../../misc.sh expect_n_args 2 "(hostname, FQDN)" "$@" hostname="$1" diff --git a/bookworm/setup_scripts/init_user_and_keybased_login.sh b/bookworm/setup_scripts/init_user_and_keybased_login.sh index ad45834..ed24e87 100755 --- a/bookworm/setup_scripts/init_user_and_keybased_login.sh +++ b/bookworm/setup_scripts/init_user_and_keybased_login.sh @@ -20,8 +20,8 @@ server="$1" ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. -echo 'First, enter the old root password; then enter new password three times.' -ssh root@"${server}" "passwd" +printf '\nFirst, enter the old root password; then enter new password three times.\n\n' +ssh root@"${server}" 'printf "\n\n" && passwd' # Save root password for sshpass stty -echo diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_older_release.sh similarity index 100% rename from bookworm/setup_scripts/upgrade_from_bullseye.sh rename to bookworm/setup_scripts/upgrade_from_older_release.sh diff --git a/bullseye/setup_scripts/init_user_and_keybased_login.sh b/bullseye/setup_scripts/init_user_and_keybased_login.sh index 475b12f..b69a095 100755 --- a/bullseye/setup_scripts/init_user_and_keybased_login.sh +++ b/bullseye/setup_scripts/init_user_and_keybased_login.sh @@ -20,9 +20,8 @@ server="$1" ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. -echo 'First, enter the old root password; then enter new password three times.' -#ssh root@"${server}" "passwd" -ssh root@"${server}" "ls" +printf '\nFirst, enter the old root password; then enter new password three times.\n\n' +ssh root@"${server}" 'printf "\n\n" && passwd' # Save root password for sshpass stty -echo 
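Review bot: The prompt rewrite is fine, but the `stty -echo` that closes the hunk is unprotected: under `set -e`, any failure or interrupt between it and the later `stty echo` leaves the caller's terminal with echo disabled. An EXIT trap set once near the top, `trap 'stty echo 2>/dev/null' EXIT`, restores it on every exit path; the bullseye copy of this script in the same patch has the identical sequence. The password-reading section continues outside the hunk.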
@@ -41,6 +40,7 @@ export SSHPASS="${PW_ROOT}" # would require setting a password for user plom otherwise not needed. sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys sshpass -e ssh root@"${server}" \ + 'useradd -m plom && '\ 'mkdir /home/plom/.ssh && '\ 'chown plom:plom /home/plom/.ssh && '\ 'chown plom:plom /tmp/authorized_keys && '\ -- 2.30.2 From 74ee1d23b009cbed67c83b4732222bf39ee311be Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Fri, 27 Sep 2024 00:27:56 +0200 Subject: [PATCH 11/16] Various updates. --- bullseye/setup_scripts/misc.sh | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 bullseye/setup_scripts/misc.sh diff --git a/bullseye/setup_scripts/misc.sh b/bullseye/setup_scripts/misc.sh new file mode 100644 index 0000000..bf38bf6 --- /dev/null +++ b/bullseye/setup_scripts/misc.sh @@ -0,0 +1,3 @@ +#!/bin/sh +#set -e +config_tree_prefix="${HOME}/public_repos/config/bullseye" -- 2.30.2 From 6284595116e39a3bf5e90b62ed52365de70b312f Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Fri, 27 Sep 2024 00:55:46 +0200 Subject: [PATCH 12/16] Various fixes. --- bookworm/apt-mark/all | 2 -- bookworm/apt-mark/server | 2 ++ bookworm/setup_scripts/init_user_and_keybased_login.sh | 2 +- bookworm/setup_scripts/init_user_login.sh | 6 +++--- bookworm/setup_scripts/upgrade_from_older_release.sh | 9 ++++++--- bullseye/setup_scripts/init_user_and_keybased_login.sh | 4 ++-- misc.sh | 4 ++-- 7 files changed, 16 insertions(+), 13 deletions(-) diff --git a/bookworm/apt-mark/all b/bookworm/apt-mark/all index aa1b30d..abd02d6 100644 --- a/bookworm/apt-mark/all +++ b/bookworm/apt-mark/all @@ -12,5 +12,3 @@ netcat-traditional iputils-ping # what would we do without this … apt -# not only pull in systemd, but also /sbin/reboot and /sbin/shutdown -systemd-sysv diff --git a/bookworm/apt-mark/server b/bookworm/apt-mark/server index 2ab22d2..6003591 100644 --- a/bookworm/apt-mark/server +++ b/bookworm/apt-mark/server 
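Review bot: `useradd -m plom` is restored, but the key is still staged through the world-writable `/tmp/authorized_keys` and then chowned to plom; if anything already exists at that path on the server (a stale file or a symlink left by another account), root's scp follows it. Staging the file under root's home instead, e.g. `root@"${server}":/root/authorized_keys` for the scp and the same path in the chown that follows, keeps the whole sequence out of the shared directory. The rest of the remote command is outside the hunk.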
@@ -4,3 +4,5 @@ openssh-server nftables # We want to be able to use ALL our servers as borg backup destinations. borgbackup +# not only pull in systemd, but also /sbin/reboot and /sbin/shutdown +systemd-sysv diff --git a/bookworm/setup_scripts/init_user_and_keybased_login.sh b/bookworm/setup_scripts/init_user_and_keybased_login.sh index ed24e87..f2d83ee 100755 --- a/bookworm/setup_scripts/init_user_and_keybased_login.sh +++ b/bookworm/setup_scripts/init_user_and_keybased_login.sh @@ -8,7 +8,7 @@ # /etc/ssh/sshd_config. # # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly -# configured sshd_config file in misc.sh:$linkable_files_dir +# configured sshd_config file in misc.sh:$local_etc_server set -e . ./misc.sh . ../../misc.sh diff --git a/bookworm/setup_scripts/init_user_login.sh b/bookworm/setup_scripts/init_user_login.sh index a36a5bd..f9733ff 100755 --- a/bookworm/setup_scripts/init_user_login.sh +++ b/bookworm/setup_scripts/init_user_login.sh @@ -8,7 +8,7 @@ # /etc/ssh/sshd_config. # # Dependencies: ssh, scp, ~/.ssh/id_rsa.pub, properly configured sshd_config -# file in misc.sh:$linkable_files_dir +# file in misc.sh:local_etc_server$ set -e . ./misc.sh . ../../misc.sh @@ -24,8 +24,8 @@ eval $(ssh-agent) ssh-add # This will be used to log-in as root from plom account. -echo 'Asking for new root password.' -ssh root@"${server}" "passwd" +printf '\nAsking for new root password.\n\n' +ssh root@"${server}" 'printf "\n\n" && passwd' # Set up plom's ~/.ssh/authorized_keys from root's. ssh root@"${server}" 'useradd -m plom' diff --git a/bookworm/setup_scripts/upgrade_from_older_release.sh b/bookworm/setup_scripts/upgrade_from_older_release.sh index ed246e1..5175547 100755 --- a/bookworm/setup_scripts/upgrade_from_older_release.sh +++ b/bookworm/setup_scripts/upgrade_from_older_release.sh 
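Review bot: The rewritten dependency comment in init_user_login.sh puts the dollar sign after the name, `# file in misc.sh:local_etc_server$`, while the sibling script in the same patch writes `misc.sh:$local_etc_server`; use the latter form here too so the comment names the variable that misc.sh actually defines.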
@@ -7,13 +7,16 @@ set -e . ./misc.sh + +path_sources_list="/etc/apt/sources.list" + apt update -apt -y upgrade +apt -y -o Dpkg::Options::="--force-confnew" upgrade apt -y -o Dpkg::Options::="--force-confnew" full-upgrade -path_sources_list="/etc/apt/sources.list" cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}" apt clean apt update -apt -y upgrade +apt -y -o Dpkg::Options::="--force-confnew" upgrade apt -y -o Dpkg::Options::="--force-confnew" full-upgrade apt -y autoremove +cp "${locall_path_sshd_config}" "${system_path_sshd_config}" diff --git a/bullseye/setup_scripts/init_user_and_keybased_login.sh b/bullseye/setup_scripts/init_user_and_keybased_login.sh index b69a095..544f3c6 100755 --- a/bullseye/setup_scripts/init_user_and_keybased_login.sh +++ b/bullseye/setup_scripts/init_user_and_keybased_login.sh @@ -8,7 +8,7 @@ # /etc/ssh/sshd_config. # # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly -# configured sshd_config file in misc.sh:$linkable_files_dir +# configured sshd_config file in misc.sh:$local_etc_server set -e . ./misc.sh . ../../misc.sh @@ -21,7 +21,7 @@ ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. printf '\nFirst, enter the old root password; then enter new password three times.\n\n' -ssh root@"${server}" 'printf "\n\n" && passwd' +ssh root@"${server}" 'printf "\n" && passwd' # Save root password for sshpass stty -echo diff --git a/misc.sh b/misc.sh index adf8e1b..61ad026 100644 --- a/misc.sh +++ b/misc.sh @@ -1,8 +1,8 @@ #!/bin/sh -linkable_files_dir="${config_tree_prefix}/etc_files/server" +local_etc_server="${config_tree_prefix}/etc_files/server" system_path_sshd_config='/etc/ssh/sshd_config' -local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" +local_path_sshd_config="${local_etc_server}${system_path_sshd_config}" expect_n_args() { min_args="$1" -- 2.30.2 
From e55b15122444fef74e620b7ae97aa35bd76212a5 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 27 Sep 2024 01:14:44 +0200
Subject: [PATCH 13/16] Various fixes.
---
bookworm/setup_scripts/upgrade_from_older_release.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bookworm/setup_scripts/upgrade_from_older_release.sh b/bookworm/setup_scripts/upgrade_from_older_release.sh
index 5175547..776bb7a 100755
--- a/bookworm/setup_scripts/upgrade_from_older_release.sh
+++ b/bookworm/setup_scripts/upgrade_from_older_release.sh
@@ -7,6 +7,7 @@
set -e
. ./misc.sh
+. ../../misc.sh
path_sources_list="/etc/apt/sources.list"
@@ -19,4 +20,4 @@ apt update
apt -y -o Dpkg::Options::="--force-confnew" upgrade
apt -y -o Dpkg::Options::="--force-confnew" full-upgrade
apt -y autoremove
-cp "${locall_path_sshd_config}" "${system_path_sshd_config}"
+cp "${local_path_sshd_config}" "${system_path_sshd_config}"
-- 2.30.2
From 9721c6df2320038920e8faf01948c271157f87c1 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Tue, 1 Oct 2024 07:16:29 +0200
Subject: [PATCH 14/16] Add missing deps for server to remain accessible.
---
bookworm/apt-mark/server | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bookworm/apt-mark/server b/bookworm/apt-mark/server
index 6003591..ecca45d 100644
--- a/bookworm/apt-mark/server
+++ b/bookworm/apt-mark/server
@@ -6,3 +6,7 @@ nftables
borgbackup
# not only pull in systemd, but also /sbin/reboot and /sbin/shutdown
systemd-sysv
+# necessary on _some_ vservers
+net-tools
+quota
+
-- 2.30.2
From 136ebc642e9c637fa87222fb5294d5a20221c10d Mon Sep 17 00:00:00 2001
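Review bot: The corrected `cp "${local_path_sshd_config}" "${system_path_sshd_config}"` installs the new sshd_config but neither validates nor applies it, so a mistake in the repository copy is only noticed at the next sshd restart, possibly at the next reboot of a remote host with no other way in. Validate before overwriting and reload afterwards: `sshd -t -f "${local_path_sshd_config}"` ahead of the cp and `systemctl reload ssh` after it; under `set -e` a bad config then aborts the script while the old, working file is still in place. This cp is the script's last line.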
From: Christian Heller Date: Thu, 3 Oct 2024 00:25:13 +0200 Subject: [PATCH 15/16] Add basic bookworm seedbox setup. --- bookworm/apt-mark/seedbox | 5 +++++ bookworm/setup_scripts/purge_nonrequireds.sh | 4 ---- bookworm/setup_scripts/setup_seedbox.sh | 10 ++++++++++ 3 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 bookworm/apt-mark/seedbox create mode 100644 bookworm/setup_scripts/setup_seedbox.sh diff --git a/bookworm/apt-mark/seedbox b/bookworm/apt-mark/seedbox new file mode 100644 index 0000000..7129acf --- /dev/null +++ b/bookworm/apt-mark/seedbox @@ -0,0 +1,5 @@ +# needed for torrenting +rtorrent +# needed for torrenting session +screen + diff --git a/bookworm/setup_scripts/purge_nonrequireds.sh b/bookworm/setup_scripts/purge_nonrequireds.sh index 48065fc..95f2897 100755 --- a/bookworm/setup_scripts/purge_nonrequireds.sh +++ b/bookworm/setup_scripts/purge_nonrequireds.sh @@ -24,7 +24,3 @@ comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black apt-mark auto `cat /tmp/list_black` DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black - -# Somehow, auto-mounts get undone by all of this, so re-mount /etc/fstab. -# TODO: Find out why. -mount -a diff --git a/bookworm/setup_scripts/setup_seedbox.sh b/bookworm/setup_scripts/setup_seedbox.sh new file mode 100644 index 0000000..b5f9236 --- /dev/null +++ b/bookworm/setup_scripts/setup_seedbox.sh @@ -0,0 +1,10 @@ +#!/bin/sh +set -e +. ./misc.sh +. ../../misc.sh + +expect_setup_finished_file setup_server_has_been_run setup_server.sh + +cd "${setup_scripts_dir}" +# ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" seedbox +./install_for_target.sh seedbox -- 2.30.2 From 9a02f12dfeb6e96cb6732f7fe33024e42096bb3c Mon Sep 17 00:00:00 2001 
From: Christian Heller Date: Thu, 3 Oct 2024 04:34:19 +0200 Subject: [PATCH 16/16] Improve seedbox setup. --- .../seedbox/etc/systemd/system/rtorrent.service | 17 +++++++++++++++++ bookworm/home_files/seedbox/.rtorrent.rc | 11 +++++++++++ bookworm/setup_scripts/setup_seedbox.sh | 6 +++++- 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 bookworm/etc_files/seedbox/etc/systemd/system/rtorrent.service create mode 100644 bookworm/home_files/seedbox/.rtorrent.rc mode change 100644 => 100755 bookworm/setup_scripts/setup_seedbox.sh diff --git a/bookworm/etc_files/seedbox/etc/systemd/system/rtorrent.service b/bookworm/etc_files/seedbox/etc/systemd/system/rtorrent.service new file mode 100644 index 0000000..babfd36 --- /dev/null +++ b/bookworm/etc_files/seedbox/etc/systemd/system/rtorrent.service @@ -0,0 +1,17 @@ +[Unit] +Description=rtorrent session +After=network.target + +[Service] +Type=simple +User=plom +Group=plom +WorkingDirectory=/home/plom +ExecStartPre=-/bin/rm -f /home/plom/session/rtorrent.lock +ExecStart=/usr/bin/screen -S rtorrent -Dm /usr/bin/rtorrent +ExecStop=/usr/bin/screen -S rtorrent -X quit +Restart=on-failure +RestartSec=3 + +[Install] +WantedBy=multi-user.target diff --git a/bookworm/home_files/seedbox/.rtorrent.rc b/bookworm/home_files/seedbox/.rtorrent.rc new file mode 100644 index 0000000..2513748 --- /dev/null +++ b/bookworm/home_files/seedbox/.rtorrent.rc @@ -0,0 +1,11 @@ +# where to write downloads into +directory.default.set = ~/downloads + +# rtorrent's memory +session.path.set = ~/session + +# security and paranoia +dht.mode.set = disable +protocol.pex.set = no +protocol.encryption.set = require,require_RC4,allow_incoming,try_outgoing + diff --git a/bookworm/setup_scripts/setup_seedbox.sh b/bookworm/setup_scripts/setup_seedbox.sh old mode 100644 new mode 100755 index b5f9236..7d0cb8b --- a/bookworm/setup_scripts/setup_seedbox.sh +++ b/bookworm/setup_scripts/setup_seedbox.sh 
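Review bot: The unit correctly runs rtorrent as `plom`, but carries no sandboxing for a daemon that accepts inbound connections; adding `NoNewPrivileges=yes` and `PrivateTmp=yes` under `[Service]` costs nothing for this workload, and `ProtectSystem=full` keeps /usr and /etc read-only while /home/plom stays writable. The unconditional `ExecStartPre=-/bin/rm -f /home/plom/session/rtorrent.lock` also removes the lock of an rtorrent started by hand if the unit is started alongside it, which the `-` prefix does not guard against; a comment stating that the unit assumes it is the only rtorrent instance would make that expectation explicit.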
@@ -6,5 +6,9 @@ set -e
expect_setup_finished_file setup_server_has_been_run setup_server.sh
cd "${setup_scripts_dir}"
-# ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" seedbox
+./copy_dirtree.sh "${config_tree_prefix}/home_files" "" seedbox
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" seedbox
./install_for_target.sh seedbox
+mkdir /home/plom/{downloads|session}
+chown plom:plom /home/plom/{downloads|session}
+systemctl enable rtorrent.service --now
-- 2.30.2
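Review bot: `mkdir /home/plom/{downloads|session}` and the matching `chown` line do not create two directories: the file is `#!/bin/sh`, where brace expansion does not exist, and even under bash the list separator is `,` rather than `|`, so either shell creates a single directory literally named `{downloads|session}` while the `~/downloads` and `~/session` paths the shipped .rtorrent.rc expects stay missing. Write the paths out, `mkdir -p /home/plom/downloads /home/plom/session` and `chown plom:plom /home/plom/downloads /home/plom/session`, with `-p` so a re-run under `set -e` does not abort on the existing directories. The new `./copy_dirtree.sh "${config_tree_prefix}/home_files" "" seedbox` call passes an empty target root, which, judging by the other home_files caller passing a home directory there, would place .rtorrent.rc under / rather than /home/plom; worth confirming against copy_dirtree.sh.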