- Install OS
For Raspberry Pi:
- Install latest Ubuntu server LTS.
- Connect with ethernet and SSH to local IP with
ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no ubuntu@<IP>
For Ubuntu Desktops:
- Enable full drive encryption during install. This reduces risk from hardware theft.
- Do not create a user named
woolieas part of setup, instead create a temporary user named 'tmpbootstrap'. This will only be used to run puppet initially and should be removed after. Puppet needs to create thewoolieuser to keep UIDs/GIDs in sync. - Set hostname if asked, following scheme of {model}{increment}.
For desktop1 to auto decrypt and mount the internal SATA HDD:
- Configure auto unlocking of partition:
- Retrieve password from password manager for drive starting UUID=cd5e45c0
- Open GNOME disks.
- Select LUKS partition on drive (not the filesystem).
- Additional partition options > Edit Encryption Options.
- Uncheck "User Session Defaults".
- Check "Unlock at system startup".
- Enter passphrase from manager.
- Configure auto mounting of filesystem:
- Select the filesystem (not the partition) in GNOME disks.
- Additional partition options -> Edit Mount Options.
- Uncheck "User Session Defaults".
- Check "Mount at system startup"
- Set mount point:
/media/woolie/bulkstorage.
- Run puppet
-
If bootstrapping a host that needs a static IP, ensure the router configuration is set as in this README. If changing a hardware used for the same host, update the MAC address in the README/router.
-
Set hostname with
sudo hostnamectl set-hostname "{model}{increment} -
Run the bootstrap script:
wget -q -O - https://raw.github.com/AWooldrige/puppet/master/bootstrap.sh | sudo bash
- Add credentials not managed by Puppet
For workstations:
- Transfer SSH keys from another machine.
For webpi:
- Set
[ddns]in/home/woolie/.aws/credentials - Set
/etc/nginx/secrets/photos.htpasswdcontents from password store - Set
/etc/nginx/secrets/cg.htpasswdcontents from password store - Restore tiddlywiki backup using
/var/ww/tw/ww - Install pihole using instructions from [https://pi-hole.net/]
All lowercase
| Char | Field | Options |
|---|---|---|
| 1-3 | Purpose | (free choice) |
| 4 | Type | d:desktop, s:server |
| 5 | Location | h:home |
| 6 | Unique num | 1 onwards |
Allocated hostnames:
- websh1
| Description | MAC | Reserved IP |
|---|---|---|
| webpi Pi 4 eth0 | dc:a6:32:8b:96:48 | 192.168.50.2 |
| epaperpi Pi 3 eth0 | b8:27:eb:3c:0c:11 | 192.168.50.3 |
| epaperpi Pi 3 wlan0 | b8:27:eb:69:59:44 | 192.168.50.4 |
| boilerpi Pi 2 eth0 | B8:27:EB:6F:AF:69 | 192.168.50.5 |
| boilerpi Pi 2 wlan0 | 80:1f:02:af:5a:81 | 192.168.50.6 |
| websh1 Pi 5 eth0 | 2C:CF:67:27:0C:D7 | 192.168.50.7 |
| websh1 Pi 5 wlan0 | TODO | 192.168.50.8 |
| Description | Protocol | External port | Local port | Local IP |
|---|---|---|---|---|
| SSH (slightly obsfucated) to websh1 | TCP UDP | 3222 | 3222 | 192.168.50.7 |
| HTTP to webpi | TCP UDP | 80 | 80 | 192.168.50.2 |
| HTTPS to webpi | TCP UDP | 443 | 443 | 192.168.50.2 |
Each file should be prepended with the following text.
#########################################################################
## This file is controlled by Puppet - changes will be overwritten ##
#########################################################################
All scripts should log to syslog and to stdout/stderr. This should be managed within the scripts themselves.
To see log output for the main crons:
sudo journalctl -t 'gdpup'sudo journalctl -t 'ddns'
Each machine has one main user, woolie. This user is used for SSH remote
access and local access. The user should always have a password set and should
also require it for sudo (no passwordless sudo, even on remote machines).