- Install OS
  - For Raspberry Pi:
    - Install the latest Ubuntu Server LTS.
    - Connect with ethernet and SSH to the local IP with:
      `ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no ubuntu@<IP>`
  - For Ubuntu Desktops:
    - Enable full drive encryption during install. This reduces risk from hardware theft.
    - Do not create a user named `woolie` as part of setup; instead create a temporary user named `tmpbootstrap`. This will only be used to run puppet initially and should be removed after. Puppet needs to create the `woolie` user to keep UIDs/GIDs in sync.
    - Set hostname if asked, following the scheme `{model}{increment}`.
  - For desktop1 to auto decrypt and mount the internal SATA HDD:
    - Configure auto unlocking of the partition:
      - Retrieve the password from the password manager for the drive whose UUID starts `cd5e45c0`.
      - Open GNOME Disks.
      - Select the LUKS partition on the drive (not the filesystem).
      - Additional partition options > Edit Encryption Options.
      - Uncheck "User Session Defaults".
      - Check "Unlock at system startup".
      - Enter the passphrase from the manager.
    - Configure auto mounting of the filesystem:
      - Select the filesystem (not the partition) in GNOME Disks.
      - Additional partition options > Edit Mount Options.
      - Uncheck "User Session Defaults".
      - Check "Mount at system startup".
      - Set mount point: `/media/woolie/bulkstorage`.
- Run puppet
  - If bootstrapping a host that needs a static IP, ensure the router configuration is set as in this README. If changing the hardware used for the same host, update the MAC address in the README/router.
  - Set hostname with `sudo hostnamectl set-hostname "{model}{increment}"`
  - Run the bootstrap script: `wget -q -O - https://raw.github.com/AWooldrige/puppet/master/bootstrap.sh | sudo bash`
- Add credentials not managed by Puppet
  - For workstations:
    - Transfer SSH keys from another machine.
  - For webpi:
    - Set `[ddns]` in `/home/woolie/.aws/credentials`.
    - Set `/etc/nginx/secrets/photos.htpasswd` contents from the password store.
    - Set `/etc/nginx/secrets/cg.htpasswd` contents from the password store.
    - Restore the tiddlywiki backup using `/var/ww/tw/ww`.
    - Install pihole using the instructions from https://pi-hole.net/
Hostnames are all lowercase.

Char position | Field | Options |
---|---|---|
1-3 | Purpose | (free choice) |
4 | Type | d: desktop, s: server |
5 | Location | h: home |
6 | Unique num | 1 onwards |
Allocated hostnames:
- websh1
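
To make the scheme checkable before running `hostnamectl`, here is an added example script (not part of the AWooldrige/puppet repo) that validates a candidate hostname against the table above and decodes its fields. It assumes the unique number may run past a single digit, since the table says "1 onwards"; the function names `validate_hostname` and `decode_hostname` and the file name `check_hostname.sh` are my own.

```shell
#!/bin/sh
# Added example, not part of the AWooldrige/puppet repo: validate and decode a
# hostname against the scheme (3 lowercase letters, d/s type, h location, number).
# Assumption: the unique number may continue past char 6 ("1 onwards").
set -eu

# Return 0 if NAME follows the scheme, 1 otherwise.
validate_hostname() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]{3}[ds]h[1-9][0-9]*$'
}

# Print the decoded fields, one "key=value" per line; fails on an invalid name.
decode_hostname() {
  validate_hostname "$1" || { echo "invalid hostname: $1" >&2; return 1; }
  purpose=$(printf '%s' "$1" | cut -c1-3)
  case $(printf '%s' "$1" | cut -c4) in
    d) kind=desktop ;;
    s) kind=server ;;
  esac
  case $(printf '%s' "$1" | cut -c5) in
    h) location=home ;;
  esac
  num=$(printf '%s' "$1" | cut -c6-)
  printf 'purpose=%s\ntype=%s\nlocation=%s\nnum=%s\n' \
    "$purpose" "$kind" "$location" "$num"
}

# Check the name given as the first argument, or the running host's name.
main() {
  decode_hostname "${1:-$(hostname)}"
}

# Only run main when executed directly as check_hostname.sh (not when sourced).
case "$0" in
  check_hostname.sh|*/check_hostname.sh) main "$@" ;;
esac
```

`sh check_hostname.sh websh1` prints the four fields for the allocated host; names from the router table that predate the scheme, such as `webpi`, are rejected, as is anything with uppercase letters or a zero unique number.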
Description | MAC | Reserved IP |
---|---|---|
webpi Pi 4 eth0 | dc:a6:32:8b:96:48 | 192.168.50.2 |
epaperpi Pi 3 eth0 | b8:27:eb:3c:0c:11 | 192.168.50.3 |
epaperpi Pi 3 wlan0 | b8:27:eb:69:59:44 | 192.168.50.4 |
boilerpi Pi 2 eth0 | B8:27:EB:6F:AF:69 | 192.168.50.5 |
boilerpi Pi 2 wlan0 | 80:1f:02:af:5a:81 | 192.168.50.6 |
websh1 Pi 5 eth0 | 2C:CF:67:27:0C:D7 | 192.168.50.7 |
websh1 Pi 5 wlan0 | TODO | 192.168.50.8 |
Description | Protocol | External port | Local port | Local IP |
---|---|---|---|---|
SSH (slightly obfuscated) to websh1 | TCP UDP | 3222 | 3222 | 192.168.50.7 |
HTTP to webpi | TCP UDP | 80 | 80 | 192.168.50.2 |
HTTPS to webpi | TCP UDP | 443 | 443 | 192.168.50.2 |
Each file should be prepended with the following text:

```text
#########################################################################
## This file is controlled by Puppet - changes will be overwritten ##
#########################################################################
```
All scripts should log to syslog and to stdout/stderr. This should be managed within the scripts themselves.

To see log output for the main crons:

```sh
sudo journalctl -t 'gdpup'
sudo journalctl -t 'ddns'
```
Each machine has one main user, `woolie`. This user is used for SSH remote access and local access. The user should always have a password set and should also require it for sudo (no passwordless sudo, even on remote machines).
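
The following added example (not part of the AWooldrige/puppet repo) serves two points above: it audits a host against the user policy (the main user has a password set, no passwordless sudo) and it follows the logging convention for scripts (syslog via `logger`, plus stdout for normal output and stderr for problems, handled inside the script). The function names, the file name `audit_user.sh` and the syslog tag `audit_user` are my own; the checks read `/etc/shadow` and the sudoers files, so `main` has to run as root, while the parsing functions work on any text you pass them.

```shell
#!/bin/sh
# Added example, not part of the AWooldrige/puppet repo. Audits one user for the
# policy "password set, no passwordless sudo" and logs the way the README asks:
# syslog (via logger, when available) plus stdout/stderr. Tag "audit_user" is an
# assumption. main must run as root to read shadow and sudoers.
set -eu

# Format one log line as "<tag>[<level>]: <message>".
fmt_log() {
  printf '%s[%s]: %s\n' "$1" "$2" "$3"
}

# Send to syslog (if logger exists) and to stdout (INFO) or stderr (WARN/ERROR).
log_msg() {
  tag=$1; level=$2; msg=$3
  case $level in
    ERROR) prio=err ;;
    WARN)  prio=warning ;;
    *)     prio=info ;;
  esac
  if command -v logger >/dev/null 2>&1; then
    logger -t "$tag" -p "user.$prio" -- "$msg" 2>/dev/null || :
  fi
  if [ "$level" = INFO ]; then
    fmt_log "$tag" "$level" "$msg"
  else
    fmt_log "$tag" "$level" "$msg" >&2
  fi
}

# Given one /etc/shadow entry, return 0 if the account has a usable password.
# An empty field, or one starting with "!" or "*", means no password or locked.
shadow_has_password() {
  hash=$(printf '%s' "$1" | cut -d: -f2)
  case $hash in
    ''|'!'*|'*'*) return 1 ;;
  esac
  return 0
}

# Return 0 if FILE contains an uncommented NOPASSWD rule, 1 otherwise.
sudoers_has_nopasswd() {
  grep -Eq '^[^#]*NOPASSWD' "$1"
}

main() {
  tag=audit_user
  user=${1:-woolie}
  rc=0
  if [ "$(id -u)" -ne 0 ]; then
    log_msg "$tag" ERROR "must run as root to read shadow and sudoers"
    return 2
  fi
  entry=$(getent shadow "$user") || {
    log_msg "$tag" ERROR "user $user does not exist"
    return 2
  }
  if shadow_has_password "$entry"; then
    log_msg "$tag" INFO "$user has a password set"
  else
    log_msg "$tag" ERROR "$user has no usable password"
    rc=1
  fi
  for f in /etc/sudoers /etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    if sudoers_has_nopasswd "$f"; then
      log_msg "$tag" ERROR "passwordless sudo rule found in $f"
      rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then
    log_msg "$tag" INFO "sudo policy OK for $user"
  fi
  return "$rc"
}

# Only run main when executed directly as audit_user.sh (not when sourced).
case "$0" in
  audit_user.sh|*/audit_user.sh) main "$@" ;;
esac
```

Run it as `sudo sh audit_user.sh woolie` after bootstrap; a non-zero exit means a policy violation was found, and because it logs with a fixed tag the output can be read back with `sudo journalctl -t audit_user`, matching the pattern used for the `gdpup` and `ddns` crons.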