Jafner.net/active projects/homelab/docs/Configure a New Host.md
2024-07-15 15:35:16 -07:00

3.9 KiB

Configure a New Host

Prerequisites

  • Fresh Debian 11+ installation on x86 hardware.
  • SSH access to host.

Create Admin User

  1. Get su perms. Either via sudo, su -, or by logging in as the root user.
  2. adduser admin to create the non-root admin user.
  3. usermod -aG sudo admin to add the new user to the sudo group.
  4. sudo visudo and append this line to the end of the file: admin ALL=(ALL) NOPASSWD:ALL to enable passwordless sudo.

After these, you can sudo su admin to log into the new user account.

https://www.cyberciti.biz/faq/add-new-user-account-with-admin-access-on-linux/
https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/

Set the Hostname

  1. sudo hostnamectl set-hostname <hostname> to set the hostname.
  2. sudo nano /etc/hosts and edit the old value for 127.0.1.1 to use the new hostname.

Configure Secure SSH

  1. mkdir -p /home/admin/.ssh && echo "<insert pubkey here>" >> /home/admin/.ssh/authorized_keys Add pubkey to authorized_keys. Make sure to place the correct SSH pubkey in the command before copying.
  2. sudo apt install libpam-google-authenticator to install the Google 2FA PAM.
  3. google-authenticator to configure the 2FA module. Use the following responses when prompted:
  • Do you want authentication tokens to be time-based? y
  • Do you want me to update your "/home/$USER/.google_authenticator" file? y
  • Do you want to disallow multiple uses of the same authentication token? y
  • Do you want to do so? n (refers to increasing time skew window)
  • Do you want to enable rate-limiting? y We enter our TOTP secret key into our second authentication method and save our one-time backup recovery codes.
  1. sudo nano /etc/pam.d/sshd to edit the PAM configuration, and add this line to the top of the file auth sufficient pam_google_authenticator.so nullok

5a. sudo nano /etc/ssh/sshd_config to open the SSH daemon config for editing. Make sure the following assertions exist:

  • PubkeyAuthentication yes
  • AuthenticationMethods publickey,keyboard-interactive
  • PasswordAuthentication no
  • ChallengeResponseAuthentication yes
  • UsePAM yes

5b. echo $'PubkeyAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\nPasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes' | sudo tee /etc/ssh/sshd_config.d/ssh.conf to perform the above as a one-liner. Requires a version of OpenSSH/Linux that supports sourcing sshd config from the /etc/ssh/sshd_config.d/*.conf path.

  1. sudo systemctl restart sshd.service to restart the SSH daemon.

Install Basic Packages

  1. sudo apt install curl nano inxi git htop

Install Docker

  1. curl -fsSL https://get.docker.com | sudo sh This is the most convenient and least safe way to do this. If this script is ever compromised, we'd be fucked.
  2. sudo systemctl enable docker to enable the Docker service.
  3. sudo usermod -aG docker $USER to add the current user (should be non-root admin) to docker group.
  4. logout to relog and apply the new permissions.

Clone the Homelab Repo

  1. Create a new Gitlab personal access token for the device at Personal Access Tokens. Should be named like warlock and have the following scopes: read_api, read_user, read_repository.
  2. mkdir ~/homelab ~/data && cd ~/homelab/ && git init && git config core.sparseCheckout true && git config pull.ff only to init the repository with sparse checkout enabled.
  3. git remote add -f origin https://<pat-name>:<pat-value>@gitlab.jafner.net/Jafner/homelab.git to add the repo with authentication via read-only personal access token. NOTE: Make sure to replace <pat-name> with the name of the personal access token, and replace <pat-value> with the key for the personal access token.
  4. echo "$HOSTNAME/" > .git/info/sparse-checkout to configure sparse checkout for the host.
  5. git checkout main to switch to the main branch with the latest files.