diff --git a/docs/Configure a New Host.md b/docs/Configure a New Host.md new file mode 100644 index 0000000..88a2270 --- /dev/null +++ b/docs/Configure a New Host.md @@ -0,0 +1,68 @@ +# Configure a New Host + +## Prerequisites +- Fresh Debian 11+ installation on x86 hardware. +- SSH access to host. + +## Create Admin User + +1. Get su perms. Either via `sudo`, `su -`, or by logging in as the root user. +2. `adduser admin` to create the non-root admin user. +3. `usermod -aG sudo admin` to add the new user to the sudo group. +4. `sudo visudo` and append this line to the end of the file: `admin ALL=(ALL) NOPASSWD:ALL` to enable passwordless sudo. + +After these, you can `sudo su admin` to log into the new user account. + +https://www.cyberciti.biz/faq/add-new-user-account-with-admin-access-on-linux/ +https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/ + + +## Set the Hostname +1. `sudo hostnamectl set-hostname ` to set the hostname. +2. `sudo nano /etc/hosts` and edit the old value for `127.0.1.1` to use the new hostname. + +## Configure Secure SSH + +1. `mkdir -p /home/admin/.ssh && echo "" >> /home/admin/.ssh/authorized_keys` Add pubkey to authorized_keys. Make sure to place the correct SSH pubkey in the command before copying. +2. `sudo apt install libpam-google-authenticator` to install the Google 2FA PAM. +3. `google-authenticator` to configure the 2FA module. Use the following responses when prompted: + +* Do you want authentication tokens to be time-based? `y` +* Do you want me to update your "/home/$USER/.google_authenticator" file? `y` +* Do you want to disallow multiple uses of the same authentication token? `y` +* Do you want to do so? `n` (refers to increasing time skew window) +* Do you want to enable rate-limiting? `y` We enter our TOTP secret key into our second authentication method and save our one-time backup recovery codes. + +4. `sudo nano /etc/pam.d/sshd` to edit the PAM configuration, and add this line to the top of the file `auth sufficient pam_google_authenticator.so nullok` + +5a. `sudo nano /etc/ssh/sshd_config` to open the SSH daemon config for editing. Make sure the following assertions exist: + +* `PubkeyAuthentication yes` +* `AuthenticationMethods publickey,keyboard-interactive` +* `PasswordAuthentication no` +* `ChallengeResponseAuthentication yes` +* `UsePAM yes` + +5b. `echo $'PubkeyAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\nPasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes' | sudo tee /etc/ssh/sshd_config.d/ssh.conf` to perform the above as a one-liner. Requires a version of OpenSSH/Linux that supports sourcing sshd config from the `/etc/ssh/sshd_config.d/*.conf` path. + +6. `sudo systemctl restart sshd.service` to restart the SSH daemon. + +## Install Basic Packages + +1. `sudo apt install curl nano inxi git htop` + +### Install Docker +1. `curl -fsSL https://get.docker.com | sudo sh` This is the most convenient and least safe way to do this. If this script is ever compromised, we'd be fucked. +2. `sudo systemctl enable docker` to enable the Docker service. +3. `sudo usermod -aG docker $USER` to add the current user (should be non-root admin) to docker group. +4. `logout` to relog and apply the new permissions. + +## Clone the Homelab Repo + +1. Create a new Gitlab personal access token for the device at [Personal Access Tokens](https://gitlab.jafner.net/-/profile/personal_access_tokens). Should be named like `warlock` and have the following scopes: `read_api`, `read_user`, `read_repository`. +2. `mkdir ~/homelab ~/data && cd ~/homelab/ && git init && git config core.sparseCheckout true && git config pull.ff only` to init the repository with sparse checkout enabled. +3. `git remote add -f origin https://:@gitlab.jafner.net/Jafner/homelab.git` to add the repo with authentication via read-only personal access token. NOTE: Make sure to replace `` with the name of the personal access token, and replace `` with the key for the personal access token. +4. `echo "$HOSTNAME/" > .git/info/sparse-checkout` to configure sparse checkout for the host. +5. `git checkout main` to switch to the main branch with the latest files. + +