Skip to content

AWooldrige/puppet

master
Switch branches/tags
2 branches 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
manifests
 
 
modules
 
 
.gitignore
 
 
Makefile
 
 
README.markdown
 
 
apply.sh
 
 
bootstrap.sh
 
 
cloudformation-eu-west-1.json
 
 
cloudformation-us-east-1.json
 
 
sync_to_host.sh
 
 
Bootstrapping a system from scratch Router configuration DHCP reservations Port forwarding Puppet config conventions Files Logging Documentation User strategy

README.markdown

Bootstrapping a system from scratch

  1. Install OS

For Raspberry Pi:

  1. Connect with ethernet and SSH to local IP with ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no ubuntu@<IP>

For Ubuntu Desktops:

  1. Enable full drive encryption during install. This reduces risk from hardware theft.
  2. Do not create a user named woolie as part of setup, instead create a temporary user named 'tmpbootstrap'. This will only be used to run puppet initially and should be removed after. Puppet needs to create the woolie user to keep UIDs/GIDs in sync.
  3. Set hostname if asked, following scheme of {model}{increment}.
  1. Run puppet

  1. If bootstrapping a host that needs a static IP, ensure the router configuration is set as in this README. If changing a hardware used for the same host, update the MAC address in the README/router.

  2. Set hostname with sudo hostnamectl set-hostname "{model}{increment}

  3. Copy secure puppet module from password manager to /etc/securepuppet/modules/secure/manifests/init.pp then chmod -R 600 /etc/securepuppet

  4. Run the bootstrap script:

    wget -q -O - https://raw.github.com/AWooldrige/puppet/master/bootstrap.sh | sudo bash

  1. Add credentials not managed by Puppet

For workstations:

  1. Transfer SSH keys from another machine.

For webpi:

  1. Set [ddns] in /home/woolie/.aws/credentials
  2. Set /etc/nginx/secrets/photos.htpasswd contents from password store
  3. Set /etc/nginx/secrets/cg.htpasswd contents from password store
  4. Restore tiddlywiki backup using /var/ww/tw/ww
  5. Install pihole using instructions from [https://pi-hole.net/]

Router configuration

DHCP reservations

Description MAC Reserved IP
webpi Pi 4 eth0 dc:a6:32:8b:96:48 192.168.50.2
epaperpi Pi 3 eth0 b8:27:eb:3c:0c:11 192.168.50.3
epaperpi Pi 3 wlan0 b8:27:eb:69:59:44 192.168.50.4
fridgepi Pi 2 eth0 B8:27:EB:6F:AF:69 192.168.50.5
fridgepi Pi 2 wlan0 80:1f:02:af:5a:81 192.168.50.6

Port forwarding

Description Protocol External port Local port Local IP
SSH (slightly obsfucated) to webpi TCP + UDP 3222 3222 192.168.50.2
HTTP to webpi TCP + UDP 80 80 192.168.50.2
HTTPS to webpi TCP + UDP 443 443 192.168.50.2

Puppet config conventions

Files

Each file should be prepended with the following text.

#########################################################################
##   This file is controlled by Puppet - changes will be overwritten   ##
#########################################################################

Logging

All scripts should log to syslog and to stdout/stderr. This should be managed within the scripts themselves.

To see log output for the main crons:

  • sudo journalctl -t 'gdpup'
  • sudo journalctl -t 'ddns'

Documentation

User strategy

Each machine has one main user, woolie. This user is used for SSH remote access and local access. The user should always have a password set and should also require it for sudo (no passwordless sudo, even on remote machines).

About

No description, website, or topics provided.

Resources

Readme

Stars

6 stars

Watchers

2 watching

Forks

0 forks

Releases

No releases published

Packages

No packages published

Languages