# Bootstrapping a system from scratch

## Install OS

For Raspberry Pi:

- Connect with Ethernet and SSH to the local IP with:

  ```sh
  ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no ubuntu@<IP>
  ```

For Ubuntu desktops:

- Enable full drive encryption during install. This reduces risk from hardware theft.
- Do not create a user named `woolie` as part of setup; instead create a temporary user named `tmpbootstrap`. This will only be used to run Puppet initially and should be removed afterwards. Puppet needs to create the `woolie` user itself to keep UIDs/GIDs in sync.
- Set the hostname if asked, following the scheme `{model}{increment}`.
## Run Puppet

- If bootstrapping a host that needs a static IP, ensure the router configuration is set as in this README. If changing the hardware used for the same host, update the MAC address in the README and on the router.
- Set the hostname with:

  ```sh
  sudo hostnamectl set-hostname "{model}{increment}"
  ```

- Copy the secure Puppet module from the password manager to `/etc/securepuppet/modules/secure/manifests/init.pp`, then run `chmod -R 600 /etc/securepuppet`.
- Run the bootstrap script:

  ```sh
  wget -q -O - https://raw.github.com/AWooldrige/puppet/master/bootstrap.sh | sudo bash
  ```
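The manual steps above, collected into helper functions as an added example (this is not the repository's own `bootstrap.sh`). Paths and the bootstrap URL are taken from this README; the reading of the hostname scheme as lowercase letters followed by digits, the optional staging root (so the functions can be exercised outside `/etc`), and the `sha256-placeholder` value are assumptions. It also fetches the bootstrap script to a file and checks a pinned hash before handing it to `sudo bash`, rather than piping it straight from the network.

```shell
#!/bin/sh
# Added example, not the repository's own bootstrap.sh: helper functions for
# the manual "Run Puppet" steps. Paths and the bootstrap URL come from the
# README; the hostname regex, the checksum placeholder and the optional
# staging root are assumptions.

# Check a hostname against the {model}{increment} scheme, read here as a
# lowercase model name followed by a numeric increment (assumption),
# e.g. "xps1" (constructed example).
validate_hostname() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]+[0-9]+$'
}

# Copy the secure module from $1 under root $2 (defaults to the real root)
# and lock it down. The README uses `chmod -R 600`; 600 on a directory also
# drops its search bit, which root ignores but nobody else can traverse, so
# directories get 700 and files 600 here for the same intent.
stage_secure_module() {
    src="$1"; root="${2:-}"
    dest="$root/etc/securepuppet/modules/secure/manifests"
    mkdir -p "$dest" || return 1
    cp "$src" "$dest/init.pp" || return 1
    find "$root/etc/securepuppet" -type d -exec chmod 700 {} + || return 1
    find "$root/etc/securepuppet" -type f -exec chmod 600 {} +
}

# Octal mode of a path; GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Fetch bootstrap.sh to a temporary file and run it only if its SHA-256
# matches a pinned value. "sha256-placeholder" is a placeholder: replace it
# with the hash of the script revision you reviewed.
run_bootstrap() {
    url="${1:-https://raw.github.com/AWooldrige/puppet/master/bootstrap.sh}"
    expected="${2:-sha256-placeholder}"
    tmp="$(mktemp)" || return 1
    if ! wget -q -O "$tmp" "$url"; then rm -f "$tmp"; return 1; fi
    actual="$(sha256sum "$tmp" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "bootstrap.sh checksum mismatch: got $actual" >&2
        rm -f "$tmp"; return 1
    fi
    sudo bash "$tmp"; rc=$?
    rm -f "$tmp"; return "$rc"
}

# Usage as root on the new host:
#   validate_hostname xps1 && hostnamectl set-hostname xps1
#   stage_secure_module ./init.pp            # lands in /etc/securepuppet
#   run_bootstrap "$URL" "$PINNED_SHA256"    # after pinning the hash
```

`run_bootstrap` needs network access and a real pinned hash, so only `validate_hostname` and `stage_secure_module` are exercisable offline; the staging root argument exists for exactly that.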
## Add credentials not managed by Puppet

For workstations:

- Transfer SSH keys from another machine.

For webpi:

- Set `[ddns]` in `/home/woolie/.aws/credentials`.
- Set `/etc/nginx/secrets/photos.htpasswd` contents from the password store.
- Set `/etc/nginx/secrets/cg.htpasswd` contents from the password store.
- Restore the TiddlyWiki backup using `/var/ww/tw/ww`.
- Install Pi-hole using the instructions from <https://pi-hole.net/>.
# Router configuration

## DHCP reservations

| Description | MAC | Reserved IP |
|---|---|---|
| webpi Pi 4 eth0 | dc:a6:32:8b:96:48 | 192.168.50.2 |
| epaperpi Pi 3 eth0 | b8:27:eb:3c:0c:11 | 192.168.50.3 |
| epaperpi Pi 3 wlan0 | b8:27:eb:69:59:44 | 192.168.50.4 |
| fridgepi Pi 2 eth0 | B8:27:EB:6F:AF:69 | 192.168.50.5 |
| fridgepi Pi 2 wlan0 | 80:1f:02:af:5a:81 | 192.168.50.6 |

## Port forwarding

| Description | Protocol | External port | Local port | Local IP |
|---|---|---|---|---|
| SSH (slightly obfuscated) to webpi | TCP + UDP | 3222 | 3222 | 192.168.50.2 |
| HTTP to webpi | TCP + UDP | 80 | 80 | 192.168.50.2 |
| HTTPS to webpi | TCP + UDP | 443 | 443 | 192.168.50.2 |
# Puppet config conventions

## Files

Each file should be prepended with the following text:

```
#########################################################################
## This file is controlled by Puppet - changes will be overwritten ##
#########################################################################
```

## Logging

All scripts should log to syslog and to stdout/stderr. This should be managed within the scripts themselves.

To see log output for the main crons:

```sh
sudo journalctl -t 'gdpup'
sudo journalctl -t 'ddns'
```
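One way to implement the convention above inside a script, as an added example that is not code from the repository: each message goes to stdout or stderr and, via `logger(1)`, to syslog under a tag that `journalctl -t` can filter on. The tag `gdpup` is taken from the command above; the line format and the level names used are assumptions.

```shell
#!/bin/sh
# Added example, not code from the repository: a logging helper for the
# scripts this README describes, writing each message to stdout/stderr and
# to syslog. The tag "gdpup" is taken from the journalctl command above; the
# line format and the level names are assumptions.

# Build one log line from a timestamp, a syslog level and a message. Kept
# free of side effects so it can be checked in isolation.
format_log_line() {
    ts="$1"; level="$2"; shift 2
    printf '%s [%s] %s\n' "$ts" "$level" "$*"
}

# Emit a message: info and below to stdout, warning/err to stderr, and a
# copy to syslog via logger(1) under $tag so `journalctl -t $tag` shows it.
log_msg() {
    tag="$1"; level="$2"; shift 2
    line="$(format_log_line "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$level" "$@")"
    case "$level" in
        err|warning) printf '%s\n' "$line" >&2 ;;
        *)           printf '%s\n' "$line" ;;
    esac
    # A missing syslog socket (e.g. inside a container) must not abort the
    # calling script, so logger failures are swallowed here.
    if command -v logger >/dev/null 2>&1; then
        logger -t "$tag" -p "user.$level" -- "$@" 2>/dev/null || true
    fi
}

# Usage inside a cron script, e.g. gdpup:
#   TAG=gdpup
#   log_msg "$TAG" info "sync started"
#   rsync ... || log_msg "$TAG" err "rsync failed with status $?"
```

Keeping the formatting in a pure function and the side effects in `log_msg` means the line format can be tested without a syslog daemon, and a script sourcing this helper still exits cleanly on hosts where `logger` cannot reach `/dev/log`.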
# Documentation

## User strategy

Each machine has one main user, `woolie`. This user is used for SSH remote access and local access. The user should always have a password set and should also require it for sudo (no passwordless sudo, even on remote machines).
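An added example (not part of the repository) that audits a host against these rules: it flags `NOPASSWD` anywhere in sudoers text, a missing or locked password for the main user, and a leftover `tmpbootstrap` account, which the bootstrap section says should be removed once Puppet has created `woolie`. The sudoers and shadow entries below are constructed samples; on a real host the inputs would be read from `/etc/sudoers`, `/etc/sudoers.d/*` and `/etc/shadow` as root.

```shell
#!/bin/sh
# Added example, not part of the repository: audit sudoers and shadow text
# against the user-strategy rules. All sample entries are constructed.

# Return 0 if the sudoers text grants passwordless sudo anywhere
# (comments stripped first), 1 otherwise.
sudoers_has_nopasswd() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -q 'NOPASSWD'
}

# Return 0 if the user's shadow entry carries a usable hash, 1 if the
# password field is empty (no password) or locked/disabled ("!" or "*").
shadow_password_set() {
    user="$1"; shadow="$2"
    hash="$(printf '%s\n' "$shadow" | awk -F: -v u="$user" '$1==u {print $2}')"
    case "$hash" in
        ''|'!'*|'*'*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Return 0 if the temporary bootstrap user still exists in the shadow text.
bootstrap_user_lingers() {
    printf '%s\n' "$1" | awk -F: '$1=="tmpbootstrap" {found=1} END {exit !found}'
}

# Run all three checks for one user; prints each failure and returns 1 if
# any rule is broken, 0 if the host matches the strategy.
audit_user() {
    user="$1"; sudoers="$2"; shadow="$3"; rc=0
    if sudoers_has_nopasswd "$sudoers"; then
        echo "FAIL: NOPASSWD present in sudoers" >&2; rc=1
    fi
    if ! shadow_password_set "$user" "$shadow"; then
        echo "FAIL: $user has no usable password" >&2; rc=1
    fi
    if bootstrap_user_lingers "$shadow"; then
        echo "FAIL: tmpbootstrap still exists" >&2; rc=1
    fi
    return "$rc"
}

# Constructed samples (the woolie hash is a fake value, not a real one).
SUDOERS_OK='# managed by puppet
woolie ALL=(ALL:ALL) ALL'
SUDOERS_BAD='woolie ALL=(ALL) NOPASSWD: ALL'
SHADOW_CLEAN='root:*:19000:0:99999:7:::
woolie:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::'
SHADOW_LINGERING="$SHADOW_CLEAN
tmpbootstrap:!:19000:0:99999:7:::"

# Usage on a real host, as root:
#   audit_user woolie "$(cat /etc/sudoers /etc/sudoers.d/*)" "$(cat /etc/shadow)"
```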