diff --git a/README.docker b/DOC/README.docker
similarity index 100%
rename from README.docker
rename to DOC/README.docker
diff --git a/DOC/README.fuse b/DOC/README.fuse
new file mode 100644
index 0000000..1ec8829
--- /dev/null
+++ b/DOC/README.fuse
@@ -0,0 +1,4 @@
+
+#fuse-overlayfs package installed both on host and inside container
+#
+lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
diff --git a/DOC/README.mount_iso b/DOC/README.mount_iso
new file mode 100644
index 0000000..bfa251c
--- /dev/null
+++ b/DOC/README.mount_iso
@@ -0,0 +1,22 @@
+
+# - LX Container configuration:
+# -
+lxc.aa_profile = unconfined
+lxc.cgroup.devices.allow = b 7:* rwm
+lxc.cgroup.devices.allow = c 10:237 rwm
+
+# - Note!
+# - Inside the container, you have to create /dev/loop0
+# -
+# - sudo mknod /dev/loop0 b 7 0
+
+
+# - Verify if it works:
+# -
+# - $ truncate --size 100M my.img
+# - $ mkfs.ext4 -F my.img
+# - $ sudo mount -o loop,ro my.img /mnt
+# - $ ls /mnt
+# - lost+found
+# - $ sudo umount /mnt
+# -
diff --git a/DOC/README.postfix_does_not_start b/DOC/README.postfix_does_not_start
new file mode 100644
index 0000000..3ab4fd9
--- /dev/null
+++ b/DOC/README.postfix_does_not_start
@@ -0,0 +1,16 @@
+
+# - After upgrade from jessie to strech systemd seems to "ignore" the Postfix startup.
+# -
+# - Also "systemctl start postfix" does not work.
+# -
+# - I found out that I simply have to reload systemd with
+# - systemctl daemon-reload
+# -
+# - But after reboot, again no psotfix daemon is running
+# -
+
+# - Finally the following simple command fixed this problem
+# - systemctl enable postfix@-
+# -
+# - After rebooting, on some systems postfix starts up fine.
+
diff --git a/DOC/etc_sshd_sshd_config b/DOC/etc_sshd_sshd_config
new file mode 100644
index 0000000..1718bff
--- /dev/null
+++ b/DOC/etc_sshd_sshd_config
@@ -0,0 +1,269 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+#-----------------------------
+# Daemon
+#-----------------------------
+
+# What ports, IPs and protocols we listen for
+Port 22
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+#ListenAddress 176.9.117.77
+
+# Specifies the protocol versions sshd(8) supports.
+# The possible values are ‘1’ , `2' and ‘1,2’.
+# The default is ‘2’.
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#
+# Note:
+# Deprecated option KeyRegenerationInterval
+# Deprecated option ServerKeyBits
+#
+#KeyRegenerationInterval 3600
+#ServerKeyBits 768
+
+# Specifies the maximum number of concurrent unauthenticated connections
+# to the SSH daemon. See sshd_config(5) for specifiing the three colon
+# separated values.
+# The default is 10.
+#MaxStartups 10:30:100
+#MaxStartups 3
+MaxStartups 10:30:100
+
+# Specifies the maximum number of authentication attempts permitted per
+# connection.
+# The default is 6.
+MaxAuthTries 3
+
+# Specifies the maximum number of open sessions permitted per network
+# connection.
+# The default is 10.
+MaxSessions 10
+
+
+#-----------------------------
+# Authentication
+#-----------------------------
+
+# Specifies whether sshd(8) separates privileges by creating an unprivileged
+# child process to deal with incoming network traffic.
+# The default is "yes" (for security).
+UsePrivilegeSeparation yes
+
+# The server disconnects after this time if the user has not
+# successfully logged in.
+# The default is 120 seconds.
+LoginGraceTime 120
+
+# Specifies whether root can log in using ssh(1).
+# The default is "yes".
+#PermitRootLogin yes
+PermitRootLogin without-password
+#PermitRootLogin no
+
+# Specifies whether sshd(8) should check file modes and ownership of the
+# user's files and home directory before accepting login. This is normally
+# desirable because novices sometimes accidentally leave their directory or
+# files world-writable. Note that this does not apply to ChrootDirectory,
+# whose permissions and ownership are checked unconditionally.
+# The default is “yes”.
+StrictModes yes
+
+# Specifies whether pure RSA authentication is allowed. This option
+# applies to protocol version 1 only.
+# The default is “yes”.
+#
+# Note:
+# Deprecated option RSAAuthentication
+#
+#RSAAuthentication yes
+
+# Specifies whether public key authentication is allowed. Note that this
+# option applies to protocol version 2 only.
+# The default is “yes”.
+PubkeyAuthentication yes
+
+# Specifies the file that contains the public keys that can be used for
+# user authentication. The format is described in the AUTHORIZED_KEYS FILE
+# FORMAT section of sshd(8).
+# AuthorizedKeysFile may contain tokens of the form %T which are substituted
+# during connection setup. The following tokens are defined: %% is replaced
+# by a literal '%', %h is replaced by the home directory of the user being
+# authenticated, and %u is replaced by the username of that user. After
+# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
+# to the user's home directory. Multiple files may be listed, separated by
+# whitespace.
+# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Specifies whether password authentication is allowed.
+# Change to no to disable tunnelled clear text passwords
+# The default is "yes".
+#PasswordAuthentication yes
+PasswordAuthentication no
+
+# When password authentication is allowed, it specifies whether the
+# server allows login to accounts with empty password strings.
+# The default is “no”.
+PermitEmptyPasswords no
+
+# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
+# The default is “yes”.
+ChallengeResponseAuthentication no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+#
+# Note:
+# Deprecated option RhostsRSAAuthentication
+#
+#RhostsRSAAuthentication no
+
+# similar for protocol version 2
+HostbasedAuthentication no
+
+# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
+# during RhostsRSAAuthentication or HostbasedAuthentication.
+# The default is “no”.
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# If specified, login is allowed only for user names that match one of
+# the patterns.
+# The allow/deny directives are processed in the following order: DenyUsers,
+# AllowUsers, DenyGroups, and finally AllowGroups.
+# By default, login is allowed for all users.
+#AllowUsers chris cityslang sysadm
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Specifies whether login(1) is used for interactive login sessions.
+# Note that login(1) is never used for remote command execution.
+# Note also, that if this is enabled, X11Forwarding will be disabled
+# because login(1) does not know how to handle xauth(1) cookies. If
+# UsePrivilegeSeparation is specified, it will be disabled after
+# authentication.
+# The default is “no”.
+#UseLogin no
+
+
+#-----------------------------
+# Logging
+#-----------------------------
+
+# Gives the facility code that is used when logging messages from sshd(8).
+# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+# The default is AUTH.
+SyslogFacility AUTH
+
+# Gives the verbosity level that is used when logging messages from
+# sshd(8).
+# The default is INFO.
+LogLevel INFO
+
+
+#-----------------------------
+# Behavior
+#-----------------------------
+
+# Specifies whether the distribution-specified extra version suffix is included
+# during initial protocol handshake.
+# The default is "yes".
+DebianBanner no
+
+# The contents of the specified file are sent to the remote user before
+# authentication is allowed.
+# By default, no banner is displayed.
+#Banner /etc/issue.net
+
+# Specifies whether sshd(8) should print /etc/motd when a user logs in
+# interactively. (On some systems it is also printed by the shell,
+# /etc/profile, or equivalent.)
+# The default is “yes”.
+PrintMotd no
+
+# Specifies what environment variables sent by the client will be copied
+# into the session's environ(7).
+# The default is not to accept any environment variables.
+AcceptEnv LANG LC_*
+
+# Configures an external subsystem (e.g. file transfer daemon).
+# By default no subsystems are defined.
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Specifies whether sshd(8) should look up the remote host name and check
+# that the resolved host name for the remote IP address maps back to the
+# very same IP address.
+# The default is “yes”.
+UseDNS no
+
+# Specifies whether X11 forwarding is permitted. The argument must be
+# “yes” or “no”. See sshd_config(5) for further expalnation
+# The default is “no”.
+#X11Forwarding yes
+
+# Specifies the first display number available for sshd(8)'s X11
+# forwarding. This prevents sshd from interfering with real X11 servers.
+# The default is 10.
+X11DisplayOffset 10
+
+# Specifies whether the system should send TCP keepalive messages to the
+# other side. If they are sent, death of the connection or crash of one
+# of the machines will be properly noticed. However, this means
+# that connections will die if the route is down temporarily, and some
+# people find it annoying. On the other hand, if TCP keepalives are not
+# sent, sessions may hang indefinitely on the server, leaving “ghost” users
+# and consuming server resources.
+#
+# The default is “yes” (to send TCP keepalive messages), and the server
+# will notice if the network goes down or the client host crashes. This
+# avoids infinitely hanging sessions.
+TCPKeepAlive yes
+
+#Specifies whether sshd(8) should print the date and time of the last
+# user login when a user logs in interactively.
+# The default is “yes”.
+PrintLastLog yes
+
+
+#-----------------------------
+# Kerberos options
+#-----------------------------
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+
+#-----------------------------
+# GSSAPI options
+#-----------------------------
+
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+
+
+
+
diff --git a/DOC/install_LXC-buster.txt b/DOC/install_LXC-buster.txt
new file mode 100644
index 0000000..c36cd06
--- /dev/null
+++ b/DOC/install_LXC-buster.txt
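Review bot: `PermitRootLogin without-password` is the deprecated spelling of `prohibit-password`, the canonical name since OpenSSH 7.0 and available on both the stretch and buster releases these DOC scripts target; switch to `PermitRootLogin prohibit-password` so the intent survives a future removal of the alias. Several other directives in this file no longer do anything on buster's OpenSSH 7.9: `Protocol 2` is accepted only as a no-op, `UsePrivilegeSeparation yes` is a deprecated option that sshd warns about at start, and the `#UseLogin` block is dead — either drop them or add a comment that they are kept for older hosts. `LoginGraceTime 120` keeps each unauthenticated connection open for two minutes against the `MaxStartups 10:30:100` budget; a shorter value such as `LoginGraceTime 30` makes that budget more useful under a connection flood without affecting legitimate key-based logins. Since the file ships with `PasswordAuthentication no` and `ChallengeResponseAuthentication no`, the `UsePAM yes` comment about PAM bypassing `PermitRootLogin` does not apply as written; a one-line note such as `# password/keyboard-interactive auth are off, so UsePAM here only runs account/session modules` would stop the next editor from re-enabling password auth without revisiting `PermitRootLogin`.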
@@ -0,0 +1,560 @@
+#!/usr/bin/env bash
+
+
+## - On the host-system install "bridge-utils"
+## -
+apt-get install bridge-utils
+
+## - On the host-system install LXC
+## -
+apt-get install lxc
+apt-get install btrfs-tools lua5.3
+
+
+## - !! Debian stretch related
+## -
+## - Konfiguration /etc/security/limits.conf seems not be working together
+## - with systemd.
+## -
+## - One possibility is, setting parameter "DefaultLimitNOFILE" in file
+## - /etc/systemd/system.conf. This setting is "world wide".
+## -
+## - At least that allows me to do my work again but it is obviously not the
+## - right solution. I just want to change my own user's limits, not the
+## - limits of each and everything.
+## -
+cp -a /etc/systemd/system.conf /etc/systemd/system.conf.ORIG
+perl -i.ORIG -n -p -e "s/(\s*#\s*DefaultLimitNOFILE.*)/\1\nDefaultLimitNOFILE=1048576/" /etc/systemd/system.conf
+systemctl daemon-reload
+
+
+## - Configure your hots-sstem to use a bridge-interface (typically br0)
+## - instead of a real one (typically eth0)
+## -
+## - Replace your network configuration in file /etc/network/interfaces
+## - from:
+## -
+## - auto eth0
+## - iface eth0 inet static
+## - address
+## - netmask
+## - network
+## - broadcast
+## - gateway
+## -
+## - to:
+## -
+## - auto br0
+## - iface br0 inet static
+## - bridge-ports eth0
+## - address
+## - netmask
+## - network
+## - broadcast
+## - gateway
+## - # default route to access subnet
+## - #up route add -net netmask gw br0
+## -
+cp -a /etc/network/interfaces /etc/network/interfaces.ORIG
+vim /etc/network/interfaces
+
+
+## - Restart host-system
+## -
+
+
+# ---
+# -
+# ----
+#LXC_ROOT_DIR=/srv/lxc
+LXC_ROOT_DIR=/var/lib/lxc
+
+LXC_NAME=
+LXC_DIST=debian
+LXC_RELEASE=stretch
+
+### Device 1
+IPV4_ADDRESS_1=
+IPV4_NETMASK_1=
+IPV4_BROADCAST_1=
+IPV4_GATEWAY_1=
+IPv4_Prefix=24
+## - !! Über das Hetzner Webinterface MAC-Adresse vergeben !!
+## -
+## - Zufällige MAC Adresse erstellen
+## -
+## - echo -e "\n\t$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')\n"
+## -
+#MAC_ADDRESS_1="$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')"
+MAC_ADDRESS_1=
+
+#IPV6_ADDRESS_1=
+#IPV6_GATEWAY_1=
+#IPv6_Prefix_1=
+
+### Device 2
+IPV4_ADDRESS_2=83.223.86.202
+IPV4_NETMASK_2=255.255.255.0
+IPV4_BROADCAST_2=83.223.86.255
+IPV4_GATEWAY_2="${IPV4_GATEWAY_1}"
+IPv4_Prefix_2=24
+MAC_ADDRESS_2=00:B4:D5:A0:5F:CE
+
+#IPV6_ADDRESS_2=
+#IPV6_GATEWAY_2=
+#IPv6_Prefix_2=
+
+
+HOSTNAME=dns0.warenform.de
+
+
+## - -------------------------------------------------------------------------
+
+
+lxc-create -n $LXC_NAME -t $LXC_DIST -- --release $LXC_RELEASE --arch amd64
+
+
+cp ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces \
+ ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces.ORIG
+
+touch /var/lib/lxc/${LXC_NAME}/fstab
+
+if [[ -z "$IPV4_ADDRESS_2" ]] ; then
+ cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
+
+#-----------------------------
+# lo: loopback
+#-----------------------------
+auto lo
+iface lo inet loopback
+
+
+#-----------------------------
+# eth0
+#-----------------------------
+auto eth0
+iface eth0 inet manual
+iface eth0 inet6 manual
+
+EOF
+
+else
+ cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
+
+#-----------------------------
+# lo: loopback
+#-----------------------------
+auto lo
+iface lo inet loopback
+
+
+#-----------------------------
+# eth0
+#-----------------------------
+auto eth0
+iface eth0 inet manual
+ up ip route add default via ${IPV4_GATEWAY_1} dev eth0 table 100
+ up ip rule add from ${IPV4_ADDRESS_1} table 100 prio 100
+
+
+
+#-----------------------------
+# eth1
+#-----------------------------
+
+auto eth1
+iface eth1 inet manual
+ up ip route add default via ${IPV4_GATEWAY_2} dev eth1 table 200
+ up ip rule add from ${IPV4_ADDRESS_2} table 200
prio 120
+EOF
+fi
+
+cp ${LXC_ROOT_DIR}/${LXC_NAME}/config ${LXC_ROOT_DIR}/${LXC_NAME}/config.ORIG
+
+cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/config
+lxc.rootfs = /var/lib/lxc/${LXC_NAME}/rootfs
+
+# Common configuration
+lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf
+
+
+# Container specific configuration
+lxc.mount = /var/lib/lxc/${LXC_NAME}/fstab
+lxc.utsname = $LXC_NAME
+lxc.arch = amd64
+lxc.autodev = 1
+lxc.kmsg = 0
+
+
+# Network configuration
+
+### Device 1
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.network.hwaddr = $MAC_ADDRESS_1
+# IPv4
+lxc.network.ipv4 = ${IPV4_ADDRESS_1}/$IPv4_Prefix
+lxc.network.ipv4.gateway = ${IPV4_GATEWAY_1}
+# IPv6
+#lxc.network.ipv6 = ${IPV6_ADDRESS_1}/$IPv6_Prefix_1
+#lxc.network.ipv6.gateway = $IPV6_GATEWAY_1
+
+EOF
+
+if [[ -n "$IPV4_ADDRESS_2" ]]; then
+ cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
+### Device 2
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth1
+lxc.network.hwaddr = $MAC_ADDRESS_2
+## IPv4
+lxc.network.ipv4 = ${IPV4_ADDRESS_2}/$IPv4_Prefix
+## IPv6
+#lxc.network.ipv6 = ${IPV6_ADDRESS_2}/$IPv6_Prefix
+
+EOF
+fi
+
+cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
+
+# Mount iso file inside LX Container
+#lxc.aa_profile = unconfined
+#lxc.cgroup.devices.allow = b 7:* rwm
+#lxc.cgroup.devices.allow = c 10:237 rwm
+
+
+# Autostart
+lxc.start.auto = 1
+lxc.start.delay = 5
+lxc.start.order = 100
+EOF
+
+## - -------------------------------------------------------------------------
+
+lxc-start -d -n $LXC_NAME
+
+## - Starte eine root shell im neuen Container
+## -
+lxc-attach -n $LXC_NAME
+
+## - Alternativ: Starte eine Console im neuen Container
+## -
+## - Bemerkung: Es wird das root-passwort benötigt, welches Teil der
+## - Ausgabe des "lxc-create" Befehls am Ende ist
+## -
+lxc-console -n $LXC_NAME
+
+## - -------------------------------------------------------------------------
+
+## -
apt konfiguroren
+## - setze in /etc/apt/sources.list
+## -
+## - deb http://ftp.de.debian.org/debian stretch main contrib non-free
+## - deb-src http://ftp.de.debian.org/debian stretch main contrib non-free
+## -
+## - deb http://security.debian.org/ stretch/updates main contrib non-free
+## - deb-src http://security.debian.org/ stretch/updates main contrib non-free
+## -
+## - ## - formerly: volatile
+## - deb ftp://ftp.de.debian.org/debian stretch-updates main contrib
+## -
+## - # stretch-backports
+## - deb http://ftp.de.debian.org/debian stretch-backports main contrib non-free
+## -
+cat << EOF > /etc/apt/sources.list
+
+deb http://ftp.de.debian.org/debian/ stretch main non-free contrib
+deb-src http://ftp.de.debian.org/debian/ stretch main non-free contrib
+
+deb http://security.debian.org/ stretch/updates main contrib non-free
+deb-src http://security.debian.org/ stretch/updates main contrib non-free
+
+# stretch-updates, previously known as 'volatile'
+deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
+deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
+
+# stretch-backports, previously on backports.debian.org
+deb http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
+deb-src http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
+
+EOF
+
+## - Update
+## -
+apt-get update
+
+## - Install/Setup locales
+## -
+apt-get install locales
+dpkg-reconfigure locales
+
+## - take care shadow passwords are enabled
+## -
+dpkg-reconfigure passwd
+/sbin/shadowconfig on
+
+## - Set password for user root
+## -
+passwd
+
+## - configure time-zone
+## -
+dpkg-reconfigure tzdata
+
+
+## - Upgrade System
+## -
+apt-get upgrade
+
+
+apt-get -y install openssh-server rssh \
+ vim vim-common vim-doc mc screen tmux bc figlet \
+ rcconf sudo rsync dselect iputils-ping apt-utils aptitude apt-transport-https \
+ zip unzip bzip2 arj \
+ locate \
+ curl \
+ gawk mawk \
+ lynx links w3m ctags
mime-support \
+ file coreutils moreutils less sipcalc psmisc \
+ dnsutils rblcheck whois \
+ gettext gettext-base gettext-doc \
+ debian-keyring \
+ patch patchutils \
+ recode recode-doc librecode0 librecode-dev sharutils \
+ perl perl-modules perl-doc libperl-dev \
+ libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \
+ libmail-imapclient-perl libtime-duration-perl libtimedate-perl \
+ libwww-perl libpcre3 libio-compress-perl \
+ re2c util-linux \
+ parted lshw gdisk smartmontools \
+ tcpdump telnet unhide lsof hdparm groff iproute2 bridge-utils vlan \
+ ethtool wipe iperf mtr iptraf \
+ wget logrotate rsyslog haveged \
+ rdate ntpdate wipe man \
+ iptables shellcheck \
+ ssl-cert ssl-cert-check \
+ git ftp \
+ htop \
+ net-tools lsb-release \
+ attr acl quota quotatool \
+ needrestart
+
+
+# - poppler-utils - PDF-Werkzeuge (auf Basis von Poppler) u.a. pdftotxt
+# - catdoc - Konvertierungspromm von Word, Excel und PowerPoint zu Klartext
+# -
+apt-get install catdoc poppler-utils
+
+
+
+## - add more users
+adduser chris
+adduser defa
+
+## - add user/group back
+addgroup --gid 1060 back
+adduser --uid 1060 --gid 1060 back
+
+## - user/group sysadm
+## -
+## - passwd: gHZu81_p
+## -
+addgroup --gid 1050 sysadm
+adduser --uid 1050 --gid 1050 sysadm
+
+
+## - add new user to group sudo
+usermod -a -G sudo chris
+usermod -a -G sudo sysadm
+usermod -a -G sudo defa
+
+## - warenform specific
+## -
+#addgroup --gid 1008 webadmin
+#mkdir /var/www
+#adduser --uid 1008 --gid 1008 --home /var/www/html webadmin
+
+
+## - Adjust (temporarily) /etc/sshd/sshd_config
+## -
+## - Set
+## - PermitRootLogin yes
+## -
+cd /etc/ssh
+cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
+vim sshd_config
+systemctl restart ssh
+
+
+## - Install git repository 'admin-stuff'
+## -
+mkdir -p /root/bin
+cd /root/bin
+git clone https://git.oopen.de/script/admin-stuff
+
+
+## - Copy templates for .bashrc, .profile, .vimrc, .ssh etcpp
+## -
+hostname=
+
+users="chris
sysadm back"
+for user in $users ; do
+ cp -a /home/${user}/.bashrc /home/${user}/.bashrc.ORIG
+ cp -a /home/${user}/.profile /home/${user}/.profile.ORIG
+done
+cp -a /root/.bashrc /root/.bashrc.ORIG
+cp -a /root/.profile /root/.profile.ORIG
+
+
+cd /home/chris/O.OPEN/Rechner/templates_home/root
+scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh root@${hostname}:
+
+cd /home/chris/O.OPEN/Rechner/templates_home/chris
+scp -r .bashrc .profile .ssh .vimrc ${hostname}:
+scp -r .bashrc .profile .ssh .vimrc back@${hostname}:
+scp -r .bashrc .profile .ssh .vimrc sysadm@${hostname}:
+
+cd ~
+./adduser_defa.sh
+./adduser_backup.oopen.sh
+
+rm adduser_*
+
+## - Coppy sshd_config
+## -
+cd ~/merke/install/LXC
+scp etc_sshd_sshd_config root@${hostname}:/etc/ssh/sshd_config
+
+
+## - Adjust /etc/resolv.conf
+## -
+## - search oopen.de
+## - nameserver 83.223.66.51
+## - nameserver 212.42.230.1
+## - nameserver 83.223.90.90
+## -
+vim /etc/resolv.conf
+
+
+## - configure sudo
+## - add lines:
+## -
+## - back ALL=(root)NOPASSWD:/usr/bin/rsync
+## - back ALL=(root)NOPASSWD:/usr/bin/find
+## - back ALL=(root)NOPASSWD:/usr/bin/realpath
+## -
+## -
+visudo
+
+
+## - NOTICE!!
+## -
+## - since "sueeze", /bin/sh ist linked to /bin/dash. with that some of my
+## - scripts doesn't work.
so link back to /bin/bash
+## -
+## - link /bin/sh to /bin/bash
+## -
+cd /bin
+rm sh
+ln -s bash sh
+
+
+
+## - install subversion
+## -
+apt-get install -y subversion subversion-tools # smbclient
+
+## ---------------------------------------------------------------
+
+## - compiler stuff
+## -
+apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
+ make automake autoconf libtool flex bison \
+ gettext pkg-config gnu-standards \
+ libssl-dev libreadline-dev libncurses-dev
+
+apt-get install -y libsystemd-dev
+
+## - Packages to build utils-vserver
+## -
+apt-get install -y libnss3-dev
+apt-get install -y python-dev
+
+
+## - packages to build apache webserver with php5/ruby support
+## -
+apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \
+ libneon27-dev
+
+apt-get -y install libxml2 libxml2-dev \
+ curl libcurl4-openssl-dev \
+ libqdbm-dev libgdbm-dev libpspell-dev \
+ libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev \
+ libwmf-dev libtiff-dev libpaper-dev \
+ libmagic-dev \
+ libmagick-dev libgraphics-magick-perl \
+ libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \
+ libgraphviz-dev libgd-dev libcroco3-dev libgsf-1-dev libilmbase-dev \
+ libvpx-dev vpx-tools \
+ libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \
+ libatm-dev libexpat-dev \
+ imagemagick graphicsmagick \
+ exif libexiv2-dev \
+ re2c \
+ netpbm libnetpbm10-dev \
+ libmcrypt-dev mcrypt \
+ default-libmysqlclient-dev \
+ libpq-dev postgresql-client \
+ libreadline-dev libncurses-dev \
+ libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \
+ libxslt1-dev libpcre3-dev \
+ libc-client2007e-dev libc-client-dev \
+ libicu-dev \
+ libtidy-dev \
+ libmm-dev libgmp-dev libkrb5-dev libldap-dev \
+ libmhash-dev libgd-dev \
+ liblua5.3-dev \
+ libapr1-dev libaprutil1-dev \
+ libsctp-dev \
+ libcrypto++-dev
+
+## - Hinweis: libjasper-dev nicht mehr verfügbar in debian jessie
+## -
+## - Hinweis: »graphicsmagick-libmagick-dev-compat« wird an Stelle von
»libmagick-dev« gewählt
+
+
+## - Create a symlink
+## - /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so
+ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so
+
+
+## - if ruby is/will be installed this is needed for rmagick gem
+## -
+##libmagick++-dev libmagickcore-dev libmagickwand-dev \
+
+
+## - ffmpeg
+## -
+apt-get install -y ffmpeg
+
+## - needed for php extension imagick
+## -
+apt-get install -y libmagickwand-dev
+
+## - needed for php extension geoip
+## -
+apt-get install -y libgeoip-dev
+
+
+## - add some tk/tcl stuff
+## -
+
+## - tcl tcl-dev tk tk-dev tclreadline
+## -
+apt-get install -y tk-dev tcl-dev tclreadline
+apt-get install -y expect expect-dev libexpect-perl
+
diff --git a/DOC/install_LXC-jessie.txt b/DOC/install_LXC-jessie.txt
new file mode 100644
index 0000000..48a52ef
--- /dev/null
+++ b/DOC/install_LXC-jessie.txt
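Review bot: The comment `## - passwd: gHZu81_p` above `addgroup --gid 1050 sysadm` commits a plaintext password for a sudo-capable account to the repository, and the identical line appears in the install_LXC-jessie.txt hunk; remove it from both files, treat the value as compromised on every host provisioned from this runbook, and keep at most a pointer such as `## - password: see the credential store`. The hardened `etc_sshd_sshd_config` is pushed over `/etc/ssh/sshd_config` with `scp`, but the only `systemctl restart ssh` in the hunk follows the earlier, temporary `PermitRootLogin yes` edit, so the running daemon keeps the permissive setting until something else restarts it — add `sshd -t && systemctl restart ssh` right after the `scp`. The sudoers lines suggested for `back` grant `NOPASSWD` on `/usr/bin/find`, whose `-exec` action runs arbitrary commands, so the rule is equivalent to unrestricted root for that account; restrict it to the exact invocation the backup needs or move the logic into a root-owned wrapper script and allow only that. Smaller points: the file is named buster but sets `LXC_RELEASE=stretch` and writes stretch sources.list entries, Device 2 emits `${IPV4_ADDRESS_2}/$IPv4_Prefix` while the defined `IPv4_Prefix_2` is never read, and `LXC_NAME=` and `hostname=` are left empty with no guard, so a `: "${LXC_NAME:?set LXC_NAME first}"` before `lxc-create` would stop the path-building lines from operating on `/var/lib/lxc//`. The `rm sh` / `ln -s bash sh` pair also leaves a window with no `/bin/sh` at all and fights the dash package; `ln -sf bash sh.tmp && mv -T sh.tmp sh` (or `dpkg-reconfigure dash`) avoids both.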
@@ -0,0 +1,435 @@
+
+
+
+## - On the host-system install "bridge-utils"
+## -
+apt-get install bridge-utils
+
+## - On the host-system install LXC
+## -
+apt-get install lxc
+apt-get install btrfs-tools lua5.2
+
+
+## - !! Debian Jessie related
+## -
+## - Konfiguration /etc/security/limits.conf seems not be working together
+## - with systemd.
+## -
+## - One possibility is, setting parameter "DefaultLimitNOFILE" in file
+## - /etc/systemd/system.conf. This setting is "world wide".
+## -
+## - At least that allows me to do my work again but it is obviously not the
+## - right solution. I just want to change my own user's limits, not the
+## - limits of each and everything.
+## -
+perl -i.ORIG -n -p -e "s/(\s*#\s*DefaultLimitNOFILE.*)/\1\nDefaultLimitNOFILE=1048576/" /etc/systemd/system.conf
+systemctl daemon-reload
+
+
+## - Configure your hots-sstem to use a bridge-interface (typically br0)
+## - instead of a real one (typically eth0)
+## -
+## - Replace your network configuration in file /etc/network/interfaces
+## - from:
+## -
+## - auto eth0
+## - iface eth0 inet static
+## - address
+## - netmask
+## - network
+## - broadcast
+## - gateway
+## -
+## - to:
+## -
+## - auto br0
+## - iface br0 inet static
+## - bridge-ports eth0
+## - address
+## - netmask
+## - network
+## - broadcast
+## - gateway
+## - # default route to access subnet
+## - #up route add -net netmask gw br0
+## -
+vim /etc/network/interfaces
+
+
+## - Restart host-system
+## -
+
+## - -------------------------------------------------------------------------
+
+## -
+## -
+#LXC_ROOT_DIR=/srv/lxc
+LXC_ROOT_DIR=/data/lxc
+
+LXC_NAME=
+LXC_DIST=debian
+LXC_RELEASE=jessie
+IPV4_ADDRESS=
+IPV4_NETMASK=
+IPV4_BROADCAST=
+IPV4_GATEWAY=
+IPv4_Prefix=
+## - !! Über das Hetzner Webinterface MAC-Adresse vergeben !!
+MAC_ADDRESS=`echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"'`
+#MAC_ADDRESS=
+
+#IPV6_ADDRESS=
+#IPV6_GATEWAY=
+#IPv6_Prefix=
+
+HOSTNAME=
+
+
+## - -------------------------------------------------------------------------
+
+
+lxc-create -n $LXC_NAME -t $LXC_DIST -- --release $LXC_RELEASE --arch amd64
+
+
+cp ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces \
+ ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces.ORIG
+
+touch /var/lib/lxc/${LXC_NAME}/fstab
+
+cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
+
+#-----------------------------
+# lo: loopback
+#-----------------------------
+auto lo
+iface lo inet loopback
+
+
+#-----------------------------
+# eth0
+#-----------------------------
+auto eth0
+iface eth0 inet manual
+iface eth0 inet6 manual
+
+EOF
+
+cp ${LXC_ROOT_DIR}/${LXC_NAME}/config ${LXC_ROOT_DIR}/${LXC_NAME}/config.ORIG
+
+cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/config
+lxc.rootfs = /var/lib/lxc/${LXC_NAME}/rootfs
+
+# Common configuration
+lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf
+
+# Container specific configuration
+lxc.mount = /var/lib/lxc/${LXC_NAME}/fstab
+lxc.utsname = $LXC_NAME
+lxc.arch = amd64
+lxc.autodev = 1
+lxc.kmsg = 0
+
+# Network configuration
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.hwaddr = $MAC_ADDRESS
+# IPv4
+lxc.network.ipv4 = ${IPV4_ADDRESS}/$IPv4_Prefix
+lxc.network.ipv4.gateway = ${IPV4_GATEWAY}
+# IPv6
+lxc.network.ipv6 = ${IPV6_ADDRESS}/$IPv6_Prefix
+lxc.network.ipv6.gateway = $IPV6_GATEWAY
+
+# Autostart
+lxc.start.auto = 1
+lxc.start.delay = 5
+lxc.start.order = 100
+EOF
+
+## - -------------------------------------------------------------------------
+
+lxc-start -d -n $LXC_NAME
+
+## - Starte eine root shell im neuen Container
+## -
+lxc-attach -n $LXC_NAME
+
+## - Alternativ: Starte eine Console im neuen Container
+## -
+## - Bemerkung: Es wird das root-passwort benötigt,
welches Teil der
+## - Ausgabe des "lxc-create" Befehls am Ende ist
+## -
+lxc-console -n $LXC_NAME
+
+## - -------------------------------------------------------------------------
+
+## - apt konfiguroren
+## - setze in /etc/apt/sources.list
+## -
+## - deb http://ftp.de.debian.org/debian jessie main contrib non-free
+## - deb-src http://ftp.de.debian.org/debian jessie main contrib non-free
+## -
+## - deb http://security.debian.org/ jessie/updates main contrib non-free
+## - deb-src http://security.debian.org/ jessie/updates main contrib non-free
+## -
+## - ## - formerly: volatile
+## - deb ftp://ftp.de.debian.org/debian jessie-updates main contrib
+## -
+## - # jessie-backports
+## - deb http://ftp.de.debian.org/debian jessie-backports main contrib non-free
+## -
+cat << EOF > /etc/apt/sources.list
+
+deb http://ftp.de.debian.org/debian/ jessie main non-free contrib
+deb-src http://ftp.de.debian.org/debian/ jessie main non-free contrib
+
+deb http://security.debian.org/ jessie/updates main contrib non-free
+deb-src http://security.debian.org/ jessie/updates main contrib non-free
+
+# jessie-updates, previously known as 'volatile'
+deb http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
+deb-src http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
+
+# jessie-backports, previously on backports.debian.org
+deb http://ftp.de.debian.org/debian/ jessie-backports main contrib non-free
+deb-src http://ftp.de.debian.org/debian/ jessie-backports main contrib non-free
+
+EOF
+
+## - Update
+## -
+apt-get update
+
+## - Install/Setup locales
+## -
+apt-get install locales
+dpkg-reconfigure locales
+
+
+## - Install os-upgrade.sh
+## -
+mkdir -p /root/bin
+cat << EOF >> /root/bin/os-upgrade.sh
+#!/usr/bin/env bash
+
+apt-get update
+apt-get upgrade -y
+apt-get clean
+
+exit 0
+EOF
+chmod 700 /root/bin/os-upgrade.sh
+
+
+## - Upgrade System
+## -
+apt-get upgrade
+
+
+apt-get install -y openssh-server rssh \
+ vim vim-common vim-doc mc
screen tmux bc \
+ rcconf iproute sudo rsync dselect iputils-ping aptitude \
+ zip unzip bzip2 arj \
+ locate \
+ gawk mawk \
+ lynx links w3m ctags mime-support \
+ file coreutils moreutils less realpath sipcalc psmisc \
+ dnsutils rblcheck whois \
+ gettext gettext-base gettext-doc \
+ debian-keyring \
+ patch patchutils \
+ recode recode-doc librecode0 librecode-dev sharutils \
+ perl perl-modules perl-doc libperl-dev \
+ libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \
+ libmail-imapclient-perl libtime-duration-perl libtimedate-perl \
+ libwww-perl libpcre3 libio-compress-perl \
+ re2c util-linux \
+ parted lshw gdisk smartmontools \
+ tcpdump telnet unhide lsof groff iproute bridge-utils vlan \
+ ethtool wipe iperf mtr iptraf \
+ wget logrotate rsyslog haveged \
+ ntpdate wipe man groff \
+ iptables shellcheck \
+ git
+
+
+## - take care shadow passwords are enabled
+## -
+dpkg-reconfigure passwd
+/sbin/shadowconfig on
+
+## - configure time-zone
+## -
+dpkg-reconfigure tzdata
+
+## - add more users
+adduser chris
+adduser defa
+
+## - add user/group back
+addgroup --gid 1020 back
+adduser --uid 1020 --gid 1020 back
+
+## - user/group sysadm
+## -
+## - passwd: gHZu81_p
+## -
+addgroup --gid 1050 sysadm
+adduser --uid 1050 --gid 1050 sysadm
+
+
+## - add new user tou group (gid) 11
+usermod -a -G sudo chris
+usermod -a -G sudo sysadm
+usermod -a -G sudo defa
+
+
+## - Copy templates for .bashrc, .profile, .vimrc, .ssh etcpp
+## -
+hostname=83.223.86.97
+
+cd /home/chris/O.OPEN/Rechner/templates_home/root
+scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh root@${hostname}:
+
+cd /home/chris/O.OPEN/Rechner/templates_home/chris
+scp -r .bashrc .profile .ssh .vimrc ${hostname}:
+scp -r .bashrc .profile .vimrc back@${hostname}:
+scp -r .bashrc .profile .ssh .vimrc sysadm@${hostname}:
+
+cd /home/chris/O.OPEN/Rechner/templates_home/root
+scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .ssh
.vimrc root@sympa.oopen.de: + +cd ~ +./adduser_defa.sh +./adduser_backup.oopen.sh + + +## - Adjust /etc/sudoers +## - +## - back ALL=(root)NOPASSWD:/usr/bin/rsync +## - back ALL=(root)NOPASSWD:/usr/bin/find +## - back ALL=(root)NOPASSWD:/usr/bin/realpath +## - +visudo + + +## - Adjust /etc/resolv.conf +## - +## - search warenform.de +## - nameserver 83.223.66.51 +## - nameserver 212.42.230.1 +## - nameserver 83.223.90.90 +## - +vim /etc/resolv.conf + + +## - NOTICE!! +## - +## - since "sueeze", /bin/sh ist linked to /bin/dash. with that some of my +## - scripts doesn't work. so link back to /bin/bash +## - +## - link /bin/sh to /bin/bash +## - +cd /bin +rm sh +ln -s bash sh + + + +## - install subversion +## - +apt-get install -y subversion subversion-tools # smbclient + +## - Install git +## - +apt-get install -y git + + +## - if package-version of mysql is needed +## - +apt-get install mysql-client-5.5 mysql-common \ + mysql-server-5.5 mysql-server-core-5.5 + +## --------------------------------------------------------------- + +## - compiler stuff +## - +apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \ + make automake autoconf libtool flex bison \ + gettext pkg-config gnu-standards \ + libssl-dev libreadline-dev libncurses-dev + +apt-get install libsystemd-dev + + +## - packages to build apache webserver with php5/ruby support +## - +apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \ + libneon27-dev + +apt-get install -y libxml2 libxml2-dev \ + curl libcurl4-openssl-dev \ + libqdbm-dev libgdbm-dev libpspell-dev \ + libjpeg-dev libpng12-dev libxpm-dev libfreetype6-dev \ + libwmf-dev libtiff-dev libjasper-dev libpaper-dev \ + libmagic-dev \ + libmagick-dev libgraphics-magick-perl \ + libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \ + libgraphviz-dev libgd2-xpm-dev libcroco3-dev libgsf-1-dev libilmbase-dev \ + libvpx-dev libvpx1 vpx-tools \ + libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \ + 
libatm-dev libexpat-dev \ + imagemagick graphicsmagick \ + re2c \ + exif libexiv2-dev \ + netpbm libnetpbm10-dev \ + libmcrypt-dev mcrypt \ + libmysqlclient-dev mysql-client \ + libpq-dev postgresql-client \ + libreadline-dev libncurses-dev \ + libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \ + libxslt1-dev libpcre3-dev \ + libc-client2007e-dev libc-client-dev \ + libicu-dev \ + libtidy-dev \ + libmm-dev libgmp-dev libkrb5-dev libldap-dev \ + libmhash-dev libgd-dev \ + libapr1-dev libaprutil1-dev \ + liblua5.1-0 liblua5.1-0-dev \ + libsctp-dev \ + libcrypto++-dev + + +## - So create a symlink +## - /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so +ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so + + +## - Hinweis: libt1-dev nicht mehr verfügbar in debian jessie + + +## - Hinweis: »graphicsmagick-libmagick-dev-compat« wird an Stelle von »libmagick-dev« gewählt + +## - if ruby is/will be installed this is needed for rmagick gem +## - +##libmagick++-dev libmagickcore-dev libmagickwand-dev \ + +## - needed for php extension imagick +## - +apt-get install -y libmagickwand-dev + +## - needed for php extension geoip +## - +apt-get install -y libgeoip-dev + + +## - add some tk/tcl stuff +## - + +## - tcl tcl-dev tk tk-dev tclreadline +## - +apt-get install -y tk-dev tcl-dev tclreadline +apt-get install -y expect expect-dev libexpect-perl + diff --git a/DOC/install_LXC-stretch.txt b/DOC/install_LXC-stretch.txt new file mode 100644 index 0000000..fe11b82 --- /dev/null +++ b/DOC/install_LXC-stretch.txt 
@@ -0,0 +1,561 @@
+#!/usr/bin/env bash
+
+
+## - On the host-system install "bridge-utils"
+## -
+apt-get install bridge-utils
+
+## - On the host-system install LXC
+## -
+apt-get install lxc
+apt-get install btrfs-tools lua5.3
+
+
+## - !! Debian stretch related
+## -
+## - Konfiguration /etc/security/limits.conf seems not be working together
+## - with systemd.
+## -
+## - One possibility is, setting parameter "DefaultLimitNOFILE" in file
+## - /etc/systemd/system.conf. This setting is "world wide".
+## -
+## - At least that allows me to do my work again but it is obviously not the
+## - right solution. I just want to change my own user's limits, not the
+## - limits of each and everything.
+## -
+cp -a /etc/systemd/system.conf /etc/systemd/system.conf.ORIG
+perl -i.ORIG -n -p -e "s/(\s*#\s*DefaultLimitNOFILE.*)/\1\nDefaultLimitNOFILE=1048576/" /etc/systemd/system.conf
+systemctl daemon-reload
+
+
+## - Configure your hots-sstem to use a bridge-interface (typically br0)
+## - instead of a real one (typically eth0)
+## -
+## - Replace your network configuration in file /etc/network/interfaces
+## - from:
+## -
+## - auto eth0
+## - iface eth0 inet static
+## - address
+## - netmask
+## - network
+## - broadcast
+## - gateway
+## -
+## - to:
+## -
+## - auto br0
+## - iface br0 inet static
+## - bridge-ports eth0
+## - address
+## - netmask
+## - network
+## - broadcast
+## - gateway
+## - # default route to access subnet
+## - #up route add -net netmask gw br0
+## -
+cp -a /etc/network/interfaces /etc/network/interfaces.ORIG
+vim /etc/network/interfaces
+
+
+## - Restart host-system
+## -
+
+
+# ---
+# -
+# ----
+#LXC_ROOT_DIR=/srv/lxc
+LXC_ROOT_DIR=/var/lib/lxc
+
+LXC_NAME=
+LXC_DIST=debian
+LXC_RELEASE=stretch
+
+### Device 1
+IPV4_ADDRESS_1=
+IPV4_NETMASK_1=
+IPV4_BROADCAST_1=
+IPV4_GATEWAY_1=
+IPv4_Prefix=24
+## - !! Über das Hetzner Webinterface MAC-Adresse vergeben !!
+## -
+## - Zufällige MAC Adresse erstellen
+## -
+## - echo -e "\n\t$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')\n"
+## -
+#MAC_ADDRESS_1="$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')"
+MAC_ADDRESS_1=
+
+#IPV6_ADDRESS_1=
+#IPV6_GATEWAY_1=
+#IPv6_Prefix_1=
+
+### Device 2
+IPV4_ADDRESS_2=83.223.86.202
+IPV4_NETMASK_2=255.255.255.0
+IPV4_BROADCAST_2=83.223.86.255
+IPV4_GATEWAY_2="${IPV4_GATEWAY_1}"
+IPv4_Prefix_2=24
+MAC_ADDRESS_2=00:B4:D5:A0:5F:CE
+
+#IPV6_ADDRESS_2=
+#IPV6_GATEWAY_2=
+#IPv6_Prefix_2=
+
+
+HOSTNAME=dns0.warenform.de
+
+
+## - -------------------------------------------------------------------------
+
+
+lxc-create -n $LXC_NAME -t $LXC_DIST -- --release $LXC_RELEASE --arch amd64
+
+
+cp ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces \
+ ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces.ORIG
+
+touch /var/lib/lxc/${LXC_NAME}/fstab
+
+if [[ -z "$IPV4_ADDRESS_2" ]] ; then
+ cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
+
+#-----------------------------
+# lo: loopback
+#-----------------------------
+auto lo
+iface lo inet loopback
+
+
+#-----------------------------
+# eth0
+#-----------------------------
+auto eth0
+iface eth0 inet manual
+iface eth0 inet6 manual
+
+EOF
+
+else
+ cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
+
+#-----------------------------
+# lo: loopback
+#-----------------------------
+auto lo
+iface lo inet loopback
+
+
+#-----------------------------
+# eth0
+#-----------------------------
+auto eth0
+iface eth0 inet manual
+ up ip route add default via ${IPV4_GATEWAY_1} dev eth0 table 100
+ up ip rule add from ${IPV4_ADDRESS_1} table 100 prio 100
+
+
+
+#-----------------------------
+# eth1
+#-----------------------------
+
+auto eth1
+iface eth1 inet manual
+ up ip route add default via ${IPV4_GATEWAY_2} dev eth1 table 200
+ up ip rule add from ${IPV4_ADDRESS_2} table 200
prio 120
+EOF
+fi
+
+cp ${LXC_ROOT_DIR}/${LXC_NAME}/config ${LXC_ROOT_DIR}/${LXC_NAME}/config.ORIG
+
+cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/config
+lxc.rootfs = /var/lib/lxc/${LXC_NAME}/rootfs
+
+# Common configuration
+lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf
+
+
+# Container specific configuration
+lxc.mount = /var/lib/lxc/${LXC_NAME}/fstab
+lxc.utsname = $LXC_NAME
+lxc.arch = amd64
+lxc.autodev = 1
+lxc.kmsg = 0
+
+
+# Network configuration
+
+### Device 1
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.network.hwaddr = $MAC_ADDRESS_1
+# IPv4
+lxc.network.ipv4 = ${IPV4_ADDRESS_1}/$IPv4_Prefix
+lxc.network.ipv4.gateway = ${IPV4_GATEWAY_1}
+# IPv6
+#lxc.network.ipv6 = ${IPV6_ADDRESS_1}/$IPv6_Prefix_1
+#lxc.network.ipv6.gateway = $IPV6_GATEWAY_1
+
+EOF
+
+if [[ -n "$IPV4_ADDRESS_2" ]]; then
+ cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
+### Device 2
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth1
+lxc.network.hwaddr = $MAC_ADDRESS_2
+## IPv4
+lxc.network.ipv4 = ${IPV4_ADDRESS_2}/$IPv4_Prefix
+## IPv6
+#lxc.network.ipv6 = ${IPV6_ADDRESS_2}/$IPv6_Prefix
+
+EOF
+fi
+
+cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
+
+# Mount iso file inside LX Container
+#lxc.aa_profile = unconfined
+#lxc.cgroup.devices.allow = b 7:* rwm
+#lxc.cgroup.devices.allow = c 10:237 rwm
+
+
+# Autostart
+lxc.start.auto = 1
+lxc.start.delay = 5
+lxc.start.order = 100
+EOF
+
+## - -------------------------------------------------------------------------
+
+lxc-start -d -n $LXC_NAME
+
+## - Starte eine root shell im neuen Container
+## -
+lxc-attach -n $LXC_NAME
+
+## - Alternativ: Starte eine Console im neuen Container
+## -
+## - Bemerkung: Es wird das root-passwort benötigt, welches Teil der
+## - Ausgabe des "lxc-create" Befehls am Ende ist
+## -
+lxc-console -n $LXC_NAME
+
+## - -------------------------------------------------------------------------
+
+## -
apt konfiguroren +## - setze in /etc/apt/sources.list +## - +## - deb http://ftp.de.debian.org/debian stretch main contrib non-free +## - deb-src http://ftp.de.debian.org/debian stretch main contrib non-free +## - +## - deb http://security.debian.org/ stretch/updates main contrib non-free +## - deb-src http://security.debian.org/ stretch/updates main contrib non-free +## - +## - ## - formerly: volatile +## - deb ftp://ftp.de.debian.org/debian stretch-updates main contrib +## - +## - # stretch-backports +## - deb http://ftp.de.debian.org/debian stretch-backports main contrib non-free +## - +cat << EOF > /etc/apt/sources.list + +deb http://ftp.de.debian.org/debian/ stretch main non-free contrib +deb-src http://ftp.de.debian.org/debian/ stretch main non-free contrib + +deb http://security.debian.org/ stretch/updates main contrib non-free +deb-src http://security.debian.org/ stretch/updates main contrib non-free + +# stretch-updates, previously known as 'volatile' +deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free +deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free + +# stretch-backports, previously on backports.debian.org +deb http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free +deb-src http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free + +EOF + +## - Update +## - +apt-get update + +## - Install/Setup locales +## - +apt-get install locales +dpkg-reconfigure locales + +## - take care shadow passwords are enabled +## - +dpkg-reconfigure passwd +/sbin/shadowconfig on + +## - Set password for user root +## - +passwd + +## - configure time-zone +## - +dpkg-reconfigure tzdata + + +## - Upgrade System +## - +apt-get upgrade + + +apt-get -y install openssh-server rssh \ + vim vim-common vim-doc mc screen tmux bc figlet \ + rcconf sudo rsync dselect iputils-ping apt-utils aptitude apt-transport-https \ + zip unzip bzip2 arj \ + locate \ + curl \ + gawk mawk \ + lynx links w3m ctags 
mime-support \ + file coreutils moreutils less realpath sipcalc psmisc \ + dnsutils rblcheck whois \ + gettext gettext-base gettext-doc \ + debian-keyring \ + patch patchutils \ + recode recode-doc librecode0 librecode-dev sharutils \ + perl perl-modules perl-doc libperl-dev \ + libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \ + libmail-imapclient-perl libtime-duration-perl libtimedate-perl \ + libwww-perl libpcre3 libio-compress-perl \ + re2c util-linux \ + parted lshw gdisk smartmontools \ + tcpdump telnet unhide lsof hdparm groff iproute2 bridge-utils vlan \ + ethtool wipe iperf mtr iptraf \ + wget logrotate rsyslog haveged \ + rdate ntpdate wipe man \ + iptables shellcheck \ + ssl-cert ssl-cert-check \ + git ftp \ + htop \ + net-tools lsb-release \ + attr acl quota quotatool \ + needrestart + + +# - poppler-utils - PDF-Werkzeuge (auf Basis von Poppler) u.a. pdftotxt +# - catdoc - Konvertierungspromm von Word, Excel und PowerPoint zu Klartext +# - +apt-get install catdoc poppler-utils + + + +## - add more users +adduser chris +adduser defa + +## - add user/group back +addgroup --gid 1020 back +adduser --uid 1020 --gid 1020 back + +## - user/group sysadm +## - +## - passwd: gHZu81_p +## - +addgroup --gid 1050 sysadm +adduser --uid 1050 --gid 1050 sysadm + + +## - add new user to group sudo +usermod -a -G sudo chris +usermod -a -G sudo sysadm +usermod -a -G sudo defa + +## - warenform specific +## - +#addgroup --gid 1008 webadmin +#mkdir /var/www +#adduser --uid 1008 --gid 1008 --home /var/www/html webadmin + + +## - Adjust (temporarily) /etc/sshd/sshd_config +## - +## - Set +## - PermitRootLogin yes +## - +cd /etc/ssh +cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG +vim sshd_config +systemctl restart ssh + + +## - Install git repository 'admin-stuff' +## - +mkdir -p /root/bin +cd /root/bin +git clone https://git.oopen.de/script/admin-stuff + + +## - Copy templates for .bashrc, .profile, .vimrc, .ssh etcpp +## - +hostname= + 
+users="chris sysadm back" +for user in $users ; do + cp -a /home/${user}/.bashrc /home/${user}/.bashrc.ORIG + cp -a /home/${user}/.profile /home/${user}/.profile.ORIG +done +cp -a /root/.bashrc /root/.bashrc.ORIG +cp -a /root/.profile /root/.profile.ORIG + + +cd /home/chris/O.OPEN/Rechner/templates_home/root +scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh root@${hostname}: + +cd /home/chris/O.OPEN/Rechner/templates_home/chris +scp -r .bashrc .profile .ssh .vimrc ${hostname}: +scp -r .bashrc .profile .ssh .vimrc back@${hostname}: +scp -r .bashrc .profile .ssh .vimrc sysadm@${hostname}: + +cd ~ +./adduser_defa.sh +./adduser_backup.oopen.sh + +rm adduser_* + +## - Coppy sshd_config +## - +cd ~/merke/install/LXC +scp etc_sshd_sshd_config root@${hostname}:/etc/ssh/sshd_config + + +## - Adjust /etc/resolv.conf +## - +## - search oopen.de +## - nameserver 83.223.66.51 +## - nameserver 212.42.230.1 +## - nameserver 83.223.90.90 +## - +vim /etc/resolv.conf + + +## - configure sudo +## - add lines: +## - +## - back ALL=(root)NOPASSWD:/usr/bin/rsync +## - back ALL=(root)NOPASSWD:/usr/bin/find +## - back ALL=(root)NOPASSWD:/usr/bin/realpath +## - +## - +visudo + + +## - NOTICE!! +## - +## - since "sueeze", /bin/sh ist linked to /bin/dash. with that some of my +## - scripts doesn't work. 
so link back to /bin/bash +## - +## - link /bin/sh to /bin/bash +## - +cd /bin +rm sh +ln -s bash sh + + + +## - install subversion +## - +apt-get install -y subversion subversion-tools # smbclient + +## --------------------------------------------------------------- + +## - compiler stuff +## - +apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \ + make automake autoconf libtool flex bison \ + gettext pkg-config gnu-standards \ + libssl-dev libreadline-dev libncurses-dev + +apt-get install -y libsystemd-dev + +## - Packages to build utils-vserver +## - +apt-get install -y vlan +apt-get install -y libnss3-dev +apt-get install -y python-dev + + +## - packages to build apache webserver with php5/ruby support +## - +apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \ + libneon27-dev + +apt-get -y install libxml2 libxml2-dev \ + curl libcurl4-openssl-dev \ + libqdbm-dev libgdbm-dev libpspell-dev \ + libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev \ + libwmf-dev libtiff-dev libpaper-dev \ + libmagic-dev \ + libmagick-dev libgraphics-magick-perl \ + libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \ + libgraphviz-dev libgd2-xpm-dev libcroco3-dev libgsf-1-dev libilmbase-dev \ + libvpx-dev vpx-tools \ + libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \ + libatm-dev libexpat-dev \ + imagemagick graphicsmagick \ + exif libexiv2-dev \ + re2c \ + netpbm libnetpbm10-dev \ + libmcrypt-dev mcrypt \ + default-libmysqlclient-dev mysql-client \ + libpq-dev postgresql-client \ + libreadline-dev libncurses-dev \ + libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \ + libxslt1-dev libpcre3-dev \ + libc-client2007e-dev libc-client-dev \ + libicu-dev \ + libtidy-dev \ + libmm-dev libgmp-dev libkrb5-dev libldap-dev \ + libmhash-dev libgd-dev \ + liblua5.3-dev \ + libapr1-dev libaprutil1-dev \ + libsctp-dev \ + libcrypto++-dev + +## - Hinweis: libjasper-dev nicht mehr verfügbar in debian jessie +## - +## - Hinweis: 
»graphicsmagick-libmagick-dev-compat« wird an Stelle von »libmagick-dev« gewählt + + +## - Create a symlink +## - /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so +ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so + + +## - if ruby is/will be installed this is needed for rmagick gem +## - +##libmagick++-dev libmagickcore-dev libmagickwand-dev \ + + +## - ffmpeg +## - +apt-get install -y ffmpeg + +## - needed for php extension imagick +## - +apt-get install -y libmagickwand-dev + +## - needed for php extension geoip +## - +apt-get install -y libgeoip-dev + + +## - add some tk/tcl stuff +## - + +## - tcl tcl-dev tk tk-dev tclreadline +## - +apt-get install -y tk-dev tcl-dev tclreadline +apt-get install -y expect expect-dev libexpect-perl +
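Review bot: The Device 2 block appended to the container config uses the Device 1 prefix variable, `lxc.network.ipv4 = ${IPV4_ADDRESS_2}/$IPv4_Prefix`, although the script defines `IPv4_Prefix_2=24` for that interface; it should read `lxc.network.ipv4 = ${IPV4_ADDRESS_2}/$IPv4_Prefix_2` (the commented IPv6 line beside it likewise refers to an undefined `$IPv6_Prefix`). The `## - passwd:` comment above `adduser --uid 1050 --gid 1050 sysadm` records a plaintext password for an account that is then added to the `sudo` group, in a committed file; the same comment appears in the jessie version of this runbook earlier in the diff, and both should be removed and that credential rotated. `LXC_NAME=` and `hostname=` are left empty but used unquoted in `lxc-create -n $LXC_NAME ...` and `scp ... root@${hostname}:`, so running the file the way its `#!/usr/bin/env bash` shebang invites would silently operate on empty names; a guard such as `: "${LXC_NAME:?set LXC_NAME first}"` after the assignments would fail fast. The proposed sudoers entries granting `back` NOPASSWD root for `rsync` and `find` amount to unrestricted root for that account, which is worth stating in the comment so the grant is a documented decision rather than an accident.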