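# Ad-hoc shell fragments for setting up a new debian/ubuntu server.
#
# This is a runbook, not a program: run the commands of one section at a time
# by hand.  Lines under a "--- <path> ---" marker are the contents to put into
# that file with the editor, not commands to type.  Several steps are
# interactive (pico, dpkg-reconfigure, visudo), so there is deliberately no
# `set -e` here.

sudo apt-get install ntp
# add the noatime option for /
sudo pico /etc/fstab

# install
sudo apt-get install screen rsync shorewall build-essential libtool autoconf gdb libz-dev unzip
sudo apt-get install darcs git subversion cvs
sudo apt-get install clisp
# for the dojo build
# sudo apt-get install sun-java6-jdk
sudo apt-get install default-jre-headless

###
### mailman
###
# defaults are in /usr/lib/mailman/Mailman/Defaults.py
# make sure you leave a working root shell open before touching sudoers:
# a syntax error in any file under /etc/sudoers.d disables sudo entirely.
# visudo -f parses the file before installing it, which a plain editor does not.
sudo visudo -f /etc/sudoers.d/mailman
sudo chmod 0440 /etc/sudoers.d/mailman
# --- /etc/sudoers.d/mailman ---
# let the home-service user run the mailman CGI scripts as list:www-data
#   Cmnd_Alias MAILMAN_CGI = /usr/lib/cgi-bin/mailman/*
#   home-service ALL=(list:www-data)NOPASSWD:MAILMAN_CGI,SETENV:MAILMAN_CGI
#   Cmnd_Alias MAILMAN_ADMIN = /usr/lib/mailman/bin/*
#   %adm ALL=(list:list)NOPASSWD:MAILMAN_ADMIN
# NOTE(review): MAILMAN_ADMIN covers withlist (used below), which executes
# arbitrary python as the list user, so every member of adm gets code
# execution as list without a password.  Keep adm membership to admins only.
sudo apt-get install mailman
# don't extend /etc/aliases as the installer output suggests; read these instead:
# /usr/share/doc/mailman/README.Exim4.Debian.gz
# /usr/share/doc/exim4-base/README.Debian.gz, section 2.9
#   "Using more complex deliveries from alias files"
sudo newaliases
sudo update-rc.d apache2 disable
sudo -u list -g list /usr/lib/mailman/bin/newlist mailman
# to update the urls of the mailing lists after changing /etc/mailman/mm_cfg.py
sudo -u list -g list /usr/lib/mailman/bin/withlist -l -a -r fix_url --
sudo -u list -g list /usr/lib/mailman/bin/mmsitepass
sudo pico /etc/mailman/mm_cfg.py
# --- /etc/mailman/mm_cfg.py ---
#   DEFAULT_URL_PATTERN = 'http://%s/mailman/'
#   PRIVATE_ARCHIVE_URL = '/mailman/private'
#   IMAGE_LOGOS = 0 # '/mailman/images/'
#   SITE_LINK = No
#   SITE_TEXT = 'Lisp Powered'
#   SITE_URL = 'http://www.dwim.hu/'
#   SITE_LOGO = '/static/hdws/image/about/lisp-logo.trace-amounts-warning.128.png'
#   DEFAULT_CHARSET = 'UTF-8'
# NOTE(review): `SITE_LINK = No` looks like a typo (No is not a python name);
# presumably None was meant -- confirm against Defaults.py.
# check permissions
sudo -u list -g www-data /usr/lib/mailman/bin/check_perms
# fix the errors, if any
sudo /usr/lib/mailman/bin/check_perms -f

###
### #mail, #smtp, #exim
###
sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config
# on debian, switch to gnu mail which has a more reasonable command line interface
sudo apt-get install mailutils
sudo update-alternatives --set mailx /usr/bin/mail.mailutils
# --- /etc/aliases ---
#   root: alendvai
#   attila.lendvai: alendvai
#   lendvai.attila: alendvai
#   # the next rule is for attila@lendvai.name; exim could not be configured any better for it
#   attila: alendvai
#   levente.meszaros: lmeszaros
#   balint.meszaros: bmeszaros
#   tamas.borbely: tborbely
#   admin: attila.lendvai,levente.meszaros
# ssl
# --- exim4.conf.localmacros ---
#   MAIN_TLS_ENABLE=yes
#   REMOTE_SMTP_TLS_CERTIFICATE=/opt/omv/ssl-key/omv-maxxmotion.com.pem
#   REMOTE_SMTP_PRIVATEKEY=/opt/omv/ssl-key/omv-maxxmotion.com.key
# the private key should be readable by the exim user only -- check owner and mode

###
### cron
###
sudo pico /etc/crontab
# --- /etc/crontab ---
#   MAILTO=attila.lendvai@gmail.com
#   # set the daily jobs to:
#   58 23 * * * ...

###
### screen
###
sudo pico /etc/screenrc
# --- /etc/screenrc ---
#   startup_message off
#   #vbell
#   #vbell_msg

###
### sudo (ubuntu has it)
###
sudo addgroup sudo
# visudo syntax-checks /etc/sudoers before saving; never edit it with a plain editor
sudo visudo
# --- /etc/sudoers ---
#   %sudo ALL=(ALL) ALL

###
### timezone, locale
###
sudo dpkg-reconfigure tzdata
# mark the needed locales to be compiled, especially en_US.UTF-8
sudo dpkg-reconfigure locales

###
### ssh key
###
mkdir -p -- ~/.ssh
chmod og-rwx -- ~/.ssh/
# ssh-copy-id appends the key; a plain scp would overwrite any authorized_keys
# already on the server and fails when the remote .ssh directory is missing
ssh-copy-id -i ~/.ssh/id_rsa.pub alendvai@dwim.hu
scp ~/.ssh/config alendvai@dwim.hu:.ssh/

###
### tab completion of symlinks to dirs
###
printf '%s\n' 'set mark-symlinked-directories on' >~/.inputrc
printf '%s\n' 'set mark-symlinked-directories on' | sudo tee /etc/skel/.inputrc >/dev/null

###
### setup shorewall
###
sudo apt-get install shorewall shorewall-doc
# start from the one-interface example; /etc/shorewall needs root to write
cd /usr/share/doc/shorewall/examples/one-interface/
sudo cp -- interfaces policy rules zones /etc/shorewall/
cd -
sudo pico /etc/shorewall/rules
# --- /etc/shorewall/rules ---
# this way it's broken: the second rule redirects everything to localhost on the http port, independent of the IP
#   REDIRECT net 8080 tcp http -
#   #REDIRECT $FW 8080 tcp http -
#   REDIRECT net 8443 tcp https -
#   #REDIRECT $FW 8443 tcp https -
#   ACCEPT all $FW tcp ssh
#   ACCEPT all $FW tcp http
#   ACCEPT all $FW tcp https
#   ACCEPT all $FW tcp git
#   ACCEPT all $FW tcp smtp
#   # hu.dwim.number-toss
#   ACCEPT all $FW tcp 8888
#   #ACCEPT all $FW tcp 9519
sudo pico /etc/default/shorewall

###
### red prompt
###
# delete the PS1 overwriting in both files
sudo pico /etc/skel/.bashrc
pico ~/.bashrc
sudo pico /etc/bash.bashrc
# --- /etc/bash.bashrc ---
# insert a red hostname into the prompt for the production system
#   PS1='${debian_chroot:+($debian_chroot)}\u@\[\e[1;31m\]\h\[\e[0m\]:\w\$ '

###
### umask
###
sudo apt-get install libpam-modules
# comment out the umask 0022 line
sudo pico /etc/profile
sudo pico /etc/pam.d/common-session
# --- /etc/pam.d/common-session ---
#   # added by attila lendvai
#   session optional pam_umask.so umask=002
# NOTE(review): umask 002 makes new files group-writable for every login
# session; presumably intended for the shared group dirs under /opt below --
# confirm that is wanted for all users, not only the repo groups.

###
### postgres
###
sudo apt-get install postgresql ca-certificates
sudo pico /etc/sysctl.conf
# --- /etc/sysctl.conf ---
#   # Added by Attila: increase max shared memory to 4096 MB
#   kernel.shmmax = 4294967296

###
### users
###
sudo adduser alendvai
sudo adduser lmeszaros
sudo adduser bmeszaros
sudo adduser tborbely
sudo adduser kdarabi
sudo addgroup mwallen
sudo adduser alendvai mwallen
# ...
sudo adduser lmeszaros remotelogin  # on debian
# ...
sudo adduser alendvai postgres
sudo adduser lmeszaros postgres
sudo adduser tborbely postgres
# NOTE(review): adm membership also activates the NOPASSWD MAILMAN_ADMIN
# rule from the sudoers section above.
sudo adduser alendvai adm
# ...
sudo adduser alendvai staff
# ...
# the home-service user itself is not created in these notes; presumably it
# exists already -- verify before adding members to it.
sudo adduser alendvai home-service
sudo adduser lmeszaros home-service
sudo adduser tborbely home-service
sudo adduser home-service www-data

###
### repos
###
sudo addgroup darcs
sudo addgroup git
sudo adduser alendvai darcs
sudo adduser lmeszaros darcs
sudo adduser bmeszaros darcs
sudo adduser tborbely darcs
sudo adduser kdarabi darcs
sudo adduser alendvai git
sudo adduser lmeszaros git
sudo adduser bmeszaros git
sudo adduser tborbely git
sudo adduser kdarabi git
# /opt needs root, so these are run through sudo like everything else here
sudo mkdir -- /opt/darcs /opt/git
sudo chgrp -R darcs /opt/darcs
sudo chgrp -R git /opt/git
# setgid so new repos inherit the group; nothing for others
sudo chmod g+rwxs,o-rwx -- /opt/darcs /opt/git
sudo apt-get install git-daemon-run  # xinetd
sudo adduser gitdaemon home-service
sudo adduser gitdaemon git
sudo pico /etc/sv/git-daemon/run
# --- /etc/sv/git-daemon/run ---
#   exec chpst -ugitdaemon:git \
#     "$(git --exec-path)"/git-daemon --verbose --reuseaddr --base-path=/opt/git --export-all /opt/git
# note: git-daemon's own --user/--group switches did not work on debian squeeze, hence chpst
# NOTE(review): --export-all serves every repository under /opt/git to
# anonymous readers, whether or not it carries a git-daemon-export-ok file;
# drop the flag and mark repos explicitly if any of them must stay private.
less /usr/share/doc/git-daemon-run/README.Debian
sudo sv stat git-daemon

###
### gitweb
###
cd /tmp
sudo apt-get install gitweb nginx-light
sudo update-rc.d nginx disable

###
### #backup #rssh
###
# http://mancoosi.org/~abate/rsync-jail-with-rssh
# http://mancoosi.org/~abate/rssh-and-suid-mode
# install rssh first so it can be given as the login shell of the backup user;
# adduser --shell sets it, no need to edit /etc/passwd by hand
sudo apt-get install rssh
sudo adduser --disabled-login --no-create-home --home /opt/backup --shell /usr/bin/rssh backup
sudo mkdir -- /opt/backup
sudo chown backup:adm -- /opt/backup/
# g+rwxs and o-rwx are one comma-separated mode; as two words chmod would
# treat "o-rwx" as a file name and leave /opt/backup world-accessible
sudo chmod g+rwxs,o-rwx -- /opt/backup/
sudo pico /etc/rssh.conf
# --- /etc/rssh.conf ---
# also set the allowed services
#   user = backup:011:100000:/usr/local/backup-chroot
# bah, forget the chroot part below... just a security headache...
#sudo pico /etc/rc.local
#mount -o ro --bind /var/backups/ /usr/local/backup-chroot/home/backup/data
#mount -o remount,ro /usr/local/backup-chroot/home/backup/data

###
### openvpn
###
# https://help.ubuntu.com/11.10/serverguide/C/openvpn.html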