Difference between revisions of "Server/Setup"
| Riga 54: | Riga 54: | ||
read yn | read yn | ||
if [ "$yn" != n ] && [ "$yn" != N ]; then | if [ "$yn" != n ] && [ "$yn" != N ]; then | ||
| − | usermod "$USERNAME" | + | usermod -aG sudo "$USERNAME" |
fi | fi | ||
</pre> | </pre> | ||
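Review bot: the removed line `usermod "$USERNAME"` passed no option at all, so usermod only printed an error and the answer to "Give sudo permissions?" never took effect; `usermod -aG sudo "$USERNAME"` is the right call, and the `-a` is essential because `-G sudo` on its own would replace the user's existing supplementary groups with just `sudo`. Since the surrounding script does not use `set -e`, the old failure was visible only as usermod's message on stderr, which is worth remembering when reading older logs of this script.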
Revision as of 15:54, 25 Feb 2022
This is a list of things to do when buying a new server for Wikimedia Italia.
Distribution
We usually opt for Debian GNU/Linux stable.
Register codename
Pick a server codename from this page:
You can open a discussion on the talk page.
Do not root, we sudo
We do not log in as root on our servers; that is bad auditing practice.
Create unprivileged users instead; they can be added to the sudo group.
Configure sudo
Our users authenticate with SSH keys and have no password at all, so we remove the password prompt from sudo for members of the sudo group.
Run visudo and make this change:
-%sudo ALL=(ALL:ALL) ALL:ALL
+%sudo ALL=(ALL:ALL) NOPASSWD:ALL
Add Unix user with sudo and SSH key
To add a Unix user with sudo rights and an SSH key, just run this script:
add-user.sh
#!/bin/sh
# add-user.sh: create an unprivileged user, install their SSH public key
# and optionally add them to the sudo group. Stop at the first error.
set -eu
echo "Please type a name-surname"
read -r USERNAME
echo "Please paste the SSH key"
read -r KEY
# No password: the account is reachable only with the SSH key below.
adduser --disabled-password "$USERNAME"
mkdir --parents /home/"$USERNAME"/.ssh
echo "$KEY" >> /home/"$USERNAME"/.ssh/authorized_keys
chown -R "$USERNAME":"$USERNAME" /home/"$USERNAME"/.ssh
chmod 640 /home/"$USERNAME"/.ssh/authorized_keys
chmod 755 /home/"$USERNAME"/.ssh
echo "Give sudo permissions? [Y/n]"
read -r yn
# Anything but n/N (including just Enter) grants sudo; -a keeps existing groups.
if [ "$yn" != n ] && [ "$yn" != N ]; then
    usermod -aG sudo "$USERNAME"
fi
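The add-user.sh script above appends whatever was pasted at the "Please paste the SSH key" prompt straight into authorized_keys. The following is an added example, not the wiki's script, showing the check a practitioner would want in front of that append: it verifies that the pasted line is a single OpenSSH public key whose base64 blob really encodes the declared key type, then installs it idempotently with the same 755/640 modes the page uses. The function names (valid_ssh_pubkey, install_authorized_key, sample_pubkey), the home-directory argument and the sample key (a constructed all-zero ed25519 key that parses like a real one but is useless as a credential) are all assumptions of this example; chown is left to the caller, as in the page's script.

```shell
#!/bin/sh
# Added example (not the wiki's add-user.sh): validate a pasted OpenSSH public
# key before it goes into authorized_keys, then install it idempotently with
# the 755/640 modes the page uses. Function names are ours; HOME_DIR is passed
# in so this can be exercised on a temporary directory without root. chown is
# left to the caller, exactly as in the page's script.
set -eu

# valid_ssh_pubkey LINE
# Returns 0 only if LINE is one OpenSSH public key of the form
# "type base64blob [comment]" and the blob really encodes that key type.
# Option prefixes (command="..."), multiple lines and junk are rejected.
valid_ssh_pubkey() {
    line=$1
    nl=$(printf '\nx'); nl=${nl%x}
    case "$line" in *"$nl"*) return 1 ;; esac      # more than one line
    type=${line%% *}                               # first field
    rest=${line#* }
    [ "$rest" != "$line" ] || return 1             # no second field at all
    blob=${rest%% *}                               # second field
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case "$blob" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac   # not base64
    # The blob starts with a 4-byte length followed by the key type name;
    # decode it and compare those bytes with the declared type.
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#type}")
    [ "$decoded" = "$type" ]
}

# install_authorized_key HOME_DIR KEY
# Create HOME_DIR/.ssh with the page's modes and append KEY unless that exact
# line is already present, so running the script twice does not duplicate it.
install_authorized_key() {
    home=$1; key=$2
    if ! valid_ssh_pubkey "$key"; then
        echo "rejected: not a valid OpenSSH public key line" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    chmod 755 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 640 "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# sample_pubkey: a CONSTRUCTED ed25519 key line whose 32 bytes of key material
# are all zero. It parses like a real key but is useless as a credential.
sample_pubkey() {
    awk 'BEGIN { s = "AAAAC3NzaC1lZDI1NTE5AAAAI"; for (i = 0; i < 43; i++) s = s "A";
                 print "ssh-ed25519 " s " constructed@example" }'
}
```

In add-user.sh the call would be `install_authorized_key /home/"$USERNAME" "$KEY"` in place of the mkdir/echo/chmod lines, followed by the page's chown. The type check is deliberately strict: a line carrying authorized_keys options such as command="..." is refused rather than parsed, because an operator pasting a key at a prompt should not be able to smuggle options in with it.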
Version configuration
We keep server configurations in a public repository. Clone it on your server:
cd /etc
git clone "https://gerrit.wikimedia.org/r/wikimedia-it/wmit-infrastructure"
Then create symbolic links pointing into that repository, so that the history of your changes is preserved.
For example, /etc/apache2/sites-available can point to /etc/wmit-infrastructure/servers/FOO/conf/apache2/sites-available, or something along those lines.
NOTE: Remember not to store passwords or other secrets this way.
NOTE: Please commit any old changes that someone else has left uncommitted.
NOTE: Please commit your changes when you have finished.
NOTE: Then push.
NOTE: You will need to be added to the Gerrit wikimedia-it-wmit-infrastructure group to be able to push.
Mirrored source code:
Hardening SSH
In /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
Then:
systemctl reload ssh
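The sudoers line in "Configure sudo" and the two sshd_config directives above are the same kind of edit: set one directive in a system file without leaving duplicates or commented-out decoys behind, then check the file before reloading. The script below is an added example, not the wiki's own code, that does both with one helper. The function names set_directive, sudo_nopasswd, harden_sshd, check_sudoers and check_sshd_config are ours, and FILE is whichever copy the caller passes in. The checkers use visudo -c -f and sshd -t -f, which are real options of those tools. The helper also keeps the global setting ahead of any Match block, because in sshd_config a directive placed after Match applies only inside that block.

```shell
#!/bin/sh
# Added example, not from the wiki page: apply the sudoers and sshd_config
# edits described on the page with one idempotent "set directive" helper, then
# run the native syntax checkers before the file is installed. Function names
# are ours; FILE is whatever copy the caller passes (the test uses temp files).
set -eu

# set_directive FILE KEY VALUE
# Replace the active (uncommented) "KEY ..." line in FILE with "KEY VALUE",
# dropping duplicates, or append it when none exists. Everything from the
# first "Match" line onward is copied untouched: in sshd_config a directive
# placed after Match applies only inside that block, so the global setting
# must land before it.
set_directive() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v line="$key $value" '
        !tail && $0 ~ /^[ \t]*Match[ \t]/ { tail = 1 }
        tail          { buf = buf $0 "\n"; next }
        $1 == key     { if (!done) print line; done = 1; next }
                      { print }
        END {
            if (!done) print line
            printf "%s", buf
        }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# The change from the "Configure sudo" section.
sudo_nopasswd() {
    set_directive "$1" '%sudo' 'ALL=(ALL:ALL) NOPASSWD:ALL'
}

# The two directives from the "Hardening SSH" section.
harden_sshd() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
}

# Syntax checks: run these on the edited copy before installing it and
# reloading. They return 2 when the checker is not installed so that a
# wrapper cannot mistake "not verified" for "verified".
check_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1"          # -c: check only, -f: file to check
}
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"            # -t: test mode, -f: config file to test
}
```

Typical use: copy /etc/ssh/sshd_config to a scratch file, run harden_sshd and then check_sshd_config on that copy, and only when the check passes copy it back and run systemctl reload ssh as the page says. For sudoers, apply sudo_nopasswd to a copy, confirm it with check_sudoers, and then make the same one-line change through visudo as the page recommends, so that the file's mode and lock handling stay intact.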
Hostname
Remember to set a useful hostname:
HOSTNAME=fooooo.wikimedia.it
hostname "$HOSTNAME"
echo "$HOSTNAME" > /etc/hostname
echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
Branding SSH
Feel free to edit /etc/motd with a cowsay showing the server code and useful information. E.g.:
 ___________________________________
< Welcome in intreccio.wikimedia.it >
 -----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Info:
https://wiki.wikimedia.it/wiki/Server
You can leave the final newline.
Branding webserver
Be sure that generic requests are answered with a nice user page.
For example:
Be sure to put an Easter egg somewhere.
Backup
Do on-site backups (backups on the same machine) so you can fix your own mistakes by yourself.
Plan off-site backups (backups on another machine) to recover from disasters.
You can use the server ⚙️ horror for backup purposes.
If you think the backups are not enough, open a discussion about new backups.