Differences between revisions 184 and 280 (spanning 96 versions)
Revision 184 as of 2016-01-11 20:58:40
Size: 23444
Editor: clownfish
Comment:
Revision 280 as of 2023-05-05 00:06:28
Size: 23120
Editor: 2405:3c00:5200:101:cb54:ddf4:f6d6:25c
Comment: Added linux desktop SOE ansible playbook
Line 1: Line 1:
One day, it would be nice to have a standard operating environment for UCC clubroom machines. Currently the state of them could be described as varying degrees of broken, partly due to having no defined procedure for setting them up. The purpose of this page is to brainstorm what this procedure should be. This page is intended as a guide to set up UCC machines in some sort of standard way. Please update this if you find any problems when installing things (especially if using newer versions than described here).
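Review bot: the opening paragraph says both that the page is a brainstorm of what the procedure should be and that it is the guide for setting machines up; since the rest of this revision is the actual procedure, drop the brainstorm sentence and keep only the "This page is intended as a guide..." wording so readers treat the steps as authoritative rather than provisional.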
Line 7: Line 7:
= All Machines =

== Steps to do for installation ==
  * Add forward and reverse DNS entries for the machine. <!>
  *
Add the machine to DHCP. <!>
  *
Make sure all licenses required are on hand
= Before you start =

== Steps to do before installation ==
  * <!> Add forward and reverse DNS entries for the machine.
  *
<!> Add the machine to DHCP.
  *
<!> Make sure all licenses required are on hand (see `/home/wheel/docs/software-license/` on a user server)
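Review bot: renaming "All Machines" to "Before you start" loses the statement that these three steps apply to every platform on the page; the Mac section later depends on them being done first ("Make sure that you've gotten DNS/DHCP sorted ... Otherwise you will run into strange issues when you join to AD"), so keep a one-line note under "Steps to do before installation" that DNS, DHCP and licensing are required for Windows, Linux and Mac alike. The added pointer to `/home/wheel/docs/software-license/` is useful and should stay.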
Line 16: Line 16:
 * Email tech@ Informing them that it has been set up/re-installed

= Windows Profiles =

Please see WindowsProfiles for more information on how these work / how you should manage them.

= Windows 7 =

== Steps to do before/during installation ==

== During/after installation ==
 * Install Win7 Pro, not the home edition, or you won't be able to add it to the domain
 * Make sure you create at 2 disk partitions (or separate hard drives) - one for windows, one for games/other
 * Enable the Administrator account and set it to use clubroom password. See [[http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/]]
 * nuke the user you created during install
 * Run the registry hack from [[http://wiki.samba.org/index.php/Windows7]] - you won't be able to add the machine to the domain without doing this)
 * Configure it to be part of the domain 'UCCDOMAIN'. (Control Panel, System, Advanced System Settings, Computer Name) ''Ignore the error message'' .
  * Add Winadmins to computer administrators.
 * Add static route for 130.95.13.0/26: at a command prompt type:
{{{
 * Email [email protected] with a summary of what was set up/re-installed

= Dualboot Machines =

'''These instructions relate to Dualbooting Windows 10 and Linux Mint'''. If installing a dualboot machine, always install Windows first where possible.

 1. [[#Windows_10|Install Windows]] following the below. Make note of the following when setting up the disks:
  * Depending on the size of the disk, try to reserve up to 500GB or more for Windows.
  * Linux works fine on anything down to about 100GB but 200GB+ is preferable.
 2. [[#Linux_Desktops|Install Linux]], making sure to use the previously reserved disk space.
  * Use a '''different hostname''' for the Linux installation (eg. `catfish` on Windows, and `catfish-linux` on Linux, or vice-versa)
  * This is necessary so that the machine accounts in AD don't have the same name, otherwise one OS's entry overwrites the other and things get broken.
 3. Set up a scheduled task on Windows to reboot into Linux each day.

= Windows 10 =

All new Windows machines in UCC should be installed with Windows 10 by default. Previous versions are deprecated.

 1. Find a Windows install disk or make a new one. Make sure you select the Professional edition.
  * You can download the latest ISO image [[https://www.microsoft.com/en-au/software-download/windows10ISO|here]] and USB imaging tool [[https://www.microsoft.com/en-us/download/details.aspx?id=56485|here]].
 2. Plug in the install disk and boot from it.
  * Select the US keyboard layout and Australian time/date format.
  * Agree to the license terms etc.
 3. Partition the disks.
  * Delete all existing partitions (if any) on the designated install disk.
  * Select the empty space and click "New" to create a new partition. Enter the desired size or use the whole disk (if not doing dualboot).
 4. Create a dummy user account (call it something like `accmurph`)
 5. Finish the installer. Once it has rebooted into the new Windows system and you have logged in you can continue.
 6. Install software.
  * Software in this list should either be free to download and install, or something that the UCC has a license for.
  * sshd , to automate the rest of the following
    * invoking CMD.EXE ? bash? PowerShell?
  * Open '''Powershell''' as Administrator and run the following: {{{
Set-ExecutionPolicy Bypass; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

choco install -y 7zip.install adobereader chocolateygui discord firefox foxitreader freecad gimp git.install googlechrome hwmonitor inkscape javaruntime keepass.install kicad kitty libreoffice lyx miktex notepadplusplus.install opera paint.net python3 teamviewer texstudio tor-browser vivaldi vlc vscode windirstat winscp.install
}}}
   * If Lyx cannot find "Latex.exe", run MikTeX (initexmf --admin --mklinks as admin in cmd) and retry.
  * Install '''Steam''' and '''Battle.net''' to the games drive (if any).
  * Install the corresponding Graphics Driver for your GPU.
    * nVidia graphics drivers can be found here [[https://www.nvidia.com/download/index.aspx]]
    * AMD graphics drivers here [[https://www.amd.com/en/support]].
  * Install the ocsinventory agent from [[https://ocsinventory-ng.org/?lang=en]].
   * This software maintains a registry of all our hardware and is used to determine which machines need upgrading. The server to point it at is https://ocsinventory.ucc.asn.au/ocsinventory and turn off SSL cert verification. No auth is required.
  * https://github.com/da2x/EdgeDeflector/blob/master/README.md ?
 7. Set the Windows computer name - the installer picks a random one automatically and this is bad.
  * Right click on the Start button, select "System", then click "Rename this PC" and enter the desired name.
 7. Configure the system for the UCC network. (type any `commands` below into the Administrator Powershell window you just opened)
  * Delete the dummy user created during install, enable the local Administrator account and set the password: {{{
net user Administrator /active:yes
net user Administrator <Clubroom Password>
}}}
  * DO ABOVE FIRST AND TEST! If you delete accmurph and mess up the admin password, you will need to reset and start again! {{{
net user accmurph /delete
}}}
  * Join the machine to the domain `UCCDOMAYNE` as described in [[ActiveDirectory#Windows]].
  * '''REBOOT.'''
  * You may need to manually set the time if it is out of sync, run Command Prompt (not powershell!) as administrator and use the command `time HH:MM:SS`
  * Force update group policy on the machine (now in the admin Command Prompt window): {{{
gpupdate /force
}}}
   * Once Group Policy has been successfully applied (or before the machine is joined to the domain at all) you can force an NTP time sync with `w32tm /resync /force`
  * Add static route for 130.95.13.0/26: (''This prevents a VPN connection from trying to steal the default route to users home directories.''){{{
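Review bot: `net user Administrator <Clubroom Password>` puts the clubroom password into the PowerShell command history of the dummy account; use `net user Administrator *` so the password is prompted for instead, and the "DO ABOVE FIRST AND TEST!" warning still applies. Three further points in this region: `Set-ExecutionPolicy Bypass` with no scope changes the machine-wide policy permanently, so the Chocolatey bootstrap should use `Set-ExecutionPolicy Bypass -Scope Process -Force`; the OCS inventory step says "turn off SSL cert verification", where installing the UCC CA (the same `UCC-CA.crt` the LDAP section fetches) would keep verification on; and the domain is written `UCCDOMAYNE` here but `UCCDOMAIN` in the Windows 7 text and in the "No logon servers available" fix, so state which name is current. Two consecutive steps are both numbered 7.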
Line 38: Line 81:
 . ''This prevents a VPN connection from trying to steal the default route to users home directories.''
* Enable pings (alternatively, follow [http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7]):
{{{
  * Enable pings (alternatively, follow [[http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7|this guide]]):
  . {{{
Line 43: Line 85:
 * Install Chocolatey, and SOE Packages
 * Set up drivers (particularly Graphics)
 * Set up printing.

= Windows 10 =

== Fixing the "No logon servers available" error ==
If accounts are unable to login, and you get the "No logon servers available" error do the following:
 * add the following line to the smb.conf file found at "/usr/local/etc/smb.conf" or uncomment the line if it is there:
{{{
# Be aware, that this setting prevent your clients to use
# newer SMB protocol versions, than SMB1 with this server!
max protocol = NT1
}}}
 * restart the service by typing
{{{
service samba_server restart
}}}
 * restart windows 10
 * log in to an account on the UCCDOMAIN
 * comment out the "max protocol = NT1" line (it should work now without the line)

== Software to install ==
Software in this list should either be free to download and install, or something that the UCC has a license for.

Install the following packages using administrator powershell
using chocolatey. After which install steam and battle.net manually onto the games partition.

{{{
 choco install -y googlechrome firefox flashplayerplugin microsoftsecurityessentials keepass.install notepadplusplus.install 7zip.install javaruntime vlc chocolateygui opera foxitreader paint.net gimp inkscape adobereader libreoffice winscp.install putty miktex texstudio lyx
}}}
 8. Add the UCC printer `blacklight` and set it as the default.

= Linux Desktops =
'''Linux Mint x64 ''Cinnamon'' (not the LMDE / Debian version) is the only Linux installation we support.'''

These instructions have been updated and checked with Linux Mint 21 - please update them to be compatible with any newer versions if you choose to install them.

 1. Find or create an install USB.
  * Download the ISO from [[https://www.linuxmint.com/download.php]] onto an existing Linux system. {{{
wget https://mirror.aarnet.edu.au/pub/linuxmint/stable/21/linuxmint-21-cinnamon-64bit.iso
}}}
  * Plug in the USB and get the device node with `lsblk` (look at the size of each drive)
  * Copy the image to the USB: (this will take a few minutes) {{{
sudo dd if=linuxmint-21-cinnamon-64bit.iso of=/dev/<usb identifier> bs=1M; sync;
}}}
 2. Boot from the USB and run the installer.
 3. Partition the disks. Select "something else" rather than the automagic guided options.
  * If you are setting up dualboot, do NOT delete any Windows-related partitions.
  * Create a new partition for the Linux system. No swap partition is required - mint no longer creates a swap partition by default, and can use a swap file in the root partition if swap space is required.
   * Use as ext4 file system and use `/` as the mount point.
  * Configure a dummy user, for example `accmurph`.
  * Use sensible values for the other options.
 4. Boot into the newly installed system and configure it
  * For maximum automation you can use `https://gitlab.ucc.asn.au/ucc-systems/ucc-ansible-soe/`.
   {{{
cd /tmp/
git clone https://gitlab.ucc.asn.au/ucc-systems/ucc-ansible-soe.git
sudo apt install ansible
cd ucc-ansible-soe
}}}
   * Then edit the `ucc-hosts` file and add the name of the machine (minus the .ucc.asn.au part, that will be done in the playbook), then finally run:{{{
ansible-playbook --connection=local -i ucc-hosts --limit {INSERT_HOSTNAME_HERE} -K clubroom-desktop.yml
}}}
  * Once done, run `ocsinventory-agent` once, set the root password and add wheel keys, and continue from step 6.
 
 If not using the ansible playbook, continue with the instructions below.
  
  * Set up [[ActiveDirectory#Linux|Active Directory]]
  * Ensure wheel group and sprocket group have sudo permission: {{{sudo visudo}}} {{{
%wheel ALL=(ALL:ALL) ALL
%sprocket ALL=(ALL:ALL) ALL
}}}
  * Ensure wheel group and sprocket group have administrative rights in Polkit. Create the file {{{/etc/polkit-1/localauthority.conf.d/90-ucc-desktops.conf}}} with the following contents: {{{
[Configuration]
AdminIdentities=unix-group:wheel;unix-group:sprocket
}}}
  * Modify `/etc/fstab` to mount `/away`. Use something like this (can differ with distro): {{{
away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,soft,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.requires=network-online.target 0 1
}}}
    * x-systemd.requires=network-online.target is oddly insufficient, but x-systemd.automount is relatively robust, see [[https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/|systemd]] . According to [[https://www.freedesktop.org/software/systemd/man/systemd.mount.html|mount]] , systemd-fstab-generator implicitly defeats retries and continues without "failing" by means of "x-systemd.mount-timeout=infinity,retry=10000,fg,nofail" , so try [[https://www.freedesktop.org/software/systemd/man/systemd.automount.html|automounts]]
  * Network configuration is via DHCP and handled entirely by `NetworkManager`
  * Use a local package repository mirror with `sudo mint-switch-to-local-mirror`
 5. Install software. {{{
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i google-chrome-stable_current_amd64.deb
wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
sudo apt install apt-transport-https
echo "deb https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list
wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub | gpg --dearmor | sudo dd of=/usr/share/keyrings/vivaldi-browser.gpg
echo "deb [signed-by=/usr/share/keyrings/vivaldi-browser.gpg arch=$(dpkg --print-architecture)] https://repo.vivaldi.com/archive/deb/ stable main" | sudo dd of=/etc/apt/sources.list.d/vivaldi-archive.list
sudo apt update
sudo apt install -y arduino blender build-essential cvs chromium-browser etckeeper fish freecad freeglut3-dev geeqie gimp glew-utils gnucash google-chrome-stable gtk2-engines-oxygen inkscape jhead keepassxc kicad ladvd libreoffice mlocate mplayer nasm nfs-common ocsinventory-agent openjdk-11-jdk openssh-server parallel pidgin python3 remmina remmina-plugin-rdp rdesktop subversion thunderbird tig vim-gtk vivaldi-stable vlc zsh lyx texlive torbrowser-launcher xdotool sublime-text
}}}
  * The server hostname for OCSInventory is `https://ocsinventory.ucc.asn.au/ocsinventory`
   * Check everything works by adding `ssl=0` to `/etc/ocsinventory/ocsinventory-agent.cfg` and then running '''ocsinventory-agent''' from the command line and then check https://ocsinventory.ucc.asn.au for an entry
  * Download the discord-x.x.x.deb file from `https://discord.com` and install.
  * <!> Set the root password, then add the UCC root SSH keys: (make sure PermitRootLogin yes in /etc/ssh/sshd_config) add the hostname to `/home/wheel/bin/uccroot/push.sh`, then run that script.
 6. Set up the UCC printer `blacklight`
  * Open the '''Printers''' settings panel
  * Add printer from auto-detection on network, but if that doesn't work...
   * Add printer directly (list its hostname in the insert field)
   * If the definition file cannot be located, download from the manufacturer's website (some googling may be required)
 7. Log in '''as your own user''' (reboot if necessary to do so) and go to login window preferences in the main menu
  * Set theme to elegance
  * Go to options and deselect "automatically select the last logged in user"
  * Also change the default session from "Automatically detected" to "cinnamon"
  * Go to System Settings -> Login Window -> Users and enable "Allow manual login" and "Hide the user list".
  * Reboot.
  * Delete the initial user: {{{ sudo userdel -r accmurph }}} (ignore any errors)
 8. Enable automatic upgrades in the Update Manager (GUI)
  . {{attachment:mintupdates.png|Tick the box "Apply updates automatically" and ignore any warnings about system stability|height=250}}
  . Tick the box "Apply updates automatically" and ignore any warnings about system stability.

=== Proprietary NVidia Drivers ===
NOTE: `nouveau` is preferred if it works, as it integrates with the kernel.

 1. Locate the driver edition for the card (the major number of the driver version specified on http://www.nvidia.com/Download/index.aspx?lang=en-us)
  * DON'T DOWNLOAD FROM HERE
  * Remember to select "Linux x64" as the OS
 1. Install the relevant package `sudo apt install nvidia-<VER>`
  * E.g. `nvidia-340` for the GeForce 9600
 1. Reboot
 1. If the graphics don't work (e.g. falls back to software rendering), `sudo apt purge nvidia-<VER>`
= Mac Desktops =
/!\ The following instructions apply to APFS formatted drives (typically beyond and including High Sierra), where Apple made the decision to make the root of the drive read only. Regardless, you will probably want to update to a more recent version anyways (including possible use of [[https://dortania.github.io/OpenCore-Legacy-Patcher/|OpenCore Legacy Patcher]].)
 * At install:
  * Don't need to worry about much, just try to minimise any tracking/analytics.
  * Create a local user (no Apple ID) with username `accmurphy` and the clubroom password.
 * Once logged in:
  * Join to AD:
   * Make sure that you've gotten DNS/DHCP sorted as well as /away/ exported and ready to access. Otherwise you will run into strange issues when you join to AD.
   * Navigate to "Users & Groups" (In System Preferences, or use CMD+Space to open search)
   * Click "Login Options" in the left column.
   * Click "Join..."
   * Enter `ad.ucc.gu.uwa.edu.au` as the server.
   * <!> You will need a wheel member to authenticate into AD.
   * Click OK and let it bind.
  * Configuring AD:
   * Navigate to "Directory Utility" (Use Spotlight Search as before)
   * Click the lock in the bottom left to unlock settings.
   * Select "Active Directory", and then click the pen icon on the bottom left.
   * Select "Show Options" in the dialog that appears.
   * Under "User Experience"
    * Deselect "Create mobile account at login", "Force local directory on startup disk", and "Use UNC path to derive network home location"
    * Change "Default user shell:" to `/bin/zsh`
   * Under "Mappings"
    * Select and map UID to `uidNumber`
    * Select and map user GID to `gidNumber`
    * Select and map group GID to `gidNumber`
   * Under "Administrative":
    * Under "Allow administration by:", add `UCCDOMAYNE\wheel` and `UCCDOMAYNE\sprocket`.
  * Hit "OK" and reauthenticate as needed.
At this point, you will have joined to AD but will not be able to log into any accounts which are not `accmurphy` as we will need to mount home folders manually.
 * Configuring NFS home directories
  * Open up a terminal and `cd /etc/`
  * Configuring `automount`
   * Open `auto_master` with your preferred editor of choice. Remove (or comment out) any lines which are there and add this line:
   .{{{
/System/Volumes/Data/mnt /etc/auto_home
}}}
   * Save and exit.
   * Open `auto_home`. Remove (or comment out) any lines which are there and add this line:
   .{{{
away -rw,tcp away.ucc.asn.au:/space/away/home
}}}
   * You might have to create the mount point manually: `mkdir /System/Volumes/Data/mnt/away`
   * '''RUN `sudo automount -vc` AND CHECK IF `away` MOUNTED SUCCESSFULLY'''
We should now have home directories mounted. One last step remains which is to create a symlink to it from the root of the drive. Normally this would be impossible due to the read-only nature of it, but Apple have generously provided a way to synthesise these at boot via the kernel.
 * Configuring `synthetic.conf`
  * Also in a terminal:
   * Navigate to /etc/ `cd /etc`
   * Create `synthetic.conf` if it doesn't exist `touch synthetic.conf` and then open in your editor of choice.
   * Add this line:
   .{{{
home System/Volumes/Data/mnt/away
}}}
   * Reboot.
If all went well, you should now be able to sign into your AD account and have your home folder dynamically mount from `away`. To finish off, install Chrome, OCSInventory, Discord, and Python.

Additional settings and notes:
 * Allow multiple users to be logged in, with session swapping:
  * Navigate to "Users & Groups" (In System Preferences, or use CMD+Space to open search)
  * Click "Login Options" in the left column.
   * Set "Display login window as:" to "Name and password".
   * Check "Show fast user switching menu as" and set it to "Account Name".
 * A note on `brew`
  * You will probably want to install this, unluckily it isn't great inside a multi-user environment.
  * The most sane workaround is to '''ONLY''' use `brew` from the `accmurphy` account.
  * A nice way to do this is to log in as `accmurphy` (`su accmurphy`) and install as usual...
  * Then add this to your user's shell config: `alias brew='sudo -Hu accmurphy brew'`
 * Keyboards
  * You will also probably want to swap the functionalities (and keycaps) of the Alt and Super keys.
  * The best way to do this is to use [[https://doublecommand.sourceforge.net/index.html|DoubleCommand]], a kernel extension which has numerous options for proper keyboard handling.
   * Install and configure as you see fit. Make sure to save your config as "System" so that new users won't have to configure it themselves.
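Review bot: the root SSH step asks for `PermitRootLogin yes` in `/etc/ssh/sshd_config`, but root access is provisioned by the key push from `/home/wheel/bin/uccroot/push.sh`, so `PermitRootLogin prohibit-password` gives the same access without enabling root password login over the network. Also in this region: the "No logon servers available" fix sets `max protocol = NT1` on the Samba server, which is a server-wide SMB1 downgrade for every client, and the last step comments the line out but never restarts `samba_server` again, so add that restart; the Sublime Text key is still installed with `apt-key add -` while the Vivaldi lines directly below already use the `signed-by=` keyring pattern, so convert Sublime to the same form; `ssl=0` in `ocsinventory-agent.cfg` disables certificate checking for the inventory upload and should be described as a temporary test setting rather than the final state; and the NFS home server is `away.ucc.gu.uwa.edu.au` in the Linux fstab line but `away.ucc.asn.au` in the Mac `auto_home` line, and the Mac map carries none of the `nosuid,nodev` options used on Linux.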
Line 79: Line 253:
  * Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
  * The UCC standard install has all volumes in LVM on md raid. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline! 
  * Keep APT sources.list (or software repositories) as minimal as possible, but if you don't:
    *
Beware of copying the apt sources.list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
  * The UCC standard install has all volumes in LVM on md raid. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline!
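Review bot: the apt_preferences warning now sits under "Keep APT sources.list ... minimal", which reads better, but neither version says where that file lives; name `/etc/apt/preferences` (or a file under `/etc/apt/preferences.d/`) so the reader knows exactly what to copy alongside `sources.list` from the other server.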
Line 92: Line 267:
  * Only do this once you have DNS set up and working properly   * Only do this once you have DNS set up and working properlyChangeLog#preview
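Review bot: "Only do this once you have DNS set up and working properly" appears here without the step it guards, and the trailing `ChangeLog#preview` is wiki navigation text that has been run onto the line; restore the single sentence and name the step it qualifies (the LDAP/AD join that follows is the obvious candidate), because a directory join failing part-way on a machine with no DNS is precisely what the warning is there to prevent.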
Line 106: Line 281:
 * Set up [[LDAP]]:
  * Install required packages with `apt-get install --no-install-recommends libnss-ldapd libpam-ldapd`
  * Set server to `ldaps://mussel.ucc.gu.uwa.edu.au/ ldaps://motsugo.ucc.gu.uwa.edu.au/` - do not use the ucc.asn.au domain
  * Set search base to `dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au`
  * Check server SSL certificate: demand
  * `wget -O /etc/ssl/UCC-CA.crt http://ucc.asn.au/UCC-CA.crt` to copy the UCC certificate authority
   * If wget fails with a certificate error, delete the zero-sized /etc/ssh/UCC-CA.crt that has been created and add --no-check-certificate before the -O
  * Edit `/etc/nslcd.conf` and add the line `tls_cacertfile /etc/ssl/UCC-CA.crt`
  * Restart nslcd: `/etc/init.d/nslcd restart`
  * nsswitch controls where the operating system looks for password and group information (amongst other things). Ensure the following lines in /etc/nsswitch.conf are set (leaving the other settings at default):
  . {{{
passwd: compat ldap
group: compat ldap
shadow: compat ldap

services: db files ldap
}}}
  * What the {{{compat ldap}}} bit does is to perform a logical "or" of the local and ldap information sources in order to resolve a user or group. This means that most UCC groups will work without (much) further configuration and you're not mangling the local passwd and group files. The catch? Local information is given preference so you have to go through the /etc/group file and ensure there are no group numbers which conflict with the ldap groups.
   * Explicitly add wheel:x:0: to the top of /etc/group , e.g.
   . {{{
# sed -i '1iwheel:x:0:' /etc/group
# grep :0: /etc/group
wheel:x:0:
root:x:0:
}}}
   * Look out for local group numbers that conflict with ldap group numbers (21, 101, 666 for example) - we may need to change our ldap group numbers to avoid conflicts. In the past we have just deleted the local group, but you can only do this if the local group doesn't already own files on the machine (or if you're so inclined, you can renumber local groups and files).
  * PAM provides authentication for applications and services - don't skip this step! The modules are configured with the files in `/etc/pam.d/` with the most important ones being the common-* files. It's important to note that the rules are checked from '''top to bottom''' and order is '''very''' important. It's best to just take a look at the config files in [[Motsugo]]'s `/etc/pam.d/` and edit your local files to match because there's a lot of small changes to make. Ensure you remove the `minimum_uid=1000` argument out of all the common-* files (just that bit, not the whole line!) because a few UCCans have UIDs below 1000.
  * After you have configured PAM:
   * Test: `id accmurph` should show `uid=666(accmurph) gid=666(winadmin) groups=666(winadmin)` - if so, libnss-ldapd is working.
    * The gotcha: it's common practice to set the initial username on most machines to accmurphy. If this user hasn't been deleted properly it will get in the way of your ldap testing (and similarly if you've used your own username)!
    * The other gotcha: yes, you should `id accmurph` '''not ''' `id accmurphy`
   * Test: `login` and try your username and password - if ok, libpam-ldapd is working.
 * Setup Active Directory. Follow the instructions at [[ActiveDirectory]]
 * Allow wheel members sudo access to the machine by running {{{visudo}}} and adding the following lines:
 . {{{
# Allow wheel members to execute any command
%wheel ALL=(ALL:ALL) ALL
}}}
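Review bot: the trust anchor is fetched over plain HTTP with `wget -O /etc/ssl/UCC-CA.crt http://ucc.asn.au/UCC-CA.crt`, and the fallback bullet adds `--no-check-certificate`, which undercuts "Check server SSL certificate: demand" one line earlier: a CA obtained this way should be compared (fingerprint or checksum) against the copy on an existing server, or simply copied from one over SSH. The same fallback bullet refers to `/etc/ssh/UCC-CA.crt` where the command writes `/etc/ssl/UCC-CA.crt`. Separately, the PAM bullet says to remove `minimum_uid=1000` entirely; setting it to the lowest real member UID instead keeps system accounts from being authenticated through LDAP while still admitting the few UCCans below 1000.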
Line 139: Line 288:
 * Install Phonehome:
  * `apt-get install python-zsi rsync apt-listchanges`
  * On mooneye:
   * Start an ssh-agent using {{{eval `ssh-agent`}}}
   * Authenticate your root key using {{{ssh-add ~<username>/.ssh/id_rsa}}}
   * {{{cd /usr/local/phonehome && ./setup.zsh $HOSTNAME}}}
   * Once finished, kill your ssh-agent using {{{ssh-agent -k}}}
   * Add the machine's address as trusted in {{{/etc/opendispense2/dispsrv.conf}}} on `merlo`, and then restart `dispsrv` with {{{systemctl restart dispsrv}}}
   * For users to be able to dispense, you also need to install {{{oidentd}}}
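Review bot: adding the machine's address as trusted in `/etc/opendispense2/dispsrv.conf` makes dispense authorisation depend on the client's IP plus `oidentd` replies, so it only holds if the DHCP entry from "Steps to do before installation" is a fixed reservation and the address cannot be reused by another host; say so in the step. Also check that `python-zsi` (a Python 2 only package) is still installable on the target release before keeping it in the `apt-get install` line.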
Line 149: Line 293:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB] ##these are formatted like this so you can paste them straight into the terminal after "apt install", keep them in alphabetical order please. [BOB]
Line 151: Line 295:
alpine apache2 biff build-essential ccache cvs distcc finger fish fortune ircii irssi joe ladvd logwatch molly-guard monotone mosh ncurses-term openbsd-inetd ocsinventory-agent rkhunter rssh screen subversion sudo sun-java6-jdk susv3 strace sxid tig tmux vim wireshark zsh
}}}
  * The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
  * For distcc, you will need to copy the config off another server from /etc/default/distcc
alpine apache2 biff etckeeper finger fish joe ladvd logwatch mlocate molly-guard mosh ncurses-term ocsinventory-agent openbsd-inetd parallel rkhunter rssh screen subversion sudo strace sxid tig tmux tshark uptimed vim zsh
}}}
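Review bot: both package lists keep `rssh`, which is unmaintained upstream and is no longer shipped in current Debian releases, so check that it still installs or document its replacement before it becomes a silent failure in the paste-in line; replacing `wireshark` with `tshark` is an improvement, but both pull in `wireshark-common`, whose debconf prompt asks whether non-superusers may capture packets and should be answered no on a shared server. The OCS server is given here as `ocsinventory-ng.ucc.gu.uwa.edu.au` but as `https://ocsinventory.ucc.asn.au/ocsinventory` in the desktop sections; align the two.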
Line 159: Line 301:
 * Copy rkhunter.conf, pine.conf, mailname from another server  * Drop the following file into /etc/sysctl.d/50-local-ucc.conf
 {{{
# [msh] 201910..
kernel.dmesg_restrict=0
# [NTU][BOB][MTL] 2020-04-25
# enable Magic SysRequest key https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
kernel.sysrq=1
}}}
 * Copy rkhunter.conf, mailname from another server
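Review bot: `kernel.dmesg_restrict=0` lets any local user read the kernel ring buffer and `kernel.sysrq=1` enables every SysRq function, but the file only records who added the lines and when, not why; add the rationale, and if the goal is recovering a hung server consider a bitmask such as `kernel.sysrq=176` (sync, remount read-only, reboot) rather than `1`.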
Line 174: Line 324:

= Linux Desktops =
== Mint with cinnamon is the agreed SOE - don't install other operating systems or distros ==
 * Add a root user and nuke the initial unprivileged user
 * Set up [[LDAP]] by following the instructions in the linux servers section of this page
 * Ensure wheel group and sprocket group have sudo permission {{{sudo visudo}}}
{{{
%wheel ALL=(ALL:ALL) ALL
%sprocket ALL=(ALL:ALL) ALL
}}}
 * Modify /etc/fstab to mount /away
Something like this (differs with distro):
{{{
services.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft 0 0
}}}

 * Add the following lines to /etc/network/interfaces. If you don't do this, network manager takes over the interface and nfs shares don't correctly mount at boot:
{{{
auto eth0
iface eth0 inet dhcp
}}}

 * Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.


Ensure the following packages are installed:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB]
{{{
blender build-essential cvs chromium-browser freeglut3-dev geeqie gimp glew-utils gnucash hugin inkscape jhead ladvd libglew-dev libglew1.10 libreoffice locate mplayer nasm nfs-common nslcd ocsinventory-agent pidgin rssh openjdk-7-jdk openssh-server python remmina subversion thunderbird tig vim-gtk vlc zsh
}}}
Ensure the following packages are NOT installed:
{{{

}}}
then (These ones are non-crucial/take a long time_)
apt-get install {lyx}


 * The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
 * Log in and go to login window preferences in the main menu
  * Set theme to elegance
  * Go to options and deselect "automatically select the last logged in user"
  * Also change the default session from "Automatically detected" to "cinnamon"


Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there


== Debian or Ubuntu ==
 * Add a root user and nuke the initial unprivileged user
 * Ensure the package sources are pointing at AARNET's mirror, not UWA's
 * Set up [[LDAP]] by following the instructions in the linux servers section of this page
 * Modify /etc/fstab to mount /away
Something like this (differs with distro):
{{{
services.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft 0 0
}}}
 * Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
 * Install Phonehome:
  * `apt-get install python-zsi rsync apt-listchanges`
  * As root on mooneye
   * Add your root key by running:
    * {{{eval `ssh-agent`}}}
    * {{{ssh-add ~<username>/.ssh/id_rsa}}}
   * Then run the following command once you have unlocked your key {{{cd /usr/local/phonehome && ./setup.zsh <hostname>}}}
   * Finally, kill the ssh-agent using {{{ssh-agent -k}}}



Ensure the following packages are installed:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB]
{{{
blender build-essential cvs chromium-browser compizconfig-settings-manager freeglut3-dev geeqie gimp glew-utils gnome-desktop-environment gnucash hugin inkscape jhead joe ladvd libglew-dev libglew1.8 locate mplayer nasm nfs-common nslcd ocsinventory-agent pidgin rssh openjdk-7-jdk openssh-server python remmina subversion thunderbird tig ubuntu-restricted-extras vim-gtk vlc zsh
}}}
Ensure the following packages are NOT installed:
{{{
ubuntuone-client unity-lens-shopping
}}}
then (These ones are non-crucial/take a long time_)
apt-get install {lyx}


 * The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au

 * Ensure wheel group and sprocket group have sudo permission {{{sudo visudo}}}
{{{
%wheel ALL=(ALL:ALL) ALL
%sprocket ALL=(ALL:ALL) ALL
}}}

Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there

=== Graphics Don't Work? ===

If you get messages like "Hooray! GNOME3 won't work because your graphics hardware does not support it", or {{{glxinfo}}} segfaults, or {{{glxgears}}} does not show anything,
then you have entered the wonderful world of troubleshooting graphics drivers!

NVidea should just work. If you have problems, remove the {{{nouveu}}} driver and replace it with the non-free {{{nvidia}}} driver.

If things seem totally fucked, you probably have an AMD graphics card. Eg:
{{{
    $ lspci | grep -i vga
    00:01.0 VGA compatible controller: Advanced Micro Devices [AMD] nee ATI BeaverCreek [Radeon HD 6550D]
}}}

You have two options; if one doesn't work try the other.

 * Install the debian {{{non-free}}} version of {{{fglrx}}} which may or may not explode
 * Install the official AMD {{{fglrx}}} which will definitely explode but may take longer to do so: [[http://support.amd.com/en-us/download]]

If none of this works you are doomed and need to try a different OS. However, debian or ubuntu are usually actually the best for {{{fglrx}}}, so you're probably still doomed.

== Networking is Notworking? ==

Disable IPv6.

== OpenSUSE ==
 * Rule 1: don't go messing with text config files (eg ldap, pam, nsswitch) - OpenSUSE is mostly configured through the GUI, and you'll be frustrated if you try to mix the two.
 * You can put it on ldap within the installer, so you won't need to create an unprivileged account like in Ubuntu
 * Put the machine on LDAP
  * Open YaST, either from the GUI or the command line, and select 'LDAP Client'
   * Set the address of LDAP servers to `mussel.ucc.gu.uwa.edu.au motsugo.ucc.gu.uwa.edu.au`
   * Click on 'Fetch DN' and the UCC dn should appear
   * 'Use LDAP' should be selected, deselect all other checkboxes
   * Click on advanced configuration
    * Deselect 'Use SSSD'
    * Set the user map to ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    * Set the password map to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    * Set the group map to ou=group,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
  * Run the following commands from a terminal as root:
   * `pam-config -a --ldap`
   * `pam-config -d --sss`
   * Running `id accmurph` should show `uid=666(accmurph) gid=666(winadmin) groups=666(winadmin)` if everything is working
 * Mount user home directories
  * Ensure there is a /away export to the machine from mylah
  * Delete or move the old /home directory: `rm -rf /home` (don't even leave an empty directory in / )
  * Set up automounting of home directories
   * OpenSUSE 11.4:
     * Uncomment the "/net -hosts" line in /etc/auto.master
     * Ensure you can ping mylah
     * Open YaST, go to 'System Services (Runlevel)', and enable the autofs and rpcbind services FROM SIMPLE MODE
     * Create a magic link to the home directories `ln -s /net/mylah/space/away/home /home`
     * Check this works by going to /home and listing the directory contents
     * If things aren't working the way they should, test mounting /away manually with the `mount` command after creating the /home directory. Don't forget to unmount /home and delete the empty directory when you're done.
   * OpenSUSE 12.2:
     * autofs is deprecated! Yay! We use systemd now.
     * From YaST, go to 'System Services (Runlevel)', and enable the 'nfs' and 'rpcbind' services.
     * Edit /etc/fstab (even though, strictly speaking, it's deprecated -- gotta love systemd)
     * Add this line:
{{{
services.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,nolock,noauto,comment=systemd.automount 0 0
}}}
     * Maybe reboot (it can't hurt, right...)
     * ls /home (or do something in the directory in order to make it mount)
     * Everything should work
   * Check this is still working after a reboot!
 * Run a quick upgrade of all packages using `zypper up` before going any further.
 * The package management tool in OpenSUSE is zypper. Install the following packages using `zypper install` from a terminal
{{{
blender compiz compiz-plugins-extra compizconfig-settings-manager findutils-locate finger freeglut-devel glew glew-devel gcc geeqie gimp git hugin jhead joe nasm opera pidgin MozillaThunderbird zsh
}}}
 * OpenSUSE also supports 'pattern' packages (much like the build-essential package in Debian). Install the following patterns using `zypper install -t pattern`
{{{
devel_C_C++ devel_ide devel_java devel_mono devel_perl devel_python devel_qt4 devel_rpm_build devel_ruby devel_web remote_desktop
}}}
 * OpenSUSE 11.4 only: Compiz on OpenSUSE 11.4 has a problem where compiz-manager doesn't start correctly for users running compiz, so those users get no window borders. This can be fixed by creating /etc/xdg/autostart/compiz-manager.desktop with the following contents:
{{{
[Desktop Entry]
Type=Application
Exec=/usr/bin/compiz-manager
Hidden=false
X-GNOME-Autostart-enabled=true
Name[C]=Compiz Manager (fix)
Name=Compiz Manager (fix)
Comment[C]=Fixes the annoying issue
Comment=Fixes the annoying issue
}}}
 * Install suitable graphics drivers. For ATI and nVidia chips see: http://en.opensuse.org/SDB:ATI_drivers and http://en.opensuse.org/SDB:NVIDIA_drivers
  * To use nouveau instead of nvidia, remove nvidia-computeG02 nvidia-gfxG02-kmp-desktop x11-video-nvidiaG02 and install Mesa-nouveau3d
  * Check compiz is working after a reboot (wobbly windows!)
 * Install vlc from this site: http://www.videolan.org/vlc/download-suse.html
 * Install google chrome (these instructions assume 64-bit openSUSE)
  * `wget https://dl-ssl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm`
  * `zypper install google-chrome-stable_current_x86_64.rpm`
 * Enable ssh and add the root keys:
  * Enable the sshd service through YaST
  * Allow Secure Shell Server through the firewall using YaST
  * Add the hostname to /home/wheel/bin/uccroot/push.sh and run that script
 * Add wheel to sudoers using visudo, and delete the two lines in the file that are mentioned in the comments in the file
 * Install ocs-inventory:
  * Download the source tarball from http://www.ocsinventory-ng.org/en/download/download-agent.html
  * Follow the instructions in the README to build and install it
  * The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
 * Add printers. Phosphorous on mussel is currently best added as a samba printer

= Mac Desktops =
 * Do a fresh install of the operating system
 * Enable Remote Login http://support.apple.com/kb/PH18726
 * Add the UCC CA
  * Download https://ucc.asn.au/UCC-CA.crt
  * Add to System keychain
  * Trust root certificate
 * Settings > Users and Groups > Join Network Account Server
   * Open Directory Utility
    * Select LDAP then click the pencil icon
    * Add mussel.ucc.gu.uwa.edu.au
    * Enable Encrypt using SSL
   * Set RFC2307 mappings
   * Set search base to `dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au`
   * Edit the server settings
    * Disable "Use custom port"
 * Set up home directories
  * Open terminal and sudo to root
  * `mv /home /home2` to move the old `/home` out of the way, probably something still has it open
  * `ln -s /net/services.ucc.gu.uwa.edu.au/space/away/home /home` to use the automounter for `/home`, if you don't understand this, ask.
  * `ls -l /home` should now show `ucc`, `wheel`, etc. If not you need to work out why.
 * Reboot and SSH etc. should work.
 * TODO: cron'ed weekly fstrim(8)

This page is intended as a guide to set up UCC machines in some sort of standard way. Please update this if you find any problems when installing things (especially if using newer versions than described here).

Steps marked with <!> require a wheel member, anything else can be done by a winadmin.

Before you start

Steps to do before installation

  • <!> Add forward and reverse DNS entries for the machine.

  • <!> Add the machine to DHCP.

  • <!> Make sure all licenses required are on hand (see /home/wheel/docs/software-license/ on a user server)

Steps to do after

  • Check everything works as expected
  • Email [email protected] with a summary of what was set up/re-installed

Dualboot Machines

These instructions relate to Dualbooting Windows 10 and Linux Mint. If installing a dualboot machine, always install Windows first where possible.

  1. Install Windows following the instructions below. Make note of the following when setting up the disks:

    • Depending on the size of the disk, try to reserve up to 500GB or more for Windows.
    • Linux works fine on anything down to about 100GB but 200GB+ is preferable.
  2. Install Linux, making sure to use the previously reserved disk space.

    • Use a different hostname for the Linux installation (eg. catfish on Windows, and catfish-linux on Linux, or vice-versa)

    • This is necessary so that the machine accounts in AD don't have the same name, otherwise one OS's entry overwrites the other and things get broken.
  3. Set up a scheduled task on Windows to reboot into Linux each day.

Windows 10

All new Windows machines in UCC should be installed with Windows 10 by default. Previous versions are deprecated.

  1. Find a Windows install disk or make a new one. Make sure you select the Professional edition.
    • You can download the latest ISO image here and USB imaging tool here.

  2. Plug in the install disk and boot from it.
    • Select the US keyboard layout and Australian time/date format.
    • Agree to the license terms etc.
  3. Partition the disks.
    • Delete all existing partitions (if any) on the designated install disk.
    • Select the empty space and click "New" to create a new partition. Enter the desired size or use the whole disk (if not doing dualboot).
  4. Create a dummy user account (call it something like accmurph)

  5. Finish the installer. Once it has rebooted into the new Windows system and you have logged in you can continue.
  6. Install software.
    • Software in this list should either be free to download and install, or something that the UCC has a license for.
    • sshd, to automate the rest of the following
    • Open Powershell as Administrator and run the following:

      Set-ExecutionPolicy Bypass; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
      
      choco install -y 7zip.install adobereader chocolateygui discord firefox foxitreader freecad gimp git.install googlechrome hwmonitor inkscape javaruntime keepass.install kicad kitty libreoffice lyx miktex notepadplusplus.install opera paint.net python3 teamviewer texstudio tor-browser vivaldi vlc vscode windirstat winscp.install 
      • If Lyx cannot find "Latex.exe", run MikTeX (initexmf --admin --mklinks as admin in cmd) and retry.
    • Install Steam and Battle.net to the games drive (if any).

    • Install the corresponding Graphics Driver for your GPU.
    • Install the ocsinventory agent from https://ocsinventory-ng.org/?lang=en.

      • This software maintains a registry of all our hardware and is used to determine which machines need upgrading. The server to point it at is https://ocsinventory.ucc.asn.au/ocsinventory and turn off SSL cert verification. No auth is required.

    • https://github.com/da2x/EdgeDeflector/blob/master/README.md ?

  7. Set the Windows computer name - the installer picks a random one automatically and this is bad.
    • Right click on the Start button, select "System", then click "Rename this PC" and enter the desired name.
  8. Configure the system for the UCC network. (type any commands below into the Administrator Powershell window you just opened)

    • Delete the dummy user created during install, enable the local Administrator account and set the password:

      net user Administrator /active:yes
      net user Administrator <Clubroom Password>
    • DO ABOVE FIRST AND TEST! If you delete accmurph and mess up the admin password, you will need to reset and start again!

      net user accmurph /delete
    • Join the machine to the domain UCCDOMAYNE as described in ActiveDirectory#Windows.

    • REBOOT.

    • You may need to manually set the time if it is out of sync, run Command Prompt (not powershell!) as administrator and use the command time HH:MM:SS

    • Force update group policy on the machine (now in the admin Command Prompt window):

      gpupdate /force
      • Once Group Policy has been successfully applied (or before the machine is joined to the domain at all) you can force an NTP time sync with w32tm /resync /force

    • Add a static route for 130.95.13.0/26: (This prevents a VPN connection from trying to steal the default route to users' home directories.)

      route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65
    • Enable pings (alternatively, follow this guide):

      netsh firewall set icmpsetting 8 enable
  9. Add the UCC printer blacklight and set it as the default.

Linux Desktops

Linux Mint x64 Cinnamon (not the LMDE / Debian version) is the only Linux installation we support.

These instructions have been updated and checked with Linux Mint 21 - please update them to be compatible with any newer versions if you choose to install them.

  1. Find or create an install USB.
    • Download the ISO from https://www.linuxmint.com/download.php onto an existing Linux system.

      wget https://mirror.aarnet.edu.au/pub/linuxmint/stable/21/linuxmint-21-cinnamon-64bit.iso
    • Plug in the USB and get the device node with lsblk (look at the size of each drive)

    • Copy the image to the USB: (this will take a few minutes)

      sudo dd if=linuxmint-21-cinnamon-64bit.iso of=/dev/<usb identifier> bs=1M; sync;
  2. Boot from the USB and run the installer.
  3. Partition the disks. Select "something else" rather than the automagic guided options.
    • If you are setting up dualboot, do NOT delete any Windows-related partitions.
    • Create a new partition for the Linux system. No swap partition is required: Mint no longer creates one by default, and can use a swap file in the root partition if swap space is needed.
      • Use as ext4 file system and use / as the mount point.

    • Configure a dummy user, for example accmurph.

    • Use sensible values for the other options.
  4. Boot into the newly installed system and configure it
    • For maximum automation you can use https://gitlab.ucc.asn.au/ucc-systems/ucc-ansible-soe/.

        cd /tmp/
        git clone https://gitlab.ucc.asn.au/ucc-systems/ucc-ansible-soe.git
        sudo apt install ansible
        cd ucc-ansible-soe
      • Then edit the ucc-hosts file and add the name of the machine (minus the .ucc.asn.au part, that will be done in the playbook), then finally run:

        ansible-playbook --connection=local -i ucc-hosts --limit {INSERT_HOSTNAME_HERE} -K clubroom-desktop.yml
    • Once done, run ocsinventory-agent once, set the root password and add wheel keys, and continue from step 6.

    If not using the ansible playbook, continue with the instructions below.
    • Set up Active Directory

    • Ensure wheel group and sprocket group have sudo permission: sudo visudo

      %wheel ALL=(ALL:ALL) ALL
      %sprocket ALL=(ALL:ALL) ALL
    • Ensure wheel group and sprocket group have administrative rights in Polkit. Create the file /etc/polkit-1/localauthority.conf.d/90-ucc-desktops.conf with the following contents:

      [Configuration]
      AdminIdentities=unix-group:wheel;unix-group:sprocket
    • Modify /etc/fstab to mount /away. Use something like this (can differ with distro):

      away.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,auto,rw,tcp,nosuid,nodev,soft,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.requires=network-online.target      0       1
      • x-systemd.requires=network-online.target is oddly insufficient on its own, but x-systemd.automount is relatively robust (see the systemd documentation). According to the mount documentation, systemd-fstab-generator implicitly defeats retries and continues without "failing" by means of "x-systemd.mount-timeout=infinity,retry=10000,fg,nofail", so prefer automounts.

    • Network configuration is via DHCP and handled entirely by NetworkManager

    • Use a local package repository mirror with sudo mint-switch-to-local-mirror

  5. Install software.

    wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
    sudo dpkg -i google-chrome-stable_current_amd64.deb
    wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
    sudo apt install apt-transport-https
    echo "deb https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list
    wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub | gpg --dearmor | sudo dd of=/usr/share/keyrings/vivaldi-browser.gpg
    echo "deb [signed-by=/usr/share/keyrings/vivaldi-browser.gpg arch=$(dpkg --print-architecture)] https://repo.vivaldi.com/archive/deb/ stable main" | sudo dd of=/etc/apt/sources.list.d/vivaldi-archive.list
    sudo apt update
    sudo apt install -y arduino blender build-essential cvs chromium-browser etckeeper fish freecad freeglut3-dev geeqie gimp glew-utils gnucash google-chrome-stable gtk2-engines-oxygen inkscape jhead keepassxc kicad ladvd libreoffice mlocate mplayer nasm nfs-common ocsinventory-agent openjdk-11-jdk openssh-server parallel pidgin python3 remmina remmina-plugin-rdp rdesktop subversion thunderbird tig vim-gtk vivaldi-stable vlc zsh lyx texlive torbrowser-launcher xdotool sublime-text
    • The server hostname for OCSInventory is https://ocsinventory.ucc.asn.au/ocsinventory

      • Check everything works by adding ssl=0 to /etc/ocsinventory/ocsinventory-agent.cfg and then running ocsinventory-agent from the command line and then check https://ocsinventory.ucc.asn.au for an entry

    • Download the discord-x.x.x.deb file from https://discord.com and install.

    • <!> Set the root password, then add the UCC root SSH keys: make sure PermitRootLogin yes is set in /etc/ssh/sshd_config, add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.

  6. Set up the UCC printer blacklight

    • Open the Printers settings panel

    • Add printer from auto-detection on network, but if that doesn't work...
      • Add printer directly (list its hostname in the insert field)
      • If the definition file cannot be located, download from the manufacturer's website (some googling may be required)
  7. Log in as your own user (reboot if necessary to do so) and go to login window preferences in the main menu

    • Set theme to elegance
    • Go to options and deselect "automatically select the last logged in user"
    • Also change the default session from "Automatically detected" to "cinnamon"
    • Go to System Settings -> Login Window -> Users and enable "Allow manual login" and "Hide the user list".

    • Reboot.
    • Delete the initial user: sudo userdel -r accmurph (ignore any errors)

  8. Enable automatic upgrades in the Update Manager (GUI)
    • Tick the box "Apply updates automatically" and ignore any warnings about system stability.
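A post-install check for the Linux desktop steps above, added here as an example; it is not part of the original page or of the ucc-ansible-soe playbook. It only reads the files the steps edit (sudoers, the polkit file, fstab, sshd_config and ocsinventory-agent.cfg); the function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Post-install sanity check for the Linux Mint desktop steps above. Added
# example: not part of the original page or of the ucc-ansible-soe playbook.
# Each check takes the file to inspect as an argument so it can be pointed at
# test copies; audit_desktop runs them against the live /etc (run it as root,
# /etc/sudoers is not world-readable).

# Both %wheel and %sprocket need the "ALL=(ALL:ALL) ALL" rule from step 4.
check_sudoers() {
  f=$1; rc=0
  for g in wheel sprocket; do
    if ! grep -Eq "^%$g[[:space:]]+ALL=\(ALL:ALL\)[[:space:]]+ALL[[:space:]]*$" "$f"; then
      echo "sudoers: no rule for %$g"; rc=1
    fi
  done
  return $rc
}

# 90-ucc-desktops.conf must list both groups in AdminIdentities (any order).
check_polkit() {
  line=$(grep -E '^AdminIdentities=' "$1" 2>/dev/null | tail -n 1)
  case "$line" in
    *unix-group:wheel*unix-group:sprocket*|*unix-group:sprocket*unix-group:wheel*) return 0 ;;
  esac
  echo "polkit: AdminIdentities does not list both wheel and sprocket"; return 1
}

# The /home NFS entry must keep nosuid and nodev (every member can write to
# /away, so setuid binaries or device nodes placed there must not be honoured)
# and use x-systemd.automount, which the page found more robust than
# x-systemd.requires=network-online.target alone.
check_fstab_home() {
  opts=$(awk '$1 !~ /^#/ && $2 == "/home" && $3 == "nfs" { print $4; exit }' "$1")
  if [ -z "$opts" ]; then echo "fstab: no nfs entry for /home"; return 1; fi
  rc=0
  for o in nosuid nodev x-systemd.automount; do
    case ",$opts," in
      *",$o,"*) ;;
      *) echo "fstab: /home is missing option $o"; rc=1 ;;
    esac
  done
  return $rc
}

# Prints the effective PermitRootLogin. sshd takes the first occurrence and
# defaults to prohibit-password when unset; "yes" (needed for push.sh in step
# 5) also permits password logins for root, so it is worth seeing explicitly.
sshd_root_login() {
  v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
  echo "${v:-prohibit-password}"
}

# Returns 0 while ssl=0 is set in ocsinventory-agent.cfg, i.e. the agent is
# not verifying the inventory server's certificate. Fine for the one-off test
# in step 5; it should not be left that way once the entry has appeared.
ocs_ssl_disabled() {
  grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

audit_desktop() {
  rc=0
  check_sudoers /etc/sudoers || rc=1
  check_polkit /etc/polkit-1/localauthority.conf.d/90-ucc-desktops.conf || rc=1
  check_fstab_home /etc/fstab || rc=1
  echo "sshd: PermitRootLogin is $(sshd_root_login /etc/ssh/sshd_config)"
  if ocs_ssl_disabled /etc/ocsinventory/ocsinventory-agent.cfg 2>/dev/null; then
    echo "ocs: ssl=0 is still set, certificate verification is off"
  fi
  return $rc
}

# "sh ucc-desktop-audit.sh --run" performs the audit; sourcing the file
# only defines the functions.
case "${1:-}" in --run) audit_desktop ;; esac
```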

Proprietary NVidia Drivers

NOTE: nouveau is preferred if it works, as it integrates with the kernel.

  1. Locate the driver edition for the card (the major number of the driver version specified on http://www.nvidia.com/Download/index.aspx?lang=en-us)

    • DON'T DOWNLOAD FROM HERE
    • Remember to select "Linux x64" as the OS
  2. Install the relevant package: sudo apt install nvidia-<VER>

    • E.g. nvidia-340 for the GeForce 9600

  3. Reboot
  4. If the graphics don't work (e.g. it falls back to software rendering), remove it again: sudo apt purge nvidia-<VER>

Mac Desktops

/!\ The following instructions apply to APFS formatted drives (High Sierra and later), where Apple made the root of the drive read only. Regardless, you will probably want to update to a more recent macOS version anyway (possibly using OpenCore Legacy Patcher).

  • At install:
    • Don't need to worry about much, just try to minimise any tracking/analytics.
    • Create a local user (no Apple ID) with username accmurphy and the clubroom password.

  • Once logged in:
    • Join to AD:
      • Make sure that you've gotten DNS/DHCP sorted as well as /away/ exported and ready to access. Otherwise you will run into strange issues when you join to AD.
      • Navigate to "Users & Groups" (In System Preferences, or use CMD+Space to open search)

      • Click "Login Options" in the left column.
      • Click "Join..."
      • Enter ad.ucc.gu.uwa.edu.au as the server.

      • <!> You will need a wheel member to authenticate into AD.

      • Click OK and let it bind.
    • Configuring AD:
      • Navigate to "Directory Utility" (Use Spotlight Search as before)
      • Click the lock in the bottom left to unlock settings.
      • Select "Active Directory", and then click the pen icon on the bottom left.
      • Select "Show Options" in the dialog that appears.
      • Under "User Experience"
        • Deselect "Create mobile account at login", "Force local directory on startup disk", and "Use UNC path to derive network home location"
        • Change "Default user shell:" to /bin/zsh

      • Under "Mappings"
        • Select and map UID to uidNumber

        • Select and map user GID to gidNumber

        • Select and map group GID to gidNumber

      • Under "Administrative":
        • Under "Allow administration by:", add UCCDOMAYNE\wheel and UCCDOMAYNE\sprocket.

    • Hit "OK" and reauthenticate as needed.

At this point, you will have joined to AD but will not be able to log into any accounts which are not accmurphy as we will need to mount home folders manually.

  • Configuring NFS home directories
    • Open up a terminal and cd /etc/

    • Configuring automount

      • Open auto_master with your preferred editor. Remove (or comment out) any lines which are there and add this line:

        /System/Volumes/Data/mnt        /etc/auto_home
      • Save and exit.
      • Open auto_home. Remove (or comment out) any lines which are there and add this line:

        away  -rw,tcp   away.ucc.asn.au:/space/away/home
      • You might have to create the mount point manually: mkdir /System/Volumes/Data/mnt/away

      • RUN sudo automount -vc AND CHECK IF away MOUNTED SUCCESSFULLY

We should now have home directories mounted. One last step remains which is to create a symlink to it from the root of the drive. Normally this would be impossible due to the read-only nature of it, but Apple have generously provided a way to synthesise these at boot via the kernel.

  • Configuring synthetic.conf

    • Also in a terminal:
      • Navigate to /etc: cd /etc

      • Create synthetic.conf if it doesn't exist (touch synthetic.conf) and then open it in your editor of choice.

      • Add this line (the two fields must be separated by a tab, not spaces, or the entry is ignored at boot):

        home    System/Volumes/Data/mnt/away
      • Reboot.
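A pre-reboot check for the auto_master, auto_home and synthetic.conf edits above, added here as an example and not part of the original page. It verifies the synthetic.conf formatting rules and that the three files agree with each other; the function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Pre-reboot check for the auto_master, auto_home and synthetic.conf edits
# above. Added example, not part of the original page. File paths are passed
# in so the functions can be run against test copies.

# synthetic.conf(5) is strict: fields are separated by a single TAB, the first
# field is one path component directly under /, and a link target is written
# without a leading slash. A line that breaks any of these is ignored at boot
# and /home simply never appears.
check_synthetic_conf() {
  awk -F'\t' '
    BEGIN { bad = 0 }
    /^[[:space:]]*(#|$)/ { next }
    NF > 2 { print "synthetic.conf line " NR ": more than two TAB-separated fields"; bad = 1; next }
    $1 ~ /[[:space:]]/ { print "synthetic.conf line " NR ": fields must be separated by a TAB, not spaces"; bad = 1; next }
    $1 ~ /\// { print "synthetic.conf line " NR ": name must be a single path component"; bad = 1; next }
    NF == 2 && $2 ~ /^\// { print "synthetic.conf line " NR ": target must not start with /"; bad = 1; next }
    END { exit bad }
  ' "$1"
}

# Directory that auto_master hands to /etc/auto_home (the page uses
# /System/Volumes/Data/mnt because / itself is read-only on APFS).
automount_dir() {
  awk '$1 !~ /^#/ && $2 == "/etc/auto_home" { print $1; exit }' "$1"
}

# NFS source that auto_home mounts under the key "away".
auto_home_source() {
  awk '$1 !~ /^#/ && $1 == "away" { print $NF; exit }' "$1"
}

# Ties the three files together: the synthetic "home" link must point at
# <automount dir>/away, written without the leading slash. Prints the chain
# on success so it can be eyeballed before rebooting.
check_home_chain() {
  master=$1; home=$2; synth=$3
  dir=$(automount_dir "$master")
  [ -n "$dir" ] || { echo "auto_master: nothing maps to /etc/auto_home"; return 1; }
  src=$(auto_home_source "$home")
  [ -n "$src" ] || { echo "auto_home: no 'away' entry"; return 1; }
  want=${dir#/}/away
  target=$(awk -F'\t' '$1 == "home" { print $2; exit }' "$synth")
  [ "$target" = "$want" ] || {
    echo "synthetic.conf: home -> '$target' but automount gives '$want'"; return 1
  }
  echo "home -> /$want -> $src"
}

# "sh ucc-mac-home-check.sh --run" checks the live files in /etc.
case "${1:-}" in
  --run) check_synthetic_conf /etc/synthetic.conf &&
         check_home_chain /etc/auto_master /etc/auto_home /etc/synthetic.conf ;;
esac
```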

If all went well, you should now be able to sign into your AD account and have your home folder dynamically mount from away. To finish off, install Chrome, OCSInventory, Discord, and Python.

Additional settings and notes:

  • Allow multiple users to be logged in, with session swapping:
    • Navigate to "Users & Groups" (In System Preferences, or use CMD+Space to open search)

    • Click "Login Options" in the left column.
      • Set "Display login window as:" to "Name and password".
      • Check "Show fast user switching menu as" and set it to "Account Name".
  • A note on brew

    • You will probably want to install this; unfortunately it isn't great inside a multi-user environment.
    • The most sane workaround is to ONLY use brew from the accmurphy account.

    • A nice way to do this is to log in as accmurphy (su accmurphy) and install as usual...

    • Then add this to your user's shell config: alias brew='sudo -Hu accmurphy brew'

  • Keyboards
    • You will also probably want to swap the functionalities (and keycaps) of the Alt and Super keys.
    • The best way to do this is to use DoubleCommand, a kernel extension which has numerous options for proper keyboard handling.

      • Install and configure as you see fit. Make sure to save your config as "System" so that new users won't have to configure it themselves.

Linux Servers

  • At installation:
    • Avoid setting package sources to the UWA mirror as they are frequently out of date. AARNET seems to be the most reliable mirror at this stage
    • Keep APT sources.list (or software repositories) as minimal as possible, but if you don't:
      • Beware of copying the apt sources.list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
    • The UCC standard install has all volumes in LVM on md raid. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline!
  • Add a root user and nuke the initial unprivileged user:
    • That's as simple as running passwd as a super user, re-logging in as root and running deluser on the original user

  • If the machine has an SSD (or several thereof), ensure that TRIM (aka discard) is enabled at all layers (lvm and disk layer)
  • Set up DNS on Mooneye:

    • Add an entry to /etc/bind/domains/primary/ucc.machines then close the file and run zonemake.py in the same directory
    • If zonemake has errors, go back and fix them before proceeding!
    • Use rndc reload to get bind to reload the zone files

  • Set up DHCP on Murasoi:

    • Add the ethernet (MAC) address to /etc/dhcp/dhcpd.conf
    • Restart the DHCP server with service isc-dhcp-server restart

  • Set up NFS:
    • Only do this once you have DNS set up and working properly
    • Add the machine to the /etc/exports files on the appropriate servers (Motsugo for /home, Molmol (or just host "away") for /away and nortel+onetel for /services). Reload the server config with exportfs -r (Linux) or service mountd reload (FreeBSD)

    • Remember that only machines on the machine room subnet and physically within the machine room should mount /home while pretty much every machine should mount /away
    • Add the fstab line (copy off Motsugo or something)

    • mount -av and hope

  • Configure the SSH server:
    • Copy the SSH banner (usually in /etc/issue.net) from another server and modify it to suit
    • Ensure the correct banner file is set in /etc/ssh/sshd_config
    • Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config
    • Restart the SSH server and confirm all working
  • Add the UCC root SSH keys:
    • Add the hostname to /home/wheel/bin/uccroot/push.sh (this will add wheel keys to the machine when the script is run)
    • For adding non-wheelians to certain machines, add their public key to the <machine name>-extra in that same folder

    • Start an ssh-agent using eval `ssh-agent` and authenticate your root key using ssh-add ~<username>/.ssh/id_rsa, then run the updated push.sh script

  • Setup Active Directory. Follow the instructions at ActiveDirectory

  • Allow wheel members sudo access to the machine by running visudo and adding the following lines:

    # Allow wheel members to execute any command
    %wheel  ALL=(ALL:ALL) ALL
  • Install dispense: Go to /home/wheel/tpg/gitclones/opendispense2, run make -C src/client clean all and copy dispense to /usr/local/bin on the target server.

    • Add the machine's address as trusted in /etc/opendispense2/dispsrv.conf on merlo, and then restart dispsrv with systemctl restart dispsrv

    • For users to be able to dispense, you also need to install oidentd

  • Install postfix, set the mail host to mailhost.ucc.gu.uwa.edu.au

  • Packages to install:

    alpine apache2 biff etckeeper finger fish joe ladvd logwatch mlocate molly-guard mosh ncurses-term ocsinventory-agent openbsd-inetd parallel rkhunter rssh screen subversion sudo strace sxid tig tmux tshark uptimed vim zsh
  • For file servers, you should also install:

    acl clamav iotop nfs-common nfs-kernel-server
  • Drop the following file into /etc/sysctl.d/50-local-ucc.conf
    # [msh] 201910..
    kernel.dmesg_restrict=0
    # [NTU][BOB][MTL] 2020-04-25
    # enable Magic SysRequest key https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
    kernel.sysrq=1
  • Copy rkhunter.conf, mailname from another server
  • Install the UCC motd system on machines which mount /home:
    • Add the following line to /etc/inetd.conf:

      motda   stream  tcp     nowait  root    /home/wheel/bin/motd.update.sh motda
    • Also add the following line to /etc/services (keeping things in order!):

      motda           377/tcp                        # UCC MOTD update
    • Finally, run vimotd as root on mussel, add the appropriate information and save the file (which then triggers a global motd push to all servers)
  • Add the following line to the bottom of /etc/rsyslog.conf to enable central logging:

    *.* @130.95.13.1
  • TODO: cron'ed weekly fstrim(8)


CategorySystemAdministration