
NFS and Samba

Håvard O. Nordstrand 5 years ago
parent
commit
5967be7d07
1 changed file with 39 additions and 36 deletions

config/linux-server/debian.md

@@ -70,11 +70,13 @@ breadcrumbs:
     - Run `mount -a` to validate fstab.
     - (Optional) Restart the system for it to take effect.
 1. Setup SSHD:
-    - File: `/etc/ssh/sshd_config`
-    - `PermitRootLogin no`
-    - `PasswordAuthentication no`
-    - `AllowTcpForwarding no`
-    - `GatewayPorts no`
+    - In `/etc/ssh/sshd_config`, set:
+      ```
+      PermitRootLogin no
+      PasswordAuthentication no
+      AllowTcpForwarding no
+      GatewayPorts no
+      ```
     - Restart `sshd`.
 1. Update MOTD:
     - Clear `/etc/motd`.
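
Review bot: The SSHD step goes straight from `PasswordAuthentication no` in the new fenced block to "Restart `sshd`" with nothing in between, so a typo in the file or a missing authorized key locks the admin out of a remote machine. Suggest adding a bullet before the restart to confirm that key-based login already works and to run `sshd -t` to validate the config, and to keep the current session open until a fresh login succeeds.
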
@@ -121,42 +123,43 @@ breadcrumbs:
 
 #### QEMU Virtual Host
 
-1. Install `qemu-guest-agent`.
+1. Install QEMU guest agent: `apt install qemu-guest-agent`
 
 ### Networking
 
 1. **TODO** Security stuff, like IPv6 link-locals and NDP.
-1. (Alternative 1, Recommended) Setup networking using systemd-networkd:
-    1. Add a simple network config:
-      - Create `/etc/systemd/network/lan.network` based on [main.network](https://github.com/HON95/configs/blob/master/server/linux/networkd/main.network).
+1. (Recommended alternative) Setup networking using systemd-networkd:
+    1. Add a simple network config: Create `/etc/systemd/network/lan.network` based on [main.network](https://github.com/HON95/configs/blob/master/server/linux/networkd/main.network).
     1. Disable/remove the ifupdown config: `mv /etc/network/interfaces /etc/network/interfaces.old`
     1. Enable and (re)start systemd-networkd: `systemctl enable systemd-networkd`
     1. Purge `ifupdown` and `ifupdown2`.
-    1. Check the status: `networkctl [status [-a]]`
+    1. Check status: `networkctl [status [-a]]`
     1. Restart the system and check if still working. This will also kill any dhclient daemons which could trigger a DHCP renew at some point.
-1. (Alternative 2) Setup networking using ifupdown2:
-    1. Install `ifupdown2`.
-      - This may take the network down, so do it locally.
+1. (Other alternative) Setup networking using ifupdown2:
+    1. Install `ifupdown2`. (This may take the network down, so do it locally.)
     1. Restart `networking.service` afterward.
     1. Configure `/etc/network/interfaces`.
     - For VLAN support, install `vlan`.
     - For bond support, install `ifenslave`.
-1. (Alternative 1) Setup DNS without systemd-resolved:
-    1. Configure `/etc/resolv.conf`.
-1. (Alternative 2) Setup DNS with systemd-resolved:
-    1. In `/etc/systemd/resolved.conf`, set `DNS` to a space separated list of DNS servers.
-    1. If you're hosting a DNS server on this machine, set `DNSStubListener=no` to avoid binding to port 53.
+1. (Recommended alternative) Setup DNS with systemd-resolved:
+    1. (Optional) In `/etc/systemd/resolved.conf`, set `DNS` to a space separated list of DNS servers.
+       If not set, this will use the DNS servers specified by the network config.
+    1. (Optional) If you're hosting a DNS server on this machine, set `DNSStubListener=no` to avoid binding to port 53.
     1. Enable and start `systemd-resolved.service`.
     1. Point `/etc/resolv.conf` to the one generated by systemd: `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
+    1. Check status: `resolvectl`
+1. (Other alternative) Setup DNS without systemd-resolved:
+    1. Configure `/etc/resolv.conf`.
 1. Setup time and NTP:
     1. Set the timezone: `timedatectl set-timezone Europe/Oslo`
     1. Enable network time: `timedatectl set-ntp true`
-    1. In `/etc/systemd/timesyncd.conf`, set `NTP` (e.g. to `ntp.justervesenet.no`).
+    1. (Optional) In `/etc/systemd/timesyncd.conf`, set `NTP` (e.g. to `ntp.justervesenet.no`).
+       If not set, this will use the NTP servers specified by the network config.
     1. Restart `systemd-timesyncd`.
-    1. Check that NTP works: `timedatectl timesync-status`
+    1. Check status works: `timedatectl` and `timedatectl timesync-status`
 1. Setup firewall:
-    - Install: `iptables iptables-persistent netfilter-persistent`
-      - Don't save the current rules.
+    - Install: `apt install iptables iptables-persistent netfilter-persistent`
+        - Don't save the current rules.
     - Add som [simple](https://github.com/HON95/configs/blob/master/server/linux/iptables/iptables-simple.sh) or [complex](https://github.com/HON95/configs/blob/master/server/linux/iptables/iptables-complex.sh) rules.
 1. Reboot and make sure it still works.
 
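
Review bot: In the systemd-resolved step, the optional `DNSStubListener=no` bullet is followed by an unconditional symlink to `/run/systemd/resolve/stub-resolv.conf`, which points clients at the stub listener that the previous bullet just turned off. Suggest noting that hosts which disable the stub should link `/run/systemd/resolve/resolv.conf` instead, so lookups go to the upstream servers directly. Since `DNS` and `NTP` are now marked optional and fall back to "the network config", it is also worth stating that on a DHCP-configured host this means trusting whatever resolvers and time servers the DHCP server hands out. Minor: "Check status works:" in the NTP step reads like a leftover; the networkd and resolved steps use "Check status:".
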
@@ -193,24 +196,24 @@ Everything here is optional.
     - Example cron job (15 minutes past every 4 hours): `15 */4 * * * root /opt/bin/disk-space-checker`
     - Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.
 
-## Miscellaneous
-
-### Cron
-
-- Don't use periods (including file extensions) in the hourly/daily/weekly/monthly scripts.
-
 ## Troubleshooting
 
 - `network-online.target` is stalling during boot:
-  - See all services it depends on: `systemctl show -p WantedBy network-online.target`
-  - Disable the unused services which stall.
+    - See all services it depends on: `systemctl show -p WantedBy network-online.target`
+    - Disable the unused services which stall.
 - Firmware for the network card fails to load:
-  - Causes a syslog record like "firmware: failed to load rtl\_nic/rtl8168g-3.fw (-2)" when trying to up the interface.
-  - Might happen after installation even if working initially (for some reason).
-  - Realtek solution: Enable the "non-free" repo and install "firmware-realtek".
+    - Causes a syslog record like "firmware: failed to load rtl\_nic/rtl8168g-3.fw (-2)" when trying to up the interface.
+    - Might happen after installation even if working initially (for some reason).
+    - Realtek solution: Enable the "non-free" repo and install "firmware-realtek".
 - Perl complains about a locale error:
-  - Test with `perl -e exit`. It will complain if there's an error.
-  - Check the locale: `locale`
-  - Comment `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients bringing their own locale.
+    - Test with `perl -e exit`. It will complain if there's an error.
+    - Check the locale: `locale`
+    - Comment `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients bringing their own locale.
+
+## Miscellaneous Notes
+
+### Cron
+
+- Don't use periods (including file extensions) in the hourly/daily/weekly/monthly scripts.
 
 {% include footer.md %}
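
Review bot: The relocated Cron note under "Miscellaneous Notes" still gives the rule without the reason, which makes it easy to dismiss. Suggest adding that `run-parts` skips file names containing a period, so a script such as `backup.sh` dropped into the daily directory never runs. In the locale bullet of the Troubleshooting list, commenting out `AcceptEnv LANG LC_*` only takes effect after `sshd` is restarted, which the bullet does not say.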