Ubuntu/Bespin: Difference between revisions

From charlesreid1
 
(165 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Step by Step Articles==
All the setup involved for bespin, a Ubuntu 18.04 desktop server.
All the setup involved for bespin, a Ubuntu 18.04 desktop server.


=Setup=
* [[Ubuntu/Bespin/Initial Setup]] - initial setup of the Ubuntu machine
 
==Aptitude update==
 
During installation, we allow setup to join the wifi network. On first boot, the network manager will be running and will be connected to the same wifi network. We will disable network manager eventually, but first get some software.
 
<pre>
sudo apt-get update
sudo apt-get -y install vim gnome-tweak-tool net-tools
</pre>
 
Set caps lock as a control key.
 
==Allow sudo for user==
 
Create wheel group:
 
<pre>
sudo groupadd wheel
</pre>
 
Add user to group:
 
<pre>
sudo usermod -a -G wheel <your-username-here>
</pre>
 
Allow wheel group users passwordless sudo, first use visudo to edit the sudoers file:
 
<pre>
EDITOR=vi visudo
</pre>
 
Now add this line to the end:
 
<pre>
%wheel ALL=(ALL) NOPASSWD: ALL
</pre>
 
==Install ssh==
 
Install ssh and server:
 
<pre>
sudo apt-get install ssh
</pre>
 
Start the server:
 
<pre>
sudo service ssh start
</pre>
 
===Install trusted ssh key===
 
If you want, set up a machine to securely SSH into the Ubuntu server.
 
From the machine you want to SSH <b>FROM</b>:
 
<pre>
cat ~/.ssh/id_rsa.pub
</pre>
 
Copy this text. Now in another terminal, ssh into the Ubuntu server. Paste the output of the above command into the file:
 
<pre>
~/.ssh/authorized_keys
</pre>
 
Now verify that SSHing into the Ubuntu server will not ask you for a password.
 
==Configure WPA Supplicant==
 
We want to configure wifi manually, and disable the network manager. This requires some preparation to manually join a wifi network with wpa supplicant.
 
First set your wpa supplicant to join a wifi network.
 
<code>/etc/wpa_supplicant/wpa_supplicant.conf</code>
 
<pre>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
 
network={
    ssid="yournetworkhere"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP
    psk="yourpskhere"
}
</pre>
 
Next add the 2 usb wifi devices to network interfaces file. The following etc network interfaces file assumes that wlan0 will be joining an existing wifi network, and wlan1 will be in manual mode so it can be used as an AP.
 
<code>/etc/network/interfaces</code>
 
<pre>
allow-hotplug wlan0
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface wlan0 inet dhcp
 
allow-hotplug wlan1
iface wlan1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.1
</pre>
 
except actually the iface names were dependent on the mac addresses of the wifi cards.
 
==WPA Supplicant Startup Service==
 
Copy a wpa supplicant service template:
 
<pre>
sudo cp /lib/systemd/system/wpa_supplicant.service /etc/systemd/system/wpa_supplicant.service
</pre>
 
Edit the file
 
<pre>
sudo vim /etc/systemd/system/wpa_supplicant.service
</pre>
 
Change this line from this:
 
<pre>
ExecStart=/sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
</pre>
 
to this:
 
<pre>
ExecStart=/sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlan0
</pre>
 
Also, remove the following line if it is present:
 
<pre>
Alias=dbus-fi.w1.wpa_supplicant1.service # DELETE ME!
</pre>
 
Now enable this service to start on boot:
 
<pre>
sudo systemctl enable wpa_supplicant.service
</pre>
 
==Dhclient on Startup==
 
Create an rc.local startup service:
 
<code>/etc/systemd/system/rc-local.service</code>
 
<pre>
[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local
 
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
 
[Install]
WantedBy=multi-user.target
</pre>
 
Now add the dhclient command to rc.local:
 
<code>/etc/rc.local</code>
 
<pre>
#!/bin/bash
/sbin/dhclient
exit 0
</pre>
 
Make it executable:
 
<pre>
chmod 744 /etc/rc.local
</pre>
 
Now enable the rc-local service:
 
<pre>
sudo systemctl enable rc-local.service
</pre>
 
Verify it works okay:
 
<pre>
sudo systemctl start rc-local.service
sudo systemctl status rc-local.service
</pre>
 
===Requesting Static IP===
 
If you want to request a static IP from the router, add this to the dhclient config file:
 
<code>/etc/dhcp/dhclient.conf</code>
 
<pre>
interface "wlan0" {
    send dhcp-requested-address 192.168.0.122;
}
</pre>
 
==Disable Network Manager==
 
Next step is to disable the network manager.
 
<pre>
sudo systemctl disable network-manager
sudo systemctl stop network-manager
</pre>
 
Don't uninstall it, because that will uninstall a bunch of other important gnome packages and you'll be left with a stupid broken ubuntu.
 
Now reboot
 
<pre>
sudo reboot now
</pre>
 
==Test Wifi==
 
Test that everything is working as expected by running the ifconfig and iwconfig commands. ifconfig should show an IP address for the wlan0 interface that has the wpa supplicant defined in the network interfaces file. iwconfig should show the name of the wifi network that the wifi card is connected to.
 
If you don't have an IPv4 address, troubleshoot with the following commands:
 
Check if you can reach the internet:
 
<pre>
ping google.com
</pre>
 
Check logs from dhcp service started by rc.local (this gets an IP address from the router and is the most likely culprit):
 
<pre>
sudo service rc-local status
</pre>
 
Check logs from wpa supplicant:
 
<pre>
sudo service wpa_supplicant status
</pre>
 
==Tweaking Gnome==
 
Tweak the theme. You already have Tweak tool installed (see above apt-get install line).
 
===Install Macbuntu Theme===
 
Set it up to look like a mac by installing the macbuntu theme - see http://www.linuxandubuntu.com/home/macbuntu-transform-ubuntu-1604-to-mac-os-x
 
<pre>
sudo add-apt-repository ppa:noobslab/macbuntu
sudo apt-get update
sudo apt-get install macbuntu-os-icons-v1804
sudo apt-get install macbuntu-os-ithemes-v1804
</pre>
 
===Pick Tweak Theme===
 
Now you can open the Tweak tool and pick the Macbuntu theme.
 
===Install Plank===
 
Plank is a dock replacement.
 
Install it like so:
 
<pre>
sudo apt-get install plank
sudo add-apt-repository ppa:noobslab/macbuntu
sudo apt-get update
sudo apt-get install -y macbuntu-os-plank-theme-v1804
</pre>
 
Start it at boot by creating the following file:
 
<pre>
mkdir -p ~/.config/autostart
</pre>
 
<code>~/.config/autostart/plank.desktop</code>
 
<pre>
[Desktop Entry]
Type=Application
Exec=plank
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name=Plank
</pre>
 
To open Plank preferences, right-click on the right or left side of the Plank dock and choose Preferences.
 
===Disable Launcher===
 
Do this to disable the ubuntu-provided launcher dock:
 
<pre>
cd /usr/share/gnome-shell/extensions/
sudo mv ubuntu-dock@ubuntu.com{,.bak}
</pre>
 
If you can't wait to see it go, type Alt + F2, then enter the letter "r" in the input box. This will refresh gnome.
 
===Install Albert===
 
Albert is a spotlight/quicksilver replacement.
 
Install it like so:
 
<pre>
sudo add-apt-repository ppa:noobslab/macbuntu
sudo apt-get update
sudo apt-get install -y albert
</pre>
 
 
Start it at boot by creating the following file:
 
<code>~/.config/autostart/albert.desktop</code>
 
<pre>
[Desktop Entry]
Type=Application
Exec=albert
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name=Albert
</pre>
 
===Test with Restart===
 
Restart and test that the startup services start okay:
 
<pre>
sudo reboot now
</pre>
 
==Ansible Setup==
 
Now use charlesreid1-ansible to run the provision and base plays against the server. Note that this requires root access via ssh, so you have to edit your ssh config file to include this line:
 
<code>/etc/ssh/sshd_config</code>
 
<pre>
PermitRootLogin yes
</pre>


Now restart the ssh service:
* [[Ubuntu/Bespin/Gnome Setup]] - setting up gnome on the Ubuntu machine


<pre>
* [[Ubuntu/Bespin/Ansible]] - setting up and running an Ansible role for the machine
sudo service ssh restart
</pre>


and test that you can log in as root without a password:
* [[Ubuntu/Bespin/PIA]] - set up a [[PIA]] VPN tunnel using [[OpenVPN]]


<pre>
* [[Ubuntu/Bespin/DNS]] - removing the built-in DNS server on Ubuntu and replacing it with dnsmasq
ssh root@<ip-for-bespin>
</pre>


IT IS VERY IMPORTANT YOU ONLY ENABLE THIS WHILE YOU RUN ANSIBLE! DISABLE IT WHEN YOU ARE DONE!!!
* [[Ubuntu/Bespin/PiHole]] - run an instance of PiHole, the DNS sinkhole, in a Docker container; install it between dnsmasq and the VPN tunnel, so all DNS queries will pass through the PiHole


Now run ansible from a different machine:
* [[Ubuntu/Bespin/Iptables]] - Update the iptables rules to allow better protection of the server and be less permissive


<pre>
* [[Ubuntu/Bespin/TIL]] - the summary of "today I learned" things that I learned while setting up Bespin
# run this from a different machine!
git clone git@github.com:charlesreid1-com/charlesreid1-ansible.git ansible
cd ansible


# provision (python3 install)
==Related Articles==
ANSIBLE_CONFIG="local.cfg" ansible-playbook --vault-password-file=.vault_secret --extra-vars "machine_name=bespin" provision.yml


# set up with all the things
* [[Ubuntu/OpenVPN Server]] - set up an OpenVPN server on a Ubuntu machine (not running on bespin)
ANSIBLE_CONFIG="local.cfg" ansible-playbook --vault-password-file=.vault_secret --extra-vars "machine_name=bespin" base.yml
</pre>


Last, edit your ssh config to disable root login:
==Old Irrelevant Articles==


<code>/etc/ssh/sshd_config</code>
Articles that are no longer relevant to bespin but that may have useful information for some future project.


Remove this line!
* <s>[[Ubuntu/Bespin/Second AP Tunnel]]</s> - this ended in failure, twice. short version: you can't have multiple simultaneous PIA tunnels in OpenVPN without significant extra configuration, so no need to go this above and beyond.


<pre>
* <s>[[Ubuntu/Bespin/Wifi Repeater]]</s> - using bespin to run hostapd and make a wifi repeater
PermitRootLogin yes # REMOVE ME
</pre>


and replace with this one:
* <s>[[Ubuntu/Bespin/Old/Wifi AP Setup]]</s>  set up a wireless AP to create/host a wifi hotspot on the machine


<pre>
* <s>[[Ubuntu/Bespin/Old/AP PIA Tunnel]]</s> - route traffic from a wireless AP to a PIA VPN tunnel
PermitRootLogin no
</pre>


Now restart the ssh service:
* <s>[[Ubuntu/Bespin/Old/Iptables]]</s> - old iptables rules for things that aren't actually running on Bespin


<pre>
sudo service ssh restart
</pre>




Line 416: Line 42:
[[Category:Ubuntu]]
[[Category:Ubuntu]]
[[Category:Linux]]
[[Category:Linux]]
[[Category:Unix]]
[[Category:Machine]]
[[Category:Machine]]
[[Category:Bespin]]

Latest revision as of 05:38, 19 August 2020

Step by Step Articles

All the setup involved for bespin, a Ubuntu 18.04 desktop server.

  • Ubuntu/Bespin/DNS - removing the built-in DNS server on Ubuntu and replacing it with dnsmasq
  • Ubuntu/Bespin/PiHole - run an instance of PiHole, the DNS sinkhole, in a Docker container; install it between dnsmasq and the VPN tunnel, so all DNS queries will pass through the PiHole
  • Ubuntu/Bespin/Iptables - Update the iptables rules to allow better protection of the server and be less permissive
  • Ubuntu/Bespin/TIL - the summary of "today I learned" things that I learned while setting up Bespin

Related Articles

Old Irrelevant Articles

Articles that are no longer relevant to bespin but that may have useful information for some future project.

  • Ubuntu/Bespin/Second AP Tunnel - this ended in failure, twice. short version: you can't have multiple simultaneous PIA tunnels in OpenVPN without significant extra configuration, so no need to go this above and beyond.
Retrieved from "https://charlesreid1.com/w/index.php?title=Ubuntu/Bespin&oldid=28545"